From xpat at vm1.spcs.umn.edu Thu Nov 17 12:51:38 1994
From: xpat at vm1.spcs.umn.edu (xpat at vm1.spcs.umn.edu)
Date: Thu, 17 Nov 94 12:51:38 PST
Subject: Fundies: The last word on this subject (please)
Message-ID: <9411172051.AA13593@toad.com>

*This is the last response to a former crypto thread gone bad*
*Please post your flames to me, not the list. Thank you.*

Once upon a time, I said:

>>The political history
>>of Christian states or heavily influenced Christian states is a bloody one,
>>and a definite lack of privacy for anyone "outside" the religious majority.
>>(See the histories of the British Empire, Spain, Nazi Germany, and the
>>United States (let's not forget "Manifest Destiny")).

On Wed, 16 Nov 1994 17:52:14 -0600 (CST) you said:

>Nazi Germany was run by occult-influenced pagans.

Duh. What about the other millions of participants. Did you have relatives living and participating in Nazi Germany? I did. They were some of the most sadistic invasive individuals you could ever imagine. They were Lutherans. Can you say, "Papieren, bitte?".

>To include it as a
>Christian or Christian-influenced state demonstrates substantial ignorance,
>prejudice, falsification, or some combination thereof.

Let's see that's C -> ((I & P & F) v (I v P v F)), a conditional disjunctive. Not very convincing really, not to mention downright mean spirited. Perhaps your argument would be more compelling if it had anything to do with crypto/privacy issues. See you later and thanks for the bait.

>What Manifest Destiny has to do with privacy is obscure to say the least.

Let me guess, you're not a pre-1600 Native American. You should read some real interesting accounts of just how tolerant the largely Christian settlers were of the native population of North America. Statement after statement and plea after plea were made to stay out of their lives and to give them the privacy to live as they wished. Try reading "The Long Bitter Trail: Andrew Jackson and the Indians" by Anthony F.C.
Wallace or "The World Turned Upside Down: Indian Voices from Early America" by Colin G. Calloway.

You might be saying to yourself, "Hey, I remember that differently from history back in school". That's true. It's interesting to find out what a farce the written history interpretations in this country are on some matters. Historians had their agendas and interpretations too. Try reading "Historians Against History" and "The Free and the Unfree: A New History of the United States" by David S. Noble. These works point out the importance of primary material in recording history, and may cause oneself to be more cautious about positing historical "facts".

Now let's get back to talking about how we are going to insure our liberty through encryption and all that it implies.

regards,
-pd-

From amanda at intercon.com Thu Nov 17 12:51:52 1994
From: amanda at intercon.com (Amanda Walker)
Date: Thu, 17 Nov 94 12:51:52 PST
Subject: Islands in the Net
Message-ID: <9411171551.AA34415@elfbook.intercon.com>

Tim May writes:

> We "locally clear" (approximately the same as "readable on its face")
> cash and commercial paper because of an assumption that forgery
> is difficult and unlikely. When forgery becomes common in some
> area, merchants carry lists of suspected numbers, IDs, etc., and
> the "readable on its face" criterion erodes.

Exactly. What allows something to be used as an economic unit are its uniqueness and liquidity. Real assets are unique simply by virtue of being physical objects, and are liquid (in the long run) by virtue of having inherent value. I don't worry about someone forging my house, for example, and even things like gold coins or other precious metals are much easier to verify than to forge, and once verified can be exchanged for real assets without reference to the entity which originally issued them (for example, the value in a Krugerrand is that it's gold, not the fact that it was issued by South Africa).
Precious metals and the like are borderline, for all practical purposes we can view them as having inherent value, since people have assigned them value for all of recorded history.

Currency, however, has no inherent value. Its only value lies in its being made up of unique tokens which can be exchanged for real assets. If a token ceases to be unique, it ceases to have value (except perhaps as a curiosity-- there may well be people who collect counterfeit money, for all I know). Also, if it loses its ability to be exchanged for real assets it likewise loses its value (e.g., Confederate dollars from the Civil War).

Digital cash poses two problems. The first is that digital information is easier to duplicate than to verify, and a successful forgery is absolutely indistinguishable from the original, since it is the information itself that is the token, not any physical instantiation of it. The other is that to be successful, digital cash needs to be liquid. For a token to be liquid, it must be backed by real assets. Governments are the classical examples of entities which have sufficient resources to back a currency, although cartels in the private sector can also do so (VISA/MasterCard, for example).

So far, though, no one has solved either the uniqueness problem or the liquidity problem for digital cash. As a result, it might more realistically be called "digital scrip", at least so far.

> This is the sense in which I meant that "Money sure isn't like this."

Indeed, mainly because existing currency is either physical objects or data controlled by the banking system and overseen by governments. Right now, digital currency only works by being a pointer to a token, not the token itself.

> We need to find a way to get back to exploring the various nifty
> systems that are being described in the crypto papers, but which lack
> any real implementation.
Speaking as someone who has a sharp interest in such things, and the resources to apply to them, I have to say that the current regulatory environment serves as a large barrier. If industry's hands are tied, then this all has to be done in "free time" or academia... This slows things down immensely. If it weren't for the Department of State holding the export-control sword over our heads, we'd already have things like digital purchasing, online user registration, digital sigs & encryption by default in email, and so on.

Amanda Walker
InterCon Systems Corporation

From m00012 at KANGA.STCLOUD.MSUS.EDU Thu Nov 17 13:28:18 1994
From: m00012 at KANGA.STCLOUD.MSUS.EDU (m00012 at KANGA.STCLOUD.MSUS.EDU)
Date: Thu, 17 Nov 94 13:28:18 PST
Subject: Coding and Cypherpunks -- (was Re: Islands in the Net)
Message-ID: <009879B8.5B295B00.4181@KANGA.STCLOUD.MSUS.EDU>

I don't know if it got through, but I made a simple modification to blowfish to turn it into a 128 bit block cipher. But nobody seems to want it. Oh well.

Mike

From JLICQUIA at mhc.uiuc.edu Thu Nov 17 13:31:00 1994
From: JLICQUIA at mhc.uiuc.edu (JEFF LICQUIA (CEI))
Date: Thu, 17 Nov 94 13:31:00 PST
Subject: Soldiers of God
Message-ID:

> From: sarah at purvid.purchase.edu (Sayah)

> I apologize if someone else has mentioned this, but what about the
> antiabortion folk... the Christian Coalition, Right-to-life, et al? Religious
> persecution is alive and well. And we *all* ought to worry about a group that
> doesn't even want the opposition to think, say or publish opposing viewpoints.
>
> It's all relevant...

I give up; I must really be a persecutor... Say, anyone remember what I did with my KKK hood?

Now for some content. I see two very good reasons why Christian fundamentalists (CFs) would be on the side of the cypherpunk ideals:

1.
There is a recurring theme in CF thought that can be summed up in a quote often heard: "...cross-referencing the Book of Revelation with the New York Times..." Many CFs see parallels in the Bible concerning predictions about the Antichrist and his aims with the power that is becoming rapidly available through the "Information Superhighway". For an example of this, try mentioning "digital cash" to a CF who isn't very technically hip and see what kind of reaction you get. Yet their concerns with these things is ultimately rooted in concern that a power structure will be erected that centralizes power; when that center is taken over by the Antichrist (whoever that may be), that's when "no one could buy or sell unless he had the mark" (Revelation 13:17 NIV, if you're interested).

These same people, when they question me (since I'm a computer professional and therefore am "in danger"), are very enthusiastic when I talk to them about public-key crypto, anonymized digital cash, and the like, since these work to decentralize power. They are also appalled when I describe to them the implications of Clipper and Digital Telephony. Thinking CFs many times despair because of the inevitability of the "information economy" and the power implications it has; if they were to find out about any technical tools that would ensure decentralization of the NII, I'm sure they would fight hard to ensure their inclusion. Anybody around here know of any such technical tools? :-)

2. There are still places in the world where Christians are persecuted; Tibet comes to mind as one place. I have already put a copy of PGP into the hands of someone who wants to communicate with an underground church, and have also hinted to him about how to use anonymous remailers, pseudonyms, and the like. Maintaining communication in many cases is essential to the survival of a particular cause, and the spread of the gospel is no different.
I will also add in passing that PGP could possibly be of interest for use by both moderate and radical pro-life groups, who now both fear repression as a result of the publicity of the murder of the abortion doctor in Florida. (BIG DISCLAIMER: I am pro-life, and am totally opposed to the killing of abortion doctors. I am NOT advocating any position on abortion on the list, however, and will not defend my position here. Remember that just because YOU oppose a group does not mean they don't deserve privacy!)

From sq0nk at alt.anonymous.messages Thu Nov 17 13:54:11 1994
From: sq0nk at alt.anonymous.messages (Random Factor)
Date: Thu, 17 Nov 94 13:54:11 PST
Subject: Changes to remailer@jpunix.com
In-Reply-To: <199411162016.OAA24470@jpunix.com>
Message-ID: <199411171606.AA18990@xtropia>

> Date: Wed, 16 Nov 1994 14:16:46 -0600
> From: "John A. Perry"
> Subject: Changes to remailer at jpunix.com

> Well folks...

> It happened again. Last night jpunix was used to post proprietary
> code to the net. I had to spend a couple of hours on the phone with the
> authors of the code, generating cancel messages, etc.. It seems that
> jpunix is a magnet for those that wish to abuse the remailers.

> Since jpunix seems to attract problem users, I have installed some
> safeguards in the remailer that will hopefully add a level of difficulty
> to those that wish to abuse while remaining transparent to proper usage.

here are some other ideas to consider in addition to or instead of the 20k limit:

* require encryption for incoming messages.

* require that the sender, the receiver, or both be a known remailer address. at least one other remailer has to be involved.
* impose a 20k limit on messages unless they are received from a known remailer and sent to a known remailer.

randy

From sq0nk at alt.anonymous.messages Thu Nov 17 13:56:32 1994
From: sq0nk at alt.anonymous.messages (Random Factor)
Date: Thu, 17 Nov 94 13:56:32 PST
Subject: Here's one for laughter
In-Reply-To: <9411162328.AA10269@toad.com>
Message-ID: <199411171707.AA19239@xtropia>

> From: Alexandra Griffin
> Subject: Re: Here's one for laughter
> Date: Wed, 16 Nov 94 18:27:20 EST

> > > How about a rationale for shutting down the entire link for 15 minutes
> > > instead of simply refusing to make the requested connection?
> >
> > the total shut down discourages exploring.
> >
> > randy

> Am I the only one that finds it a bit sad and disturbing that
> "discouraging exploration" is being presented as a worthwhile goal?

i only meant to say that this is a rationale for shutting down the link. i don't think this is a worthwhile goal.

i agree, it is disturbing when educators discourage exploration. unfortunately educators have traditionally done a lot to discourage exploration.

randy

"When I think back on all the crap I learned in high school, it's a wonder I can think at all." - Paul Simon

--
Random Factor
to send me private mail, post an article pgp encoded for 0x006DDD4D to alt.anonymous.messages. my key is available from public servers.
From abostick at netcom.com Thu Nov 17 14:11:10 1994
From: abostick at netcom.com (Alan Bostick)
Date: Thu, 17 Nov 94 14:11:10 PST
Subject: Spelling Flame -- Hit 'D' Now (Was Re: wreaking havoc on the net)
In-Reply-To: <9411162343.AA14429@homer.spry.com>
Message-ID: <5MxokyczBCCV073yn@netcom.com>

In article <9411162343.AA14429 at homer.spry.com>, bshantz at spry.com wrote:

> I think Tim May went over this once a few months back about why he doesn't
> like people mailing him little puissant messages that don't really need to be
                                 ^^^^^^^^
> encrypted, but they encrypt them anyway.

The word I think you mean to use is "pissant." "Puissant" means "powerful." A puissant message probably should be encrypted.

| Alan Bostick              | "Stand back! I've got a dictionary, and
abostick at netcom.com       | I'm not afraid to use it!"
finger for PGP public key   | Key fingerprint:
                            | 50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79
+legal_kludge=off

From eric at remailer.net Thu Nov 17 14:20:07 1994
From: eric at remailer.net (Eric Hughes)
Date: Thu, 17 Nov 94 14:20:07 PST
Subject: Islands in the Net
In-Reply-To: <199411171923.LAA11063@netcom10.netcom.com>
Message-ID: <199411172218.OAA29675@largo.admate.com>

   From: tcmay at netcom.com (Timothy C. May)

   Language is an example we ought to look at more closely, as both of
   us have noted. In contrast to the "data structures" we love so much,
   natural language is a way of creating a more fluid data structure, a
   more nuanced statement.

The version of language though, that I was referring to were formal languages, the stuff of DFA's (deterministic finite automata) and push-down automata.
The advantage here is entirely in their formality, in that precise interpretations of a formal language can be made. A great benefit derives from the explicit formulation of the semantic scope of particular representation. A formal language _can_ "mean exactly what I want it to mean, neither less nor more."

The social process of creating these interpretations ("meanings") and getting everyone to agree upon them, however, can be tortuous. We in the ASCII world all agree that the number 65 represents the capital letter 'A', but the letter 'A' is a further abstraction, albeit universally shared in the literate world. Interpretations of data structures almost universally share this trait; they are reductions of one abstraction to another.

Two major problems about compatibility can be framed in terms of formal languages: the need for well-formed data structures and the coexistence of multiple data structures.

The formal language notion of recognition is merely an algorithm for set membership, the set being called the "language". "Is this string of symbols a member of the language or not?" In layman's terms, the problem is with data corruptions. While everyone knows data corruption is a problem, deciding what data is corrupt and what is not is sometimes difficult; witness the habitual arguments between client and server writers about whose implementation is wrong. Even fairly clear standards like RFC-822 (mail) leave wide holes in interpretation.

The second problem is less immediately pressing and ultimately more important. Given a string of bits, what exactly _does_ it refer to? One can pass it through all the recognizers one has, but it may still not be uniquely determined as being a particular kind of data. Compatibility between data of different types will be of vital importance to achieve systemic robustness.

Any set of languages, though, can be made compatible by prepending a common language which acts as a dynamic type specifier.
Unix has the beginnings of this with its "#!" syntax for picking the interpreter of an executable. The problem with the Unix version of this is that a particular interpretation binary is specified, not an actual language specification.

   Natural language is often misinterpreted, hence the value of data
   structures. For example, I'm glad my financial accounting at my stock
   broker is handled with robust data structures, but I'm also glad to
   be able to communicate my goals and desires in a natural language.

Well, there's someone somewhere who understands both the formal language and the natural language; it can be either oneself or an intermediary. Now the formal language may be quite flexible and understandable and admit synonyms, but the contextual nature of human languages mitigates against their strict interpretation.

One of the real-life characteristics of natural language which isn't present in computer systems is a way of correcting misunderstandings. If one person misunderstands another, further conversation can ensue. If the computer interprets a command differently than the commander intended, disaster can ensue. Suppose I want to delete some data and then I change my mind:

E: Computer, please get rid of this old correspondence.
C: OK, boss, all done.
E: No wait, I need one particular series of those back.
C: Sorry, all gone.
E: What do you mean, "all gone".
C: I destroyed them utterly.
E: Why?
C: You asked.

This stuff has been a theme in SF humor forever. I find it highly ironic that the computer industry, so steeped in SF themes, hasn't thought more about how to alleviate this problem.

As a very basic example, consider the issue of data persistence. No standard operating system has at a deep level the notion of "backed-up data". The replication and redundancy could take many forms, including tape, network disk, or data haven. This particular issue is going to be an obstacle for the widespread deployment of digital cash.
When a disk crash (hard or soft) means that you lose fungible money, either the problem gets fixed or the system doesn't propagate.

   What's the common theme? Agents. Chunks of code which also have
   local processing power (brains, knowledge).

I don't think that agents have any relation to the problem of mapping natural languages to formal languages. Perhaps you mean something else by this reference.

   Someone sent me private e-mail on this "Islands in the Net" topic,
   and talked about "payloads of data carrying their own instructions,"
   in reference to the Telescript model of agents. (I wish he'd post
   his comments here!) This approach, also typified in some
   object-oriented approaches, seems to be the direction to go.

   > If steel were like software, there would be a knob on each beam that
   > allowed you to change, for example, the balance between hardness and
   > toughness. Knobs mean random knob-twiddling.

   Actually, such "dynamic buildings" are becoming more common, I hear.

Now add knobs to the thermal expansion coefficients, the densities and masses, the rates of oxidation, the stress-strain matrix elements, etc. If materials engineering were like software, we'd have _both_ nanotechnology and everybody living in trees because they didn't crash so often.

   But the effect is to increase the "state space" which must be tested,
   and we are led to "testability" and "provable correctness" of
   programs, two interesting areas of programming. So far we've seen
   little application of these ideas to Cypherpunks interests.

Not unexpectedly, since these apply to all software, not just cryptography software.

   > The more specific inspiration for the general form of the remailer
   > syntax is Jon Bentley's theme of "Little Languages".

   I'm hopeful that the recent interest in TCL, Safe-TCL [...]

The "little" in little languages might be taken to mean "Not Turing Complete".
His expository language, as I recall, is the language of floating point numbers, which, alternately, is the question "how do you write down a mantissa and an exponent." Another little language would be email addresses -- still not completely standardized, although blessedly mostly so.

   We "locally clear" (approximately the same as "readable on its face")
   cash and commercial paper because of an assumption that forgery is
   difficult and unlikely. When forgery becomes common in some area,
   merchants carry lists of suspected numbers, IDs, etc., and the
   "readable on its face" criterion erodes.

These two are not the same at all! "Readable on its face" means that you can actually determine _entirely from the front side of the document_ what the instrument says. If there is an inclusion by reference, then it's not readable on its face. If there is a condition external to the instrument, such as a condition of services rendered, then it's not readable on its face, since some event external to the instrument determines its value.

"Readable on its face" just means that one knows what is said, _not_ whether one believes it or not. Those actions which turn the note into a lie are called "conversions" as a group, and forgery is just one form of conversion. (Stealing a note is another.)

With a naive implementation of Chaum's blind signature, all you have is a string of bits that can be verified only with some public key. Nowhere in the bits themselves is there an explicit representation of how much the bill is worth, what currency it's denominated in, when it expires, who issued it, etc. These signatures alone are not facially readable.

   We need to find a way to get back to exploring the various nifty
   systems that are being described in the crypto papers, but which
   lack any real implementation.

Fandom and enthusiasm will only carry so far in prototyping. One of the reasons that the remailers have attracted such interest is that they do something proximately useful.
The questions of reliability and utility that are mentioned here really are key to getting more people trying out stuff.

Eric

From anonymous-remailer at shell.portal.com Thu Nov 17 14:24:09 1994
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Thu, 17 Nov 94 14:24:09 PST
Subject: PGP DLL, library
Message-ID: <199411172223.OAA01007@jobe.shell.portal.com>

Cypherpunks,

I see some people thinking about encryption API's and related code. I suggest interested parties take a look at Pr0duct Cypher's PGP Tools and RSAREF. PGP Tools is based on PGP 2.3a, and provides a library of routines upon which applications can be built (magic money for example). RSAREF provides 15 or 18 routines which provide various services, such as encryption, key generation, digital signatures, hashes, etc. I'm not saying necessarily use RSAREF due to licensing restrictions, but take a look at its overall design. And there is other code available at ripem.msu.edu for example.

I know there is a tendency/desire to support PGP, but I think anybody who wants to create a PGP DLL/library version will have to be part of the PGP development team, since PGP is a fairly fast moving target. I don't know what is in store for PGP's future, but future enhancements will probably include PEM support (or whatever standard becomes popular), a new format for keyrings, an API, larger key sizes, etc. I mean, by the time you "update" the current version of PGP to a DLL/library version, a new version will appear which may be very different.

I guess what I'm saying is either roll your own encryption, join the PGP development team, or wait patiently.

From andrew_loewenstern at il.us.swissbank.com Thu Nov 17 14:28:50 1994
From: andrew_loewenstern at il.us.swissbank.com (Andrew Lowenstern)
Date: Thu, 17 Nov 94 14:28:50 PST
Subject: Islands in the Net
Message-ID: <9411172229.AA01226@ch1d157nwk>

tcmay at netcom.com (Timothy C. May) writes:

> What's the common theme? Agents.
> Chunks of code which also have
> local processing power (brains, knowledge).
>
> Someone sent me private e-mail on this "Islands in the Net" topic,
> and talked about "payloads of data carrying their own instructions,"
> in reference to the Telescript model of agents. (I wish he'd post
> his comments here!) This approach, also typified in some
> object-oriented approaches, seems to be the direction to go.

Naked data is dumb and computers aren't much smarter. Computers need instructions from humans to act on that data, and when you separate the data from the instructions that act on it you have problems. If a hunk of data arrives on your machine and you don't have any code to make sense of it, you are SOL. Likewise if the code that interprets that data isn't "correct" for that data you run into problems. By making the instructions that act on data an integral part of that data, you can avoid problems. This is just the object-oriented programming concept of encapsulation of course.

Of course, encapsulation (or OOP for that matter) is no silver bullet for solving this problem at least in the way we are approaching it. It takes a lot of code and a lot of agreement among people. I think it's the human error (including shortcuts) and the lack of communication among humans that contributes the most to software fragility and lack of robustness.

What's more is the distinction between data and code is very well entrenched in modern computing. The executable code is nearly always a separate entity from the data it acts on. Not only does the hardware and OS make the distinction between code and data, most programmers do as well. Even though C++ seems like the de facto standard for new software these days, few applications written with it practice strict encapsulation.
There is a blurb in last month's Wired (the one with "Rocket Science" on the cover) where they touch on this subject a bit (I don't have it handy), but the author there draws the same conclusion as I: it will take a very radical and fundamental change in computing before this becomes reality. No amount of committee meeting (CORBA) or application level software sugar (OpenDoc, OLE, whatever) is going to change this, or at least make it work. At the core every machine makes the distinction between data and code. Operating systems make distinctions between applications and data files. Until the hardware and the OS start believing that data and code are one as well as the programming languages and APIs, we won't get anywhere. Heck, computers have been around for 40+ years and the primary data interchange format between systems is still just a dumb stream of bit encoded characters.

Maybe....

Agents like TeleScript really intrigue me... and I think they are closer to what we need to do this than any of the myriad suggestions coming out of the OOP community (like CORBA, OLE, OpenDoc, etc...). Intelligent agents carrying their payload of data through the network. However, the agents have to be able to run their code on any machine and without having the capability to do 'damage' (most institutions _prefer_ to be islands on the net because of fear of 'hackers'). In addition, the agents, as a collection of code and data, have to be mutable in some way to be able to process the data in new ways.

What if remailers were implemented using 'agents'? Instead of me sending a dumb message to a smart remailer, what if I could send smart remailer, with an encrypted message embedded in it, to a friendly machine offering agents access to SMTP (i.e. a machine that allowed any authorized agent to arrive and initiate an outgoing tcp stream to the SMTP port of any other machine).
Now I can make my remailer system as convoluted as I want, simply by programming this agent to cruise around machines that answer when it knocks. Once it has moved between enough hosts, it moves to a host that offers outgoing SMTP connections and delivers its payload. No longer am I limited by the time and effort of the remailer operators to implement fancy new features. Any machine that gives access to my agent becomes another hop in my remailer chain (or whatever purpose I want). All my remailer agent needs to operate is one host, the final destination, that will let it make an outgoing SMTP connection, which could be provided by the hosts currently running remailers.

What if this e-mail message you are reading was really an agent instead of just data? A basic e-mail message protocol would be needed for your mail-reading software to interact with it. I'm using protocol here in the sense that NeXT uses it in their version of the Objective-C language. Protocols there are a formal interface definition for an object that isn't tied to a class. If my mail message object (or agent) conformed to the mail protocol, it would have to implement all of the methods defined in the protocol (maybe methods like "giveMeTheMessageContents", "deliverThisReply:", "forwardToThisAddress:", etc...). Wow, now I have a smart e-mail message. I could recode the "deliverThisReply" method to go through anonymous remailer systems or basically anything it wanted. Now instead of praying that the recipient is savvy enough to handle using an encrypted remailer reply block, the recipient just replies as normal and their mail-reader hands the reply to my agent which goes off and does its magic.

I know very little of TeleScript (i.e. I haven't gotten my grubby little hands on it), but I do know that it implements some crypto features for authentication and the like. This type of system won't work unless people are absolutely sure it's secure.
By secure I mean people should be confident that when they open their hosts to agents there is no way for agents to access services not explicitly granted to them...

I think this is the future of distributed network computing... servers on the network provide basic services (by basic I mean CPU time, network connections, disk storage, etc...) to be utilized by smart agents, as well as smart agents carrying payloads and interacting with 'normal' software (like in my mail message example).

There is pretty much no chance that a fundamental paradigm shift in the relationship between code and data will occur at all levels, at least not all at once, there's just too much stuff out there already. But it seems to me that a well-engineered agent system could be a decent compromise, or a move towards the end of code/data duality, that has a good chance of gaining widespread acceptance.

enough,
andrew

From eric at remailer.net Thu Nov 17 14:30:28 1994
From: eric at remailer.net (Eric Hughes)
Date: Thu, 17 Nov 94 14:30:28 PST
Subject: Islands in the Net
In-Reply-To: <199411171946.AA26822@metronet.com>
Message-ID: <199411172229.OAA29684@largo.admate.com>

   Again, as a wanna-be programmer, I *try* to use binary formats only
   where the data or information is peculiar to a particular program;
   if there's a chance that it will be shared with something else, I
   try to use text.

The thing about all data is that most all of it eventually gets shared, even the stuff that one program might think proprietary to itself.

   >The general issue may be quite profound. If we want to use textual
   >representations and general purpose text tools, then a digital
   >signature _qua_ authenticator loses its use, since a text tool,
   >because it is a general purpose text tool, cannot verify the
   >signature.

   Sorry - you lost me on this one. When I see a PGP signature on a
   posting, isn't that an ascii-fied digital signature? Doesn't the
   textual representation of that signature have value/meaning?
The word "_qua_" (Latin, therefore italicized, represented by underlining) roughly means "as". The textual representation of a signature *as* text has no value *as* a signature; it's just an arbitrary collection of symbols. The value of a signature only arises when one performs a cryptographic operation on it, which by definition is not a textual operation.

We all know the standard for displaying (length-limited) text. Put the first characters at the top from left to right until the end-of-line. Move down one line and repeat.

But how does one represent the _authentication_ information in text. Typeface? Color? A vertical bar? Enclosure?

One solution might simply be to discard before viewing any text whose authentication information doesn't match, and then one can assume that all information that looks like it's authenticated actually is authenticated.

The PGP cleartext signature format, for example, suffers seriously in facial readability because the signer is only implicitly identified by the Key ID, and that's inside the armor block!

Eric

From klbarrus at owlnet.rice.edu Thu Nov 17 14:31:42 1994
From: klbarrus at owlnet.rice.edu (Karl Lui Barrus)
Date: Thu, 17 Nov 94 14:31:42 PST
Subject: changes to remailer@jpunix.com
Message-ID: <9411172231.AA27739@fast.owlnet.rice.edu>

I read about some changes that John Perry made to his remailer, since it is being abused. (Sorry to hear it!)

I thought he said he is doing source blocking (I deleted the message and can't check.) Is this true? Were there no hops between the abuser and the remailer? How can you prevent the abuser from just chaining through different paths to reach your remailer and continuing to use it? Or am I remembering incorrectly ;)

Random Factor suggested (among other things)

> * require encryption for incoming messages.

Requiring encryption is OK, as long as you don't require the remailing header and message body to be encrypted together.
If you do, like the extropia remailer does, then you can't form reply blocks that include such a remailer (since the reply block is created by a sender who obviously doesn't have the message body that his recipient will use the reply block to respond to).

From perry at jpunix.com Thu Nov 17 14:36:31 1994
From: perry at jpunix.com (John A. Perry)
Date: Thu, 17 Nov 94 14:36:31 PST
Subject: Changes to remailer@jpunix.com
In-Reply-To: <199411171606.AA18990@xtropia>
Message-ID: <199411172235.QAA19976@jpunix.com>

# you write:

>here are some other ideas to consider in addition to or instead of the
>20k limit:

> * require encryption for incoming messages.

Good idea in theory but won't work in practice. The stats generated by the anonymous remailer show that less than 40% of the messages passing thru are encrypted. Most people would find being forced to encrypt a huge inconvenience. BTW everyone, when I say stats, I mean the primitive stats generated by the remailer and are available to anyone sending email to remailer at jpunix.com with the subject being remailer-stats. Don't start asking me if I get these stats by logging! I don't log.

> * require that the sender, the receiver, or both be a known remailer
> address. at least one other remailer has to be involved.

You are talking about fortress remailers. This is currently under discussion. Stay tuned.

> * impose a 20k limit on message unless they are received from a known
> remailer and sent to a known remailer.

Good in theory once again, but bad in practice. This would entice the abusers to jeopardize several remailers instead of just one. Every remailer that spam/proprietary-stuff goes through would be potentially at risk also. If remailers are going to be legally jeopardized, I would think the impact would be less if it were one instead of many. But, there is also safety in numbers. Hmm...

John A. Perry - KG5RG - perry at jpunix.com
WWW - http://jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.
PGP-encrypted e-mail welcome!
Finger kserver at jpunix.com for PGP keyserver help.
Finger remailer at jpunix.com for remailer help.

From rah at shipwright.com Thu Nov 17 15:02:06 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Thu, 17 Nov 94 15:02:06 PST
Subject: Fundies!
Message-ID: <199411172258.RAA01268@zork.tiac.net>

At 10:33 AM 11/17/94 -0800, James A. Donald wrote:

>This thread is totally irrelevant to cypherpunks.

I'm beginning to understand Messrs May and Hughes' peeves about this kind of cruft.

Could you folks please take this discussion offline.

Thanks,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
Shipwright Development Corporation
44 Farquhar Street
Boston, MA 02331 USA
(617) 323-7923

"There is no difference between someone who eats too little and sees Heaven and someone who drinks too much and sees snakes." -- Bertrand Russell

From rah at shipwright.com Thu Nov 17 15:13:04 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Thu, 17 Nov 94 15:13:04 PST
Subject: Fundies!
Message-ID: <199411172310.SAA01718@zork.tiac.net>

Oops. That's what I get for not finishing my mail before firing off those zingers...

Tim, as usual, said it better than I could. I don't retract the following, I just apologize for its redundance..

>At 10:33 AM 11/17/94 -0800, James A. Donald wrote:
>
>>This thread is totally irrelevant to cypherpunks.
>
>I'm beginning to understand Messrs May and Hughes' peeves about this kind of
>cruft.
>
>Could you folks please take this discussion offline.
>
>Thanks,
>Bob Hettinga
>

-----------------
Robert Hettinga (rah at shipwright.com)
Shipwright Development Corporation
44 Farquhar Street
Boston, MA 02331 USA
(617) 323-7923

"There is no difference between someone who eats too little and sees Heaven and someone who drinks too much and sees snakes." -- Bertrand Russell

From kaseyu at acad.stedwards.edu Thu Nov 17 15:17:39 1994
From: kaseyu at acad.stedwards.edu ('Kasey Uthurusamy')
Date: Thu, 17 Nov 94 15:17:39 PST
Subject: NSA gif/bmp/jpg...
Message-ID: <9411172317.AA17772@toad.com>

Seeing as how the CIA has gotten on the information 'superhighway'... (www.ic.gov)

Does anyone have a gif/jpg/pcx...of the NSA logo...or possibly a collection of Fed logos...I downloaded the CIA logo and everyone at work was clamoring for it... :)

Kurgan
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Ah...the KURGAN...he is the strongest of the immortals...."
kurgan at gnu.ai.mit.edu
punisher at ccwf.cc.utexas.edu
kaseyu at acad.stedwards.edu
"INVICTUS MANEO"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From perry at jpunix.com Thu Nov 17 15:32:20 1994
From: perry at jpunix.com (John A. Perry)
Date: Thu, 17 Nov 94 15:32:20 PST
Subject: changes to remailer@jpunix.com
In-Reply-To: <9411172231.AA27739@fast.owlnet.rice.edu>
Message-ID: <199411172331.RAA20855@jpunix.com>

[Non-text attachment scrubbed: text/x-pgp, 1141 bytes]

From frissell at panix.com Thu Nov 17 15:51:22 1994
From: frissell at panix.com (Duncan Frissell)
Date: Thu, 17 Nov 94 15:51:22 PST
Subject: Lock & Key
Message-ID: <199411172350.AA01007@panix.com>

From Nat Hentoff's column in this week's Voice:

In 1952, A. J. Muste--in an essay, "Of Holy Disobedience"--spoke of Georges Bernanos, the novelist, who refused to stay in France under the Nazis.
One of the Bernanos passages quoted by Muste is not without contemporary relevance:

"The moment, perhaps, is not far off when it will seem...natural for us to leave the front-door key in the lock at night so the police may enter, at any hour of the day or night...."

(Remember the Bill Clinton-Henry Cisneros proposal last spring that people who live in public housing projects should sign an agreement allowing the police--without a warrant--to enter any time to seize drugs and perpetrators? Our wholly irrelevant attorney general, Janet Reno, did not object.)

From dmorgan at uoguelph.ca Thu Nov 17 15:57:51 1994
From: dmorgan at uoguelph.ca (Deanne Morgan)
Date: Thu, 17 Nov 94 15:57:51 PST
Subject: IRC & HTTP proxy servers (fwd)
Message-ID:

This is a copy of my reply to Jonathan Cooper's request for legitimate uses of anonymous services...

DHM.

---------- Forwarded message ----------
Date: Wed, 16 Nov 1994 18:47:58 -0400 (EDT)

On Wed, 16 Nov 1994, Jonathan Cooper wrote:

> Is there any interest in IRC and HTTP anonymizing proxy servers?

Yes.

> My question (which I have about most anonymized services) is what the
> legitimate uses would be. I'm currently in a code-till-I-drop mindset,
> but I really don't want people using these services just to sling
> porn-o-the-day or to irritate people on irc.

An example of use of anonymous servers:

There is a newsgroup called alt.sexual.abuse.recovery [among others], a healing forum for survivors of sexual abuse/assault [often childhood sexual abuse], their significant others, and other support people. For obvious reasons, for many there is a need for anonymity [many of those who post would be killed VERY quickly if their true location/identity were discovered].

There is also an irc channel, #**** which is used by "asarians" for "live" discussions of many issues, ranging from very serious survivor issues to having electronic snowball fights. Again, for many, anonymity is VERY important.
So yes, there ARE some very legitimate uses for anonymous servers, whether irc or email or netnews posting...

If you want any further info, please ask.

DHM.

From lmccarth at bali.cs.umass.edu Thu Nov 17 16:22:39 1994
From: lmccarth at bali.cs.umass.edu (L. McCarthy)
Date: Thu, 17 Nov 94 16:22:39 PST
Subject: Insisting on encryption/Picking remailer for abuse
In-Reply-To: <199411172235.QAA19976@jpunix.com>
Message-ID: <199411180018.TAA02807@bali.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

John Perry writes:
> Anonymous writes:
> > * require encryption for incoming messages.
> Good idea in theory but won't work in practice. The stats generated by the
> anonymous remailer show that less than 40% of the messages passing thru
> are encrypted. Most people would find being forced to encrypt a huge
> inconvenience.

[Underdog's remailer-stats for the past 24 hours show just under 50% use of encryption.]

I suspect, though, that there's a fairly effective process of self-selection in determining whether encryption is used.

On the one hand, we have the folks planning the Quayle `96 campaign strategy, who demand maximal privacy w.r.t. the content of their messages, and are liable to face increased scrutiny by eavesdroppers in virtue of their address subdomains anyway. These people realize they're under the microscope, and should *ahem* take great precautions as a result.

OTOH, there are high school students posting to asar about their abusive stepfathers. With very high probability, no-one operating packet sniffers really cares about the content of this traffic. In fact, since the messages ultimately appear in public, the only significant need is anonymity. I hate to say it, but these users inherit by default a fair amount of security through obscurity. The few people who might wish to identify them as the authors of these messages often aren't even aware that they should be looking, which is quite different from the situation in the previous case.
The latter group probably doesn't bother with encryption much, but they probably don't really need it much from their POV. Obviously it would be beneficent from the anti-traffic analysis perspective were everyone to encrypt, but at present it requires far too much effort (relatively speaking) with too little personal gain for the latter group of users to bother. It's worth remembering that seamless integration of encryption with standard communication tools passively enlists the help of all the people who don't give a damn about using encryption, not just those who eagerly await improved interfaces.

> If remailers are going to be legally jeopardized, I would
> think the impact would be less if it were one instead of many. But, there
> is also safety in numbers. Hmm...

I've been meaning to respond to your announcement of the latest abuse of jpunix, and this appears to be an ideal opportunity. You evince a degree of puzzlement about the reasons for the popularity of remailer at jpunix.com for "abuses" such as software copyright infringement.

I can't help thinking that, if I were an aspiring member of the copyright violation squad *and* a dedicated cypherpunk, I would have paid close attention to the discussion of fortress remailers. I would have noted that you (among others) offered your remailer as a fortress remailer. To minimize the chances of crashing part of the remailer bramble, I might well deliberately pick a fortress remailer to release the sensitive material, reasoning that it's less likely to face foreclosure in the aftermath of the incident.

If you build a bulletproof Popemobile for the pontiff, his chauffeur will enter the demolition derby in it in preference to nailing some steel sheets onto a weekend special from Avis. "Build it and they will come !" :}

-L.
Futplex McCarthy; use "Subject: remailer-help" for an autoreply
PGP key by finger or server;
"Better watch what you say, or they'll be calling you a radical...a liberal" --Supertramp
"[CIA/KGB mole Aldrich Ames] took information in shopping bags out the front door" --miscellaneous Congressperson

From lmccarth at bali.cs.umass.edu Thu Nov 17 16:33:43 1994
From: lmccarth at bali.cs.umass.edu (L. McCarthy)
Date: Thu, 17 Nov 94 16:33:43 PST
Subject: "source blocking"
In-Reply-To: <199411172331.RAA20855@jpunix.com>
Message-ID: <199411180026.TAA02840@bali.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

John Perry writes:
> There were no hops and the person that did it signed the message. That is
> why it was so easy to track.

*quizzical look* Any idea, then, why the person bothered with remailing at all ?

- -L. McCarthy

From tcmay at netcom.com Thu Nov 17 16:41:53 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Thu, 17 Nov 94 16:41:53 PST
Subject: Remailer Blocking and Negative Reputations
Message-ID: <199411180041.QAA14839@netcom18.netcom.com>

Just a quick note:

Blocking the sources of messages deemed offensive is a "negative reputation" approach, easily bypassed by creating a new source name. (And this can be done easily by using another remailer first.)

I'm not arguing for a positive rep system here, as I'm not sure how it would work.
I just wanted to note that the solution of blocking offending sources has limited use.

(Unless the blocking propagates back to the first-non-remailer use...require remailers to cooperate on maintaining a black list.)

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From sameer at c2.org Thu Nov 17 17:06:03 1994
From: sameer at c2.org (sameer)
Date: Thu, 17 Nov 94 17:06:03 PST
Subject: Remailer Blocking and Negative Reputations
In-Reply-To: <199411180041.QAA14839@netcom18.netcom.com>
Message-ID: <199411180103.RAA06662@infinity.c2.org>

It seems the case, however, that most people who abuse the remailers have No Clue, and wouldn't even think to do that, or even have the resources to do that..

The case with jpunix for example was pretty simple as Perry was able to figure out who to block simply because the 'abuse'r (I put 'abuse' in quotes because everyone's definition of abuse differs) didn't chain.. I.e. the 'abuser' had No Clue.

I don't think this is much of a problem.

--
sameer                                  Voice:   510-841-2014
Network Administrator                   Pager:   510-321-1014
Community ConneXion: The NEXUS-Berkeley Dialin:  510-549-1383
http://www.c2.org (or login as "guest")  sameer at c2.org

From tomaz at cmir.arnes.si Thu Nov 17 17:08:38 1994
From: tomaz at cmir.arnes.si (Tomaz Borstnar)
Date: Thu, 17 Nov 94 17:08:38 PST
Subject: : Anon III - RFM
Message-ID: <199411180108.CAA17863@cmir.arnes.si>

Key for user ID: Tomaz Borstnar
1024-bit key, Key ID BC52F895, created 1993/12/06

-----BEGIN PGP SIGNED MESSAGE-----

Hello!
This is one of the proposals for anonymous irc on IRC network called Undernet (servers: undernet.org, us.undernet.org, eu.undernet.org). Author is Dennis Holmes (dholmes at rahul.net)

- ------- Forwarded Message

date: Wed, 16 Nov 1994 22:22:58 -0800

(Note, non-list mail)

Hmm, I wasn't gonna just send ya the proposal again, but on second thought, I guess I will. I've put the test servers back up so you can see it if you want.

My recommendation is that if there is a user desire for anonymity, having them post to the newsgroup or wastelanders would probably have the strongest impact. A statement of why they feel it is necessary and/or beneficial would be heard best I expect.

I can give a couple reasons offhand why I didn't pursue this further:

- - - Very few people expressed support for the idea.
- - - It looked like I would be expected to upgrade it to the latest server level, yet I have not been provided with details of code changes despite my requests. And my suggestions to consult with others prior to any non-trivial code change (basically) have not been well-received.
- - - Arguing about it became a waste of too much time.

Well, that's not entirely true; one of the goals I was after has started to happen. Maybe that's a more legitimate reason than any of the others for laying off a bit.

Subject: Anon III - RFM

Revised summary of ideas for an anonymous IRC service. This proposal is dated 2 October 1994 (version III).

Proposal: (n.) something put forth for consideration.

RFM: Request For Mail. If you realize a way the service described below can be abused by users, please mail dholmes at rahul.net with the information, and be as specific as possible. Thoughts on how the service might be improved are also welcome. If needed, additional mail discussion will be used to try to determine the least intrusive solutions to problems received. A new revision or status will be posted to wastelanders when appropriate.
Please do not send me your wonderful ideas on registering users, restricting mode changes, or other "problemless solutions" (unless requested or it concerns one of the particular points below). While these ideas may have merit, if they do not address specific abuses peculiar to this service, then they will most likely not fall into the category of "least intrusive solutions" being sought as described above.

An implementation of Anon III is currently available for testing at jive.rahul.net port 5853. A standard Undernet server is connected to it and runs on port 5854. Please send me your observations, bug reports, and results (good and bad) from using various clients.

The following points describe features of the proposed service, or restrictions to be placed on its users. "Registration" as used below refers to the normal process of a client signing onto a server and having its presence propagated across the net.

* Use a special server to provide a high level of service, so that users are able to operate in the environment to which they are accustomed. After connecting to this server and registering in the normal fashion, a client becomes anonymous by sending a specific command to the server, upon which the server performs any checking, signs the user off the net, and reregisters the user.

* Insure that each anonymous client is registered with a unique user at host combination so that individual users can still be banned from channels, ignored, etc. (User appears as anon376@, and must disconnect from the server (signoff) in order to change this. Also provides for banning of all anonymous users from a channel.)

* Furthermore, a user becoming anonymous more than once within a certain period (let's say a day, for now, but this may vary at the admin's discretion) will receive the same anonymous identification on subsequent invocations after the first. This provides further protection against ban and ignore evasion.

* Users of the service will be logged.
(It should be noted, however, that, in general, this information will not be released except as required by law. The purpose here is to assist the administrator in assuring appropriate use of the service.)

* Disallow anonymous oper (IRC/server operator) status. (This means that opers becoming anonymous will also be de-opered.) This prevents unidentifiable discontent operators from disrupting the net.

* Block CTCP CLIENTINFO and USERINFO requests. This protects against users deliberately attempting to cause other users to flood or overload their connections without being identified.

* Block CTCP FINGER and USERINFO replies, to protect client anonymity.

* Lower the flood detection threshold for anonymous users, so they're killed more quickly upon trying to flood.

* Detect reconnecting users who were anonymous (users connecting who disconnected less than [60] seconds ago and were anonymous) and prevent them from joining channels or sending messages/notices for [30] seconds. This will stop queued messages within the client (from a would-be flooder) while still protecting the user's anonymity.

* Ability to allow or deny anonymity based on address. This allows the administrator to deny known abusers the privilege of using the service.

* Disallow multi-mode changes (i.e. allow only one channel mode change per MODE command). Also allow mode change or kick only once every "few" seconds. This provides channel operators time to react if an anonymous user attempts to take over a channel.

Ensor.

+----------------+-------------------+------------------------------------+
| Dennis Holmes  | dholmes at rahul.net | "We demand rigidly defined      |
| San Jose, CA   +-------------------+ areas of doubt and uncertainty!" |
+------=>{ Meanwhile, as Ford said: "Where are my potato chips?"
}<=------+

- ------- End of Forwarded Message

From perry at jpunix.com Thu Nov 17 17:16:50 1994
From: perry at jpunix.com (John A. Perry)
Date: Thu, 17 Nov 94 17:16:50 PST
Subject: "source blocking"
In-Reply-To: <199411180026.TAA02840@bali.cs.umass.edu>
Message-ID: <199411180112.TAA22319@jpunix.com>

[Non-text attachment scrubbed: text/x-pgp, 1207 bytes]

From perry at jpunix.com Thu Nov 17 17:23:13 1994
From: perry at jpunix.com (John A. Perry)
Date: Thu, 17 Nov 94 17:23:13 PST
Subject: Remailer Blocking and Negative Reputations
In-Reply-To: <199411180041.QAA14839@netcom18.netcom.com>
Message-ID: <199411180122.TAA22458@jpunix.com>

[Non-text attachment scrubbed: text/x-pgp, 1204 bytes]

From abostick at netcom.com Thu Nov 17 18:12:40 1994
From: abostick at netcom.com (Alan Bostick)
Date: Thu, 17 Nov 94 18:12:40 PST
Subject: Changes to remailer@jpunix.com
In-Reply-To: <199411172235.QAA19976@jpunix.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199411172235.QAA19976 at jpunix.com>, "John A. Perry" wrote:
>
> In message <199411171606.AA18990 at xtropia> you write:
>
> >here are some other ideas to consider in addition to or instead of the
> >20k limit:
> > * impose a 20k limit on message unless they are received from a known
> > remailer and sent to a known remailer.
>
> Good in theory once again, but bad in practice. This would entice the
> abusers to jeopardize several remailers instead of just one. Every
> remailer that spam/proprietary-stuff goes through would be potentially at
> risk also.
> If remailers are going to be legally jeopardized, I would
> think the impact would be less if it were one instead of many. But, there
> is also safety in numbers. Hmm...

But (except for monitoring messages going into and out of the remailer, or operator logging) how is anyone to know which remailers were involved in a chain? Isn't this one of the things that chaining is supposed to prevent?

A more accurate objection might be that if spam/proprietary data is chained through remailers, then EVERY remailer is at risk.

BTW, I think your safeguards (which I am _not_ objecting to) only make it a little bit harder to use your remailer to post stolen code or whatever. Someone could easily break the posts up into pieces and chain them through your remailer, perhaps through different chains as well, e.g.:

>::
>Anon-Subject: RC5.ZIP [06/37] {Sources for RSADSI's proprietary cipher}

You could block multiple messages with the same or similar subject fields, but anyone chaining remailers intelligently would probably not use a single remailer as the final sending point -- unless they had it in for that remailer!

Or are you going to block posts from remailers that forward spam to you? (A cure worse than the disease, IMHO).

                          | In the other room I passed by Ellen Leverenz as
Alan Bostick              | someone asked her "Do you know any monopole
abostick at netcom.com    | jokes?"
finger for PGP public key | "Sure," she said. "In fact, I know two of them."
Key fingerprint:          | -- Terry Carr, GILGAMESH
50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79
+legal_kludge=off

From CCGARY at MIZZOU1.missouri.edu Thu Nov 17 19:33:59 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Thu, 17 Nov 94 19:33:59 PST
Subject: CEB6 1 of 2
Message-ID: <9411180333.AA24644@toad.com>

CYPHER-REBELS ELECTRONIC BOOK (CEB)
NOVEMBER 17, 1994 ISSUE 6
Publisher Gary Lee Jeffers ccgary at mizzou1.missouri.edu

THE ORIGINAL, FIRST, & OTHER "OFFICIAL" "ORGAN" OF THE CYPHERPUNKS LIST
(That is still in existence.)

NOTE: Items bounded by /* & */ are new text - Differ from last issue.

IS YOUR SOFTWARE TYRANNICIDAL? If so, Cypherpunks & the CEB want to hear about it!

A compendium of the best software & info for today's electronic privacy Freedom Fighters. This text may be distributed in part or in full anywhere you want. It may be given away freely or copies may be sold. CEB wants to be free & valuable.

If, as Chairman Mao says: "Political power grows out of the barrel of a gun.", then what is democracy?

/* Currently, we have Fortress Cryptography & State Sufferance remailers, mailing lists & newsgroups. We must have Fortress: remailers, mailing lists & newsgroups! */

This file may or may not be found on ftp.csua.berkeley.edu pub/cypherpunks/ ? with filename CEB5.

TABLE OF CONTENTS

Chapter 1. PGP
  Section 1. PGP general
  Section 2. Michael Johnson's PGP FAQ contribution
  Section 3. Stealth PGP.
  /* Section 4. PGP2.6.2 from Sameer. */
Chapter 2. Steganography. "A picture is worth a thousand words."
Chapter 3. Shells for PGP
  Section 1. Christopher W. Geib's WinPGP26.ZIP
  Section 2. Ross Barclay's WinFront 3.0 /* ftp information added. */
  /* Section 3. Ed Carp's PGPWIND ver 0.1.g */
Chapter 4. Generally cool things.
  Section 1. Loompanics sources.
  Section 2. Viruses sources.
Chapter 5A. Getting the Cypherpunks' archived & indexed list. /* ITS GONE! ITS GONE! */
/* Chapter 5B. Secure Drive download location from Raph. */
Chapter 6. Remailers & chained remailers. /* text correction for anon.penet.fi */
Chapter 7. Current problems in Crypt.
Chapter 8. Text sources.
  Section 1. Books
    Part 1. Simson Garfinkel's PGP book.
    Part 2. Bruce Schneier's cryptography book.
    Part 3. William Stallings PGP book.
  Section 2. Rants
  Section 3. CYPHERNOMICON - Tim May's "official" Cypherpunks' FAQ.
Chapter 9. Cypherpunks' mailing list. getting on etc..
Chapter 10. IRC chat strong encryption?
  Section 1. prig(cryptical)'s offering.
  /* Section 2. Ed Carp's offer. */

Chapter 1. PGP general.
PGP is Pretty Good Privacy from Phil Zimmermann. It is currently the best available encryption available to civilians at large. Zimmermann is the programmer on the original PGP versions but now, apparently, just guides other programmers in making improved versions. PGP uses two encryption algorithms: RSA for its Public Key powers & IDEA for its bulk encryption. The advantages of PGP over other crypt/decrypt systems are:

1. RSA algorithm. Allows users to communicate without needing a secure channel to exchange keys. - PUBLIC KEY ENCRYPTION.
2. The program system has been very well done & has huge development support.
3. It has huge popularity.
4. Security is guaranteed with distribution of source code & public investigation.
5. It's free.
6. Both RSA & IDEA are "STRONG" algorithms.

Section 2: Michael Johnson's PGP FAQ contribution

Michael Paul Johnson has an excellent faq on
Subject: Where to Get the Latest PGP (Pretty Good Privacy) FAQ
/* (Last modified: 31 October 1994 by Mike Johnson) */

You can get this faq by anonymous ftp to:
ftp.csn.net /mpj/getpgp.asc
It is also posted monthly on alt.security.pgp

The latest versions of PGP are VIACRYPT PGP 2.7, MIT PGP 2.6.2 & PGP 2.6ui & the new PGP 2.6.i. Which is best? I would say MIT PGP 2.6.2 although PGP 2.6.i is a close contender. MIT's has source code, Phil Zimmermann's blessing & is US legal. For a further discussion of variations, consult Michael Johnson's FAQ.

Section 3: Michael Johnson's PGP bomb contribution.

From: Michael Johnson
Subject: PGP Time Bomb FAQ

PGP TIME BOMB FAQ

Michael Johnson writes: "There has been some confusion about the annoying "Time Bomb" in MIT PGP2.6, as well as some other PGP version compatibility issues. This is an attempt to clear up some of that confusion."

You can get this faq by anonymous ftp to:
ftp.csn.net /mpj/pgpbomb.asc

/* Section 4. PGP2.6.2 from Sameer.
From: sameer
Subject: PGP 2.6.2 on ftp.csua.berkeley.edu
Date: Thu, 27 Oct 1994 03:19:19 -0700 (PDT)

PGP 2.6.2 is now available on ftp.csua.berkeley.edu in /pub/cypherpunks/pgp/pgp262

Not for export outside of the United States in violation of ITAR restrictions.

--
sameer                                  Voice:  510-841-2014
Network Administrator                   Pager:  510-321-1014
Community ConneXion: The NEXUS-Berkeley Dialin: 510-549-1383
http://www.c2.org (or login as "guest") sameer at c2.org
*/

Section 3. Stealth PGP

Stealth PGP refers to a PGP file that does not have the RSA prefix tag on the beginning of a PGP encrypted file or to PGP utility software that disguises this tag. Possibly, a later version of PGP will have this as an option. The advantages of "Stealthy" PGP are that its files cannot be found by Internet search programs that hunt for the PGP/RSA tag & that a "Stealthy" file may be more securely hidden by a good steganography program.

From: Mark Grant
Subject: Stealth PGP

Responding to my question "Has Stealth PGP been done yet?" Mark Grant says:

Kind of, there's a 'stealth' filter available that strips and attaches headers to PGP messages after encryption. It's available from various places, and the documentation is available on my 'other people's PGP addons' WWW page :

http://www.c2.org/~mark/pgp/other.html

There's also information about Privtool, my PGP-aware mail program for Sun workstations at :

http://www.c2.org/~mark/privtool/privtool.html

Mark

EMAIL: mark at unicorn.com
URL  : http://www.c2.org/~mark/

Chapter 2. Steganography

"A picture is worth a thousand words."

[ASCII-art picture: STILL LIFE WITH CRYPT]

Steganography is the craft of hiding messages in pictures.
The text is, of course, encrypted text rather than plain text. The current best steganography program has been done by Arsen Arachelian. Below follows his text contribution:

From: rarachel at prism.poly.edu (Arsen Ray Arachelian)

WNSTORM is available from:
ftp.wimsey.bc.ca:/pub/crypto/software/dist/US_or_Canada_only_XXXXXXX/Steg

Usual routine to get it. i.e. cd /pub/crypto/software, get the README file, and if you agree to the terms then follow the instructions.

Short description off the top of my head (I wrote the beastie). Another info scrap should be in the same directory as WNSTORM.

WNSTORM is a data encryption/steganography utility which is pretty secure for most uses. Unlike some stego systems WNSTORM is expandable, all you have to do is write your own LSB injector/extractor for whatever data format you wish to hide information into.

WNSTORM doesn't require the recipient of the host picture, sound, movie, etc. to have the original un-stormed picture. Unlike primitive stego programs, WNSTORM doesn't compare a stormed picture with an unstormed picture.

WNSTORM will cover its tracks statistically. If it changes a 0 bit in the LSB data stream to a zero, or a 1 bit to a 1, it does nothing. If it changes a 1 bit to a zero, it will balance itself by changing an unused adjacent 0 bit to a 1. Ditto for a 0->1 transform.

WNSTORM will NOT change every bit of the LSB in order to prevent detection. It will use a passkey along with a probabilistic algorithm to decide which bits it will change. The algorithm for picking bits depends on the previous successfully encoded/decoded cyphertext AND the passkey.

Internally WNSTORM works by picking "windows" or "packets" of bytes out of either a random number stream or an LSB stream extracted from a picture, sound, movie, etc. It then injects eight bits of cyphertext into this window. Each window is of variable size. The bit locations where the bits are inserted are randomly exchanged for each pass.
The bit values are also randomly exchanged for each pass.

WNSTORM includes an injector/extractor for PCX images, however I will write more injector/extractor programs for it in the future, and OTHERS can do so as well.

Chapter 3. Shells for PGP.

Section 1. Christopher W. Geib's WinPGP26.ZIP

From: "David K. Merriman"
Subject: Christopher W. Geib's Windows PGP shell

I've just finished making an ftp deposit to soda in the cypherpunks/incoming directory of WinPGP26.ZIP; it's the latest version of the Windows PGP shell Shareware, and understands 2.6/2.6ui/2.7.

Dave Merriman

Section 2. Ross Barclay's WinFront 3.0

From: Ross Barclay
Subject: PGP WinFront 3.0 Now Available! (New Windows front end for PGP)
To: cypherpunks at toad.com, ~rbarclay at TrentU.ca

-----BEGIN PGP SIGNED MESSAGE-----
/* signature wrecked due to included text from another contributor. Gary Jeffers */

Announcing PGP WinFront 3.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~
A freeware Windows front end for PGP 2.3a and 2.6
Copyright 1994 Ross Barclay (rbarclay at trentu.ca)

WHAT IT IS:

- PGP WinFront is the most fully featured free (or otherwise) Windows front end available. It will make using PGP easy for beginners, and it will drastically increase the speed at which experts use it too. PGP WinFront is now into its third revision and I have tried to implement as many of the suggestions that I received as possible. PGP WinFront was designed by its users, but was coded by me.

Features:

- Supports secret key ring placement on floppy drive
- Support en/decryption to/from clipboard
- Move / Copy / Delete files
- Online hypertext help
- Online hypertext PGP help
- Keyring reader to pick names, view key characteristics
- Keyring reader supports less-often used "huge" keyrings
- Signature Checker
- Very configurable - over 25 user-definable settings
- more . . .

This program does too much to list here. And it's free! This version is a complete rewrite of the popular PGP WinFront 2.0.
The feature-set has largely been set by users who sent in suggestions. Please read the file README.TXT and peruse the help files. Please send me your comments.

HOW TO GET IT:

At the moment, there are 2 ways to get this program:

1) Via FTP
- The PGP WinFront 3.0 filename is called PWF30.ZIP.
- It has been uploaded to the incoming directories of the following FTP sites:

  ftp.cica.indiana.edu
  ftp.eff.org
  ftp.wimsey.bc.ca

/* from Gary Jeffers. There has been a problem getting pwf30 from these sites. However, it CAN ACTUALLY be ftp'ed with the following info.:
ftp.wimsey.bc.ca: /pub/crypto/software/dist/US_or_Canada_only_XXXXXXXX/PGP/Misc/pwf30.zip */
--
Mark Henderson -- markh at wimsey.bc.ca, henderso at netcom.com (personal accounts)
RIPEM 1.1 MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46
cryptography archive maintainer -- anon ftp to ftp.wimsey.bc.ca:/pub/crypto
*/

  black.ox.ac.uk
  soda.berkeley.edu
  ftp.informatik.uni-hamburg.de
  ftp.ee.und.ac.za
  ftp.demon.co.uk

- Hopefully, they will be slotted into the PGP directories soon. On CICA, it will be placed into \pub\pc\win3\utils. That is where PWF20.ZIP was placed.
- Once you get the program, please upload it to other FTP sites!

2) From Colorado Catacombs BBS
- dial (303)772-1062. The file is called PWF30.ZIP
- once you get the program, please upload it to other BBSs.

*** The mail access system I had was discontinued. This is because the file was too big to fit into my account. However, you can still register PWF and request certain PGP and PWF related items using my mail access system. Details of these are on the "About" screen of PWF 30.
- --Ross Barclay - ------------------------------------------------------------------------- Ross Barclay (rbarclay at trentu.ca), Assistant Editor | To receive my PGP | public key, send PC NEWS Review: Windows Edition | me e-mail with the Bellevue, WA (206) 399-8700 | subject: GET KEY - ------------------------------------------------------------------------- To receive PC NEWS Review, send me e-mail with the subject: GET PNR. - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBVAwUBLmZ7fdgpRteEZ9JhAQFeXgIAxIpvJQeMsx7YecNgtusBDMqL662XFeX2 qL0qF8HcN4ReZ9MYjtn9t8N1zWGxkPOXQEI3KfM7uk8JTzxjZ5LG2g== =gSYT -----END PGP SIGNATURE----- /* Section 3. Ed Carp's PGPWIND version 0.1.g */ From: ecarp at netcom.com (Ed Carp) Subject: PGP For Windows 0.1.g release Date: Thu, 17 Nov 1994 01:44:41 -0800 (PST) -----BEGIN PGP SIGNED MESSAGE----- The latest release of PGP For Windows is in ftp.netcom.com:/pub/ecarp/pgpwind.zip Several bug fixes, and an occasional feature or two :) Now you can set the font for the program if you don't like the default. ;) Thanks to Dave Merriman and D. Morgan for beta testing. The next release will hopefully have online help for the program itself, even though it's pretty straightforward. Comments, bug reports to me. Thanks! - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com Finger ecarp at netcom.com for PGP public key an88744 at anon.penet.fi If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever" -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBLssmBSS9AwzY9LDxAQHa/QP/YjxnZJWlK4VWrolr1fe75m/0YjGhHyEN dLsLOUbiR0riz6oO0WaExQUaSh4mefpgniHc9tSkCreL6dBG+hdA6qwNlUVMCANV dxAXw0E9SQUxoLDPY1pbbEcyoDmu7Im2qg52WTMvKELbKWOyiIdtbc+BupCjfhw3 g6YPzIAXaB4= =vYWD -----END PGP SIGNATURE----- Chapter 4. Generally cool things. Section 1. Loompanics sources. 
Something cool from Vincent:

Most of the Loompanics Unlimited catalog is online as:
gopher://gopher.well.sf.ca.us/00/Business/catalog.asc

And you can send mail to them at: loompanx at pt.olympus.net

You can also get their catalog at:

Loompanics Unlimited
PO box 1197
Port Townsend, Wa. 98368

Send $5.00 for their general catalog - free with any order.

Section 2. Viruses sources.

AMERICAN EAGLE PUBLICATIONS

Cypherpunks, I have found a source of info. that I just must share!

American Eagle Publications, Inc.
P. O. Box 41401
Tucson, AZ 85717

I'm sure they will send you a catalog just for the asking. So, what are they about? They are about VIRUSES! They don't just carry a couple of virus things - they are the VIRUSES-ARE-US of the virus world! They have a journal: Computer Virus Developments Quarterly. They have books on viruses, virus protection, cryptanalysis, the science fiction book "Heiland", a CD-ROM for $99.95 of several thousand live viruses, disks of viruses with source code, executable & utilities, programs & cards for boot protection, & even a virus IDEA computer system protector.

Copy follows for two items of particular interest to Cypherpunks:

POTASSIUM HYDROXIDE, KOH
By the "King of Hearts"

A sophisticated piece of software which uses ideas first developed by computer virus writers to secure your computer system against those who would like to get their hands on the information in it. You give KOH a pass phrase, & it uses state of the art IDEA data encryption algorithm to encrypt all of the information on your hard disk & your floppies. It is, for all intents & purposes, unbreakable, & works well with DOS & Windows. Many encryption programs offered commercially are easily cracked, but this one is not. Some people call this program a virus, some say it is not. In ways, it acts like a virus to do some of your security housekeeping for you. Yet at worst it is a friendly virus that lets you choose when & how it will replicate.
program & manual on disk, $10
program, full source, & manual on disk, $20
(Overseas customers add $12: KOH cannot be exported from the US, but since it was not developed in the US, we will forward your order to the overseas distributor. Please allow 6 weeks for delivery)

HEILAND
By Franklin Sanders
276 pages, Paperback, 1986

Here's an entertaining book about America in the year 2020. If you wonder if it's proper to use viruses in wartime or if such a virus could be termed "good", this book will give you some food for thought. Sanders makes use of computer "worms" when the oppressed people of the US attack the federal government in an all-out war against tyranny. Sanders uses his worms right too - not as some all-powerful monster. Rather, they are deployed as part of a larger military strategy. For a book written in 1986, that's not bad! And if you're fed up with the government, this book is sure to give you a vision for the future. Sanders has been part of the mounting tax protest in this country. He's fought the IRS in court for years & won some important battles. Unfortunately the government seems to be confirming some of his worst suspensions about them. Now you can get a good dose of his philosophy & his ideas about remedying our problems. And if you work for the government, don't be offended - this book is doubly recommended for you!

Book, $8.00
for shipping add $2 per book. 5% sales tax for AZ. residents.

It is my belief that in the next few years more uses for viruses than just being a vandal will be found. Also, they may find a place in protecting our electronic freedom. - for instance virus remailers. Also see my previous post - The FREEDOM DEAMON. Also, they have a place in my CHATTERBOX concept (a remailer for chat mode or commands).

"Viruses aren't just for Sociopaths anymore!"

Also, I suspect the state may start cracking down on virus technology.

Incidentally, did you all know that crypt has a place in modern viruses?
Encryption is used to hide "nasty" code & virus signatures until they get into the system & decrypt.

Yours Truly,
Gary Jeffers

PUSH EM BACK! PUSH EM BACK!
WWWAAAYYY BBBAAACCCKK!
BBBEEEAAATTTTT STATE !

Chapter 5A. Getting the Cypherpunks' archived & indexed list.

Vincent also tells us about the complete Cypherpunk's text on line & indexed with fast access times:

Eric Johnson has put one together as:
/*ERIC JOHNSON HAS CONTACTED ME & SAYS THAT IT NO LONGER EXISTS!
 *That's too bad. Well, I guess I'll finally stop embarrassing Eric
 * by referring to it.*/
/* LOTS OF BADLY EDITED & NOW OBSOLETE TEXT DELETED. */

/* Chapter 5B. Secure Drive download location from Raph.

ftp to ftp.netcom.com mpj/I_will_not_export/crypto??????

From CCGARY at MIZZOU1.missouri.edu Thu Nov 17 19:34:40 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Thu, 17 Nov 94 19:34:40 PST
Subject: CEB6 part 2 of 2
Message-ID: <9411180334.AB24644@toad.com>

Hunt around & read his read file. Files in this directory are not for export from the USA and Canada.

secdev13.arj -- Secure Device file hosted device driver by Artur Helwig of the Netherlands.
sfs110.zip -- Secure File system by Peter Gutmann of New Zealand
secdr13e.zip -- Secure Drive by Mike Ingle and Edgar Swank of the USA
*/

Chapter 6. Remailers & chained remailers.

From: wcs at anchor.ho.att.com (bill.stewart at pleasantonca.ncr.com +1-510-484-6204)
Message-Id: <9408300753.AA22369 at anchor.ho.att.com>
To: CCGARY at MIZZOU1.missouri.edu
Subject: Re: Using remailers, chained remailers?

There's somebody who posts a remailer summary to the list about monthly.

/* Text correction follows from Zarr -- Admin at anon.penet.fi (Admin of The Anonymous Contact Service)
 * There are three or four sets of remailers out there:
 * - anon.penet.fi, which gives you an account anNUMBER at anon.penet.fi
 * which people can reply to. Please, send a message to
 * ping at anon.penet.fi to receive an anon ID.
 * You probably also want to send a message to help at anon.penet.fi
 * to receive the help file.
 * Its big use is for anonymous Usenet posting with working replies.
end of text correction. */

some also support Usenet posting. Soda is pretty typical.
- The cypherpunks remailers, which are mostly one-way no-reply mailers;
- Various enhanced cypherpunks remailers, which have features like encrypted reply addresses you can attach at the end.

You can get information on using the soda remailer by sending email to remailer at csua.berkeley.edu, with "help" somewhere in the posting; I'm not sure if it wants it in the Subject: or in the body. That's the remailer that posts from "Tommy the Tourist" with random NSA-bait at the bottom of postings.

Here's a recent posting on getting status of remailers. Note that some really only remail once per day, so they may be working fine even if it says they're not.

----
Date: Mon, 15 Aug 1994 13:39:33 -0700
From: Raph Levien
To: cypherpunks at toad.com
Subject: "finger remailer-list at kiwi.cs.berkeley.edu" now operational

Hi all,

I have written and installed a remailer pinging script which collects detailed information about remailer features and reliability. To use it, just

finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, at

http://http.cs.berkeley.edu/~raph/remailer-list.html

Please do not take the uptime figures too seriously, at least for another week or so. The script has only been running reliably for a few days.

Please let me know about any other remailers which I missed. I've only included remailers which can mail to arbitrary addresses, so I already know chop and twwells are missing.

If you've got a Web page, please feel free to include a link to this page. If you think your Web page is relevant to the subject of remailers, let me know and I'll link it in.

Comments and suggestions welcome!
Raph Levien
-------

# Bill Stewart AT&T Global Information Solutions, aka NCR Corp
# 6870 Koll Center Parkway, Pleasanton CA, 94566 Phone 1-510-484-6204 fax-6399
# email bill.stewart at pleasantonca.ncr.com billstewart at attmail.com
# ViaCrypt PGP Key IDs 384/C2AFCD 1024/9D6465

Chapter 7. Current problems in Crypt.

1. We need an Internet Chat PGP system for conversations in real time.
   /* HEY! IT LOOKS LIKE WE'VE GOT IT! SEE CHAPTER 10. */
2. Has Arsen Arachelian really solved the problem of discovery of crypt in steganography by statistical examination of the least significant bits in his WNSTORM? I have seen no debate on this.
3. If the Feds capture the internet & put their anti-privacy hardware & protocols in place & outlaw remailers, does anyone have any idea how to build secure & effective remailers? A "Fortress remailer"?
4. If the above possibility happens & Cypherpunks' list is outlawed, does anyone have ideas how to make a "Fortress list"?

/* Currently, we have Fortress Cryptography & State Sufferance remailers, mailing lists & newsgroups. We must have Fortress: remailers, mailing lists & newsgroups! */

Chapter 8. Text sources.

Section 1. Books.

Part 1. Simson Garfinkel's PGP book.

From: Stanton McCandlish
Subject: O'Reilly PGP book
Date: Wed, 7 Sep 1994 13:38:58 -0400 (EDT)

coming soon, PGP hits the mainstream:

PGP: Pretty Good Privacy
by Simson Garfinkel
1st Edition November 1994 (est.)
250 pages (est), ISBN: 1-56592-098-8, $17.95 (est)

PGP is a freely available encryption program that protects the privacy of files and electronic mail. It uses powerful public key cryptography and works on virtually every platform. PGP: Pretty Good Privacy by Simson Garfinkel is both a readable technical users guide and a fascinating behind-the-scenes look at cryptography and privacy. Part I of the book describes how to use PGP: protecting files and email, creating and using keys, signing messages, certifying and distributing keys, and using key servers.
Part II provides background on cryptography, battles against public key patents and U.S. government export restrictions, and other aspects of the ongoing public debates about privacy and free speech.

--
Stanton McCandlish
mech at eff.org
Electronic Frontier Fndtn.
Online Activist

Part 2. Bruce Schneier's cryptography book.

The best book in cryptography is:

APPLIED CRYPTOGRAPHY
Protocols, Algorithms, and Source Code in C
by Bruce Schneier

Loompanics advertising copy follows:

In Applied Cryptography, data security expert Bruce Schneier details how programmers can use cryptography - the technique of enciphering messages - to maintain the privacy of computer data. Covering the latest developments in practical cryptographic techniques, the book shows programmers who design computer software and systems we use every day. Along with more than 100 pages of actual C source code of working cryptographic algorithms, this practical handbook:

* Explains data encryption protocols and techniques currently in use and likely to be used in the future.
* Offers numerous present day applications - from secure correspondence to anonymous messaging.
* Includes numerous source code fragments and shows how to incorporate them into larger programs.
* Discusses related issues like patents, export laws, and legal rulings.

And much more!

1994, 7 1/2 x 9, 636 pp, Illustrated, indexed, soft cover.
APPLIED CRYPTOGRAPHY: $44.95 (order number 10062)
$4.00 for shipping and handling. UPS ground. Additional $7.50 if you want UPS w day air (blue) - that would be $11.50.

Loompanics Unlimited
PO Box 1197
Port Townsend, WA 98368

/* Part 3. William Stallings PGP book.

From: William Stallings

William Stallings says that his new book will be out in a few weeks. The book's foreword is by Phil Zimmermann who highly praises the book & states that he prefers it to his own documentation when he needs to look something up! The book's table of contents, then the foreword follows:

| Bill Stallings       | PGP key available at | also from Stable     |
| Comp-Comm Consulting | gopher.shore.net     | Large Email Database |
| P. O. Box 2405       | in members/ws        | contact              |
| Brewster, MA 02631   |                      | key at Four11.com    |

Protect Your Privacy: The PGP User's Guide
William Stallings
(Prentice-Hall, ISBN 0-13-185596-4)

Table of Contents

Foreword by Phil Zimmermann
Acknowledgments
Reader's Guide to the PGP User's Guide

Chapter 1 Protect Your Privacy!
  1.1 What is PGP?
  1.2 PGP Versions

Part I HOW PGP WORKS

Chapter 2 Basic Principles of PGP
  2.1 Conventional Encryption
  2.2 Public Key Encryption
  2.3 Secure Hash Functions
Chapter 3 Sending and Receiving PGP Messages
  3.1 PGP: The Big Picture
  3.2 PGP is Not E-Mail
  3.3 Public Keys and Private Keys
  3.4 Digital Signatures
  3.5 Compression
  3.6 Message Encryption
  3.7 E-Mail Compatibility
  3.8 The Order of Operations in PGP
Chapter 4 PGP Features
  4.1 Multiple Recipients
  4.2 Encrypting Local Files
  4.3 The Display-Only Option
  4.4 Wiping
  4.5 Protecting Text Files
  4.6 Signature Options
Chapter 5 Key Generation and Secret Key Management
  5.1 Creating Public/Secret Key Pairs
  5.2 Secret Key Management
Chapter 6 Public Key Management
  6.1 Exchanging Public Keys
  6.2 Certifying Public Keys
  6.3 Owner Trust and Key Legitimacy

Part II USING PGP

Chapter 7 DOS PGP: Getting Started
  7.1 Getting Started
  7.2 Key Generation
  7.3 Signing Your Key
  7.4 Extracting Your Key
  7.5 Preparing a Message for Transmission
  7.6 Processing a Received Message
  7.7 Adding Keys to Your Public Key Ring
  7.8 Certifying PGP
Chapter 8 DOS PGP Reference
  8.1 Message/File Processing
  8.2 Key Management
  8.3 Miscellaneous Commands and Options
  8.4 The config.txt File
  8.5 Using a DOS Shell
Chapter 9 Macintosh PGP: Getting Started
  9.1 Getting Started
  9.2 Key Generation
  9.3 Signing Your Key
  9.4 Extracting Your Key
  9.5 Preparing a Message for Transmission
  9.6 Processing a Received Message
  9.7 Adding Keys to Your Public Key Ring
  9.8 Certifying MacPGP
Chapter 10 Macintosh PGP Reference
  10.1 PGP Messages Window
  10.2 Help Menu
  10.3 File Menu
  10.4 Key Menu
  10.5 Options Menu
Chapter 11 Windows PGP
  11.1 WinPGP
  11.2 PGP WinFront

PART III Supplemental Information

Chapter 12 The Building Blocks of PGP
  12.1 Conventional Encryption: IDEA
  12.2 Public Key Encryption: RSA
  12.3 Secure Hash Function: MD5
Chapter 13 Choosing Your Passphrase
  13.1 How to Guess a Passphrase
  13.2 How to Choose an Unguessable Passphrase
Chapter 14 Where to Get PGP
Chapter 15 Public Key Servers
  15.1 How to Use Public Key Servers
  15.2 Where to Find Public Key Servers
  15.3 Stable Large EMail Database (SLED)
Chapter 16 PGP 3.0

Foreword by Philip Zimmermann

This book is about Pretty Good Privacy, a program I created to encrypt e-mail using public key cryptography. PGP was electronically published as free software in 1991. Little did I realize what this project would lead to. PGP has become the worldwide de facto standard for e-mail encryption.

I've admired Bill Stallings's writings in computer science for some years before PGP, and here he is writing a book about my program. How can I talk about how great his book is, without, by implication, talking about how great PGP is? It's hard to write a foreword for his book about PGP without sliding into some measure of self-indulgence.

I've been so close to this project for so long that I sometimes lose sight of the scope of what PGP provides. I got the manuscript for Bill's book in the mail the other day -- the book you are holding. Sitting down with it, flipping through it, endless pages of diagrams, the formal treatment of it, services provided by PGP. It wasn't till I saw his book on PGP that I could step back and see PGP as others see it. The breadth of it.

As a software engineer, I'm used to either documenting my own software, or having a random company tech writer document it. All software engineers get that. But having William Stallings do the manual for your software -- it's sort of like having your portrait done by a world-class artist.

There are a very small number of software packages that have far-reaching political implications.
Most software that fits in such an influential category has negative effects on our civil liberties. For example, government intelligence agencies use a software package called PROMIS, which is a powerful tool of governments to track people's activities, movements, spending, political affiliations, et cetera. Now that is a piece of software with far-reaching political implications. Mostly bad ones.

Then there is the software that the Medical Information Bureau uses to classify people who file medical insurance claims, to put them on a medical "black list", so that they cannot purchase any medical insurance ever again. That software has far-reaching political implications -- enough to raise a large-scale backlash in our society to do something about it. In most cases, it seems that software that has powerful political effects is software designed to strengthen the strong and weaken the weak.

But PGP also has far-reaching political implications. Mostly good ones. In the Information Age, cryptography affects the power relationship between government and its people. The Government knows this all too well, as evidenced by their recent policy initiatives for the Clipper chip, which would give the Government a back door into all our private communications -- an Orwellian "wiretap chip" built into all our telephones, fax machines and computer networks. PGP strikes a blow against such dark trends, and has become a crystal nucleus for the growth of the Crypto Revolution, a new political movement for privacy and civil liberties in the Information Age.

This government has done all they can to stop the emergence of a worldwide encryption standard that they don't have a back door into. And that same government has placed me under criminal investigation for unleashing this free software on the world. If indicted and convicted, I would face 41 to 51 months in a federal prison.
Despite the pressure the Government has brought to bear against PGP (or perhaps because of it), PGP has become the most widely used software in the world for e-mail encryption, used by a variety of activists, and anyone else needing protection from the powerful. It's also used by ordinary people to protect their personal and business communications from prying eyes.

PGP may have a future as an official Internet standard, as the Internet Engineering Task Force develops an interest in it. No one who wants to work in the area of Internet e-mail privacy should neglect studying PGP. Because of the "fax machine effect", more people who want to encrypt their e-mail are getting PGP because everyone else who encrypts their e-mail is already using it.

Naturally, I want people to read the Official PGP User's Guide, which comes with the electronic distribution package of PGP (also in book form from MIT Press), because I wrote it. Also, I'm more entertaining and personable in my book. And more political. But Bill Stallings' book is more comprehensive than mine, more thorough, covering more detail, with a lot more diagrams. He's really good at completely nailing it down in a book. In fact, I'll probably use his book myself as my preferred reference to PGP.

Philip Zimmermann
Boulder, Colorado
PGP Fingerprint: 9E 94 45 13 39 83 5F 70 7B E7 D8 ED C4 BE 5A A6
*/

Section 2. Rants.

For good rants FTP to soda.berkeley.edu /pub/cypherpunks/rants

Section 3. CYPHERNOMICON - Tim May's "official" Cypherpunks' FAQ.

This is a giant (1.3MB uncompressed) faq by Tim May. To get it by anonymous ftp:
ftp to ftp.netcom.com /pub/tcmay - This directory has it & its associated files.

Chapter 9. Cypherpunks' mailing list. getting on etc..

>>>> help
This is Brent Chapman's "Majordomo" mailing list manager, version 1.92.

In the description below items contained in []'s are optional. When providing the item, do not include the []'s around it.

It understands the following commands:

    subscribe <list> [<address>]
        Subscribe yourself (or <address> if specified) to the named <list>.

    unsubscribe <list> [<address>]
        Unsubscribe yourself (or <address> if specified) from the named <list>.

    get <list> <filename>
        Get a file related to <list>.

    index <list>
        Return an index of files you can "get" for <list>.

    which [<address>]
        Find out which lists you (or <address> if specified) are on.

    who <list>
        Find out who is on the named <list>.

    info <list>
        Retrieve the general introductory information for the named <list>.

    lists
        Show the lists served by this Majordomo server.

    help
        Retrieve this message.

    end
        Stop processing commands (useful if your mailer adds a signature).

Commands should be sent in the body of an email message to "Majordomo at toad.com".

Commands in the "Subject:" line NOT processed.

If you have any questions or problems, please contact "Majordomo-Owner at toad.com".

Chapter 10. IRC chat strong encryption?

Section 1. prig (cryptical)'s contribution.

Do we really have this capability now? According to following post we do! This info has not been verified yet. You may want to experiment for yourself.

Section 1. prig(cryptical)'s offering.

From: prig0011 at gold.tc.umn.edu
Subject: IRC Encryption

There was a thread a while back about encrypted conversations on channel #freedom on irc. I came across the software I believe they are using. It's a package called Circ, and it is available from archives of comp.sources.misc volume 38 issue 10. It is interesting in that it uses RSA for key exchange, and triple DES for the encryption. The Circ package includes an earlier implementation "socks" which is a stand alone encrypted irc client. I think this is what they use on #freedom.

This is an interesting tool for a couple of reasons. irc can be as anonymous as you want to make it. There are ways of hiding what site you're coming from, your real username, you can change your nick often as you want, and it's got a high enough usage that you can lose yourself in a crowd. It supports background file transfers. You can create a channel and lock it to uninvited people. It is supported pretty much net-wide, if you can telnet, you can irc.

Interesting stuff, and I'll be playing more with it in the near future. BTW: my nick is cryptical on irc. :)

/* Section 2. Ed Carp's offer.
According to Ed Carp, the package has been around for a long time & he's had it on his system for months. Ed says: "If anyone wants it, they can email me and I'll send it to them, tarred, gripped, and uuencoded."

Ed Carp is ecarp at netcom.com
*/

PUSH EM BACK! PUSH EM BACK!
WWWAAAYYYY BBBAAACCCK!
BBBEEEAAATTTT STATE!

From vznuri at netcom.com Thu Nov 17 20:32:12 1994
From: vznuri at netcom.com (Vladimir Z. Nuri)
Date: Thu, 17 Nov 94 20:32:12 PST
Subject: WWWing cypherpunks
Message-ID: <199411180431.UAA00474@netcom18.netcom.com>

It occurred to me that a WWW browser could be used as a sophisticated newsreader like interface to a compiled mailing list, stored on a site. The site would archive the mailing list and index/organize the mail under author, time, subject, etc.

I have written a lot of scripts to do WWW tasks and other mail parsing utilities. I would be willing to donate the programming time to this project if others were willing to donate the computing resources. For the Cypherpunks list the main requirement would be plenty of disk space.

I would like to point out that most of the cypherpunk goals relate to defining "what is a society in cyberspace". The cypherpunk answer is "one that allows interaction & communication while at the same time preserving privacy and freedom of speech". Note that the Usenet model does not really hold absolute privacy as a design prerequisite. In fact the use of such mechanisms like the "nntp-posting-host" and the closure of the network to "outsiders" actually is hostile to pure anonymity (I will leave to others the question of whether anonymity==privacy).

My point is that most cypherpunk goals could be attained by building an infrastructure that embodies the ideas in such a way that Usenet embodies a certain set of ideas for interaction. But the further point is that the system must be self-rewarding in the way that running an NNTP server is rewarding to the site operator.
(Note that the oft-noted "stifled" or "lethargic" progress of remailers is probably due to this basic fact that there is no personal positive incentive for an operator to run one, except perhaps "admiration by cypherpunk peers", a novelty that wears off quickly in the face of heated complaints).

Anyway, if the cypherpunks were to build a system that allowed "community interaction" the way Usenet does, kept the freedom, but preserved the privacy, and improved the signal-to-noise ratio, it would spread like wildfire. There would be no lamenting the lame progress; it would be intrinsically self propagating like a cyberspatial virus.

I am willing to contribute to this by donating programming labor to building a WWW mailing list indexer that could evolve into a full-fledged communications system, if others are willing to donate some resources.

~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
\ / ~/ |\| | | |> | Vladimir Z. Nuri : : : : : `Imagination is more important
\/ /_ | | \_/ |\ | vznuri at netcom.com : : : : : : than knowlege' (Einstein)

From ecf at tenet.edu Thu Nov 17 21:02:49 1994
From: ecf at tenet.edu (Ferguson)
Date: Thu, 17 Nov 94 21:02:49 PST
Subject: WWWing cypherpunks
In-Reply-To: <199411180431.UAA00474@netcom18.netcom.com>
Message-ID:

On Thu, 17 Nov 1994, Vladimir Z. Nuri wrote:

> It occurred to me that a WWW browser could be used as a sophisticated
> newsreader like interface to a compiled mailing list, stored on a
> site. The site would archive the mailing list and index/organize
> the mail under author, time, subject, etc.
>
> I have written a lot of scripts to do WWW tasks and other mail parsing
> utilities. I would be willing to donate the programming time to this
> project if others were willing to donate the computing resources.

I have seen a system similar to this, but for gophering newsgroups. (Maybe it's not that similar.)
I believe it's called Mercury, and you can find it at gopher://gopher.msu.edu:3441

It sorts the groups by threads and date received, and you can choose which display you prefer.

Brad

From jamesd at netcom.com Thu Nov 17 23:32:26 1994
From: jamesd at netcom.com (James A. Donald)
Date: Thu, 17 Nov 94 23:32:26 PST
Subject: How to do foreign transactions.
Message-ID: <199411180732.XAA01550@netcom7.netcom.com>

First and foremost: A chain is as strong as its weakest link. So you do not use a consultant who works in the country where you are making your money.

Repeating this for anyone slow witted. If you are making money in the USA, and wish to perform transactions outside the USA that you would prefer to remain private YOU DO NOT TRANSACT THROUGH A USA CONSULTANT.

DO NOT USE A USA BASED CONSULTANT!

The American IRS, and other bodies hostile to privacy, regularly go after such consultants, accuse them of real or imaginary crimes, threaten them with jail and sometimes with a rubber hose, and force them to sing like canaries. Worse still, a great many of them continue right on in the financial consultancy business while continuing to sing like canaries.

So first and foremost you do not use a consultant that is subject to the violence of those that you most fear.

Use a friend or a relative who is in a foreign country. Blood is thicker than water, relatives are better.

No suitable relatives? Subscribe to foreign financial newspapers, and read the ads, subscribe to some of the newsletters advertised or reviewed in those newspapers.

You might wish to subscribe to AGI PO Box 4010 6304 Zug Switzerland. This advertises stockbrokers, banks, and mutual funds all over the world that accept international transactions. That is a suggestion, not a recommendation. Do your own homework, and check your family tree for relatives dispersed around the world.

OK, what comes second.
Well second, third, fourth and fifth, same as above, do not use a consultant who is subject to the violence of those you most fear.

Somewhere way down the list ... About thirty seventh down the list: All financial institutions that are beyond the violence of those you fear the most, are good. All of them! All of them! Even in countries quite hostile to privacy, they do not turn over financial information en masse to a foreign power, even when that foreign power is the USA.

Say you fear the USA the most, and you have a bank account in another country. Say you have a bank account in Australia, a country with high taxes, absolutely no banking privacy, a country that routinely and regularly grovels to the USA.

Even so, the ones you fear still have to find out that the account exists, information that they discover in the USA and *then* they have to ask their opposite number in Australia, "Hey, I did a favor for you, can you do a favor for me, pretty please with sugar on top?"

If the enemy already have that kind of information on your financial doings, and they are keen enough on getting you that they are willing to do things that are special and out of the ordinary, then your goose is cooked anyway, regardless of whether your account is Australia or Liechtenstein. So who gives a tinker's dam?

What points one to thirty seven boil down to is quite simple. The key question about any financial institution is: Can the revenuers kick down the door and pistol whip the operator if he fails to make everything in his computer totally and completely available to the revenuers?

It really is that simple.

If you are afraid of USA revenuers, then the difference between a USA bank, and a USA financial privacy consultant is so slight that it is not even worth thinking about. The difference between a Swiss bank and an Australian bank is small. The big difference is the difference between a USA entity and a foreign entity.
Ignore all the mysterious arcane legalistic complexities uttered by the self proclaimed financial experts. It really is not very complicated at all. Simply apply the pistol whip question. Nothing else counts for very much.

If a financial institution fails the pistol whip test, then its computers have a line to the IRS echoing everything that happens. If they do not have such a line now, they will very soon.

If it passes the pistol whip test, then there is no line to the IRS. The IRS might be able to get information if they ask nicely about a particular person, but they will have to ask nicely and they cannot simply say: "Dump everything you have to our computers and make sure it is in a form that our computers like, and if something makes our computers hiccup, you're gonna sweat."

I repeat: The key question is "Can they kick down the door and pistol whip the guy who owns the computers?" All other questions, such as what does the law say, and what legal system the institution operates under, are comparatively insignificant.

Now obviously some banks are better than others. For most people this is not an important difference, but there is a difference.

Now if you are a big time drug dealer living in exile, yeah, you had better worry about the fine detail of a nation's banking secrecy laws. In that case the difference between Switzerland and Liechtenstein might be important to you.

But fussing over the details of a country's banking laws is like worrying about sources of randomness in session keys. It is not likely to make the slightest difference in practice.

Of all the banks that have some degree of secrecy, Swiss banks are the best, not that they have the strongest secrecy, but because they are real banks, they are not just post office boxes, and the same laws apply to everyone. Your money is safe in Switzerland not because they are trying to lure foreign hot money -- in fact they are trying to exclude foreign hot money.
You almost have to sneak your money into Switzerland in the same way you sneak it out of the US. Your money is safe in Switzerland because Swiss property is safe in Switzerland. In Switzerland you are protected by Swiss liberty, not by foreign privilege.

For your enemies to get information about your Swiss bank account, they are going to have to know what you have been up to. And, knowing what you are up to, they are not going to merely have to ask a favor, as they would in most countries. They are going to have to go before a foreign court. They are going to have to jump through legalistic hoops that they did not write in a court that they cannot control. They will have to deal with powerful people on those people's home ground.

They are profoundly reluctant to do this. It makes them feel weak and helpless. Unless they know you are up to something *and* they have serious hots for you, they are not going to do it.

So unless you are a foreign dictator that the US might wish to overthrow, or unless you got the IRS chief's daughter pregnant and skipped town, you really do not need to give a dam.

And if you attract their attention, and seriously upset them, then nothing is safe. They will obtain the key to that Liechtenstein safety deposit box by bribery, illegal methods, and by threatening people with massive baseless lawsuits. (This happened to one famous tax resister. The King of Liechtenstein will tell them to go eat shit, but a lawyer in Liechtenstein will roll over like a puppy dog.) Or they will lock you up in solitary, with your only source of conversation being thirty hour chat sessions with IRS agents with bright lights shining in your eyes, until you are willing to confess that you killed Kennedy and you were Jack the Ripper and you damn well give them the key.

Which brings us to point thirty eight, the least and slightest of the matters you should keep in mind.
Obviously some institutions and some countries are more vulnerable to persuasion and pressure by foreigners than others. I am told the King of Liechtenstein is strongly resistant. Doubtless this is true.

But if there are two financial institutions, and one is a major Swiss bank, and one is actually a lawyer operating a mail drop, guess which one rolls over first, even if the lawyer is located in Liechtenstein.

One needs to consider both the reputation of the country and the reputation of the institution. (You might also consider that, on the other hand, the hole-in-the-wall lawyer in Liechtenstein can give you facilities that achieve much the same thing as a fiduciary account at a price you can afford, whereas a big Swiss bank would not give you a fiduciary account unless you had serious money. Yet again you might consider that something like a fiduciary account is ridiculous overkill for most people)

But I repeat, compared to the vast difference between someone they can pistol whip, and someone they cannot pistol whip, the difference between two people, neither of whom can be pistol whipped, is very slight. It really does not matter that much. Just get your money out of gunshot.

Legal technicalities would only matter if the government gave a shit about legal technicalities.

Once your money is out of gunshot, it really does not make a very big difference where you put it. Go for decent rates of return, and ignore too-clever-by-half secrecy schemes.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we        James A. Donald
are. True law derives from this right, not from         jamesd at acm.org
the arbitrary power of the omnipotent state.

From hfinney at shell.portal.com Thu Nov 17 23:40:23 1994
From: hfinney at shell.portal.com (Hal)
Date: Thu, 17 Nov 94 23:40:23 PST
Subject: Islands in the Net
In-Reply-To: <9411172229.AA01226@ch1d157nwk>
Message-ID: <199411180739.XAA20067@jobe.shell.portal.com>

Andrew Lowenstern writes:

>What if remailers were implemented using 'agents'? Instead of me sending a
>dumb message to a smart remailer, what if I could send smart remailer, with
>an encrypted message embedded in it, to a friendly machine offering agents
>access to SMTP (i.e. a machine that allowed any authorized agent to arrive
>and initiate an outgoing tcp stream to the SMTP port of any other machine).
>Now I can make my remailer system as convoluted as I want, simply by
>programming this agent to cruise around machines that answer when it knocks.
>Once it has moved between enough hosts, it moves to a host that offers
>outgoing SMTP connections and delivers its payload. No longer am I limited
>by the time and effort of the remailer operators to implement fancy new
>features. Any machine that gives access to my agent becomes another hop in
>my remailer chain (or whatever purpose I want). All my remailer agent needs
>to operate is one host, the final destination, that will let it make an
>outgoing SMTP connection, which could be provided by the hosts currently
>running remailers.

Yes, I think as Tim mentioned that safe-tcl is a possible way to go here. You could really do a lot of what Telescript promises with safe-tcl, and it is completely open and non-proprietary so anybody could run a server.

Basically, safe-tcl is a limited subset of the tcl scripting language designed to allow "active mail", which can contain programs to run either at the time the mail is put into your mailbox or at the time you read it. Most of their interest is in the latter, because since tcl is married to the X scripting package tk, you can actually have an incoming mail message which puts up its own X dialog boxes, etc.
Somebody wrote a sample mail-based tictactoe game, where you click in a box and it automatically sends an appropriate program to the other player which will put up the game board and let him click, etc. Imagine this for crypto protocols.

But, back to the remailers, as Andrew says this agent-based or "active" mail provides a whole new paradigm for viewing remailers. Rather than being this anarchic threat to the net as they are often pasted, they are simply one of a wide class of servers. If we can move to a model in which semi-autonomous agents do surf the net, then remailers become just a small part of a much bigger picture. I may allow incoming agents to use various resources on my machine, including the mail facilities. A remailer is then just a server which does not enforce a lot of state information on outgoing messages to record their incoming path.

I suppose the thing to watch for here will be efforts on the part of net.control freaks to force agents to be carefully authenticated, regulated, ordered and tracked. Just as the mail specs (RFC822) emphasize the importance of a human owner of every piece of mail so you have someone to complain to, similar motivations may play a part in future specs for active mail and similar extensions. This is going to be a continual battle which we will have to be ready for.

Hal

From perry at jpunix.com Fri Nov 18 02:31:58 1994
From: perry at jpunix.com (John A. Perry)
Date: Fri, 18 Nov 94 02:31:58 PST
Subject: Changes to remailer@jpunix.com
In-Reply-To:
Message-ID: <199411181030.EAA00389@jpunix.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/x-pgp
Size: 1968 bytes
Desc: not available
URL:

From nowhere at bsu-cs.bsu.edu Fri Nov 18 07:39:07 1994
From: nowhere at bsu-cs.bsu.edu (Anonymous)
Date: Fri, 18 Nov 94 07:39:07 PST
Subject: No Subject
Message-ID: <199411181534.KAA17229@bsu-cs.bsu.edu>

Can someone please list the mail-to-news gateways that are available, and any discrepancies about message acceptance based on SUBJECT: line.

Thanks,
- spooge

From LAURENN%smtpgate at earth.wri.org Fri Nov 18 08:22:09 1994
From: LAURENN%smtpgate at earth.wri.org (LAURENN%smtpgate at earth.wri.org)
Date: Fri, 18 Nov 94 08:22:09 PST
Subject: Online Fraud Case Settled
Message-ID: <9411181138.ab21300@earth.wri.org>

EDUPAGE - Nov. 17, 1994

ONLINE FRAUD CASE SETTLED
Chase Consulting has agreed to reimburse customers who paid it $99 for a credit repair program advertised over American Online. The Federal Trade Commission chairman says: "The commission wants to make it clear that advertisers on the information superhighway will be held to the same standards as advertisers in other media." The case represents the FTC's first legal effort to prosecute online fraud. (Wall Street Journal 11/17/94 A4)

************************************************************************
Educom -- Transforming Education Through Information Technology
************************************************************************
Written by John Gehl & Suzanne Douglas. V: 404-371-1853. F: 404-371-8057

From acspring at knoware.nl Fri Nov 18 08:45:14 1994
From: acspring at knoware.nl (Andrew Spring)
Date: Fri, 18 Nov 94 08:45:14 PST
Subject: DC net Implementation
Message-ID: <9411181747.AA27754@indy.knoware.nl>

>
>Using a central node to coordinate the DC-net traffic requires that the
>participants trust that central node. If the central node is evil,
>I think there are things it could do to identify message senders.
>For example, instead of doing a single collation of N messages, it could
>do N collations of N-1 messages, and find out who sent a message by
>seeing in which collation that message doesn't show up.
>

A collation of N-1 nodes will always produce garbage; the whole set is needed for the message to fall out.

Example

C wishes to broadcast the number 10.

A sends 5 to B
B sends 11 to C
C sends 7 to D
D sends 14 to A

A sends 14 - 5 = 9 to Central node
B sends 5 - 11 = -6
C sends 11 - 7 + 10 = 14
D sends 7 - 14 = -7

Central node computes 9 - 6 + 14 - 7 = 10;

Collating the subset ABC yields 17
Collating ABD yields -4
ACD yields 16
BCD yields 1

What Jim McCoy was talking about (I think: please correct me) was that there are attacks on this protocol, that can prevent messages from being transmitted; or alter messages in transit.

Example: B wants to jam the transmission. He simply violates the protocol.

A sends 14 - 5 = 9 to Central node
B sends 5 - 11 + 8 = 2 (the +8 is static)
C sends 11 - 7 + 10 = 14
D sends 7 - 14 = -7

Now the message sums up to 18, instead of 10 as C intended. Worse than that; If B knows that 10 is going to be broadcast, he can force the message to be any value he wants, by properly choosing his jamming signal.

There's an even nastier trick you can play with the vanilla DC protocol. Two adjacent members can conspire to set up a 3rd. Let's say the DC Cell gets busted by the Feds for posting the illegal number 10 to the Internet. The guilty party is C, but C and D can lie about the number they shared and make it look like A.

C testifies, "I received an 11 from B and sent a -3 to D"
D testifies, "I received a 3 from C and sent a 4 to A"

That makes A's calculation look off by 10, the number of the message.

A testifies, "You liar! You gave me 14!"

Who's lying?
I'm not sure if these constitute bugs or "features" of the DC protocol; since the goal is to obscure the source of the message, allowing jammers and spoofers may preserve plausible deniability at the cost of network reliability; then again, maybe I'm just being lazy.

--
You have violated Robot's Rules of Order and will be asked to leave the future immediately. Thank You.

From eric at remailer.net Fri Nov 18 09:14:14 1994
From: eric at remailer.net (Eric Hughes)
Date: Fri, 18 Nov 94 09:14:14 PST
Subject: Islands in the Net
In-Reply-To: <9411171551.AA34415@elfbook.intercon.com>
Message-ID: <199411181712.JAA00827@largo.admate.com>

I have rearranged quotations from the original for more cogency of response.

   From: "Amanda Walker"

   Real assets are unique simply by virtue of being physical objects, and are liquid (in the long run) by virtue of having inherent value.

   The other is that to be successful, digital cash needs to be liquid. For a token to be liquid, it must be backed by real assets.

This is just not what "liquid" means. A liquid asset refers to the speed with which it can be traded, not what kind of value it has. "Liquid" is an adjective about timeliness, not about resolution.

There are plenty of liquid assets which don't have "real" value, the "real" in "real estate", i.e. physical existence. Promises, for example, have value, but not "real" value. A negotiable promissory note, i.e. a promise to deliver money (money which may be real or virtual), is a liquid asset, but not a real asset.

   Currency, however, has no inherent value. Its only value lies in its being made up of unique tokens which can be exchanged for real assets.

Currency is not just paper money. Currency also includes minted specie (e.g. gold coins), other minted coins, silver certificates, and federal reserve notes. Sometimes currency _is_ the real asset, as in Krugerrands. Sometimes currency is a promise to deliver real assets, as a silver certificate (the _old_ greenbacks).
Sometimes currency represents a fiat value, as with today's greenbacks.

If you take a dollar bill to a Federal Reserve Bank, you won't be able to turn that physical representation of a dollar of fiat currency into anything that's still money and at the same time backed by real assets. Just because it's a fiat currency doesn't make it any less a currency.

   Also, if it loses its ability to be exchanged for real assets it likewise loses its value (e.g., Confederate dollars from the Civil War).

Under this reasoning, today's dollar bills should be worthless. They aren't. Real assets are not the only form of value.

   Governments are the classical examples of entities which have sufficient resources to back a currency, although cartels in the private sector can also do so (VISA/ MasterCard, for example).

What currency do Visa or Master Card issue, perchance? They don't issue currency. Not all forms of money transfer involve currency, though, so credit cards can move money around without moving currency around. The constitution of the USA reserves currency making power for Congress and so far they haven't relinquished any of it.

   So far, though, no one has solved either the uniqueness problem or the liquidity problem for digital cash. As a result, it might be more realistically be called "digital scrip", at least so far.

The uniqueness problem is entirely solved by what Chaum calls the "spent number database" (a term I abhor). Some of the other offline techniques can be used to implement a tradeoff between uniqueness and identity.

The problem you refer to as liquidity is really the backing problem. It has also been solved, but not yet implemented. All it takes is for someone to incur a legal obligation to return money for digital cash, which means a functioning digital cash business, of which there are not yet any.

   Right now, digital currency only works by being a pointer to a token, not the token itself.

This is an insightful comment.
Its truth is unavoidable with any open digital money transfer system. The security of the scheme cannot rely upon secure channels controlled by the bank (since it is an open system), so the items transferred must be entirely informational. Information doesn't obey conservation of mass, and so can't act as a token.

Eric

From dwa at mirage.svl.trw.com Fri Nov 18 11:26:08 1994
From: dwa at mirage.svl.trw.com (Dana Albrecht)
Date: Fri, 18 Nov 94 11:26:08 PST
Subject: Cash
Message-ID: <9411181925.AA26548@mirage.svl.trw.com>

>From alt.2600...

In article 8imYglW00iV8M5q0dV at andrew.cmu.edu, Andrew Lewis Tepper writes:
> Imbedded in 1991 series $20 bills (and I assume all later and higher
> bills) are thin plastic(?) strips with metallic writing on them. If
> you're careful you can remove them with a razorblade by slitting the
> bill's top edge and gently pulling it out. I've heard that airports will
> soon have "Money Detectors" that will count total cash carried per
> person. I'd like to figure out how the system works. I also think it
> would be cool for people to collect all the strips in any money they
> ever came in contact with and keep those in their wallets. Soon it would
> look like everyone was walking around with $100K's of cash, rendering
> their system useless.
>
> Andy
>

In article oh9 at crl2.crl.com, eric at crl.com (Eric Fredricksen) writes:
> Anarch (anarch at cse.ucsc.edu) wrote:
> : They're in tens, too (don't know about ones and fives). I've never been
> : able to remove one completely, but I've exposed the ends. Do you know
> : how many there are in each bill, and where? I know in tens there's at
> : least one, about a fifth of the way in from the left side (looking at
> : the front).
>
> They're easy to remove. Just rip the bill diagonally from the edge to
> the strip on either side of it, and pull the little triangle you just
> made. The strip comes with it. Show it to your friends.
>

Assuming this is true, it would seem that even good, old fashioned, paper currency doesn't provide the level of anonymity that one would think. Scary...

Dana W. Albrecht
dwa at mirage.svl.trw.com

From jamiel at sybase.com Fri Nov 18 11:50:09 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Fri, 18 Nov 94 11:50:09 PST
Subject: Cash
Message-ID:

At 12:25 PM 11/18/94, Dana Albrecht wrote:
>>From alt.2600...
>
>In article 8imYglW00iV8M5q0dV at andrew.cmu.edu, Andrew Lewis Tepper
> writes:
>> bill's top edge and gently pulling it out. I've heard that airports will
>> soon have "Money Detectors" that will count total cash carried per
>> person. I'd like to figure out how the system works. I also think it

This one has been flying around ever since the strips were put in place. It has been refuted as technically infeasible. (I don't remember the exact argument, it had to do with the strips being mostly nonreactive and there being no real way to count how many/what denomination is in a stack.)

>Assuming this is true, it would seem that even good, old fashioned,
>paper currency doesn't provide the level of anonymity that one
>would think. Scary...

Also, realize that some places do look for that strip and if you pull it it might not be accepted (most places that check only look at $50s and $100s, though).

-j

From eb at comsec.com Fri Nov 18 12:08:35 1994
From: eb at comsec.com (Eric Blossom)
Date: Fri, 18 Nov 94 12:08:35 PST
Subject: DECEMBER '94: Object/Document Security BOF
Message-ID: <199411181952.LAA09229@comsec.com>

Group Name: Object/Document Security BOF (ios)
IETF Area : Security Area
Date/Time : Wednesday, December 7, 1994 0930-1200
===============

The purpose of this BOF is to present information and to discuss ideas associated with document/object security, store and forward security, and third-party security services. The general idea of creating protected objects (e.g.
signed documents, encrypted files) which can be accessed and transferred by a variety of applications is being discussed in several contexts - store and forward extensions to GSSAPI, PEM-MIME work, www security, etc. We would like to discuss requirements and constraints for a general capability for protected objects and explore the need for a common approach to providing these types of services.

The BOF is scheduled for 9:30am Wednesday December 7th. The IOS (Information Object Security) BOF is within the Security Directorate. If you're interested in this area, we hope you can attend.

We are planning to present some of our ideas on the requirements and goals for general protected objects as well as details on an Information Object Security project BBN is currently working on for ARPA (short summary below). This project has developed security tools for protection of documents and objects as well as for invoking and performing trusted third party services.

We're looking for anyone else who would like agenda time to either present specific work/ideas or to discuss requirements and other contexts for protected objects. If you'd like to volunteer either send a message to jlowry at bbn.com or just show up and we can sort out the agenda there.

Finally there will be a discussion to determine whether there is interest in continuing. Should a mailing-list be formed? Is there enough interest and focus to attempt creation of a working group charter?

After the BOF, we're prepared to demonstrate prototype IOS tools for any interested parties.

******** IOS Project

These tools allow the users to apply multiple parallel and sequential signatures and annotations to objects/documents, and to provide access control and confidentiality protections to these objects/documents. There are a number of utilities available to perform certificate validation and maintain a cache of certificates. Included in the tool set is an ASN.1 to C++ compiler.
Third-party services are also under investigation and the issues of a trusted time-stamp server, third-party involvement in non-repudiation, and proof of delivery, submission, and receipt are addressed.

Documents describing the IOS project tools and architecture are available for anonymous ftp from the server ftp.bbn.com in the directory /pub/outgoing/ios_docs.

From eb at comsec.com Fri Nov 18 12:28:39 1994
From: eb at comsec.com (Eric Blossom)
Date: Fri, 18 Nov 94 12:28:39 PST
Subject: I-D ACTION:draft-atkinson-ipng-sec-00.txt
Message-ID: <199411181954.LAA09252@comsec.com>

A New Internet-Draft is available from the on-line Internet-Drafts directories.

   Title     : IPv6 Security Architecture
   Author(s) : R. Atkinson
   Filename  : draft-atkinson-ipng-sec-00.txt
   Pages     : 13
   Date      : 11/16/1994

The Internet community is making a transition from version 4 of the Internet Protocol (IPv4) to version 6 of the Internet Protocol (IPv6). [Hi94] This memo describes the security mechanisms integrated into version 6 of the Internet Protocol (IPv6) and the services that they provide. Each security mechanism is specified in a separate document. It also describes how security mechanisms outside the scope of the IPng effort (e.g. key management) relate to the IPv6 security mechanisms.

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-atkinson-ipng-sec-00.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-atkinson-ipng-sec-00.txt

Internet-Drafts directories are located at:

   o Africa          Address: ftp.is.co.za (196.4.160.2)
   o Europe          Address: nic.nordu.net (192.36.148.17)
   o Pacific Rim     Address: munnari.oz.au (128.250.1.21)
   o US East Coast   Address: ds.internic.net (198.49.45.10)
   o US West Coast   Address: ftp.isi.edu (128.9.0.32)

Internet-Drafts are also available by mail. Send a message to: mailserv at ds.internic.net.
In the body type: "FILE /internet-drafts/draft-atkinson-ipng-sec-00.txt".

NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

For questions, please mail to Internet-Drafts at cnri.reston.va.us.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bin00001.bin
Type: application/octet-stream
Size: 76 bytes
Desc: "draft-atkinson-ipng-sec-00.txt"
URL:

From tcmay at netcom.com Fri Nov 18 12:30:34 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Fri, 18 Nov 94 12:30:34 PST
Subject: The Thread Thread
In-Reply-To: <9411181925.AA26548@mirage.svl.trw.com>
Message-ID: <199411182029.MAA11178@netcom13.netcom.com>

The "thread thread," about plastic/metallic threads placed in currency to track our purchases and control our movements, has come up again. (I'm reminded to put something in the Cyphernomicon FAQ about it!)

* The threads are an anti-counterfeiting measure, so far as is known. (I saw a "Nova" episode of counterfeiting, and this was the reason given. Consistent with the physics, too.)

* A tiny thread cannot be readily detected by "airport scanners," nor by even longer-distance scanners, unless the gain on the detector is turned up so high that many other things trigger the detector. If the threads are mostly plastic, with discontiguous metallic writing on them, then the detection problem is even harder.
(Caveat: I admit the slim possibility that detectors could be tuned to resonate with the precise _length_ of such threads. Maybe. Easily thwarted by snipping, scratching, folding, and of course, RF shielding.) Dana Albrecht wrote (quoting from alt.2600) > > Imbedded in 1991 series $20 bills (and I assume all later and higher > > bills) are thin plastic(?) strips with metallic writing on them. If > > you're careful you can remove them with a razorblade by slitting the > > bill's top edge and gently pulling it out. I've heard that airports will > > soon have "Money Detectors" that will count total cash carried per > > person. I'd like to figure out how the system works. I also think it > > would be cool for people to collect all the strips in any money they > > ever came in contact with and keep those in their wallets. Soon it would > > look like everyone was walking around with $100K's of cash, rendering > > their system useless. Yeah, right. Everybody does this and the _total number of threads_ increases. Nope. Think about it. > Assuming this is true, it would seem that even good, old fashioned, > paper currency doesn't provide the level of anonymity that one > would think. Scary... > > Dana W. Albrecht Don't believe everything you read. Imagine what the simplest measures, like folding your currency and placing it in anything metallic would do. (For the paranoid, money clips are usually metal. Some are even full enclosures. Are these to be banned? I don't want to sound insulting here. Some conspiracy theories are interesting, plausible, and worthy of concern. All I'm suggesting is that people do some "due diligence" in estimating the likelihood of something being true. For example, another chestnut is the one about how cable t.v. boxes will be able to use the LED displays as a _camera_ to send pictures back to Big Brother. 
Simple physics, as well as the bandwidths and configurations involved, shows how implausible this is....and yet this urban legend shows up every few months--even here. Did you know that flashing your headlights during the day will cause gang members to respond by killing you? I know someone who says they saw it happen. Police agencies around the country are warning people not to flash their headlights during the day. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From eb at comsec.com Fri Nov 18 12:30:54 1994 From: eb at comsec.com (Eric Blossom) Date: Fri, 18 Nov 94 12:30:54 PST Subject: I-D ACTION:draft-atkinson-ipng-esp-00.txt Message-ID: <199411181955.LAA09263@comsec.com> A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : IPv6 Encapsulating Security Payload (ESP) Author(s) : R. Atkinson Filename : draft-atkinson-ipng-esp-00.txt Pages : 12 Date : 11/16/1994 This memo describes the IPv6 Encapsulating Security Payload (ESP). ESP seeks to provide integrity and confidentiality to IPv6 datagrams. It may also provide authentication, depending on which algorithm and algorithm mode are used. Non-repudiation and protection from traffic analysis are not provided by ESP. The IPv6 Authentication Header (AH) might provide non-repudiation if used with certain authentication algorithms. The IPv6 Authentication Header may be used in conjunction with ESP to provide authentication. 
Users desiring integrity and authentication without confidentiality should use the IPv6 Authentication Header (AH) instead of ESP. This document assumes that the reader is familiar with the related document "IPv6 Security Architecture", which defines the overall security architecture for IPv6 and provides important background for this specification. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-atkinson-ipng-esp-00.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-atkinson-ipng-esp-00.txt Internet-Drafts directories are located at: o Africa Address: ftp.is.co.za (196.4.160.2) o Europe Address: nic.nordu.net (192.36.148.17) o Pacific Rim Address: munnari.oz.au (128.250.1.21) o US East Coast Address: ds.internic.net (198.49.45.10) o US West Coast Address: ftp.isi.edu (128.9.0.32) Internet-Drafts are also available by mail. Send a message to: mailserv at ds.internic.net. In the body type: "FILE /internet-drafts/draft-atkinson-ipng-esp-00.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. For questions, please mail to Internet-Drafts at cnri.reston.va.us. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: bin00002.bin Type: application/octet-stream Size: 76 bytes Desc: "draft-atkinson-ipng-esp-00.txt" URL: From mpd at netcom.com Fri Nov 18 12:32:35 1994 From: mpd at netcom.com (Mike Duvos) Date: Fri, 18 Nov 94 12:32:35 PST Subject: Cash In-Reply-To: <9411181925.AA26548@mirage.svl.trw.com> Message-ID: <199411182032.MAA16783@netcom16.netcom.com> dwa at mirage.svl.trw.com (Dana Albrecht) writes: >> I've heard that airports will soon have "Money Detectors" >> that will count total cash carried per person. I'd like to >> figure out how the system works. > Assuming this is true, it would seem that even good, old > fashioned, paper currency doesn't provide the level of > anonymity that one would think. Scary... The strips are part of a program by the Feds to gradually introduce features into currency which cannot be replicated on high resolution digital color copiers. I know of no technology that would allow the strips to be detected at a distance which would also be inexpensive enough to use in every bill and pose no health risks to the person carrying the money. Sounds like an urban myth to me, but I am willing to listen if someone wishes to provide a plausible alternative explanation. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From eb at comsec.com Fri Nov 18 12:35:44 1994 From: eb at comsec.com (Eric Blossom) Date: Fri, 18 Nov 94 12:35:44 PST Subject: I-D ACTION:draft-atkinson-ipng-auth-00.txt Message-ID: <199411181956.LAA09274@comsec.com> A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : IPv6 Authentication Header Author(s) : R. Atkinson Filename : draft-atkinson-ipng-auth-00.txt Pages : 10 Date : 11/16/1994 The Internet community is working on a transition from version 4 of the Internet Protocol (IPv4) to version 6 of the Internet Protocol (IPv6). This memo describes the IPv6 Authentication Header. This optional header provides strong integrity and authentication for IPv6 datagrams.
Non-repudiation might be provided by an authentication algorithm used with the Authentication Header, but it is not provided with all authentication algorithms that might be used. Confidentiality, and protection from traffic analysis are not provided by the Authentication Header. Users desiring confidentiality should consider using the IPv6 Encapsulating Security Protocol (ESP) either in lieu of or in conjunction with the Authentication Header. [NB: All references to "IPv6 Encapsulating Security Protocol" will be replaced with references to the "IPv6 Security Protocol (IPSP)" if/when such a document appears as an online Internet Draft]. This document assumes the reader has previously read and understood the related "IPv6 Security Overview" document which defines the overall security architecture for IPv6 and provides important background information for this specification. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-atkinson-ipng-auth-00.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-atkinson-ipng-auth-00.txt Internet-Drafts directories are located at: o Africa Address: ftp.is.co.za (196.4.160.2) o Europe Address: nic.nordu.net (192.36.148.17) o Pacific Rim Address: munnari.oz.au (128.250.1.21) o US East Coast Address: ds.internic.net (198.49.45.10) o US West Coast Address: ftp.isi.edu (128.9.0.32) Internet-Drafts are also available by mail. Send a message to: mailserv at ds.internic.net. In the body type: "FILE /internet-drafts/draft-atkinson-ipng-auth-00.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. 
Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. For questions, please mail to Internet-Drafts at cnri.reston.va.us. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. -------------- next part -------------- A non-text attachment was scrubbed... Name: bin00000.bin Type: application/octet-stream Size: 76 bytes Desc: "draft-atkinson-ipng-auth-00.txt" URL: From perry at imsi.com Fri Nov 18 12:45:15 1994 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 18 Nov 94 12:45:15 PST Subject: I-D ACTION:draft-atkinson-ipng-auth-00.txt In-Reply-To: <199411181956.LAA09274@comsec.com> Message-ID: <9411182044.AA12940@snark.imsi.com> Some of us are participants in the IETF, are even on the IPSEC working group, and are well aware of the pending work on IPng and IPv4 security, and don't want Yet Another Copy of these things. If you insist, why not just note that there are drafts pending and not forward each of the announcement messages? Perry Eric Blossom says: > --NextPart > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > Title : IPv6 Authentication Header From frissell at panix.com Fri Nov 18 12:47:16 1994 From: frissell at panix.com (Duncan Frissell) Date: Fri, 18 Nov 94 12:47:16 PST Subject: Cash Message-ID: <199411182046.AA16284@panix.com> At 11:25 AM 11/18/94 PST, Dana Albrecht wrote: >Assuming this is true, it would seem that even good, old fashioned, >paper currency doesn't provide the level of anonymity that one >would think. Scary... > A couple of weeks ago, I paid a utility bill with a $50 FRN. I was amused(?) 
to see the clerk put the bill into the same printer they use to print a little strip of payment receipt info on the bottom of your printed bill and also on the bottom of some of their paperwork. I guess they wanted to trace the bill back to my account if it turned out to be phony. DCF ************************************************************************* ATMs, Contracting Out, Digital Switching, Downsizing, EDI, Fax, Fedex, Home Workers, Internet, Just In Time, Leasing, Mail Receiving, Phone Cards, Quants, Securitization, Temping, Voice Mail. From adam.philipp at ties.org Fri Nov 18 12:54:50 1994 From: adam.philipp at ties.org (Adam Philipp) Date: Fri, 18 Nov 94 12:54:50 PST Subject: Cash Message-ID: >At 12:25 PM 11/18/94, Dana Albrecht wrote: >>>From alt.2600... >>> bill's top edge and gently pulling it out. I've heard that airports will >>> soon have "Money Detectors" that will count total cash carried per >>> person. I'd like to figure out how the system works. It does not work. >This one has been flying around ever since the strips were >put in place. It has been refuted as technically infeasible. >(I don't remember the exact argument, it had to do with the >strips being mostly nonreactive and there being no real way to >count how many/what denomination is in a stack.) Correct. A number of people have run tests on the strips (no, I didn't archive the articles, they were about 5-6 months back) and they are just what they appear to be, inert plastic strips put in there to make faking money more difficult. Many paper currencies around the world use plastic or metal foil strips in their money to make the bills more difficult to reproduce. I am familiar with the Israeli shekel (NIS) that has had foil strips in it for years...
The main problem with detecting the strips is that it is fairly trivial to have a detector that will determine if some strips have gone through, but having one that detects with any accuracy would be difficult to manufacture and still keep paper currency proportionately cheap. I suppose mini-transmitters in the 400 or so $10,000 bills might not be too far fetched, but it seems ridiculous. >>Assuming this is true, it would seem that even good, old fashioned, >>paper currency doesn't provide the level of anonymity that one >>would think. Scary... Assuming many falsehoods is scary... Now if only I could finish my mind reading apparatus... Chalk this up with the FCC licensing modems and MAKE.MONEY.FAST Adam -- PGP Key available on the keyservers. Encrypted E-mail welcome. Sub rosa: Confidential, secret, not for publication. -Black's Law Dictionary From adam at bwh.harvard.edu Fri Nov 18 13:07:46 1994 From: adam at bwh.harvard.edu (Adam Shostack) Date: Fri, 18 Nov 94 13:07:46 PST Subject: I-D ACTION:draft-ietf-pppext-encryption-00.txt (fwd) Message-ID: <199411182024.PAA12077@bwh.harvard.edu> A while ago, someone asked about encrypted slip/ppp. Three new drafts are also available on security, authentication, and encapsulation for IPv6. Same place as the other drafts.
draft-atkinson-ipng-esp-00.txt draft-atkinson-ipng-sec-00.txt draft-atkinson-ipng-auth-00.txt | From ietf-announce-request at IETF.CNRI.Reston.VA.US Fri Nov 18 14:07:30 1994 | Mime-Version: 1.0 | Content-Type: Multipart/Mixed; Boundary="NextPart" | To: IETF-Announce:; | cc: ietf-ppp at merit.edu | Sender: ietf-announce-request at IETF.CNRI.Reston.VA.US | From: Internet-Drafts at CNRI.Reston.VA.US | Reply-to: Internet-Drafts at CNRI.Reston.VA.US | Subject: I-D ACTION:draft-ietf-pppext-encryption-00.txt | Date: Fri, 18 Nov 94 11:43:13 -0500 | X-Orig-Sender: cclark at CNRI.Reston.VA.US | Message-ID: <9411181143.aa04644 at IETF.CNRI.Reston.VA.US> | | --NextPart | | A New Internet-Draft is available from the on-line Internet-Drafts | directories. This draft is a work item of the Point-to-Point Protocol | Extensions Working Group of the IETF. | | Title : The PPP Encryption Control Protocol (ECP) | Author(s) : G. Meyer | Filename : draft-ietf-pppext-encryption-00.txt | Pages : 8 | Date : 11/17/1994 | | The Point-to-Point Protocol (PPP) [1] provides a standard method for | transporting multi-protocol datagrams over point-to-point links. | PPP also defines an extensible Link Control Protocol. | | This document defines a method for negotiating data encryption | over PPP links. | | Internet-Drafts are available by anonymous FTP. Login with the username | "anonymous" and a password of your e-mail address. After logging in, | type "cd internet-drafts" and then | "get draft-ietf-pppext-encryption-00.txt". 
| A URL for the Internet-Draft is: | ftp://ds.internic.net/internet-drafts/draft-ietf-pppext-encryption-00.txt | | Internet-Drafts directories are located at: | | o Africa | Address: ftp.is.co.za (196.4.160.2) | | o Europe | Address: nic.nordu.net (192.36.148.17) | | o Pacific Rim | Address: munnari.oz.au (128.250.1.21) | | o US East Coast | Address: ds.internic.net (198.49.45.10) | | o US West Coast | Address: ftp.isi.edu (128.9.0.32) | | Internet-Drafts are also available by mail. | | Send a message to: mailserv at ds.internic.net. In the body type: | "FILE /internet-drafts/draft-ietf-pppext-encryption-00.txt". | | NOTE: The mail server at ds.internic.net can return the document in | MIME-encoded form by using the "mpack" utility. To use this | feature, insert the command "ENCODING mime" before the "FILE" | command. To decode the response(s), you will need "munpack" or | a MIME-compliant mail reader. Different MIME-compliant mail readers | exhibit different behavior, especially when dealing with | "multipart" MIME messages (i.e., documents which have been split | up into multiple messages), so check your local documentation on | how to manipulate these messages. | | For questions, please mail to Internet-Drafts at cnri.reston.va.us. | | | Below is the data which will enable a MIME compliant mail reader | implementation to automatically retrieve the ASCII version | of the Internet-Draft. 
| | --NextPart | Content-Type: Multipart/Alternative; Boundary="OtherAccess" | | --OtherAccess | Content-Type: Message/External-body; | access-type="mail-server"; | server="mailserv at ds.internic.net" | | Content-Type: text/plain | Content-ID: <19941117165933.I-D at CNRI.Reston.VA.US> | | ENCODING mime | FILE /internet-drafts/draft-ietf-pppext-encryption-00.txt | | --OtherAccess | Content-Type: Message/External-body; | name="draft-ietf-pppext-encryption-00.txt"; | site="ds.internic.net"; | access-type="anon-ftp"; | directory="internet-drafts" | | Content-Type: text/plain | Content-ID: <19941117165933.I-D at CNRI.Reston.VA.US> | | --OtherAccess-- | | --NextPart-- | From perry at imsi.com Fri Nov 18 13:21:43 1994 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 18 Nov 94 13:21:43 PST Subject: pointers to IETF drafts In-Reply-To: <199411182115.NAA10128@gwarn.versant.com> Message-ID: <9411182120.AA12999@snark.imsi.com> The standard thing in these cases is to say "There are some neat RFC drafts on security in ftp://hostname/names; you might be interested." I have already gotten three other copies of each of the three messages associated with Ran's new IPng drafts because every security mailing list on earth seems to operate on the "just forward everything" premise. More aren't needed. strick -- henry strickland says: > THUS SPAKE "Perry E. Metzger" : > # > # Some of us are participants in the IETF, are even on the IPSEC working > # group, and are well aware of the pending work on IPng and IPv4 > # security, and don't want Yet Another Copy of these things. If you > # insist, why not just note that there are drafts pending and not > # forward each of the announcement messages? > > If he were to do that, people would ask (or at least wonder) > 1. just what is this? > and > 2. where can I get it? > > It turns out the announcement is only two or three pages long, > and about 1/3 of it answers question 1, > and the other 2/3 answers (for various clients) question 2.
> > I thought it was a very appropriate way of using the list -- > a good compromise between spamming and being silent. > I was able to quickly determine if I was interested (I was), > and use my favorite way to fetch it (since I'm not in metamail, > I grabbed the URLs and LYNXed them.) > > strick > From strick at versant.com Fri Nov 18 13:27:52 1994 From: strick at versant.com (strick -- henry strickland) Date: Fri, 18 Nov 94 13:27:52 PST Subject: pointers to IETF drafts In-Reply-To: <9411182044.AA12940@snark.imsi.com> Message-ID: <199411182115.NAA10128@gwarn.versant.com> THUS SPAKE "Perry E. Metzger" : # # Some of us are participants in the IETF, are even on the IPSEC working # group, and are well aware of the pending work on IPng and IPv4 # security, and don't want Yet Another Copy of these things. If you # insist, why not just note that there are drafts pending and not # forward each of the announcement messages? If he were to do that, people would ask (or at least wonder) 1. just what is this? and 2. where can I get it? It turns out the announcement is only two or three pages long, and about 1/3 of it answers question 1, and the other 2/3 answers (for various clients) question 2. I thought it was a very appropriate way of using the list -- a good compromise between spamming and being silent. I was able to quickly determine if I was interested (I was), and use my favorite way to fetch it (since I'm not in metamail, I grabbed the URLs and LYNXed them.) strick From snyderra at dunx1.ocs.drexel.edu Fri Nov 18 13:54:54 1994 From: snyderra at dunx1.ocs.drexel.edu (Bob Snyder) Date: Fri, 18 Nov 94 13:54:54 PST Subject: I-D ACTION:draft-atkinson-ipng-auth-00.txt In-Reply-To: <9411182044.AA12940@snark.imsi.com> Message-ID: <199411182152.QAA08885@dunx1.ocs.drexel.edu> Perry E.
Metzger scribbles: > Some of us are participants in the IETF, are even on the IPSEC working > group, and are well aware of the pending work on IPng and IPv4 > security, and don't want Yet Another Copy of these things. If you > insist, why not just note that there are drafts pending and not > forward each of the announcement messages? Because many, probably most of us aren't participants, and these items are of greater cryptological relevance than much, if not most, of the material on the list. How would a note about the drafts being pending and the posting of the announcement be significantly different? I appreciate the MIME encoding of the mail, since my MIME mail reader can go out and pull them for me. Bob From strick at versant.com Fri Nov 18 14:01:10 1994 From: strick at versant.com (strick -- henry strickland) Date: Fri, 18 Nov 94 14:01:10 PST Subject: pointers to IETF drafts In-Reply-To: <9411182120.AA12999@snark.imsi.com> Message-ID: <199411182159.NAA10356@gwarn.versant.com> THUS SPAKE "Perry E. Metzger" : # # The standard thing in these cases is to say "There are some neat RFC # drafts on security in ftp://hostname/names; you might be interested." Yeah, there's always neat RFC drafts on security out there; that hardly needs announcing. Which ones are new & interesting & why? # I have already gotten three other copies of each of the three messages # associated with Ran's new IPng drafts because every security mailing # list on earth seems to operate on the "just forward everything" # premise. More aren't needed. So the perfect solution, from your point of view, is that there be no announcement on cypherpunks. And the perfect solution, from my point of view, is that you unsubscribe from all those other lists, so that you only see one announcement. :) And the perfect solution, from everyone's point of view, is to have a real solution to the document-repost problem.
Like a cypherpunk registry web page where you post small announcements and pointers to things, with the ability to scan first and see if anyone else has done that. Then a periodic summary of new stuff gets mailed out on a regular basis, if there is new stuff to announce. Sounds like a good web project for someone ... strick From nobody at nately.UCSD.EDU Fri Nov 18 14:17:44 1994 From: nobody at nately.UCSD.EDU (Anonymous) Date: Fri, 18 Nov 94 14:17:44 PST Subject: The Thread Thread Message-ID: <9411182220.AA03008@nately.UCSD.EDU> Fri, 18 Nov 1994, Tim May writes: >* A tiny thread cannot be readily detected by "airport scanners," nor >by even longer-distance scanners, unless the gain on the detector is >turned up so high that many other things trigger the detector. > >If the threads are mostly plastic, with discontiguous metallic writing >on them, then the detection problem is even harder. This is just a quick thought...does anyone know what kind of metallic ink is used? To add to the conspiracy theory, say the metallic ink is radioactive with a higher radiation count for higher dollar amounts--would it be implausible then to have some sort of radiation counter to gauge a person's total 'radiation count,' and thereby approximate how much currency they are carrying out of the country? I wouldn't take the above seriously though.... All men recognize the right of revolution; that is, the right to refuse allegiance to, and to resist the government, when its tyranny or its inefficiency are great and unendurable. From Thoreau's "Civil Disobedience" From jamiel at sybase.com Fri Nov 18 14:34:26 1994 From: jamiel at sybase.com (Jamie Lawrence) Date: Fri, 18 Nov 94 14:34:26 PST Subject: Crypto junkmail detector (Was: Re: pointers to IETF drafts) Message-ID: At 2:20 PM 11/18/94, Perry E.
Metzger wrote: >I have already gotten three other copies of each of the three messages >associated with Ran's new IPng drafts because every security mailing >list on earth seems to operate on the "just forward everything" >premise. More aren't needed. Hm... Maybe a procmail routine to call MD5 on each incoming message body and compare it to the hashes of the last 100 messages you received could solve this problem. From DonMelvin at marlin.ssnet.com Fri Nov 18 14:45:49 1994 From: DonMelvin at marlin.ssnet.com (DonMelvin at marlin.ssnet.com) Date: Fri, 18 Nov 94 14:45:49 PST Subject: Cash In-Reply-To: Message-ID: <9411182243.AA23704@marlin.ssnet.com> I got information from my Senator on the proposed new currency. Not the recent changes, but the new bills coming in a year or two. He got it from the Treasury (big letters across the top) but the FAX id info says DEA. It mentions 'Machine Detectable Thread' and "Additional Machine-Detection Features' but does not elaborate. If it's machine trackable (I remember hearing about machine readable serial numbers a couple of years ago) we can always set up cash exchanges. Might even be able to make a profit at it! -- America - a country so rich and so strong we can reward the lazy and punish the productive and still survive (so far) Don Melvin storm at ssnet.com finger for PGP key. From sdw at lig.net Fri Nov 18 15:07:22 1994 From: sdw at lig.net (Stephen D. Williams) Date: Fri, 18 Nov 94 15:07:22 PST Subject: Imminent death of Corporations Predicted In-Reply-To: <199411101806.KAA10795@netcom8.netcom.com> Message-ID: ... > L. McCarthy writes > > True, but it happened to Wozniak & Jobs. John Sculley came from Pepsi. > > Of course, you may wish to argue against Apple being considered successful > > under Sculley ;) Details have finally started to fade, but Atari was done in partially by being purchased and a manager from Pepsi, I think. Tramiel was too late. Also via poor contracts with Amiga's design company I would expect.
sdw -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Feb95!!! OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From nobody at nately.UCSD.EDU Fri Nov 18 15:07:33 1994 From: nobody at nately.UCSD.EDU (Anonymous) Date: Fri, 18 Nov 94 15:07:33 PST Subject: Cash Message-ID: <9411182310.AA04328@nately.UCSD.EDU> Fri, 18 Nov 94 11:25:55 PST Dana Albrecht writes: >In article oh9 at crl2.crl.com, eric at crl.com (Eric Fredricksen) writes: >> Anarch (anarch at cse.ucsc.edu) wrote: >> : They're in tens, too (don't know about ones and fives). I've never been >> : able to remove one completely, but I've exposed the ends. Do you know >> : how many there are in each bill, and where? I know in tens there's at >> : least one, about a fifth of the way in from the left side (looking at >> : the front). >> >> They're easy to remove. Just rip the bill diagonally from the edge to >> the strip on either side of it, and pull the little triangle you just >> made. The strip comes with it. Show it to your friends. >> > >Assuming this is true, it would seem that even good, old fashioned, >paper currency doesn't provide the level of anonymity that one >would think. Scary... > >Dana W. Albrecht >dwa at mirage.svl.trw.com The plastic strips are not in fives or ones, but are in tens and higher. All the strip says is USA and give the dollar amount in metallic ink. Fri, 18 Nov 1994 11:55:46 -0700, Jamie Lawrence writes: >Also, realize that some places to look for that strip and if you >pull it it might not be accepted (most places that check only look >at $50s and $100s, though). > >-j What would be interesting to note is whether it is *illegal* to remove the strips. 
I don't think that banks, et al. would seriously refuse to accept this money as a deposit (or for change, etc.) simply because at the moment there is too much pre-1991 money floating about, and it would be cumbersome to check each and every piece of currency. Then again, I've often tried to get pre-1991 money simply because I do not wish to deal in post-1991 dollars with strips (humor me) and have been told by tellers that they have no pre-1991 money. All men recognize the right of revolution; that is, the right to refuse allegiance to, and to resist the government, when its tyranny or its inefficiency are great and unendurable. From Thoreau's "Civil Disobedience" From DonMelvin at marlin.ssnet.com Fri Nov 18 15:12:37 1994 From: DonMelvin at marlin.ssnet.com (DonMelvin at marlin.ssnet.com) Date: Fri, 18 Nov 94 15:12:37 PST Subject: Cash In-Reply-To: Message-ID: <9411182310.AA24811@marlin.ssnet.com> The wise _Adam Philipp_ is known to have said... > The main problem with detecting the strips is that it is fairly trivial > to have a detector that will determine if some strips have gone through, but > having one that detects with any accuracy would be difficult to manufacture > and still keep paper currency proportionately cheap. I suppose > mini-transmitters in the 400 or so $10,000 bills might not be too far > fetched, but it seems ridiculous. I thought all the $10,000 had been accounted for. Are there really some left running around? Any idea how much one is worth? Last time I heard of a $1000 going to auction, it sold in excess of $7000. -- America - a country so rich and so strong we can reward the lazy and punish the productive and still survive (so far) Don Melvin storm at ssnet.com finger for PGP key.
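Jamie Lawrence's suggestion earlier in this digest (MD5 each incoming message body and compare it with the hashes of the last 100 messages) can be implemented as a small mail filter. This is an added example, not code from any list member; the function and class names, the stripping of ">", "|" and "#" quote markers, the on-disk digest file and the sample messages are assumptions made here.

```python
"""Body-hash duplicate detector for incoming mail (added example)."""
import hashlib
import re
import sys
from collections import deque
from email import message_from_bytes
from pathlib import Path

WINDOW = 100  # "the last 100 messages", as in the suggestion

# Leading quote markers used by forwarders on this list: ">", "|" and "#".
_QUOTE_PREFIX = re.compile(r"^\s*(?:[>|#]\s?)+")


def normalized_body(raw: bytes) -> str:
    """Return the text body with headers, quote markers and layout removed."""
    msg = message_from_bytes(raw)
    words = []
    for part in msg.walk():
        # Only leaf text parts contribute; headers never do, so the same
        # announcement relayed by two lists yields the same word sequence.
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        for line in payload.decode("latin-1").splitlines():
            words.extend(_QUOTE_PREFIX.sub("", line).split())
    return " ".join(words)


def body_digest(raw: bytes) -> str:
    """MD5 of the normalized body: a dedup fingerprint, not a security control."""
    return hashlib.md5(normalized_body(raw).encode("utf-8")).hexdigest()


class RecentBodies:
    """Sliding window of recent body digests, optionally persisted to a file."""

    def __init__(self, path=None, window=WINDOW):
        self.path = Path(path) if path else None
        seen = []
        if self.path and self.path.exists():
            seen = self.path.read_text().split()
        self._recent = deque(seen, maxlen=window)

    def is_duplicate(self, raw: bytes) -> bool:
        digest = body_digest(raw)
        if digest in self._recent:
            return True
        self._recent.append(digest)  # the oldest digest drops off at `window`
        if self.path:
            self.path.write_text("\n".join(self._recent) + "\n")
        return False


# Constructed sample messages: one announcement arriving via two lists,
# the second copy re-wrapped and quoted with "| ", plus an unrelated message.
ANNOUNCEMENT_VIA_LIST_A = (
    b"From: drafts@example.org\n"
    b"Subject: I-D ACTION: draft-example-00.txt\n"
    b"Message-ID: <1@list-a.example.org>\n"
    b"\n"
    b"A New Internet-Draft is available from the on-line\n"
    b"Internet-Drafts directories.\n"
    b"\n"
    b"  Title    : Example Draft\n"
)
ANNOUNCEMENT_VIA_LIST_B = (
    b"From: forwarder@example.net\n"
    b"Subject: (fwd) I-D ACTION: draft-example-00.txt\n"
    b"Message-ID: <2@list-b.example.net>\n"
    b"\n"
    b"| A New Internet-Draft is available from the on-line Internet-Drafts\n"
    b"| directories.\n"
    b"|\n"
    b"|   Title : Example Draft\n"
)
UNRELATED = (
    b"From: someone@example.org\n"
    b"Subject: Cash\n"
    b"\n"
    b"The strips are an anti-counterfeiting measure.\n"
)

if __name__ == "__main__":
    # Filter mode: message on stdin, optional digest file as argv[1];
    # exit status 0 means "repeat", so a delivery rule can test it.
    store = RecentBodies(path=sys.argv[1] if len(sys.argv) > 1 else None)
    sys.exit(0 if store.is_duplicate(sys.stdin.buffer.read()) else 1)
```

An exact body hash only catches verbatim re-forwards: a copy that arrives with a line of commentary added above the announcement hashes differently and passes through.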
From an234 at vox.xs4all.nl Fri Nov 18 15:22:40 1994 From: an234 at vox.xs4all.nl (an234 at vox.xs4all.nl) Date: Fri, 18 Nov 94 15:22:40 PST Subject: mail-to-usenet Message-ID: <199411182322.AA29559@xs1.xs4all.nl> -----BEGIN PGP SIGNED MESSAGE----- On Fri, 18 Nov 1994, Anonymous wrote: > Can someone please list the mail-to-news gateways that are available, > and any discrepancies about message acceptance based on SUBJECT: line. > >Thanks, > >- spooge Many remailers offer a mail-to-usenet feature. From Raph Levien's most recent list of reliable remailers: [....] > You can also get this list by fingering > remailer-list at kiwi.cs.berkeley.edu. >$remailer{"vox"} = " cpunk pgp. post"; >$remailer{"avox"} = " cpunk pgp post"; [...] >$remailer{"penet"} = " penet post"; [...] >$remailer{"usura"} = " cpunk pgp. hash latent cut post"; >$remailer{"desert"} = " cpunk pgp. post"; >$remailer{"underdog"} = " cpunk pgp hash > latent cut post"; [...] >$remailer{"xs4all"} = " cpunk pgp hash latent cut > post ek"; >$remailer{"flame"} = " cpunk pgp hash latent cut > post ek"; [....] > Options and features [...] > post > Post to Usenet using Post-To: or Anon-Post-To: header. [....] In addition, here are the names and syntax requirements of the mail-to-usenet gateways that I know of. Most of these I got by fingering remailer-list at chaos.bsu.edu a few months ago. I make no claims that this list is either current or complete. Additions and corrections are welcome.

group.name at demon.co.uk
group.name at news.demon.co.uk
group.name at bull.com
group.name at cass.ma02.bull.com
group.name at undergrad.math.uwaterloo.ca
group.name at charm.magnus.acs.ohio-state.edu
group.name at comlab.ox.ac.uk
group.name at nic.funet.fi
group.name at cs.dal.ca
group.name at ug.cs.dal.ca
group.name at paris.ics.uci.edu (removes headers)
group.name.usenet at decwrl.dec.com (preserves all headers)
group.name at cs.texas.edu
group.name at myriad.pc.cc.cmu.edu

Note: mail-to-usenet gateways do not anonymize messages before posting. If you want to post anonymously use a remailer to send mail to the gateway.

As far as your "message acceptance based on SUBJECT: line," I have never heard of any restrictions.

Trying to be helpful,

N. Cognito

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLs01AqL3ipYu3mvVAQFG4QP/aGoTU6T1BYR+oN9xNQTqwMDrMn8HPcjb
BL+hoe7RSf2mOQP2Ulzl/oHycshuSRkhdkquHscWXBuHEuSo4DAvQwXxncC9eGOr
OCoBEyE9C3kWFSsMz0kUsiIrLU3nTQiriv+FlLeyzZMEEP0xBKoEyq5y+kC49av+
mxol9O4427Y=
=p9ST
-----END PGP SIGNATURE-----

From lmccarth at ducie.cs.umass.edu Fri Nov 18 15:32:17 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Fri, 18 Nov 94 15:32:17 PST
Subject: working group draft announcements
In-Reply-To: <199411182152.QAA08885@dunx1.ocs.drexel.edu>
Message-ID: <199411182332.SAA28162@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Bob Snyder writes:
> How would a note about the drafts being pending and the posting of the
> announcement be significantly different? I appreciate the MIME
> encoding of the mail, since my MIME mail reader can go out and pull
> them for me.

Speaking of which, can anyone explain why my usually-MIME-compliant mail reader (ELM 2.4 PL22) pukes on the fancy parts of all these draft announcements ? Personally, I find MIMEd messages very annoying because I'm forced to hit RETURN (not just "any key") several extra times for each message.
{Luckily, it's clear that I'd never have time to read any of these, so they get tossed in the bit bucket almost immediately.}

- -L. McCarthy

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLs05aWf7YYibNzjpAQGFKgP7BoFckFIIQ7GzoPiqExUWesbVHi0r4zjp
yD/d2ipLQA6ii8VDMviJ6Y2j3wyxk5gNDYBgkHG56D57gD0SwJL8tlCUgvQDkprM
AsCiu4ojNDVAdt+jppITPimMIUM5gRRh7uuMcjzunI6PDl3056H+ZGQXJAJV9g21
34UaRN4mSfQ=
=jH2A
-----END PGP SIGNATURE-----

From lmccarth at ducie.cs.umass.edu Fri Nov 18 15:52:11 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Fri, 18 Nov 94 15:52:11 PST
Subject: mail-to-news gateways
In-Reply-To: <199411181534.KAA17229@bsu-cs.bsu.edu>
Message-ID: <199411182341.SAA28240@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

spooge writes:
> Can someone please list the mail-to-news gateways that are available,
> and any discrepancies about message acceptance based on SUBJECT: line.

The following is an excerpt from the result of "finger remailer.help.all at chaos.bsu.edu":

- ----------------------------------------------------------------------------
Anonymous postings to usenet can be made by sending anonymous mail to one of the following mail-to-usenet gateways (but the news gateways themselves do not make the message anonymous):

group.name at demon.co.uk
group.name at news.demon.co.uk
group.name at bull.com
group.name at cass.ma02.bull.com
group.name at charm.magnus.acs.ohio-state.edu
group.name at comlab.ox.ac.uk
group.name at myriad.pc.cc.cmu.edu (Supports crossposting)
group.name at paris.ics.uci.edu (removes headers)
group.name.usenet at decwrl.dec.com (Preserves all headers)
group.name at undergrad.math.uwaterloo.ca (?)
group.name at nic.funet.fi (?)
group.name at cs.dal.ca (?)
group.name at ug.cs.dal.ca (?)

The mail-to-news gateways do not anonymize messages; you must use a remailer if you want the message to be posted anonymously. Not all gateways support all newsgroups.
You may have to try several to find one that supports the groups you wish to post to. It would also be advisable to try a post to alt.test before relying on any such system to function as expected. Also note the special syntax required at dec.com (add .usenet).

In addition, you can cross-post to several newsgroups by adding the header Newsgroups: with the names of the groups you want to post to and sending it to mail2news at demon.co.uk or mail2news at myriad.pc.cc.cmu.edu (Use the ## feature with the remailers to add the header line)
- ------------------------------------------------------------------------------

There's also the UTexas CS mail-to-news gateway (not sure why it's not on this list). Basic format is (note use of '-' in place of '.' in group names):

group-name at cs.utexas.edu

-L. Futplex McCarthy; use "Subject: remailer-help" for an autoreply
PGP key by finger or server;
"Better watch what you say, or they'll be calling you a radical...a liberal" --Supertramp
"[CIA/KGB mole Aldrich Ames] took information in shopping bags out the front door" --miscellaneous Congressperson

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLs07iGf7YYibNzjpAQGjFwP/ZUWL44qEIJKvPps5b9z5g8z08gPYfqU2
kkxuhZKWLkK7rLqmu+JPh/GL7AUh9BjULAYWGpTAN4eIbUgD4b2zgoPAev0Un/D9
H7lK8bb2hgI42eGB1i+8CzyMKYVtuzMQ6eEhX9rpU2zwViZ020lb2JyxfyiemBHe
A2hyb61AkTY=
=pX19
-----END PGP SIGNATURE-----

From cactus at bb.hks.net Fri Nov 18 15:57:07 1994
From: cactus at bb.hks.net (L. Todd Masco)
Date: Fri, 18 Nov 94 15:57:07 PST
Subject: pointers to IETF drafts
In-Reply-To: <199411182159.NAA10356@gwarn.versant.com>
Message-ID: <3ajf72$65j@bb.hks.net>

In article <199411182159.NAA10356 at gwarn.versant.com>, strick -- henry strickland wrote:
>So the perfect solution, from your point of view,
>is that there be no announcement on cypherpunks.

Oh, please.
You can announce them without sending them out verbatim to the entire world: established net procedure is to just post a pointer to anything really huge instead of spamming every mailing list where people might be interested.

If you want to note why they're interesting, you can explain that with the pointer and provide a real service: people are unlikely to read huge volumes unless you have a reputation for sending Really Interesting Stuff (IE, if Bruce Schneier posted something huge, it'd get read more than if I posted something huge).

--
Todd Masco | "I'd rather have my country die for me." - P Kantner
cactus at hks.net | "But for now, only our T-shirts cry 'freedom!'." - Fish

From wcs at anchor.ho.att.com Fri Nov 18 16:20:52 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 18 Nov 94 16:20:52 PST
Subject: Cash
Message-ID: <9411190018.AA08899@anchor.ho.att.com>

> Assuming this is true, it would seem that even good, old fashioned,
> paper currency doesn't provide the level of anonymity that one
> would think. Scary...

Hasn't really provided it for quite a while, as long as there's an infrastructure to track serial numbers (you've presumably noticed that each bill has a unique serial number, except for counterfeits and maybe printing glitches.) It's quite possible to record the serial numbers of bills before distributing them in applications such as ransom payments or drug-buying stings, and wouldn't be too hard, with current scanning technology, to track them at banks, tax offices, etc. (Of course, neither AT&T GIS (aka NCR) nor Diebold currently makes ATMs with serial-number scanners in them, but it wouldn't be hard to require banks to scan the bills before filling the cash machines.)

During one of the "Government's going to replace our Real American Greenbacks with Pink(o) Money" scares before the plastic-strip money arrived, USA Today had an article in their money section showing dollar bills with bar-codes instead of the Arabic-numeral serial number.

Bill

From wcs at anchor.ho.att.com Fri Nov 18 16:25:55 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 18 Nov 94 16:25:55 PST
Subject: Online Fraud Case Settled
Message-ID: <9411190023.AA08929@anchor.ho.att.com>

According to a story on the radio, the "Online Fraud" that Chase Consulting is accused of advertising ($99 credit repair) was really a kit for obtaining a new identity. Certainly wouldn't want to have folks selling *those*......

(Though I'd certainly object if somebody charged me money for telling me that a way around my credit problems was to change my name, unless that's the kind of thing I really *wanted* to do.)

From wcs at anchor.ho.att.com Fri Nov 18 16:35:24 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 18 Nov 94 16:35:24 PST
Subject: S-HTTP
Message-ID: <9411190033.AA09011@anchor.ho.att.com>

Jon Cooper, talking about S-HTTP, writes:
> I don't much see the point in encrypting _EVERYTHING_, and if you're
> only talking about encrypting a credit card number or an occasional
> paid-for document, it shouldn't be much of a burden at all with a good
> implementation.

There are a number of times when you might want to do this, such as delivering an information product as well as paying for it (e.g. a new software release, shipped encrypted to avoid eavesdroppers pirating it for free), or information you want conveniently accessible on the web but only to approved people (e.g.
your political campaign's strategy material or your corporate information made available to your sales group who are often out at customer sites instead of behind your firewall), or your corporate complaints web-form (enter your problem in the box below; please type legibly), or of course your politically-incorrect-substance ordering system, which should provide anonymity as well as payment and ordering, (which may be beyond the complexity of S-HTTP.)

Bill

From wcs at anchor.ho.att.com Fri Nov 18 16:39:13 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 18 Nov 94 16:39:13 PST
Subject: anon ftp/mail
Message-ID: <9411190036.AA09039@anchor.ho.att.com>

Jon writes:
> > Find someone who can give you a temp account that you can download
> > from... ...something that will be erased. The only other way would be to
> > hack out a copy of ftp to send false information
>
> Spoofing your DNS info, while certainly possible [ and this is
> assuming lame admins, no identd, no tcpwrapper, etc. ] is probably not
> the easiest way to go about it. I have to believe that none of the
> common ftpd's are brain-dead enough to trust nameservers extensively.

Some of them do, some of them don't, at least for anon-ftp. I have accounts behind two different kinds of firewalls - the accounts behind router-based firewalls have difficulty with the FTP servers that authenticate using RFC931 or DNS, since the firewall blocks them, while the accounts behind the AT&T Firewall (ref. Cheswick and Bellovin) need to use proxy ftp clients, but don't have trouble accessing the servers, which think (incorrectly) that the requests are coming from the outside part of the firewall.

Bill

From hayden at krypton.mankato.msus.edu Fri Nov 18 16:43:57 1994
From: hayden at krypton.mankato.msus.edu (Robert A.
Hayden)
Date: Fri, 18 Nov 94 16:43:57 PST
Subject: mail-to-usenet
In-Reply-To: <199411182322.AA29559@xs1.xs4all.nl>
Message-ID:

More importantly, are there any usenet-to-mail gateways?

____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> I do not necessarily speak for the
\/ Finger for PGP Public Key <=> City of Mankato or anyone else
-=-=-=-=-=-=-=-
(GEEK CODE 2.1) GJ/CM d- H-- s-:++>s-:+ g+ p? au+ a- w++ v* C++(++++) UL++++$ P+>++ L++$ 3- E---- N+++ K+++ W M+ V-- -po+(---)>$ Y++ t+ 5+++ j R+++$ G- tv+ b+ D+ B--- e+>++(*) u** h* f r-->+++ !n y++**

From tcmay at netcom.com Fri Nov 18 16:49:47 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Fri, 18 Nov 94 16:49:47 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
In-Reply-To: <199411182332.SAA28162@ducie.cs.umass.edu>
Message-ID: <199411190049.QAA26779@netcom8.netcom.com>

L. McCarthy wrote:

> Speaking of which, can anyone explain why my usually-MIME-compliant mail
> reader (ELM 2.4 PL22) pukes on the fancy parts of all these draft
> announcements ? Personally, I find MIMEd messages very annoying because I'm
> forced to hit RETURN (not just "any key") several extra times for each
> message. {Luckily, it's clear that I'd never have time to read any of these,
> so they get tossed in the bit bucket almost immediately.}

Hear, hear! An increasing fraction of my e-mail is non-ASCII, and has this MIME (or whatever) stuff in it. (The Smalltalk list I'm on is about 50% like this.)

I suppose some messages make use of it, as Eric Blossom's just did (in allowing retrieval of more stuff, somehow), but a lot of the "offending" messages just seem to be non-ASCII for the hell of it.

Like Lewis, I find myself to easily delete the message and move on. (I'm debating just deleting the messages, which are marked "M" for Mime, before even starting to read them.)

Personally, I like simple ASCII.
No fancy fonts, no embedded graphics, no Quicktime movies I have to watch, etc.

Just my views.

--Tim May

--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From tcmay at netcom.com Fri Nov 18 17:01:13 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Fri, 18 Nov 94 17:01:13 PST
Subject: Radioactive Threads
In-Reply-To: <9411182220.AA03008@nately.UCSD.EDU>
Message-ID: <199411190055.QAA27677@netcom8.netcom.com>

This thread has become intensely radioactive, so I suggest we drop it immediately.

Anonymous wrote:

> This is just a quick thought...does anyone know what kind of metallic ink
> is used? To add to the conspiracy theory, say the metallic ink is
> radioactive with a higher radiation count for higher dollar amounts--would
> it be implausible then to have some sort of radiation counter to gauge a
> person's total 'radiation count,' and thereby approximate how much currency
> they are carrying out of the country?
>
> I wouldn't take the above seriously though....

Nor would I. I worked with radioactive materials in my former life, and know a fair amount about counting statistics. To reliably detect a source in a short amount of time would require a fair number of counts.

Details are left to the student.

--Tim May

--
..........................................................................
Timothy C.
May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From jamiel at sybase.com Fri Nov 18 17:21:56 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Fri, 18 Nov 94 17:21:56 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID:

At 5:49 PM 11/18/94, Timothy C. May wrote:

>Personally, I like simple ASCII. No fancy fonts, no embedded graphics,
>no Quicktime movies I have to watch, etc.

But Tim, don't you believe in the march of progress?

;)

(I agree. I retrieved some of those docs this issue arose over. I got a MIME doc, the header of which told me to fetch a translator, and when translated I text plain text. I know that simple ASCII will be overtaken by fancier tech, but why the hell encode plain text in a non-human readable format?)

-j

From Critias_the_conspirator at informix.com Fri Nov 18 17:58:58 1994
From: Critias_the_conspirator at informix.com (Critias_the_conspirator at informix.com)
Date: Fri, 18 Nov 94 17:58:58 PST
Subject: Dummy foreign corporations and lawsuit proofing.
Message-ID: <9411190159.AA00879@carbon.informix.com>

I, and no doubt many other cypherpunks resident in the USA, have received a lot of junk mail from Costa Rica, offering dummy Costa Rican corporations.

The theory is you set up a mail drop in Costa Rica, then you gradually move all your assets to be owned by this mail drop, so that your house, your car etc, all belong to this mail drop.

The junk mail claims that this makes you immune to sue happy lawyers -- that this makes you lawsuit proof. I believe this claim.

Unfortunately I have also received other junk mail offering competing services, which claims that Costa Rican dummy corporations have the same effect on revenuers as catnip does on cats, and blood in the water does on sharks. This claim also sounds highly plausible to me.

Doubtless the services offered by the Costa Ricans would work so long as you never generated documents going to the revenuers that showed the Costa Rican address. This might be a wee bit tricky, as the revenuers get a report whenever any financial asset is sold within America.

And remember, if you do set up a dummy foreign corporation, (preferably one that looks more plausible than those offered by the Costa Ricans), if you set it up in consultation with an American advisor, that advisor's next report will probably be to the revenuers.

--
Critias_the_conspirator

From Critias_the_conspirator at informix.com Fri Nov 18 18:06:18 1994
From: Critias_the_conspirator at informix.com (Critias_the_conspirator at informix.com)
Date: Fri, 18 Nov 94 18:06:18 PST
Subject: Another pseudonym.
Message-ID: <9411190206.AA00885@carbon.informix.com>

Critias_the_conspirator is of course another new pseudonym.

Critias was a disciple of Socrates. Critias overthrew democracy in Athens and proceeded to demonstrate that even when democracy was thoroughly decadent, brutal, and tyrannical, it was still possible to create an even worse form of government.

From time to time this Critias will comment on financial privacy.

--
Critias_the_conspirator

From tcmay at netcom.com Fri Nov 18 18:07:34 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Fri, 18 Nov 94 18:07:34 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
In-Reply-To:
Message-ID: <199411190207.SAA04702@netcom8.netcom.com>

(Not a lot of crypto relevance, except as it relates to progress and the illusion of progress.)

Jamie Lawrence wrote:

> At 5:49 PM 11/18/94, Timothy C. May wrote:
>
> >Personally, I like simple ASCII.
No fancy fonts, no embedded graphics,
> >no Quicktime movies I have to watch, etc.
>
> But Tim, don't you believe in the march of progress?
>
> ;)

There's a larger point here, of course, about how much of what we think of as "time-saving" progress actually _isn't_. Many of the things I spend time on, ostensibly to eventually be more productive, will never, ever be "paid back." I won't bore anyone with details.

> (I agree. I retrieved some of those docs this issue arose over. I
> got a MIME doc, the header of which told me to fetch a translator,
> and when translated I text plain text. I know that simple ASCII
> will be overtaken by fancier tech, but why the hell encode plain
> text in a non-human readable format?)

I have an interesting tale to tell, probably as many of you do as well.

From simple typewriters to dry transfer fancy fonts (which I did several science fair projects with in the 1960s), back to simple typewriters in the 1970s, then on to daisy-wheel printers in the late 1970s...

By the mid-80s, LaserJets, LaserWriters, Helvetica, Times Roman, italics, PostScript, kerning, leading, Macintoshes, and "desktop publishing."

Vast amounts of time spent prettifying documents that would just as well have been comprehended if they were simple ASCII!

Then came my Second Coming on the Net (my First was an account on the nascent ARPANet, circa 1972-3). Portal, then Netcom. From 1988 onwards, my universe was mainly _text_.

(Yes, I favor structured outliners and editors, like MORE and StorySpace, but mainly as a way to organize ideas. The Cyphernomicon shows this outline structure.)

No fancy fonts, no kerning, no monomaniacal focus on "appearance."

Bliss. I saw that the Net had caused the pendulum to swing away from a strange focus on typography and back to a healthier focus on ideas and the arguing of them.

Bliss.

But now, in the name of "progress," about half the mail messages I get have (apparently) fancy graphics in them, causing my screens to fill up with stuff like "Warning: The message blah blah contains ISO Font 5738937-B2737, which is apparently not installed in this system. You have these choices....blah blah."

My French correspondents send me messages no longer readable on my system (elm, Eudora), requiring me to zmodem the attachments to my home machine for reading with a text editor!

And now that Mosaic and Netscape are such big deals (which I'm not knocking, though--true to form--I use the character-based "lynx" to access the Web), I expect a swing of the pendulum in the other direction, toward a time-wasting focus on kerning, fonts, leading, whitespace, gutter widths, etc.

Gag me with a spoon.

--Tim May

--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From nowhere at bsu-cs.bsu.edu Fri Nov 18 18:26:16 1994
From: nowhere at bsu-cs.bsu.edu (Anonymous)
Date: Fri, 18 Nov 94 18:26:16 PST
Subject: No Subject
Message-ID: <199411190223.VAA24500@bsu-cs.bsu.edu>

I have one more comment.

Earlier, I wrote:

> Critias_the_conspirator is of course another new pseudonym.
>
>From time to time this Critias will comment on financial
> privacy.

Hear the words of Critias_the_conspirator:

Put your money in ``Greek'' banks. The tentacles are everywhere.

Critias_the_conspirator

From lmccarth at ducie.cs.umass.edu Fri Nov 18 18:49:44 1994
From: lmccarth at ducie.cs.umass.edu (L.
McCarthy)
Date: Fri, 18 Nov 94 18:49:44 PST
Subject: ``Greek'' banks
In-Reply-To: <199411190223.VAA24500@bsu-cs.bsu.edu>
Message-ID: <199411190249.VAA29169@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Anonymous writes:
> I have one more comment.
>
> Earlier, I wrote:
>
> > Critias_the_conspirator is of course another new pseudonym.
> >
> >From time to time this Critias will comment on financial
> > privacy.
>
> Hear the words of Critias_the_conspirator:
>
> Put your money in ``Greek'' banks.

``Greek'' ? Do you mean banks operated by fraternity alumni, or what ?

> The tentacles are everywhere.

Uh...

> Critias_the_conspirator

...needs some authentication, methinks.

- -L. McCarthy

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLs1ns2f7YYibNzjpAQFNhQP/YXuyYWsQP3BU4lp1VGUz/m772KyTMDUW
mNZGzbc1GTP8WUOPi9i9ryeMowo7mMueunT9eVAOHmM9DxqL33Auzwcxfozf7M6M
K638TczrAu3HMEpMKHeOxFYohWC23H/yq7qRnQp0v6znHQGh2R3gehB9kkNqKm2K
4etzKupvSi4=
=7epm
-----END PGP SIGNATURE-----

From adam.philipp at ties.org Fri Nov 18 19:00:40 1994
From: adam.philipp at ties.org (Adam Philipp)
Date: Fri, 18 Nov 94 19:00:40 PST
Subject: The Thread Thread
Message-ID:

>>* A tiny thread cannot be readily detected by "airport scanners," nor
>>by even longer-distance scanners, unless the gain on the detector is
>>turned up so high that many other things trigger the detector.
>>If the threads are mostly plastic, with discontiguous metallic writing
>>on them, then the detection problem is even harder.
>This is just a quick thought...does anyone know what kind of metallic ink
>is used? To add to the conspiracy theory, say the metallic ink is
>radioactive with a higher radiation count for higher dollar amounts--would
>it be implausible then to have some sort of radiation counter to gauge a
>person's total 'radiation count,' and thereby approximate how much currency
>they are carrying out of the country?

Sorry for taking this seriously, but it has been considered and rejected...
It is just inert plastic with metallic letters so that they are opaque to light while the plastic is translucent and provides a backdrop...

Can someone snip this thread already?

Adam

--
PGP Key available on the keyservers. Encrypted E-mail welcome.

Sub rosa: Confidential, secret, not for publication.
-Black's Law Dictionary

From merriman at metronet.com Fri Nov 18 19:36:10 1994
From: merriman at metronet.com (David K. Merriman)
Date: Fri, 18 Nov 94 19:36:10 PST
Subject: The Thread Thread
Message-ID: <199411190336.AA14504@metronet.com>

>Fri, 18 Nov 1994, Tim May writes:
>>* A tiny thread cannot be readily detected by "airport scanners," nor
>>by even longer-distance scanners, unless the gain on the detector is
>>turned up so high that many other things trigger the detector.
>>
>>If the threads are mostly plastic, with discontiguous metallic writing
>>on them, then the detection problem is even harder.
>
>This is just a quick thought...does anyone know what kind of metallic ink
>is used? To add to the conspiracy theory, say the metallic ink is
>radioactive with a higher radiation count for higher dollar amounts--would
>it be implausible then to have some sort of radiation counter to gauge a
>person's total 'radiation count,' and thereby approximate how much currency
>they are carrying out of the country?

Wouldn't work. Radiation is useless for something like this - how to tell the difference between X $20 bills, and Y $100 bills? The roentgen/hour levels would be close enough to make knowing which is which virtually impossible. Radiation is mostly good for yes/no type stuff, unless you're dusting things with particular combinations of very specific isotopes and sampling for them - in which case you've got a completely different set of problems.

>
>I wouldn't take the above seriously though....
>

Seconded.

Dave Merriman
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome and encouraged.
War is Peace. Freedom is Slavery. Ignorance is Strength. No?

From amanda at intercon.com Fri Nov 18 19:44:30 1994
From: amanda at intercon.com (Amanda Walker)
Date: Fri, 18 Nov 94 19:44:30 PST
Subject: Islands in the Net
Message-ID: <9411182243.AA59456@elfbook.intercon.com>

> This is just not what "liquid" means. A liquid asset refers to the
> speed with which it can be traded, not what kind of value it has.
> "Liquid" is an adjective about timeliness, not about resolution.

Hmm. I had thought about using "valuable," but that seemed too ambiguous. "Negotiable" maybe?

> Sometimes currency represents a fiat value, as with today's greenbacks.

It's not entirely a fiat value; in effect, it's backed by the strength of the economy. The difference between a ruble and a dollar was not the fiat value (they were the same, as I remember), but in the fact that it was a lot easier to exchange dollars for real assets. For the record, I think that going off the gold standard was a bad idea, but growing up in the days of double-digit inflation probably gave me a biased opinion of floating currency.

> Also, if it loses its ability to be exchanged for real assets
> it likewise loses its value (e.g., Confederate dollars from the
> Civil War).
>
> Under this reasoning, today's dollar bills should be worthless.
> They aren't. Real assets are not the only form of value.

I didn't say that the government had to be the agent of such an exchange. I can buy real assets with my dollars, but not with Confederate dollars. While it has been somewhat eroded since the start of the Drug War, dollars are still exchangeable for real assets, even though the government is no longer backing them directly.

> What currency do Visa or Master Card issue, perchance?

Little plastic tokens that are accepted more places than the government's paper and metal ones. If it quacks like a duck...

> Information doesn't obey conservation of mass, and so can't act as a
> token.

Exactly. On the other hand, with real-time clearing (which the Internet *does* provide the ability to do, with ever-increasing capacity), you can construct something that acts like an "instant check", which is close enough to cash for most practical purposes.

Amanda Walker
InterCon Systems Corporation

From amanda at intercon.com Fri Nov 18 19:49:32 1994
From: amanda at intercon.com (Amanda Walker)
Date: Fri, 18 Nov 94 19:49:32 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID: <9411182248.AA06323@elfbook.intercon.com>

> Personally, I like simple ASCII. No fancy fonts, no embedded graphics,
> no Quicktime movies I have to watch, etc.

Do PGP key blocks bigger than the message body count as "fancy crap"?

Fancy and Crap are both in the eye of the beholder :).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gif00000.gif
Type: application/octet-stream
Size: 1754 bytes
Desc: ""
URL:

From mclow at coyote.csusm.edu Fri Nov 18 20:08:20 1994
From: mclow at coyote.csusm.edu (Marshall Clow)
Date: Fri, 18 Nov 94 20:08:20 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID:

>> Personally, I like simple ASCII. No fancy fonts, no embedded graphics,
>> no Quicktime movies I have to watch, etc.
>
>Do PGP key blocks bigger than the message body count as "fancy crap"?
>
>Fancy and Crap are both in the eye of the beholder :).
>
>Attachment converted: Scratch:Amanda Logo Sig.GIF (GIFf/JVWR) (0000BB28)

Well said. Nice .sig, too. ;-)

-- Marshall

Marshall Clow
Aladdin Systems
mclow at san_marcos.csusm.edu

From rah at shipwright.com Fri Nov 18 20:13:49 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Fri, 18 Nov 94 20:13:49 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID: <199411190411.XAA22380@zork.tiac.net>

At 10:48 PM 11/18/94 -0500, Amanda Walker wrote:
>
>Fancy and Crap are both in the eye of the beholder :).
>
>Attachment converted: :Amanda Logo Sig.GIF (GIFf/JVWR) (00003907)

Indeed.
No offense offered Amanda, but a scruffy 200dpi gif of your sig is taking your point over the top, yes? Net Goddess or no...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com) "There is no difference between someone
Shipwright Development Corporation who eats too little and sees Heaven and
44 Farquhar Street someone who drinks too much and sees
Boston, MA 02331 USA snakes." -- Bertrand Russell
(617) 323-7923

From unicorn at access.digex.net Fri Nov 18 20:31:28 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Fri, 18 Nov 94 20:31:28 PST
Subject: your mail
In-Reply-To: <199411190223.VAA24500@bsu-cs.bsu.edu>
Message-ID:

On Fri, 18 Nov 1994, Anonymous wrote:

>
>
> I have one more comment.
>
> Earlier, I wrote:
>
> > Critias_the_conspirator is of course another new pseudonym.
> >
> >From time to time this Critias will comment on financial
> > privacy.
>
> Hear the words of Critias_the_conspirator:
>
> Put your money in ``Greek'' banks. The tentacles are everywhere.

How is this a "comment" on financial privacy?

I could just as well say "Put your money in your mattress." and probably have the same level of education effect.

Financial structuring is a highly complex process that earns many people hundreds of dollars (or francs) an hour because there are no blanket rules.

I suggest Critias_the_conspirator keep his day job. It will be easier on him, and us.

>
> Critias_the_conspirator
>

-uni- (Dark)

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!

From tcmay at netcom.com Fri Nov 18 20:46:23 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Fri, 18 Nov 94 20:46:23 PST
Subject: Critias Unmasked!
In-Reply-To:
Message-ID: <199411190445.UAA25798@netcom3.netcom.com>

Before the (unsigned) reputation of Critias_the_conspirator is tossed about further, I was the author of the "anonymous" version.
(No, I can't prove this, either, but such is life.) I wanted to remind folks of just how easy such unsigned reps can be "used" by others. (No, I don't sign my own messages, due to hassles with uploading signed messages to my Internet host, but I also rarely use digital pseudonyms.) > > Hear the words of Critias_the_conspirator: > > > > Put your money in ``Greek'' banks. The tentacles are everywhere. I used the ``TeX'' style of quoting to suggest certain Medusan poster. In any case, I have come clean, having made my point, I hope. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From unicorn at access.digex.net Fri Nov 18 21:13:54 1994 From: unicorn at access.digex.net (Black Unicorn) Date: Fri, 18 Nov 94 21:13:54 PST Subject: Critias Unmasked! In-Reply-To: <199411190445.UAA25798@netcom3.netcom.com> Message-ID: On Fri, 18 Nov 1994, Timothy C. May wrote: > > Before the (unsigned) reputation of Critias_the_conspirator is tossed > about further, I was the author of the "anonymous" version. A pseudonym taken in by a pseudonym. (Sigh) > > I wanted to remind folks of just how easy such unsigned reps can be > "used" by others. (No, I don't sign my own messages, due to hassles > with uploading signed messages to my Internet host, but I also rarely > use digital pseudonyms.) > Point taken. > > I used the ``TeX'' style of quoting to suggest certain Medusan poster. > > > --Tim May > > > -- > .......................................................................... > Timothy C. 
May | Crypto Anarchy: encryption, digital money, [...] > > 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig! From abostick at netcom.com Fri Nov 18 22:06:48 1994 From: abostick at netcom.com (Alan Bostick) Date: Fri, 18 Nov 94 22:06:48 PST Subject: Islands in the Net In-Reply-To: <9411182243.AA59456@elfbook.intercon.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <9411182243.AA59456 at elfbook.intercon.com>, "Amanda Walker" wrote: > > > What currency do Visa or Master Card issue, perchance? > > Little plastic tokens that are accepted more places than the government's > paper and metal ones. If it quacks like a duck... But it _doesn't_ quack like a duck; it hoots like a loon. Credit cards aren't fungible like cash, they aren't anonymous like cash*, they don't operate like cash from the cardholder's point of view, and they don't operate like cash from the merchant's point of view. > > Information doesn't obey conservation of mass, and so can't act as a > > token. > > Exactly. On the other hand, with real-time clearing (which the Internet > *does* provide the ability to do, with ever-increasing capacity), you can > construct something that acts like an "instant check", which is close enough > to cash for most practical purposes. If you write a check, instant or otherwise, to provide funds to your favorite political candidate's campaign committee, and that check is too big, then the election watchdogs start barking. If you pass a satchel full of cash along to the campaign, the watchdogs sleep through the night undisturbed. Checks are not cash; there are important practical purposes for which they differ profoundly. - ------ *I don't see any reason why a credit card couldn't be anonymized, with some kind of "Julf-style" bank account and an any-bearer-gets-to-use-this card.
People might want some kind of PIN protection if they're concerned about losing the card. But the banks haven't chosen to offer such a thing, and they just aren't available. | In the other room I passed by Ellen Leverenz as Alan Bostick | someone asked her "Do you know any monopole abostick at netcom.com | jokes?" finger for PGP public key | "Sure," she said. "In fact, I know two of them." Key fingerprint: | -- Terry Carr, GILGAMESH 50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79 +legal_kludge=off -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQB1AgUBLs2EbOVevBgtmhnpAQHRlwL/cjz7DqVnv5H8v9E1cpTKvw3EQMMl8OVd PN21Xbyzc7XeyK6VUmCRsfD0l+is1+bkaGJrs5RqLv1Mq8pWaTb+ifNsQ8lypKkF pFDE6J09z3Ew4Qy8k0/9h515huvn9BQX =PrvQ -----END PGP SIGNATURE----- From eric at remailer.net Fri Nov 18 22:26:01 1994 From: eric at remailer.net (Eric Hughes) Date: Fri, 18 Nov 94 22:26:01 PST Subject: Islands in the Net In-Reply-To: <9411182243.AA59456@elfbook.intercon.com> Message-ID: <199411190624.WAA01721@largo.admate.com> From: "Amanda Walker" Hmm. I had thought about using "valuable," but that seemed too ambiguous. "Negotiable" maybe? The standard word for something that is worth something is "value". If I sell you a promissory note, I exchange value for a note. That value can be in the form of cash, money on deposit, or even other notes. Negotiable means something else entirely. A negotiable instrument is an instrument that can be transferred with certain protections over and above the transfer of normal contractual obligations. The requisites for negotiability are, basically, those that make the instrument suitable for sale in a secondary market. The instrument must be in writing (not oral). It must be signed. It must contain an unconditional promise or an order for a particular sum of money and must contain no other promises, orders, etc. It must be payable to order or to bearer. The exact details may be found in your standard commercial paper review guide.
> Sometimes currency represents a fiat value, as with today's greenbacks. It's not entirely a fiat value; in effect, it's backed by the strength of the economy. Backing specifically refers to the relationship between the currency and the issuer of the currency. A fiat currency means that the government created the currency by fiat, i.e. out of the blue. A dollar may derive value from the underlying economy, but it is not backed by the economy, since the economy is not an entity. The difference between a ruble and a dollar was not the fiat value (they were the same, as I remember), but in the fact that it was a lot easier to exchange dollars for real assets. Both rubles and dollars are fiat currencies, yes. The dollar is a relatively well managed currency and the ruble was not. Therefore the dollar was in greater demand than the ruble, and hence easier to use. The difference is entirely in degree. For the record, I think that going off the gold standard was a bad idea, but growing up in the days of double-digit inflation probably gave me a biased opinion of floating currency. Well, when you finance a war with an inflating fiat currency, that leads to price increases. Inflation is a tax which the government does not need the IRS to collect. Thankfully the foreign exchange markets now quickly penalize any country that mismanages its currency supply. While it has been somewhat eroded since the start of the Drug War, dollars are still exchangeable for real assets, even though the government is no longer backing them directly. The USA gov't, however, is backing the dollar still; it's just not backing the dollar with specie (gold and silver metal). The reason that Confederate dollars are no longer valuable as money is that the Confederate government no longer exists. A fiat currency is backed by several properties of active governments: legal tender laws, income taxes paid in the national currency, procurements, etc. > What currency do Visa or Master Card issue, perchance?
Little plastic tokens that are accepted more places than the government's paper and metal ones. If it quacks like a duck... A credit card is not a currency. It is a means of payment. Not all means of payment are accomplished through currency. One does not say, for example, that checks are a currency merely because I can pay for things with them. Eric From jrochkin at cs.oberlin.edu Fri Nov 18 22:35:45 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Fri, 18 Nov 94 22:35:45 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: tcmay at netcom.com (Timothy C. May) wrote: >And now that Mosaic and Netscape are such big deals (which I'm not >knocking, though--true to form--I use the character-based "lynx" to >access the Web), I expect a swing of the pendulum in the other >direction, toward a time-wasting focus on kerning, fonts, leading, >whitespace, gutter widths, etc. Actually, I see the benefit of html to be that you really _don't_ spend time on pretty visual effects like kerning, fonts, leading, whitespace, gutter widths, etc. You don't deal with any of those things, or anything like it, in a html document. Yes, you spend more time doing formatting than with straight ascii, but the structure you put in is content based structure, rather than pretty-but-useless display based structure. The type that you were doing with outliners and such, although for the goal of making them more readable rather than of helping to organize ideas. But I think html, once you've gotten the hang of it, gives you a pretty good return to the amount of work you put in. A well done html document is, in my opinion, actually much easier to read than a straight ascii document, and the amount of effort necessary to turn ascii to html is relatively minimal. Just my opinion, of course.
I agree with you that there is a problem when too much time and energy is spent on prettifying trimming rather than on content, but I'm not sure that html is really representative of this. Have you tried using MacWeb with the auto-loading of images turned off? Like I said, I find it easier to extract the relevant information quickly out of a html-formatted text than a straight ascii text. And we all know that when you are on the net, being able to extract relevant information quickly is vital. (There's a whole nother treatise waiting to be written there.) From tcmay at netcom.com Fri Nov 18 22:38:02 1994 From: tcmay at netcom.com (Timothy C. May) Date: Fri, 18 Nov 94 22:38:02 PST Subject: Islands in the Net In-Reply-To: Message-ID: <199411190638.WAA05397@netcom3.netcom.com> Alan Bostick wrote: ... > But it _doesn't_ quack like a duck; it hoots like a loon. Credit cards > aren't fungible like cash, they aren't anonymous like cash*, they don't > operate like cash from the cardholder's point of view, and they don't > operate like cash from the merchant's point of view. I'm beginning to think the ideas of money, instruments, clearing, etc., are confusing to a lot of us. Part of it is that various objects have mix-ins from other classes. Part of it is that the legal system has its own rules. Etc. For example, I tend toward Amanda's point of view, that credit cards "quack like a duck." When I make a purchase with my credit card, and the thing clears, both the merchant and I act as if we've just exchanged money. (In fact, one of my "credit cards," with the little Visa symbol, etc., is actually a "debit card"...when I use it, money is taken _immediately_ out of my account. I assume--but don't know for sure--that the merchant's account is credited quickly, if not immediately. Anyway, there are many forms of "money," with many things that make the forms "money-like." It'd be nice if we could chart out all these forms, see the critical things that factor in, etc.
Has such an analysis been done? (Especially kept current, with all the various new forms, new rules, new laws.) > *I don't see any reason why a credit card couldn't be anonymized, with > some kind of "Julf-style" bank account and an any-bearer-gets-to-use-this > card. People might want some kind of PIN protection if they're > concerned about losing the card. But the banks haven't chosen to offer > such a thing, and they just aren't available. This has come up several times. I'll let others recount what they know. The consensus about major banks not offering "anonymous cards" is that two factors are at work: 1. The public has not yet woken up and asked for a card which _obscures_ their purchases. (Some people were proposing that we try to convince American Express, as an example, to issue a "Privacy Card.") 2. Truly anonymous cards, like bank accounts in false names, are not encouraged in the U.S. Things like Social Security numbers, IRS reporting requirements (interest paid, for example), etc., all make truly anonymous cards pretty rare. (Even the "cash deposit" cards are not anonymous.) Of course, I'm not saying one can't find ways to get credit cards issued under assumed identities. It probably happens a lot. But this is a different issue, I argue. There could be a legal way to issue true "cash credit cards," similar to the cash-charged-up phone cards, but I have no idea what would be needed. Offshore-based cards may still be the best bet, as several folks (the usual suspects) have noted; a bank in the Caymans issuing a Visa card, for example. (Though the "Frontline" report on money-laundering mentioned ATM and credit card "scams" as a way to launder money that was being stopped, so...) --Tim May -- .......................................................................... Timothy C. 
May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From lmccarth at ducie.cs.umass.edu Fri Nov 18 22:38:49 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Fri, 18 Nov 94 22:38:49 PST Subject: Critias Unmasked! In-Reply-To: <199411190445.UAA25798@netcom3.netcom.com> Message-ID: <199411190638.BAA29939@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Tim May writes: > Before the (unsigned) reputation of Critias_the_conspirator is tossed > about further, I was the author of the "anonymous" version. It's also interesting to note that I managed to form a definite opinion about the "real" identity of the "real" Critias after reading, oh, about five words of Critias' first message. I couldn't so easily slap a label on Tim's mock Critias because he deliberately altered his writing style. Just a reminder for those adopting pseudonyms to consider: if your normal style is known, you need to appropriately pseudonymize the nym's writing style. "Acting the part" is, after all, the main difficulty in maintaining an assumed identity. I'm not sure whether this alters liability issues significantly; if everyone "knows" you're the person behind a nym which gets in trouble, but can't conclusively prove it, does that help you ? I suspect not, especially considering that the standard of evidence for civil cases like libel is relatively weak. (If I'm out of my tree and libel is a criminal offense, please correct me. IANAL, etc.) - -L. 
McCarthy -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLs2dWGf7YYibNzjpAQEkhQQAgs8UuF2vuttzK5fAZZwzesKT9+Ul6R0u XO0cje3FU8XzORYAxH+8o3aIswGkaW3HS2zpPFz5AzrDJBXZ3r4Zn0V4t4MBVbOY SO6I22+TiqVN7/ZgmtULZytTO2qKalgfInHF6GdlWLvbHqMHqu0TaqGOc20x8PZs 77DV6RCLRCg= =Oef2 -----END PGP SIGNATURE----- From jrochkin at cs.oberlin.edu Fri Nov 18 22:47:59 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Fri, 18 Nov 94 22:47:59 PST Subject: usenet-to-mail Message-ID: "Robert A. Hayden" wrote: >More importantly, are there usenet-to-mail gateways? My first impression was that that was just a joke. Then I thought it might be a very good idea after all. Then I thought it surely wasn't a joke, but also wasn't a very good idea. Now I'm not sure. :) It seems like it might be a good idea. All the anon remailers could watch a certain newsgroup, alt.remailer.submit perhaps, and take messages with a "anon-remailer-attn: specific at remailer", and deal with them just like normal mail input. Would there be any benefit to doing this at all over the present system? Why would someone submit a message to the remailer "bramble" via newsgroup instead of just mailing it? Unless you find an anonymous way to post to the newsgroup in the first place, your security seems to be seriously compromised. Even if everything is encrypted, you've made traffic analysis a huge amount easier. And if you are finding a way to post to a newsgroup anonymously in the first place, odds are you have some other entry point to the remailer bramble, so why make a stop on the newsgroup opening yourself up to traffic analysis? Now that I think about it, it seems that there isn't really any reason for such a thing. From lmccarth at ducie.cs.umass.edu Fri Nov 18 22:50:17 1994 From: lmccarth at ducie.cs.umass.edu (L.
McCarthy) Date: Fri, 18 Nov 94 22:50:17 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411190411.XAA22380@zork.tiac.net> Message-ID: <199411190650.BAA00142@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Bob Hettinga writes: > At 10:48 PM 11/18/94 -0500, Amanda Walker wrote: > >Fancy and Crap are both in the eye of the beholder :). > Attachment converted: :Amanda Logo Sig.GIF (GIFf/JVWR) (00003907) You bothered ? $ This message contains data in an unrecognized format, image/gif, $ which can be decoded and written to a file. $ Please enter the name of a file to which the data should be written, $ or just press RETURN to skip writing it to a file. Heh, that was irritating. Did I mention that ELM dumps core sometimes when I "press RETURN to skip writing it to a file" ? Regular mailbombing would be easier to handle. To answer Amanda's question, IMHO PGP blocks longer than message bodies are crap only when they come in weird formats that coerce me to press extra keys. Once I start reading one of these clunkers, I can't even escape to the main menu until I've stepped through the whole damn thing. Sometimes the parts in between the "press RETURN"s are longer than a screen, and scroll off into the ether unread. - -L. McCarthy -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLs2gGGf7YYibNzjpAQELngQAwqGUGkm07nm4bLS5700ITExiWvItU5V3 YXObHOwXWA8M/6mw7Pchh1kwH32zEdvKFdoyIXXUsyssNZSp7oEkZQE3vdgW6cqF 4+JXHJSnsBKCpsX67EXb3ukROH+9qlJB9vAYDCAVCFbUqtFT/Jk5lBiJQTPFtexN xyosPQKKx9s= =upEv -----END PGP SIGNATURE----- From unicorn at access.digex.net Fri Nov 18 23:06:41 1994 From: unicorn at access.digex.net (Black Unicorn) Date: Fri, 18 Nov 94 23:06:41 PST Subject: Critias Unmasked! In-Reply-To: <199411190638.BAA29939@ducie.cs.umass.edu> Message-ID: On Sat, 19 Nov 1994, L. 
McCarthy wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Tim May writes: > > Before the (unsigned) reputation of Critias_the_conspirator is tossed > > about further, I was the author of the "anonymous" version. > > It's also interesting to note that I managed to form a definite opinion > about the "real" identity of the "real" Critias after reading, oh, about > five words of Critias' first message. I couldn't so easily slap a label on > Tim's mock Critias because he deliberately altered his writing style. Just a > reminder for those adopting pseudonyms to consider: if your normal style is > known, you need to appropriately pseudonymize the nym's writing style. > "Acting the part" is, after all, the main difficulty in maintaining an > assumed identity. I thought of some kind of filter that standardized punctuation and such to mask the little changes that cause identity associations.... Any ideas on the practical application of this, or perhaps its feasibility? > > I'm not sure whether this alters liability issues significantly; if everyone > "knows" you're the person behind a nym which gets in trouble, but can't > conclusively prove it, does that help you ? I suspect not, especially > considering that the standard of evidence for civil cases like libel is > relatively weak. (If I'm out of my tree and libel is a criminal offense, > please correct me. IANAL, etc.) > > - -L. McCarthy > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.1 > > iQCVAwUBLs2dWGf7YYibNzjpAQEkhQQAgs8UuF2vuttzK5fAZZwzesKT9+Ul6R0u > XO0cje3FU8XzORYAxH+8o3aIswGkaW3HS2zpPFz5AzrDJBXZ3r4Zn0V4t4MBVbOY > SO6I22+TiqVN7/ZgmtULZytTO2qKalgfInHF6GdlWLvbHqMHqu0TaqGOc20x8PZs > 77DV6RCLRCg= > =Oef2 > -----END PGP SIGNATURE----- > 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig! 
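Black Unicorn's question about a filter that standardizes punctuation, sketched here as an added example (not code from any poster in this thread). The pattern names, the function-word list and the two constructed samples are assumptions; the sketch also measures what such a filter leaves untouched.

```python
import re
from collections import Counter

# Constructed samples: one sentence quoted in the thread, typed once with a set
# of surface habits (TeX quotes, double spacing, emphasis marks, a punctuation
# run, an emoticon) and once plainly.
SAMPLE_TEX = ("Put your money in ``Greek'' banks.  "
              "The tentacles are _everywhere_!!! :-)")
SAMPLE_PLAIN = 'Put your money in "Greek" banks. The tentacles are everywhere!'

# Surface habits visible in plain ASCII mail. The names are hypothetical.
SURFACE_PATTERNS = {
    "tex_quotes": re.compile(r"``|''"),
    "double_space": re.compile(r"(?<=[.!?]) {2,}"),
    "punct_run": re.compile(r"[!?]{2,}"),
    "emoticon": re.compile(r"(?<!\w)[:;]-?[)(}{DP](?!\w)"),
    "emphasis": re.compile(r"(?<!\w)[_*](\w[^_*\n]*?)[_*](?!\w)"),
}

# Curly quotes mapped to ASCII, in case a mailer introduced them.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"',
                       "\u2018": "'", "\u2019": "'"})

# A small, assumed list of function words; real stylometry uses far more.
FUNCTION_WORDS = frozenset(
    "a an and are as at but by for in is it not of on or that the to with your"
    .split())


def normalize(text):
    """Rewrite surface habits to one house style; the words are left alone."""
    text = SURFACE_PATTERNS["tex_quotes"].sub('"', text)
    text = text.translate(CURLY)
    text = SURFACE_PATTERNS["emoticon"].sub("", text)
    text = SURFACE_PATTERNS["emphasis"].sub(r"\1", text)   # _word_ -> word
    text = re.sub(r"([!?])[!?]+", r"\1", text)             # "!!!" -> "!"
    text = re.sub(r"[ \t]+", " ", text)                    # single spacing
    text = re.sub(r" +$", "", text, flags=re.M)            # trailing blanks
    return text.strip()


def surface_features(text):
    """Count each surface habit: the tells a punctuation filter can erase."""
    return {name: len(p.findall(text)) for name, p in SURFACE_PATTERNS.items()}


def function_word_profile(text):
    """Count function words: a tell that punctuation filtering cannot reach."""
    words = re.findall(r"[a-z]+", text.lower())
    return Counter(w for w in words if w in FUNCTION_WORDS)


if __name__ == "__main__":
    cleaned = normalize(SAMPLE_TEX)
    print("before:", surface_features(SAMPLE_TEX))
    print("after: ", surface_features(cleaned))
    print("same text as plain typist:", cleaned == SAMPLE_PLAIN)
    print("function words unchanged: ",
          function_word_profile(SAMPLE_TEX) == function_word_profile(cleaned))
```

The filter erases tells such as the ``TeX'' quoting Tim May says he used on purpose, but the function-word counts are identical before and after, so word choice still has to be changed by the writer.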
From shamrock at netcom.com Fri Nov 18 23:18:43 1994 From: shamrock at netcom.com (Lucky Green) Date: Fri, 18 Nov 94 23:18:43 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411190705.XAA17651@netcom14.netcom.com> L. McCarthy wrote: >Bob Hettinga writes: >> At 10:48 PM 11/18/94 -0500, Amanda Walker wrote: >> >Fancy and Crap are both in the eye of the beholder :). >> Attachment converted: :Amanda Logo Sig.GIF (GIFf/JVWR) (00003907) > >You bothered ? > >$ This message contains data in an unrecognized format, image/gif, >$ which can be decoded and written to a file. >$ Please enter the name of a file to which the data should be written, >$ or just press RETURN to skip writing it to a file. Perhaps Bob is one of the many fortunate people who use a Mac to read their mail ;-) Eudora auto-converts the MIME attachments and dumps them in the folder of your choice. Give it a try. I think you'd like it. -- Lucky Green PGP encrypted mail preferred. From tcmay at netcom.com Fri Nov 18 23:19:28 1994 From: tcmay at netcom.com (Timothy C. May) Date: Fri, 18 Nov 94 23:19:28 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: Message-ID: <199411190719.XAA08956@netcom3.netcom.com> Jonathan Rochkind wrote: ... > return to the amount of work you put in. A well done html document is, in > my opinion, actually much easier to read than a straight ascii document, > and the amount of effort necessary to turn ascii to html is relatively > minimal. Well, I've looked at maybe 50 home pages now, with "lynx," and I'm not convinced that html docs are "much easier to read" than straight text. Perhaps the "well done" qualifier is what I haven't yet seen (but 50 home pages is a pretty fair sample). In any case, the problem is not just html. On a Smalltalk mailing list I'm on, for example, they're grappling with how to distribute docs to us over the Net. A tower of Babel!
Html, Replica (tm), FrameView (tm), PostScript (tm), and Acrobat (tm) are just some of the options. As of last night, they (the vendor running the list) couldn't even give us a _price list_ because they'd generated the price list using the nice table features of FrameMaker, but then couldn't extract the text...so we had to wait to get onto their ftp site (limit of 3 at a time) and "get" the Replica (tm) version! (Replica is like Adobe's "Acrobat.") (And if _they_ can't get the plain text out of their fancy-formatted document, how the hell can we get it out and into our spreadsheets? Answer, by cutting-and-pasting, if it still works. [Please don't send me "workarounds."]) My point? Much wheel-spinning. Like trying to read Amanda's "X11" GIF, and then wondering if my Netcom disk quota was being sucked up by a hidden file somewhere! Or jumping through hoops to download a PGP-encrypted note to my home machine, decrypting it, only to find a "Like, wow, this PGP sure is neat! Like, rock on, dude!" message awaiting me! I'm trying not to just flame. I see these "neat things" as a tower of Babel. I see mail breaking down as folks deviate from ASCII and "overload" it with extra cruft. I see a proliferation of "gurus" and "wizards" needed to make things work. [A recurring theme of this note is that people are very helpful, and send advice. But little of the advice is usable, for various reasons. So don't send it to me! :-} ] > Just my opinion, of course. I agree with you that there is a problem when > too much time and energy is spent on prettifying trimming rather than on > content, but I'm not sure that html is really representative of this. > > Have you tried using MacWeb with the auto-loading of images turned off? > Like I said, I find it easier to extract the relevant information quickly > out of a html-formatted text than a straight ascii text. And we all know > that when you are on the net, being able to extract relevant information > quickly is vital.
(There's a whole nother treatise waiting to be written > there.) No, I haven't tried MacWeb, or NetScape, except as demos and on the machines of others. I don't have a SLIP or PPP connection (Please don't send me helpful tips on how to get such accounts! It seems that every time I mention such things, I get several notes suggesting how all would be solved if I switched to Unix, abandoned Netcom, got my own T1 line, etc. Folks, I'm flattered that you care, but the reason I don't have SLIP or PPP is because I haven't bothered yet. Waiting for 28.8 vs. ISDN to shake out, waiting for a local provider to appear to my satisfaction--don't tell me about either ScruzNet or SenseMedia, as I know about them--and, most importantly, waiting for a _real good reason_ to spend the time switching to a new set of tools. Right now, I'm not in a hurry.) So far, "cruising the Web" and looking at pictures of comets hitting Jupiter or coffeepots about to boil just doesn't cut it. (I get CNN, so I see all the comet hits I need, at higher resolution. Like porno images which are sharper, cheaper, and better in magazines, I just don't "get" the idea of surfing the Net or Web for images.) I'm a text/idea person, as you may have noticed, and the Web is no substitute for either mailing lists or newsgroups. [And anticipating more helpful comments, I understand that some folks use Mosaic, MacWeb, etc., as newsreaders and mailers. Again, I see enough problems and gotchas being debated to make me want to wait...maybe NetScape 1.1 will be my reason to convert.] If I'm ranting, I apologize. I'm not angry at any one person, just at the whole confusing mess it is all becoming. A zillion variants of PGP, front-ends, shells, etc. A mail system that is rapidly losing its "lingua franca" status (how ironic that I can't read the mail sent to me by some French conference organizers, except circuitously). We are getting bogged down in banal details and platform idiosyncrasies.
Dozens of platforms, dozens of flavors of Unix and other operating systems, half a dozen major display options (as noted above), lots of image formats (at least that's relatively standardized, to GIF, PICT, JPEG, etc....and yet many people spend _days_ trying to convert, download, uncompress, read, display, etc.) There's got to be a better way. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From blancw at pylon.com Fri Nov 18 23:28:41 1994 From: blancw at pylon.com (blancw at pylon.com) Date: Fri, 18 Nov 94 23:28:41 PST Subject: Foreign Transactions & The Pistol Whip Test Message-ID: <199411190729.XAA19127@deepthought.pylon.com> Here's a simple checklist for making decisions about foreign transactions & financial institutions. Question: Can they kick down the door and pistol whip this one: Yes No ___ ___ consultant who works in the country ___ ___ consultant who works out of the country ___ ___ relative who is in a foreign country ___ ___ relative who is in the USA ___ ___ friend who is in a foreign country ___ ___ friend who is in the USA ___ ___ bank account in another country ___ ___ bank account in the USA ___ ___ all financial institutions ___ ___ self proclaimed financial experts ___ ___ your puppy dog ___ ___ All of them! All of them! Blanc :>) From dcwill at python.ee.unr.edu Fri Nov 18 23:31:46 1994 From: dcwill at python.ee.unr.edu (Dr. D.C. Williams) Date: Fri, 18 Nov 94 23:31:46 PST Subject: Critias Unmasked! 
In-Reply-To: <199411190638.BAA29939@ducie.cs.umass.edu> Message-ID: <199411190730.XAA17335@python> > relatively weak. (If I'm out of my tree and libel is a criminal offense, > please correct me. IANAL, etc.) > > - -L. McCarthy Is it coincidental, or a gift from the Gods, that the acronym for "I am not a lawyer" also spells "I ANAL". YIMV * (* Your interpretation may vary) =D.C. Williams From jrochkin at cs.oberlin.edu Fri Nov 18 23:41:25 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Fri, 18 Nov 94 23:41:25 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: At 2:19 AM 11/19/94, Timothy C. May wrote: >Jonathan Rochkind wrote: >... >> return to the amount of work you put in. A well done html document is, in >> my opinion, actually much easier to read than a straight ascii document, >> and the amount of effort necessary to turn ascii to html is relatively >> minimal. > >Well, I've looked at maybe 50 home pages now, with "lynx," and I'm not >convinced that html docs are "much easier to read" than straight text. >Perhaps the "well done" qualifier is what I haven't yet seen (but 50 >home pages is a pretty fair sample). I think I might not have made my point clear enough. I meant to say that an html document, viewed with a program that displays different headings in different fonts and sizes and stuff (note that the writer doesn't have to deal with font and size issues herself) is much easier to read. Meaning, "an html document viewed on anything but lynx". In my opinion. An html document viewed with lynx _is_ pretty much straight text, isn't it? So it's not going to be much easier to read than straight text, obviously. >In any case, the problem is not just html. On a Smalltalk mailing list [various problems] I agree there are problems like that. Much of the problem is due to lack of tools on the user-end of it.
Which is a completely different thing from the issue of the author spending too much time on inane prettifying, form over content, etc. Still an important issue. Until nearly everyone _is_ able to use a graphical web browser, html isn't going to be as useful as it could be. Until there are easy or automatic ways to use PGP, it's not going to be as easy to send and receive PGP mail as it could be. Until everyone has a MIME-compatible mailer that behaves reasonably and can be configured to do whatever one wants it to do... etc. This is a legitimate issue, but not the same one as the form over content thing you were foaming about earlier. :) > >My point? Much wheel-spinning. Like trying to read Amanda's "X11" GIF, >and then wondering if my Netcom disk quota was being sucked up by a >hidden file somewhere! Or jumping through hoops to download a >PGP-encrypted note to my home machine, decrypting it, only to find a >"Like, wow, this PGP sure is neat! Like, rock on, dude!" message >awaiting me! All due to lack of proper tools to deal with this stuff, I'd argue. If you had a MIME compatible mailer that displayed Amanda's GIF inline, or did something logical with it, or just tossed it in the bit bucket cause you told it to, it wouldn't be so much of a problem. Yes, not everyone (or possibly anyone) has that capability at the moment, and that's a good point. [I know you asked not to have advice, but I'll quickly say that I've found that using the Eudora-compatible PGP-related applescripts makes it _immeasurably_ easier to deal with PGP stuff. Decrypting a PGP-encrypted note is a single mouse click. Lack of tools is what makes it a problem] >We are getting bogged down in banal details and platform >idiosyncracies. 
Dozens of platforms, dozens of flavors of Unix and >other operating systems, half a dozen major display options (as noted >above), lots of image formats (at least that's relatively >standardized, to GIF, PICT, JPEG, etc....and yet many people spend >_days_ trying to convert, download, uncompress, read, display, etc.) I agree that it's important _not_ to get bogged down in banal details, or platform idiosyncrasies. The point of such things as MIME and HTML are to avoid both of these things. The MIME and HTML specifications are completely platform-independent, and their whole purpose is basically to take care of the banal details so humans don't have to. Whether theory matches practice is another issue. > There's got to be a better way. The net is evolving. I _like_ the fact that I can option-click on a ftp URL in my newsreading software, and have that URL automatically fetched. I don't like the fact that Eudora _automatically_ fetched the documents referenced by the MIME voodoo in that recent contribution to the list, but if it had merely shown "referenced document: 1994.Standards", and allowed me to option-click on that (or ignore it) to download it if I wished, I would have liked that too. At one point ASCII _wasn't_ a standard. It was never quite such a problem as we have now, admittedly, but it's not as powerful as what we are on the verge of having now either. Once MIME compatible mailers work right, and the user interaction issues are taken care of the right way, and everyone has a direct high-bandwidth net connection, I firmly believe that MIME and html will be of enormous utility. No, I'm not holding my breath for that to happen, but technology has a way of moving faster than you would expect (and at times slower than you would expect too. but unpredictable nearly always). Or maybe I'm just a hopeless techno-phile. From tcmay at netcom.com Sat Nov 19 00:31:01 1994 From: tcmay at netcom.com (Timothy C.
May) Date: Sat, 19 Nov 94 00:31:01 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: Message-ID: <199411190830.AAA03216@netcom3.netcom.com> [I'm enjoying this discussion, and think it may have some relevance to issues about tools and complexity, so I'm leaving it public. If you don't wish to read it, delete it now. No extras "MIME" screenfuls, either!] I will try to limit myself to just a few of Jonathan's points. Jonathan Rochkind wrote: > I think I might not have made my point clear enough. I meant to say that > an html document, viewed with a program that displays different headings in > different fonts and sizes and stuff (note that the writer doesn't have to > deal with font and size issues herself) are much easier to read. Meaning, > "an html document viewed on anything but lynx". In my opinion. An html > document viewed with lynx _is_ pretty much straight text, isn't it? So it's > not going to be much easier to read then straight text, obviously. I wasn't referring to fonts, shapes, sizes, but to logical organization and overall quality. In my view, fonts and differently-sized headers rarely make much of a difference. And to the extent people worry about style sheets for their Web writings, I think my earlier point about form-over-substance applies. > I agree there are problems like that. Much of the problem is due to lack of ^^^^^^^ > tools on the user-end of it. Which is a completely different thing from the ^^^^^^^^^^^^^^^^^^^^^ Ah! Now you've hit on a topic of crucial importance! The "if the user had proper tools, he could read my work" point of view, so often expressed. This comes up in lots of ways. Basically, people just _won't_ adopt a set of tools, usually, Sometimes they will. Some random points related to this (I lack the will this late at night to put the points into proper essay form): * Backward compatibility. Color t.v. 
needed to work on black and white t.v.s...and, indeed, today's video signal will work on sets built in 1948. There are drawbacks to this, of course, but it's often essential. * ASCII text has heretofore served as the "NTSC" of computer screens, so that my words, written on a PowerMac 7100AV (video digitizer, etc.) can still be "tuned in" by a dumb terminal, an IBM PC, an Apple IIe, etc. * Saying that problems would be solved if only the users would get the latest tools (and perhaps switch platforms, as their platform may not support the tools) is like saying that television viewers should switch to HDTV. They will, many of them, but not for a while. * (This especially applies to the as-expected advice from some that Eudora is the best solution to automatically getting MIME-doohickeyed attachments. Many list subscribers out there just don't have these capabilities...) > All due to lack of proper tools to deal with this stuff, I'd argue. If you > had a MIME compatible mailer that displayed Amanda's GIF inline, or did > something logical with it, or just tossed it in the bit bucket cause you The issue is that our clever tools are, in my opinion, burying us. I don't begrudge folks the fun they have, or the work they get done, by using these new tools. I may start posting Quicktime movies of Cypherpunks meetings..."Hit Escape-Meta-Alt-Control-Shift if you do NOT wish to receive a 650 MB Quicktime file." What I am saying is that I don't plan to spend gobs of time hunting down JPEG-Diddler 4.7 so I can view an image somebody sends me, or Acrobat 3.1 ("upgrade is $99 for Acrobat 3.0 owners") so I can read a document! > I agree that it's important _not_ to get bogged down in banal details, or > platform idiosyncrasies. > The point of such things as MIME and HTML are to avoid both of these > things. The MIME and HTML specifications are completely > platform-independent, and their whole purpose is basically to take care of > the banal details so humans don't have to.
Whether theory matches practice > is another issue. Perhaps it is time for us to again poll the list about what tools they have, what mailers they use, etc. (Done two years ago, pre-Web, pre-SLIP, etc., mostly to see what mailers and editors needed PGP hooks the most. A tower of Babel, even then.) Until, say, >70% of the list has MIME/HTML/Web capabilities, working without bugs, I say we ought to try to keep our focus on ASCII and not on sound clips, Quicktime movies, etc. (The "without bugs" point bears elaboration. When I use lynx to access a site, get/fetch a file, and then sz it directly to my home machine, it arrives with a "38376.html" form, and is unopenable by my apps. When, instead, I skip the automatic sz, and manually sz it, it arrives as it should be, e.g., "Eudora2.1.sea" or whatever. I'm sure someone knows the incantation to make it work, but this is the nonobvious banality I'm talking about.) > Or maybe I'm just a hopeless techno-phile. > Indeed, we probably all are, in various ways. But just as an "audio tweak" can spend all his spare time aligning the polarities of his wall sockets, and just as a desktop publishing "tweak" can spend all of her time fiddling with spacings, sizes of descenders, and can print 17 test copies of a page, so too can we get bogged down in all the neat toys we have to play with. Me, I think I'm just going on a personal crusade to simplify things. Computers should not be making my life _vastly more complicated_. One last note: I read my mail on-line, interspersed with reading NetNews. Although I have Eudora, and of course use it, I don't use it for routine work (for one thing, it may take 20 minutes to download my mail, so I tend to use it when I'm heading out to do something else, or to go to sleep, etc.). So all the "solutions" that involve using Eudora are not my cup of tea. That's just the way it is. The tower of Babel is rising in the shadow of Babylon.
--Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From shamrock at netcom.com Sat Nov 19 01:42:01 1994 From: shamrock at netcom.com (Lucky Green) Date: Sat, 19 Nov 94 01:42:01 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411190942.BAA27038@netcom20.netcom.com> Tim wrote: [various reasons why television is a bad thing because it can't be received on a radio deleted ] >Me, I think I'm just going on a personal crusade to simplify things. >Computers should not be making my life _vastly more complicated_. Amen. They also should enable people to communicate in more and better ways with more people. MIME, HTML, Maven (phone calls over the net for free), CU-SeeMe (video over the Net for free,) and similar tools are first examples of how these goals might be achieved. I love email, but I would also like to be able to see and hear from some of the friends I made all over the world. >One last note: I read my mail on-line, interspersed with reading >NetNews. Although I have Eudora, and of course use it, I don't use it >for routine work (for one thing, it may take 20 minutes to download my >mail, so I tend to use it when I'm heading out to do something else, >or to go to sleep, etc.). So all the "solutions" that involve using >Eudora are not my cup of tea. That's just the way it is. Twenty minutes for your mail? How fast a modem do you use? As for solutions, the only solutions there are and ever will be involve you getting off that terminal server.
The evolution of the Internet will make ASCII terminals obsolete. If it hasn't already done so. Let's take that poll of what people use. I am curious. Happy netting, P.S. If anybody here on the list wants to know how to turn their regular shell account into a SLIP account, email me for info or read alt.dcom.slip-emulators. Please don't ask about it on the list. -- Lucky Green PGP encrypted mail preferred. From gnu Sat Nov 19 03:04:17 1994 From: gnu (gnu) Date: Sat, 19 Nov 94 03:04:17 PST Subject: Verifying RC4 In-Reply-To: <199411170043.QAA04438@comsec.com> Message-ID: <9411191104.AA12123@toad.com> > "RC4" as used herein, is used to identify an apparently reverse-engineered > algorithm recently posted to sci.crypt that claimed it was compatible with > the RC4 sold by RSA Data Security, Inc. (RSADSI) and/or Public Key Partners > (PKP). Although the reaction of RSADSI and the press indicates that the two > algorithms are the same, I could have missed something. I suggest that someone apply for expedited export permission for some small piece of software that uses the "apparent reverse-engineered RC4". Tell them that you want to export crypto software containing RC4 on the 7-day plan. The State Department will send you a set of test-vectors which you can use to prove that you're really using the real RC4. If you pass, and are given export permission, then I guess the rev-eng version is the real thing. Be sure your keys are 40 bits or less (only for purposes of the test export; I don't recommend short keys for any other purpose). Full bureaucratic details are at ftp://ftp.cygnus.com/pub/export/cjr.kit. Search for "test vector". This info is also reachable from my Web page on crypto export, http://www.cygnus.com/~gnu/export.html. Please email me a full copy of any CJ that you submit, so I can add it to the Web page (along with the eventual response from the gov't). 
John Gilmore From merriman at metronet.com Sat Nov 19 06:09:10 1994 From: merriman at metronet.com (David K. Merriman) Date: Sat, 19 Nov 94 06:09:10 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411191409.AA09593@metronet.com> >>One last note: I read my mail on-line, interspersed with reading >>NetNews. Although I have Eudora, and of course use it, I don't use it >>for routine work (for one thing, it may take 20 minutes to download my >>mail, so I tend to use it when I'm heading out to do something else, >>or to go to sleep, etc.). So all the "solutions" that involve using >>Eudora are not my cup of tea. That's just the way it is. > >Twenty minutes for your mail? How fast a modem do you use? That, or how much email do you get? I can d/l the email I found this morning (17 messages, mostly this list) in under 2 minutes. > >Let's take that poll of what people use. I am curious. PC Eudora, Trumpet, the WS_* 'suite', Mosaic. Ran Chameleon for a while, but got tired of GPFs, hiccups, etc - finally concluded that it ate dirt, and scrammed it. Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman at metronet.com for PGP public key and fingerprint. PGP encrypted Email welcome and encouraged. War is Peace. Freedom is Slavery. Ignorance is Strength. No? From eric at remailer.net Sat Nov 19 06:41:45 1994 From: eric at remailer.net (Eric Hughes) Date: Sat, 19 Nov 94 06:41:45 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411191409.AA09593@metronet.com> Message-ID: <199411191440.GAA02289@largo.admate.com> >Let's take that poll of what people use. I am curious. PC Eudora, Trumpet, the WS_* 'suite', Mosaic. [...] OK, OK. Let's NOT take that poll over the mailing list! Kant's dictum certainly applies here; think about what would happen if everyone else did the same. Hint: there are over 600 addresses on the mailing list.
Eric From eric at remailer.net Sat Nov 19 07:41:36 1994 From: eric at remailer.net (Eric Hughes) Date: Sat, 19 Nov 94 07:41:36 PST Subject: Transaction costs in email system In-Reply-To: <199411190719.XAA08956@netcom3.netcom.com> Message-ID: <199411191540.HAA02336@largo.admate.com> From: tcmay at netcom.com (Timothy C. May) My point? Much wheel-spinning. Like trying to read Amanda's "X11" GIF, and then wondering if my Netcom disk quota was being sucked up by a hidden file somewhere! Or jumping through hoops to download a PGP-encrypted note to my home machine, decrypting it, only to find a "Like, wow, this PGP sure is neat! Like, rock on, dude!" message awaiting me! [...] There's got to be a better way. Tim's rant is one of the best illustrations of the effects of transaction costs I've seen recently. Tim's story perfectly illustrates the reason why the computer software industry doesn't move faster. TYLISUM -- Ten Years Later I Still Use Microsoft. The costs here are the of transaction of switching software systems. In order to understand exactly what the transaction cost is, we posit two worlds with respect to, say, email handling. World 1: The status quo. Adequate capability. Zero marginal benefit. This is the baseline we'll use to see if we can make an improvement. World 2: The amazing world of MIMEzine, the mail reader that sucks out your brain into the computer. A $500 value, but available to you at no charge from your friendly ftp site! Note that there is no monetary exchange in either of these worlds. I want to make it perfectly clear that transaction costs are usually non-monetary, even though they are, in a strict sense, paid. In standard bad old economic analysis, the mail reader is a good (i.e. worth something) that is available for no cost, and so clearly would be used by everybody, because it's in everybody's best interest to do so. As Coase pointed out, not so fast. 
In order to accurately assess the economic effect of this transaction, you have to look at the whole thing, from start to finish. Here is a not so outlandish sequence. Some of the following costs can be shared between multiple transactions, some can't. 1. Which friendly ftp site has MIMEzine? Make an archie query. Cost: time to make an archie query 2. How do I use archie? Find out by reading the documentation. Cost: time to read documentation and figure out how you'd actually use it. 3. How can I possibly find out what ftp site has the file? Have someone tell you Use archie. Cost: time to ask your computer friends, which you've spent a long time cultivating. [See note below on this topic.] Alternate Cost: $25-$40 for one of those internet books. 4. Download MIMEzine using ftp. Cost: see above for archie, and analogize. 5. Compile MIMEzine for Unix. (Binary distributions need not apply.) Cost: Ever ported? 6. Learn how to use MIMEzine. Cost: time to read manual. time to correct screwups created by inadvertent use of your previous mailreader's keyboard bindings. time spent hunting for instruction on how to set up "proactive filter mocking", which you just have to use. 7. Customize MIMEzine for your own environment. Cost: time to learn what all the little configuration options do. time to choose a place in the directory structure. time to twiddle until you've got it just right. 8. With probability p=3/4, decide that you absolutely can't stand MIMEzine because of some braindead misfeature that makes you less productive or because it's not really compatible with everything else you're using. Cost: multiply all the preceding costs by 4=1/(1-p) to reflect that you keep trying packages until you find one you like. In my own experience, I think a multiplier of 4 is on the low side. 9. The benefits of using MIMEzine! Benefit: Savings of an hour or so a week handling your email. Increased ability to handle content types you're not really interested in.
Transaction costs are _all_ of the costs above, since, of course, the package is free, or rather, free(?). To summarize: World 1: The status quo. Often acceptable. World 2: The new technology. Frequently an extreme time sink for what you get out of it, even if it's free software. Is it any wonder that software progresses slowly? A note on friendship networks. The need to have a network of friends that you use to find out about computer stuff is an indicator of serious lack of scalability in the technical and social design of computer systems. Not everyone has time to cultivate a techie network, and most people don't. This indicator is both a design criterion and a test. One should design software so that it can be used without needing to ask questions, and one can gauge success in this by seeing the number of questions that are actually asked. There is much more to be said about categorization of transaction costs and what can be done to alleviate them. Later. Eric From snyderra at dunx1.ocs.drexel.edu Sat Nov 19 08:16:16 1994 From: snyderra at dunx1.ocs.drexel.edu (Bob Snyder) Date: Sat, 19 Nov 94 08:16:16 PST Subject: pointers to IETF drafts Message-ID: At 4:20 PM 11/18/94, Perry E. Metzger wrote: >The standard thing in these cases is to say "There are some neat RFC >drafts on security in ftp://hostname/names; you might be interested." At which time someone will go "Gee, what are they about?" The announcement, in my opinion, *is* a pointer. What would be unacceptable is the posting of said document with a note saying "Here's something I thought everyone should read" >I have already gotten three other copies of each of the three messages >associated with Ran's new IPng drafts because every security mailing >list on earth seems to operate on the "just forward everything" >premise. More aren't needed. Were they relevant to each of the lists? I feel they are relevant to this list. You're the one on multiple security lists.
Surely it falls on you to cope, not for the list to cope around you. Bob -- Bob Snyder N2KGO MIME, PGP, RIPEM mail accepted snyderra at post.drexel.edu PGP & RIPEM keys on key servers When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl. From eric at remailer.net Sat Nov 19 08:24:19 1994 From: eric at remailer.net (Eric Hughes) Date: Sat, 19 Nov 94 08:24:19 PST Subject: Islands in the Net In-Reply-To: <199411190638.WAA05397@netcom3.netcom.com> Message-ID: <199411191622.IAA02376@largo.admate.com> From: tcmay at netcom.com (Timothy C. May) For example, I tend toward Amanda's point of view, that credit cards "quack like a duck." I don't think I can stress the following enough, but understanding the following principle is necessary (not convenient, or helpful, or replaceable) to understand how payment systems work: ** The most important thing about a transaction system is not how it ** works when a transaction succeeds, but what happens when it fails. Failure properties are more important than financial properties. The expectations about float, rates of interest, time to clear and settle, etc. are all meaningless if the failure properties don't create a robust system. Anyone at all can design a transaction system which works for successful transactions, but designing for failure is enormously and surprisingly difficult. For example, here's a transaction system that works only when there are no failures. Everyone memorizes the amount of money they have. When two people do a transaction, one person increases their money by the same amount that another person decreases theirs. Now obviously this system doesn't work. But the reason it doesn't work is because of failures -- increasing balances between transactions the obvious one. Note that if all the implicit constraints are met the naive system above does actually work. Let me be blunt. Most transaction systems people run by me show the same naivete as those who design ciphers for the first time.
These naive systems just won't work, and those that propose them just haven't thought through the issues, and usually have been ignorantly unaware that there are any. "Why can't you just ..." is, unfortunately, most often said in mock ignorance rather than humility. I should note, though, that almost all these systems _do_ work reasonably well under simple failures. That means that they could be deployed, but that they won't scale to many users. Thus while they might be suitable for a club like the hypothetical Hacker Privacy League (which cypherpunks is _not_), they aren't suitable for universal use. As a primer and milestone, I'll make the bald assertion that bankruptcy of the financial institution is one of the most important failure modes to consider. The argument that this almost never happens is made only by those who haven't estimated the cost of this failure more. Once you have a good appreciation about bankruptcy and payment systems, you'll be well on your way to having the mental framework necessary for dealing with the issues. I don't intend to lecture on this list about these issues. These are extremely arcane yet important details, and I hope to derive part of my livelihood from them. When I make a purchase with my credit card, and the thing clears, both the merchant and I act as if we've just exchanged money. To take this particular example, what happens if it doesn't clear? Is this different than, say, with a check or with cash? Anyway, there are many forms of "money," with many things that make the forms "money-like." A "means of payment" is only one of the functions of "money". It is useful to keep this clear. Eric From snyderra at dunx1.ocs.drexel.edu Sat Nov 19 08:45:39 1994 From: snyderra at dunx1.ocs.drexel.edu (Bob Snyder) Date: Sat, 19 Nov 94 08:45:39 PST Subject: working group draft announcements Message-ID: At 6:32 PM 11/18/94, L.
McCarthy wrote: >Speaking of which, can anyone explain why my usually-MIME-compliant mail >reader (ELM 2.4 PL22) pukes on the fancy parts of all these draft >announcements ? Personally, I find MIMEd messages very annoying because I'm >forced to hit RETURN (not just "any key") several extra times for each >message. {Luckily, it's clear that I'd never have time to read any of these, >so they get tossed in the bit bucket almost immediately.} I would suspect because your copy of metamail, which elm's MIME handling requires, isn't configured correctly. It works fine for me in elm, and in Eudora. If you don't like the way elm calls out to metamail, you can set the NOMETAMAIL environmental variable (under csh, "setenv NOMETAMAIL"), and elm will show the messages without calling metamail (which means you lose MIME capabilities, but if that's what you want....) The optimal answer is a better MIME reader, but...... Bob -- Bob Snyder N2KGO MIME, PGP, RIPEM mail accepted snyderra at post.drexel.edu PGP & RIPEM keys on key servers When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl. From snyderra at dunx1.ocs.drexel.edu Sat Nov 19 08:45:44 1994 From: snyderra at dunx1.ocs.drexel.edu (Bob Snyder) Date: Sat, 19 Nov 94 08:45:44 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: At 7:49 PM 11/18/94, Timothy C. May wrote: >I suppose some messages make use of it, as Eric Blossom's just did (in >allowing retrieval of more stuff, somehow), but a lot of the >"offending" messages just seem to be non-ASCII for the hell of it. I presume you mean quoted-printable mail messages. Some mail readers do do this inappropriately, and some do it for reasons that may not seem appropriate (like an initial line consisting of "From", to try and keep the message content unmolested by Mail Transport agents. >Like Lewis, I find myself to easily delete the message and move on. 
>(I'm debating just deleting the messages, which are marked "M" for >Mime, before even starting to read them.) > >Personally, I like simple ASCII. No fancy fonts, no embedded graphics, >no Quicktime movies I have to watch, etc. Use the "setenv NOMETAMAIL" I mentioned earlier. I thought you used Mac Eudora, though. That, at least in relatively recent versions, is very MIME intelligent. It changes the announcements into an Anarchie document and a Eudora email message document to retrieve it by email. Bob -- Bob Snyder N2KGO MIME, PGP, RIPEM mail accepted snyderra at post.drexel.edu PGP & RIPEM keys on key servers When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl. From perry at imsi.com Sat Nov 19 08:46:28 1994 From: perry at imsi.com (Perry E. Metzger) Date: Sat, 19 Nov 94 08:46:28 PST Subject: I-D ACTION:draft-atkinson-ipng-auth-00.txt In-Reply-To: <199411182152.QAA08885@dunx1.ocs.drexel.edu> Message-ID: <9411191646.AA14092@snark.imsi.com> Bob Snyder says: > How would a note about the drafts being pending and the posting of the > announcement be significantly different? Getting one message instead of three (one for each of the pending drafts) would be an excellent start. Perry From pfarrell at netcom.com Sat Nov 19 08:52:38 1994 From: pfarrell at netcom.com (Pat Farrell) Date: Sat, 19 Nov 94 08:52:38 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <42504.pfarrell@netcom.com> Zero crypto content.... tcmay at netcom.com (Timothy C. May) writes: > We are getting bogged down in banal details and platform > idiosyncrasies. Dozens of platforms, dozens of flavors of Unix and > other operating systems, half a dozen major display options (as noted > above), lots of image formats (at least that's relatively > standardized, to GIF, PICT, JPEG, etc....and yet many people spend > _days_ trying to convert, download, uncompress, read, display, etc.) > > There's got to be a better way. The better way is the spontaneous order that markets generate.
We are too early in the cycle to have figured out that having a standard 2 by 4 is better than cutting boards to custom sizes for each job. But some of this is self inflicted by the folks on this list, and other serious netheads. The vast majority of the world's populations would have no idea what Tim is ranting about. The last figure I saw had the percentage of home computers in the US with modems at 14%, but only 4% had accounts at a service provider of any type. The folks on this list are on the leading edge, and are exposed to more of the leading edge, failure prone experiments. MIME's encryption of ASCII so it is unreadable is just an example of a false start. Tim's approach to SLIP/PPP is the solution to the rest of his problems -- wait until there is a compelling reason to change. Let the academics with time on their hands invent possible standards with incremental improvements at the cost of incompatibility. Eventually the tiller will be replaced with a steering wheel, and the brakes and accelerator controls will be two or three pedals. Contrary to Tim's claim, ASCII is not the ideal way to read information. Fixed font, 78 character lines are hard to read. There is a reason that books are printed using proportional type on lines only two and a half alphabets wide -- it is easier for our eyes to read and our brains to comprehend. But studying typography is like studying cryptography, something that takes time and effort and concentration. Interestingly, the net is a fairly weak place to learn typography, as it is impossible to see what is meant by "color" of a page of text unless it is properly typeset, which requires the fonts, kerning, leading, etc... so get a book :-) Pat Pat Farrell Grad Student pfarrell at cs.gmu.edu Department of Computer Science George Mason University, Fairfax, VA Public key available via finger #include From perry at imsi.com Sat Nov 19 09:01:14 1994 From: perry at imsi.com (Perry E.
Metzger) Date: Sat, 19 Nov 94 09:01:14 PST Subject: No Subject In-Reply-To: <199411190223.VAA24500@bsu-cs.bsu.edu> Message-ID: <9411191701.AA14117@snark.imsi.com> What tells me that a certain old friend of ours is back? .pm Anonymous says: > > > I have one more comment. > > Earlier, I wrote: > > > Critias_the_conspirator is of course another new pseudonym. > > > >From time to time this Critias will comment on financial > > privacy. > > Hear the words of Critias_the_conspirator: > > Put your money in ``Greek'' banks. The tentacles are everywhere. > > Critias_the_conspirator > > > > From perry at imsi.com Sat Nov 19 09:29:11 1994 From: perry at imsi.com (Perry E. Metzger) Date: Sat, 19 Nov 94 09:29:11 PST Subject: Islands in the Net In-Reply-To: <199411190624.WAA01721@largo.admate.com> Message-ID: <9411191729.AA14159@snark.imsi.com> Eric Hughes says: > Negotiable means something else entirely. A negotiable instrument is > an instrument that can be transferred with certain protections over > and above the transfer of a normal contractual obligations. The > requisites for negotiability are, basically, those that make the > instrument suitable for sale in a secondary market. The instrument > must be in writing (not oral). It must be signed. It must contain an > unconditional promise or an order for a particular sum of money and > must contain to other promises, orders, etc. It must be payable to > order or to bearer. The exact details may be found in your standard > commercial paper review guide. It must be for a sum certain in money, payable on a date certain. It must state the place and person (note -- not necessarily a natural person) to whom the money must be delivered. Typical notes contain other conditions, but those are the keys. Checks, promissory notes, bank notes (which most of us have never seen in our lifetimes) and many other similar instruments are all considered "commercial paper" and are similar in form.
(Checks are interesting in so far as they are an order to the bank to pay at its premises to the named party, whereas many notes state that the signatory must pay to the holder at his premises on a particular time and place. However, such subtleties aren't particularly important for our purposes.) The fascinating thing about the rules for commercial paper, by the way, is that they come from the Law Merchant, which was developed at medieval trade fairs in merchant courts that had no connection with any government entity and no overt powers of enforcement... Perry From tcmay at netcom.com Sat Nov 19 09:49:02 1994 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 19 Nov 94 09:49:02 PST Subject: How to Mail a Letter Message-ID: <199411191749.JAA22941@netcom8.netcom.com> Well, with the many helpful comments here by fellow Cypherpunks, I've begun to explore how to use the new Postal Service system. I really must say that Al Gore's Reinventing Government Task Farce has outdone itself. The new "PowerVisualMail" system is much more powerful than the old "seal the envelope, put a stamp on it, and mail it" approach. But I'm having some problems in the conversion. Perhaps some of you can help. I did the Archie search and found the Installer script at ftp.gore.gov, fetched it, used MIME_Decode on it, checked the PGP sig to make sure no one had tampered with Tipper's code, then installed it as a client on my Mac (which I bought AUX for, to run this client). After reconfiguring metamail and setting the NOMETAMAIL environmental variable (under csh, "setenv NOMETAMAIL") to the AUX agent symbol, I was able to recompile PowerVisualMail to (sort of) run on my system. I found the new O'Reilly and Associates book, "How to Mail a Letter with PowerVisualMail," to be very helpful, especially Chapter 17. I hope to spend the next couple of days ironing out the bugs and getting my mail client to properly communicate with the PowerVisualMail agent. But it'll all be worth it! 
This will all be so much easier than licking stamps and sending those b-o-r-i-n-g paper letters. Of course, now I've got to teach my father how to decode my PowerVisualMail letters...and he doesn't even have a computer yet! I've told him that PowerVisualMail just runs too slowly on 486 machines, so I'm hoping he gets a 90 MHz Pentium. And the phone company seems stuck in the Dark Ages, completely unwilling to accept my PowerVisualMail items! I guess they're just late getting on the Information Superhighway. Well, sorry I'll be missing today's Cypherpunks meeting in Mountain View....I'm busy making my life easier. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From tcmay at netcom.com Sat Nov 19 10:40:22 1994 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 19 Nov 94 10:40:22 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <42504.pfarrell@netcom.com> Message-ID: <199411191840.KAA29626@netcom8.netcom.com> Pat Farrell wrote: > Tim's approach to SLIP/PPP is the solution to the rest of his problems -- > wait until there is a compelling reason to change. Let the academics > with time on their hands invent possible standards with incremental > improvements at the cost of incompatibility. Eventually the tiller > will be replaced with a steering wheel, and the brakes and accelerator > controls will be two or three pedals. Well said! The "bleeding edge" is consuming vast amounts of resources. In my opinion, in this particular area, with little to show for it. 
> Contrary to Tim's claim, ASCII is not the ideal way to read information. > Fixed font, 78 character lines are hard to read. There is a reason that I wasn't arguing that typeset, well-designed books are not easier on the eyes. I was arguing that the efforts to produce some facsimile of these typeset books in mail and News messages is a disaster. Line length overruns, weird formats, etc. (Since I'm on a roll with my ranting, let me rant about the explosion of > 80 character width messages we're seeing. People have large text windows, apparently, probably loaded with Hiroshige or Stone Serif or whatever proportional font they like. Then they dump this into the 80 character world and, voila!, garbage. Netcom's new "Mosaic Lookalike" does not even have an easy way to set the column width, unbelievably enough! Hence the proliferation of NetCruiser ugly posts.) > books are printed using proportional type on lines only two and a half > alphabets wide -- it is easier for our eyes to read and our brains to > comprehend. But studying typography is like studying cryptography, Oh, I'll go along with this. After all, this is partly why the terminal standard is about 80 columns (there may be some FORTRAN and CRT technology of the 1970s reasons as well). My last, hopefully, word on this subject is that Arthur C. Clarke wrote a short story about this whole matter. "Superiority." It was regularly used in a class at MIT as an illustration of the dangers of constantly being on the bleeding edge (before that term was invented) and of becoming obsessive about having the absolute latest technology. Eric's analysis in terms of Coase-type "transaction costs" is another way to look at this. I shouldn't have to buy a shelf full of O'Reilly and Associates books to do what I used to be able to do easily. (Indeed, some people _love_ to buy such O'Reilly books. And some of these books are indeed wonderful, teaching people how to do things they couldn't have done before. 
Perl and remailers, for example. Different strokes.) I really do feel we're on the edge of chaos here. Every day that passes I get more junk mail, more MIME mail, more > 80 column mail, etc. Yes, the solution is for me to either filter this junk out or to jump out to the bleeding edge myself. But many people won't. We risk losing our lingua franca in a transition to chaos. Complexity can be its own punishment. By not making having e-mail easy enough to use, and by not having direct dial e-mail, most of the business community adopted the much-inferior fax machine in the 1980s. Much inferior in ways that are obvious, but also much more "understandable." (You load your paper in the tray, dial the number of your party, and it is done. No O'Reilly books need be read.) John McCarthy wrote a great piece several years back on why and how e-mail failed and fax machines won. E-mail is now making a serious comeback, but may again stumble if ordinary users have to read books on how to create PowerVisualMail clients and configure their SETENV and CHARSET parameters! --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From cyber1 at io.org Sat Nov 19 11:08:00 1994 From: cyber1 at io.org (Cyber City) Date: Sat, 19 Nov 94 11:08:00 PST Subject: tips Message-ID: <199411191907.OAA03802@nudge.io.org> :Request-Remailing-To: snitch at atf.bogus.gov -----BEGIN PGP SIGNED MESSAGE----- Dear ATF, Here is a list of Cypherpunks members who have admitted to me that they did not turn in their assault rifles. 
Please execute search warrants and send me my anonymous digital reward. - -----BEGIN PGP MESSAGE----- Version: 2.6 - -----END PGP MESSAGE----- -----BEGIN PGP SIGNATURE----- Version: 2.6 -----END PGP SIGNATURE----- From prz at acm.org Sat Nov 19 11:22:16 1994 From: prz at acm.org (Philip Zimmermann) Date: Sat, 19 Nov 94 11:22:16 PST Subject: UPS sorters love PGP Message-ID: I was just sorting through my backlog of paper mail after returning from a 3-week trip. I found an envelope sent to me via United Parcel Service from George Washington University. Addressed to Philip Zimmermann, Boulder Software Engineering, at my address. On the back of the outside of the envelope was a scrawled note, "UPS sorters love PGP". :-) From bdolan at well.sf.ca.us Sat Nov 19 11:55:19 1994 From: bdolan at well.sf.ca.us (Brad Dolan) Date: Sat, 19 Nov 94 11:55:19 PST Subject: currency strips "salted" for neutron activation analysis? Message-ID: <199411191955.LAA28746@well.sf.ca.us> Re. detectability of the funny plastic threads in recent U.S. currency issues: I think it would be interesting to try neutron activation analysis on currency. To do this, you would bombard the currency with neutrons and then look at the activated gamma spectrum to see how much of what odd trace materials might be present. I don't have any specific knowledge that the threads are "salted" for easy identification but this technique would work very nicely and has been used elsewhere. I used to have ready access to a californium source but don't any longer. Anybody else out there want to give this a try? Brad D.
From shamrock at netcom.com Sat Nov 19 11:55:43 1994 From: shamrock at netcom.com (Lucky Green) Date: Sat, 19 Nov 94 11:55:43 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411191955.LAA20292@netcom12.netcom.com> Tim wrote: >I really do feel we're on the edge of chaos here. Every day that >passes I get more junk mail, more MIME mail, more > 80 column mail, >etc. Yes, the solution is for me to either filter this junk out >or to jump out to the bleeding edge myself. Re-reading the above paragraph, you know that in the long term there is only one answer. >But many people won't. We risk losing our lingua franca in a >transition to chaos. There are a lot of new tools out there. Some will survive the test of time, others won't. But if anything, there is less chaos today than there was two years ago. Two years ago, nobody used URLs. They typically described the location of a file as such: "You can get the file at ftp foo.bar.com, its in the pub/mac directory, I think it's called wonder.sit." So you hit ^Z to get out of tin, type ncftp, type all the stuff above, hope it is right - it probably isn't - find the file, get it, type "quit", type sz wonder.sit, get up to fetch a cup of coffee instead of just sitting there and staring at the screen while the file is being transferred to your machine, drink the coffee, ten minutes later you type "fg". Back to tin. Neato, isn't it? Today, most posters on USENET have learned to use URLs and it has become easier to do so, because more and more programs support them. This is how the above exchange works today: I read my news with Newswatcher. Someone mentions the new hot piece of software at ftp://foo.bar.com/pub/mac/wonder.sit. I option-click anywhere on the URL. Newswatcher passes it to Anarchie for retrieval in the background. I read the next post. I say, burn all the VT52 terminals of this world to fuel the fire of progress. Toss the 2400 bps modems in there, too. 
I know that few folks will feel sad over the long overdue end of the ASCII era. I can, off the top of my head, name five friends with computers who, after seeing the VT100 display of a shell account, refused to have anything to do with the Internet. "You got be joking. I am not dealing with *this*." Now years later and after much evangelizing and MacWeb demonstrations, they are finally beginning to show interest. The dialog was always the same: "I won't have to do any work in one of those terminal windows, will I?" -- "I promise, you won't." -- "Good, because I hate this ASCII garbage." It typically takes me 1-2 hours to install and configure everything on their machines. Yes, it is true, I have spent many hundred hours obtaining the knowledge in the first place, but I am willing to share my knowledge with anyone who asks. As for my friends, they all have been very happy with their new tools. None of them has so far expressed any interest in the telnet client that I have included. Happy netting, -- Lucky Green PGP encrypted mail preferred. From RGRIFFITH at sfasu.edu Sat Nov 19 12:12:58 1994 From: RGRIFFITH at sfasu.edu (RGRIFFITH at sfasu.edu) Date: Sat, 19 Nov 94 12:12:58 PST Subject: Cash Message-ID: <01HJNZY0ZVGY0007QI@TITAN.SFASU.EDU> > According to Treasury figures as of Mar 31, 1993, there were still 335 $10,000 bills out, 345 $5,000 ones, and 169,645 $1,000 bills (counting FRN only). >I thought all the $10,000 had been accounted for. Are there really some >left running around? Any idea how much one is worth? Last time I heard >of a $1000 going to auction, it sold in excess of $7000. >-- >America - a country so rich and so strong we can reward the lazy > and punish the productive and still survive (so far) > >Don Melvin storm at ssnet.com finger for PGP key. > From nobody at jpunix.com Sat Nov 19 12:20:29 1994 From: nobody at jpunix.com (Anonymous) Date: Sat, 19 Nov 94 12:20:29 PST Subject: SPOOF SENDERS? 
Message-ID: <199411192018.OAA08310@jpunix.com> >More remailers (maybe one that 'spoofs' real identities to hide the fact that it is a remailer?) with transparent PGP (download the whole keyring to the Great idea, at least on the face of it. Those in charge have a history of assuming that if you want privacy and low profile then you must have something to hide. If I use remailers to obtain privacy / low profile, why would I want to use a remailer that advertises itself as such? Rather, I'd prefer a nice little quiet one so my messages would blend in with all the rest of the usenet junk. I hate the five lines of disclaimers. I'd pay for my remailing if I could (and will when the feature becomes available), but I'd take my business to the discreet firm of _Chaemeleon Remailers S.A._ - not to all the _Remailers 'R' Us_ that advertise their business in neon on top of my messages. From amanda at intercon.com Sat Nov 19 12:29:29 1994 From: amanda at intercon.com (Amanda Walker) Date: Sat, 19 Nov 94 12:29:29 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411192018.PAA28766@intercon.com> > [...] ELM bombs [...] Well, aside from the fact that I was being intentionally annoying (you will note that I do not normally include my GIF signature in my messages), I will say that the bugs in your mailer are not entirely my concern. MIME is a standard for email on the Internet. If your mailer chokes on it, you can always get another mailer. Pine is good, from what I've heard, and handles MIME just fine. It's just as free as ELM... Amanda Walker InterCon Systems Corporation From mpd at netcom.com Sat Nov 19 13:01:27 1994 From: mpd at netcom.com (Mike Duvos) Date: Sat, 19 Nov 94 13:01:27 PST Subject: currency strips "salted" for neutron activation analysis? In-Reply-To: <199411191955.LAA28746@well.sf.ca.us> Message-ID: <199411192101.NAA13332@netcom4.netcom.com> Brad Dolan writes: > I think it would be interesting to try neutron activation > analysis on currency. 
To do this, you would bombard the > currency with neutrons and then look at the activated gamma > spectrum to see how much of what odd trace materials might > be present. There are very sophisticated NAA scanners for luggage which can detect minute amounts of explosives. Despite prodding by the Feds, airlines have balked at forking over the hundreds of millions of dollars that would be required to install them at all airports. > I don't have any specific knowledge that the threads are > "salted" for easy identification but this technique would > work very nicely and has been used elsewhere. While the technique works nicely on baggage, I think there would be some resistance to "neutron activation" of passengers. :) That is why I said in my last message that I knew of no method of remotely detecting currency carried by persons which was both inexpensive and posed no health risks. All RF techniques can be pretty easily defeated and NAA is not acceptable for use on living creatures. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From lmccarth at ducie.cs.umass.edu Sat Nov 19 13:08:51 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Sat, 19 Nov 94 13:08:51 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411192018.PAA28766@intercon.com> Message-ID: <199411192109.QAA04661@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- I promised myself I wouldn't send any more mail to the list about this, but I'm veering back into a more general discussion of software standards. And yes, this is getting my goat. Amanda Walker writes: > I will say that the bugs in your mailer are not entirely my concern. I readily agree that the parts where ELM traps me in a sequence of RETURN prompts are entirely my problem (or more properly, the ELM author{'s, s'} problem). I didn't blame anyone for them. > MIME is a standard for email on the Internet. If your mailer chokes on it, > you can always get another mailer. 
Maybe I should quote myself here. I wrote: $ Speaking of which, can anyone explain why my usually-MIME-compliant mail $ reader (ELM 2.4 PL22) pukes on the fancy parts of all these draft $ announcements ? Emphasis on "usually-MIME-compliant". Most of the MIME mail I've ever received has been processed correctly. But certain objects like this .gif you sent are another story. I've never been a subscriber to alt.binaries.pictures.* and I only know we have a .gif viewer around here because they digitized pictures of everyone in the dept. Now you're expecting me to hunt around for viewers for .gifs and TIFFS and JPEGs and God knows what else you might want to send me ? It's a nontrivial AI task to expect my poor mailer to track down this arbitrarily large set of utilities, and a distinctly aggravating human task to attempt the same. ELM appears to be telling me, "this doesn't fit any of the 937 cases with which I'm familiar, so I don't know what to do", which seems pretty reasonable to me. .GIF is not part of the standard for the format of Internet email, is it ? > Pine is good, from what I've heard, > and handles MIME just fine. It's just as free as ELM... I only switched to ELM a few months ago. I guess I'm actually getting pretty comfortable with using it, which means it's time to ditch it. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 -----END PGP SIGNATURE----- From adam.philipp at ties.org Sat Nov 19 13:11:13 1994 From: adam.philipp at ties.org (Adam Philipp) Date: Sat, 19 Nov 94 13:11:13 PST Subject: usenet-to-mail Message-ID: >"Robert A. Hayden" wrote: >>More importantly, are there are usenet-to-mail gateways? > >Would there be any benefit to doing this at all over the present system? 
>Why would someone submit a message to the remailer "bramble" via newsgroup >instead of just mailing it? Unless you find an anonymous way to post to >the newsgroup in the first place, your security seems to be seriously >compromised. Even if everything is encrypted, you've made traffic analysis >a huge amount easier. And if you are finding a way to post the a newsgroup >anonymously in the first place, odds are you have some other entry point to >the remailer bramble, so why make a stop on the newsgroup opening yourself >up to traffic analysis? > >Now that I think about it, it seems that there isn't really any reason for >such a thing. > Also one very bad reason NOT to do this. Posting to a newsgroup would remove any ECPA protection that your e-mail may have had. Sure, it isn't much, but at least proven interception could discourage traffic analysis. Proving it is left as an exercise for the student. Adam -- PGP Key available on the keyservers. Encrypted E-mail welcome. Sub rosa: Confidential, secret, not for publication. -Black's Law Dictionary From pfarrell at netcom.com Sat Nov 19 13:17:49 1994 From: pfarrell at netcom.com (Pat Farrell) Date: Sat, 19 Nov 94 13:17:49 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <58413.pfarrell@netcom.com> tcmay at netcom.com (Timothy C. May) writes: > Oh, I'll go along with this. After all, this is partly why the terminal > standard is about 80 columns (there may be some FORTRAN and CRT > technology of the 1970s reasons as well). Revisionist history! CRT's were 80 columns because Hollerith cards were 80 columns. They had been that size since the late 1800s. 70s compilers for Fortran and Cobol used the columns. Cobol had A and B margins, Fortran had sequence numbers in columns 1 thru 6, and the continuation column in 7. The compilers weren't changed just because of a new fangled I/O device. In the good old days, there were only two I/O sizes that counted, 80 and 132. 
Pat Pat Farrell Grad Student pfarrell at cs.gmu.edu Department of Computer Science George Mason University, Fairfax, VA Public key available via finger #include From an234 at vox.xs4all.nl Sat Nov 19 13:56:26 1994 From: an234 at vox.xs4all.nl (an234 at vox.xs4all.nl) Date: Sat, 19 Nov 94 13:56:26 PST Subject: Critias Unmasked Message-ID: <199411192156.AA05587@xs1.xs4all.nl> -----BEGIN PGP SIGNED MESSAGE----- On Fri, 18 Nov 1994, Timothy C. May wrote: >Before the (unsigned) reputation of Critias_the_conspirator is tossed >about further, I was the author of the "anonymous" version. > >(No, I can't prove this, either, but such is life.) > >I wanted to remind folks of just how easy such unsigned reps can be >"used" by others. (No, I don't sign my own messages, due to hassles >with uploading signed messages to my Internet host, but I also rarely >use digital pseudonyms.) Which is why, in spite of the same sort of hassle that Tim mentioned, I make it a point to sign everything I post to the list. I regard the minor annoyance to be a necessary part of legitimizing this new nym -- for what it provides and especially for what it prevents. N. Cognito =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= N. Cognito "Don't put no constrictions on da people. an234 at vox.xs4all.nl Leave 'em ta hell alone." -- J. 
Durante =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= public key available via keyserver -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From shamrock at netcom.com Sat Nov 19 15:42:13 1994 From: shamrock at netcom.com (Lucky Green) Date: Sat, 19 Nov 94 15:42:13 PST Subject: I Like ASCII, not MIME and Other Fancy Crap Message-ID: <199411192342.PAA06974@netcom13.netcom.com> >> As for solutions, the only solutions there are and ever will be involve you >> getting off that terminal server. The evolution of the Internet will make >> ASCII terminals obsolete. If it hasn't already done so. >> >> Let's take that poll of what people use. I am curious. > >All right, you asked for it. :-) [Long list deleted. Wow! But notice, he _is_ getting the stuff off the terminal server.] >My best experience with PGP is using perl scripts integrated with elm >(thus a preference for using linux for mail). However it doesn't handle >MIME right. Pine seems to handle MIME, but I haven't figured out how to >add PGP support. There is a Pine with PGP support out there. I don't use mail on UNIX, so I don't have it handy, but I am sure someone else on the list will tell you all about it. >I have yet to play with the PGP Applescripts for Eudora. They're >sitting on my Mac's disk waiting for me to try them. Same here. I have just been too busy helping people get a better net connection. >I'd be curious to hear your comments/suggestions. How about someone makes up a fill out form that we then send in for analysis? That's how we did it two years ago. >> P.S. If anybody here on the list wants to know how to turn their regular >> shell account into a SLIP account, email me for info or read >> alt.dcom.slip-emulators. 
Please don't ask about it on the list. > >Is this TIA on the Mac? I haven't tried that yet. I've tried term in >linux, which sounds similar, and it didn't work. And for the moment, I >do have means to get a SLIP connection. If you have a SLIP connection, then use that. Yes, it is TIA, but not on the Mac. TIA runs on the UNIX host only. Your Mac/PC/Whatever just uses standard SLIP software and doesn't have the slightest clue that the other end isn't _really_ a SLIP server. Unlike term, where you have to recompile the software on the client to work with it. But please, let's keep the SLIP discussion off the list. Anyone who is interested please email me for more info. Happy netting, -- Lucky Green PGP encrypted mail preferred. From mbartley at netcom.com Sat Nov 19 16:41:00 1994 From: mbartley at netcom.com (Matt Bartley) Date: Sat, 19 Nov 94 16:41:00 PST Subject: sorry Message-ID: <199411200040.AA26969@nebula.acs.uci.edu> Sorry about my last posting everyone. I must have missed a cc: header; I didn't intend to send it to the list. From werner at mc.ab.com Sat Nov 19 18:06:30 1994 From: werner at mc.ab.com (tim werner) Date: Sat, 19 Nov 94 18:06:30 PST Subject: usenet-to-mail Message-ID: <199411200206.VAA24081@sparcserver.mc.ab.com> [I accidentally sent this to owner-cypherpunks before. Sorry if it shows up again later. tw] >Date: Sat, 19 Nov 1994 01:51:05 -0500 >From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) > >"Robert A. Hayden" wrote: >>More importantly, are there are usenet-to-mail gateways? > >My first impression was that that was just a joke. Then I thought it might >be a very good idea after all. Then I thought it surely wasn't a joke, but >also wasn't a very good idea. Now I'm not sure. :) I was thinking that Robert meant something like getting a usenet feed via mail. Speaking of which, are there any sort of "public", or "free" NNTP servers? Or even "cheep"? Even just read-only? 
I'm afraid of losing my full feed along with my account when I finish my masters. I don't want to go for a PhD just so I can keep browsing the alt groups. tw From hfinney at shell.portal.com Sat Nov 19 18:21:48 1994 From: hfinney at shell.portal.com (Hal) Date: Sat, 19 Nov 94 18:21:48 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411192342.PAA06974@netcom13.netcom.com> Message-ID: <199411200221.SAA07318@jobe.shell.portal.com> Another thing to keep in mind is that, probably, two years from now a considerable majority of people on the net will be people who aren't using it yet. They won't have twenty years of experience with ASCII and Unix and /bin/mail, etc. As Lucky Green says, they will get going with Mosaic or derivatives and never leave it. They will use Internet in a Box (or an equivalent from AOL or Microsoft) and get set up and running easily. They won't have to use Archie to find a JPEG or GIF viewer, it will be built in. Most of them will use a PC running Windows 95, a few will use Macs. That will be the net in two years, IMO. We should be ready for that world and working to keep it safe for privacy. As Phil Z. said in the PGP docs, "skate to where the puck will be." We need to look forward, not look back to the good old days. Hal From shamrock at netcom.com Sat Nov 19 18:36:14 1994 From: shamrock at netcom.com (Lucky Green) Date: Sat, 19 Nov 94 18:36:14 PST Subject: usenet-to-mail Message-ID: <199411200236.SAA25895@netcom19.netcom.com> >Speaking of which, are there any sort of "public", or "free" NNTP >servers? Or even "cheep"? Even just read-only? I'm afraid of losing >my full feed along with my account when I finish my masters. I don't >want to go for a PhD just so I can keep browsing the alt groups. There are at least a dozen that are read-only. Finger lesikar at tigger.stcloud.msus.edu for the full list. There is exactly one that will let you post: newsserver.rrzn.uni-hannover.de However, it won't confirm your posts. 
Just hit cancel 30 seconds after you hit post. The message will be posted. Better yet, find a private service provider that will let you use their newsserver. How do you intend to access the newsserver without an account, anyway? -- Lucky Green PGP encrypted mail preferred. From crawford at scruznet.com Sat Nov 19 18:59:30 1994 From: crawford at scruznet.com (Michael D. Crawford) Date: Sat, 19 Nov 94 18:59:30 PST Subject: usenet-to-mail Message-ID: <199411200259.SAA24866@scruz.net> tim werner asks: >Speaking of which, are there any sort of "public", or "free" NNTP >servers? Or even "cheep"? Even just read-only? From The Mac Internet Tour Guide, by Michael Fraase, ISBN 1-56604-062-0, page 255: cc.usu.edu (read only) etl.go.jp (read/post) europa.eng.gtefsd.com (read only) fconvx.ncifcrf.gov (read only) gaia.ucs.orst.edu (read only) hermes.chpc.utexas.edu (read only) newshub.nosc.mil (!) (read only) There are many others, but this should get you started. Are these in a FAQ somewhere? (My first post to CypherPunks, BTW. Greetings.) Michael D. Crawford crawford at scruznet.com crawford at maxwell.ucsc.edu <- Finger me here for PGP Public Key From sandfort at crl.com Sat Nov 19 19:01:20 1994 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 19 Nov 94 19:01:20 PST Subject: NYC MEETING Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, We had the second monthly meeting of NYC area cypherpunks today. Eleven of us met at a Chinese restaurant near Times Square (up from eight, last month). In addition to good conversation, one of our number, Sal Denaro, graciously provided Cypherpunkish "party favors." Everyone in attendance was given a "Global Key" pre-paid telephone calling card good for five free minutes of long-distance calling anywhere in the US. Sal gave this cautionary advice about privacy. "If you want privacy, don't use the phone." 
He went on to tell us the sort of information that phone and calling card companies collect. So how do you maximize your calling card privacy? Sal says you should destroy your calling card when you finish with it. Better yet, memorize the card's ID code and destroy it *before* you use it. He has had LEA types bring in cards they had taken off suspects, and ask for a list of everyone who was called using that card. When they had proper legal authorization, he has had to comply. Sal wasn't very sanguine about my suggestion of physically mixing and redistributing cards at C'punk meetings. He said *he* would not want to use a card without knowing what it had been used for. I still think it's not a bad idea, but I see his point. (Good afternoon Mr. Sandfort. I'm Agent Johnson with the Secret Service and I'd like to ask you a few questions about a call you apparently made to the White House last month...) We covered other territory besides phone cards, but mostly it was an opportunity for local C'punks to get to meet each other in the flesh. Duncan will be making an announcement soon about next month's meeting. I hope to see some new as well as familiar faces then. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From greg at ideath.goldenbear.com Sat Nov 19 19:47:40 1994 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Sat, 19 Nov 94 19:47:40 PST Subject: SPOOF SENDERS? In-Reply-To: <199411192018.OAA08310@jpunix.com> Message-ID: <199411200346.AA21554@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- An anonymous author writes: > If I use remailers to obtain privacy / low profile, > why would I want to use a remailer that advertises itself as such? > Rather, I'd prefer a nice little quiet one so my messages would blend in > with all the rest of the usenet junk. > I hate the five lines of disclaimers. 
> I'd pay for my remailing if I could (and will when the feature becomes > available), but I'd take my business to the discreet firm of _Chaemeleon > Remailers S.A._ - not to all the _Remailers 'R' Us_ that advertise their > business in neon on top of my messages. Why not go to one of the commercial providers or Freenets and ask for an account under a pseudonym? I don't get the impression that Netcom cares what your account name is, and I imagine the other providers are too busy to play identity police. If they're feeling picky and you're feeling accommodating, tell them you want to pay for an account for a roommate/spouse/partner/adopted child who doesn't have a checkbook/VISA card. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 -----END PGP SIGNATURE----- From m00012 at KANGA.STCLOUD.MSUS.EDU Sat Nov 19 22:29:15 1994 From: m00012 at KANGA.STCLOUD.MSUS.EDU (m00012 at KANGA.STCLOUD.MSUS.EDU) Date: Sat, 19 Nov 94 22:29:15 PST Subject: Dogwash (sorry if this isn't the proper procedure... Message-ID: <00987B96.4C1B7B40.4411@KANGA.STCLOUD.MSUS.EDU> for posting announcements...but... ******************************** *Post-Preliminary Announcement:* ******************************** Inspiration: Dogwash was inspired by (some might say stolen from) Bruce Schneier's Blowfish. DogWash: A 128 bit block encryption algorithm/Feistel cipher, product encryption algorithm.... Rounds: The number of rounds can be defined at runtime. The range for the number of rounds is from 0 to 6140. The speed of the algorithm is correlated to the number of rounds used, with 16 rounds being reasonably fast. Keylength: The maximum keylength is determined by the number of rounds. For rounds=0, the maximum keylength is 16 bytes, or 128 bits. 
For rounds=6140, the maximum keylength is a ridiculous 49136 bytes, or 393088 bits long. For a standard 16 rounds, the maximum keylength is 144 bytes, or 1152 bits.

Subkeydata: 64k bytes of high entropy (7.95 bits/char) subkey data are included in a header file. The subkey data is mutated with the key, and the result is used for encryption/decryption. Note that the actual amount of subkey data used is a function of the number of rounds requested. The subkey data is not fixed and may be changed so long as your correspondent is using the same subkey data. (Note: subkey data is later mutated with the session key. I only point out that the subkey data may be changed for those who might want to do that, for whatever reason.)

Sourcecode: The program is written in c++. Currently, it requires a compiler that allows a 64 bit unsigned integer addition, %(1<<63). The use of destructors helps ensure that mutated subkey data is automatically destroyed after an encryption or decryption session. However, other risks exist, such as memory being swapped to disk, or the final programmer forgetting to protect his/her key. It should be very easy to convert it to standard C.

Description: A PostScript file containing block diagrams and a well written (well, probably better than this) description may become available within the next few months.

Security: I believe that DogWash is practically uncrackable, but I haven't the credentials to make such a pronouncement. (The only code I have cracked is the Sunday paper's Cryptogram.) But, unlike blowfish, this is not a fast encryption algorithm.

From adam.philipp at ties.org Sun Nov 20 00:32:30 1994
From: adam.philipp at ties.org (Adam Philipp)
Date: Sun, 20 Nov 94 00:32:30 PST
Subject: Crypto Chip in Eastern Europe
Message-ID:

Does anyone know any more details on the crypto chip listed in the HTML http://jep.pld.ttu.ee/? It seems that this is a hardware PGP (uses RSA to encrypt IDEA key) project.
They mention having prototype available RSN, as in December... or is this just some very interesting vapor-ware?

 Adam Philipp

--
PGP Key available on the keyservers. Encrypted E-mail welcome.

Sub rosa: Confidential, secret, not for publication.
 -Black's Law Dictionary

From tcmay at netcom.com Sun Nov 20 00:33:25 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Sun, 20 Nov 94 00:33:25 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
In-Reply-To: <199411200221.SAA07318@jobe.shell.portal.com>
Message-ID: <199411200833.AAA01240@netcom11.netcom.com>

Hal wrote:
>
> Another thing to keep in mind is that, probably, two years from now
> a considerable majority of people on the net will be people who aren't
> using it yet. They won't have twenty years of experience with ASCII
> and Unix and /bin/mail, etc. As Lucky Green says, they will get going
> with Mosaic or derivatives and never leave it. They will use Internet
> in a Box (or an equivalent from AOL or Microsoft) and get set up and
> running easily. They won't have to use Archie to find a JPEG or GIF
> viewer, it will be built in. Most of them will use a PC running
> Windows 95, a few will use Macs. That will be the net in two years,
> IMO.
>
> We should be ready for that world and working to keep it safe for
> privacy. As Phil Z. said in the PGP docs, "skate to where the puck will
> be." We need to look forward, not look back to the good old days.

I agree, and made exactly this point at today's Cypherpunks meeting, during Raph Levien's talk on his "premail" work. (Note: Colin Plumb was also there, amongst others.)

I expect to be switching to Netscape, or something similar, and a SLIP/PPP connection. So I'm all in favor of integrating things.

And I agree that "Network" (Microsoft is preparing copyright infringement suits against all those also using the term they invented last week) will account for the majority of Net connections soon. Being built into Windows 95 will ensure this.

--Tim May

--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From tcmay at netcom.com Sun Nov 20 00:36:36 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Sun, 20 Nov 94 00:36:36 PST
Subject: usenet-to-mail
In-Reply-To: <199411200259.SAA24866@scruz.net>
Message-ID: <199411200836.AAA01469@netcom11.netcom.com>

Michael D. Crawford wrote:

> There are many others, but this should get you started. Are these in a FAQ
> somewhere?

Not in my FAQ. I may put them in.

> (My first post to CypherPunks, BTW. Greetings.)
>
> Michael D. Crawford

By the way, I liked you in "Phantom of the Opera." Have you left singing for computers?

--Tim May

--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From tcmay at netcom.com Sun Nov 20 01:05:17 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Sun, 20 Nov 94 01:05:17 PST
Subject: (fwd) "Process Mime Article y/n?"
Message-ID: <199411200905.BAA03507@netcom11.netcom.com>

There was a lot of hilarity at today's Cypherpunks meeting, about the MIME/complexity thread.
Others are reporting similar experiences, percolating into newsgroups:

> From: sag at hera.EECS.Berkeley.EDU (Steve Goldfield)
> Newsgroups: comp.sys.mac.digest
> Subject: "Process Mime Article y/n?"
> Message-ID: <3ainnf$itf at agate.berkeley.edu>
> Date: 18 Nov 94 17:19:42 GMT
> Sender: usenet
> Distribution: world
> Organization: University of California, Berkeley
> Approved: info-mac at sumex-aim.stanford.edu
>
> A day or so ago while trying to read this newsgroup, I got
> the prompt, "Process Mime Article? y/n?" I said "y" and was
> immediately sorry. Message after message came up and no
> character seemed to permit escape from that loop. Seems to
> me there should be a warning about such things. I had to
> disconnect and relogin to my account and then delete the
> message without reading it. I notice today that if I'd said
> "n," I'd have got the same old very long message. Anyway,
> I'd urge the moderator of the newsgroup to stick in a
> warning or tell the unwary reader how to escape from the
> Mime loop.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Steve Goldfield :<{ {>: sag at coe.berkeley.edu
> University of California at Berkeley Richmond Field Station
>
> --

From jkh at story.com Sun Nov 20 01:55:37 1994
From: jkh at story.com (jkh at story.com)
Date: Sun, 20 Nov 94 01:55:37 PST
Subject: Karl Hess- L.A. Area
Message-ID: <9411200147.D0917Ak@bbs>

-----BEGIN PGP SIGNED MESSAGE-----

"Extremism in the defense of liberty is no vice, and let me remind you, moderation in the pursuit of justice is no virtue." -- Karl Hess

Meeting in Pasadena (near Los Angeles) CALIFORNIA U-S-A-

Nobody is leaving town because of the meeting this time 8^)

The following text was written by SEK3:

--- K A R L   H E S S   C L U B ---

REVOLUTION, REACTION or BETRAYAL?
A Special 3-Part Post Election Series

1. Monday, November 21, 1994

You are invited to attend our Sixth Meeting,

TRIUMPH OF THE PALEOS?

Three speakers were invited tonight.
The spokesperson for the Paleoconservatives, Mr. Steven Piper, who publicly agreed last meeting to attend and present his position, decided otherwise after election night. Meanwhile, the former spokesperson for the anti-voting Movement of the Libertarian Left who debated Ted Brown, spokespersons for the Dana Rohrbacher candidacy, and Loy Lefevre, also declined to attend.

What does it all mean? Has the Centrist "Libertarian" Party (LP) strategy won by default? Does that strategy win anything? Should libertarians not only embrace voting, but for Republicans, following Rothbard/Rockwell Paleolibs into joining the Paleocons behind a Buchanan-run RP? Or have the Paleos already pulled up the drawbridge behind them? Or should we assume the Right has decisively won -- and all join the tattered remnants of the New Left, the new coffee-house anarchists, and the non-socialist Left in a last-ditch, die-hard defense of what freedoms we can salvage?

Or...tonight long-time LP activist, holder of many party offices, and articulate former editor of the LP's newspaper, Ted Brown, recently defeated candidate for California Insurance Commissioner and, incidentally, one of the LP's biggest vote getters, presents the case for The Party. At the last minute, Tom Dominy, defeated candidate in a Republican primary for Congress, former LP activist, agreed to appear on behalf of the Republican Option.

DINNER at MARIE CALLENDER'S in Pasadena 7 p.m.

$13 prix fixe with the following entree choices:
* Chicken Broccoli Fettucine
* Country Fried Steak
* Pot Roast
-- includes beverage, tax and tip. For only $2 more, piece of MC's famous pie becomes included!

210 Fwy to Rosemead Bl. South to Foothill Bl. Right to MC's on Foothill (between Sierra Madre and Walnut). Or Colorado Blvd to Sierra Madre, north to Foothill, left to MC's.

PROGRAM 8 p.m.
Announcements
* 8:15 Featured speakers (see column left)
* Questions and Answers (moderated by the speaker)
* Special Series Opening and Closing by SEK3
* Official Meeting Close at 10 p.m.
After-meeting until...

2. Monday, December 19, 1994

ANARCHIST ALTERNATIVES

...and alternative anarchists. Agorists, Discordians, anarcho-syndicalists and punks -- cypher and rock. Does "dropping out" of the hopeless aboveground political system mean less activism -- or more? Is it time to move from the back-room to the coffeehouse?
- From the conference committee room to the Usenet? Does feminism mean sharing the same oppression experienced by most males? Does voting for socialism mean bureaucratic capitalism and does voting for free enterprise mean profit...for bureaucrats?

Did you vote for change last month...and get betrayed already? Are you ready to get angry...or get even? Or just get something done! If so, come and hear our panel of real alternatives: from (De)center, IWW, and the new improved and revitalized Movement of the Libertarian Left. Find out what's already going on all around you.

At Hasmik's in Cheviot Hills (West L.A.). Make sure you are on our mailing list to get the postcard giving you the details! Call (310) 289-4126 or send your mail drop to KHC c/o AI, 291 S. La Cienega Blvd., #749, Beverly Hills, CA 90211. (Or e-mail to jkh at story.com) - JKH

3. Monday, January 16, 1994 (I think he meant 1995, unless Dr. Who's Tardis is available) - JKH

"THE NIGHT OF JANUARY 16TH"

What have the Objectivists been up to since the death of Ayn Rand? Successors, institutes, new associations...some of whom are actually eager to dialog with libertarians and others. Have they something new for us to consider? Should we go back to our philosophical roots first before wasting more time on inherently impossible solutions? Is A still A? On this most special night for objectivists, come and find out.

From perry at jpunix.com Sun Nov 20 05:23:45 1994
From: perry at jpunix.com (John A. Perry)
Date: Sun, 20 Nov 94 05:23:45 PST
Subject: SPOOF SENDERS?
In-Reply-To: <199411200346.AA21554@ideath.goldenbear.com>
Message-ID: <199411201323.HAA22870@jpunix.com>

In message <199411200346.AA21554 at ideath.goldenbear.com> you write:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>An anonymous author writes:
>
>> If I use remailers to obtain privacy / low profile,
>> why would I want to use a remailer that advertises itself as such?
>> Rather, I'd prefer a nice little quiet one so my messages would blend in
>> with all the rest of the usenet junk.
>
>> I hate the five lines of disclaimers.
>
>> I'd pay for my remailing if I could (and will when the feature becomes
>> available), but I'd take my business to the discreet firm of _Chaemeleon
>> Remailers S.A._ - not to all the _Remailers 'R' Us_ that advertise their
>> business in neon on top of my messages.

Or, you can run your OWN remailer. That way you can tailor it to look any way you want.

John A. Perry - KG5RG - perry at jpunix.com
WWW - http://jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.
PGP-encrypted e-mail welcome!
Finger kserver at jpunix.com for PGP keyserver help.
Finger remailer at jpunix.com for remailer help.

From jya at pipeline.com Sun Nov 20 08:32:50 1994
From: jya at pipeline.com (John Young)
Date: Sun, 20 Nov 94 08:32:50 PST
Subject: NYT on MS Network
Message-ID: <199411201632.LAA23341@pipe1.pipeline.com>

Laurie Flynn writes today twofer on MS Network and newbie 1/3 pres Robert Herbold.

For combo send blank message with subject: NET_puf

From rishab at dxm.ernet.in Sun Nov 20 09:53:30 1994
From: rishab at dxm.ernet.in (rishab at dxm.ernet.in)
Date: Sun, 20 Nov 94 09:53:30 PST
Subject: DNA solution to Hamiltonian circuit?
Message-ID:

srctran at world.std.com (Gregory Aharonian): [on Internet Patent News Service]

Scientist uses DNA sequences to solve Hamiltonian path problem of combinatorial mathematics, a precursor of the PTO's headache of including biotechnology in its software prior art searches. Think of Hopfield's paper on using neural nets for the traveling salesman problem to predict where DNA computing will end up.

Uhh! This was in one of Greg's 'random list of story titles' - he's yet to provide details. As Hopfield didn't really 'solve' the TS problem, but made it easier to solve a class of maps, this may not mean that there will be any significant effect upon Cypherpunk tech based on NP-hard graph problems (such as Zero Knowledge proofs) - but it would be interesting to know _what_ it's all about.

-----------------------------------------------------------------------------
Rishab Aiyer Ghosh      "Clean the air! clean the sky! wash the wind!
rishab at dxm.ernet.in    take stone from stone and wash them..."
rishab at arbornet.org
Voice/Fax/Data +91 11 6853410
Voicemail +91 11 3760335
H 34C Saket, New Delhi 110017, INDIA

From agarcia at sugar.NeoSoft.COM Sun Nov 20 10:52:57 1994
From: agarcia at sugar.NeoSoft.COM (Anthony Garcia)
Date: Sun, 20 Nov 94 10:52:57 PST
Subject: tips
In-Reply-To: <199411191907.OAA03802@nudge.io.org>
Message-ID: <199411201852.MAA07755@sugar.NeoSoft.COM>

 :Request-Remailing-To: snitch at atf.bogus.gov

That's "snitch at atf.ustreas.gov"...

-Anthony, correct domain names-r-us.

From pstemari at fsp.fsp.com Sun Nov 20 11:07:55 1994
From: pstemari at fsp.fsp.com (Paul Ste.
Marie)
Date: Sun, 20 Nov 94 11:07:55 PST
Subject: S-HTTP
In-Reply-To: <9411190033.AA09011@anchor.ho.att.com>
Message-ID: <9411201908.AA12419@fsp.fsp.com>

> box below; please type legibly), or of course your politically-incorrect-
> substance ordering system, which should provide anonymity as well as
> payment and ordering, (which may be beyond the complexity of S-HTTP.)

What precisely would be the point of anonymously ordering PIS's (I like that name!)? You'd need some mechanism for anon delivery of physical goods, unless of course what was transmitted was a recipe and your computer was hooked up to an organic synthesis lab.

From rishab at dxm.ernet.in Sun Nov 20 11:10:49 1994
From: rishab at dxm.ernet.in (rishab at dxm.ernet.in)
Date: Sun, 20 Nov 94 11:10:49 PST
Subject: Estonian RSA chip
Message-ID:

adam.philipp at ties.org (Adam Philipp):
> Does anyone know any more details on the crypto chip listed in the HTML
> http://jep.pld.ttu.ee/? It seems that this is a hardware PGP (uses RSA to
> encrypt IDEA key) project. They mention having prototype available RSN, as
> in December... or is this just some very interesting vapor-ware?

Jyri Poldre (jp at jep.pld.ttu.ee - probably on the list) was talking about this in May, while working on the design; we had a little discussion on the application of RSA patents in Estonia. The description of the hardware was pretty detailed back then for vapour-ware.

-----------------------------------------------------------------------------
Rishab Aiyer Ghosh      "Clean the air! clean the sky! wash the wind!
rishab at dxm.ernet.in    take stone from stone and wash them..."
rishab at arbornet.org
Voice/Fax/Data +91 11 6853410
Voicemail +91 11 3760335
H 34C Saket, New Delhi 110017, INDIA

From amanda at intercon.com Sun Nov 20 11:32:27 1994
From: amanda at intercon.com (Amanda Walker)
Date: Sun, 20 Nov 94 11:32:27 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID: <199411201916.OAA08299@intercon.com>

> Now you're expecting me to hunt around for
> viewers for .gifs and TIFFS and JPEGs and God knows what else you might want
> to send me ?

Actually, I'm not, any more than you're expecting me to hunt around for a copy of PGP just so I can verify your signature. Secondly, having to hunt around for viewers is something that has to do with your mailer, not MIME itself. For example, when I receive MIME email with images, they just appear inline with the text. Just because the easiest way for mailers like ELM to support MIME is to call out to metamail or the like doesn't mean that's necessarily how MIME was meant to be used...

> .GIF is not part of the standard for the format of Internet email, is it ?

Yes, it is. The MIME RFC specifies image/gif and image/jpeg as the standard formats for including images in Internet email messages.

> I only switched to ELM a few months ago. I guess I'm actually getting pretty
> comfortable with using it, which means it's time to ditch it.

That's the problem with depending on UNIX :) :)

Just as a reminder, I'll point out that I do in fact sympathize, which is why I refrain from using graphics, styled text, HTML links, and so on in my messages. I just have a strong disagreement with the sentiment expressed by Tim, where limiting email to what can be punched onto Hollerith cards is seen as a feature, not a bug. On the other hand, since designing UIs for Internet software is how I make my living, I'm no doubt biased in favor of it being a bug.

Amanda Walker
InterCon Systems Corporation

From entropy at IntNet.net Sun Nov 20 12:43:54 1994
From: entropy at IntNet.net (Jonathan Cooper)
Date: Sun, 20 Nov 94 12:43:54 PST
Subject: Here's one for laughter
In-Reply-To: <9411170353.AA16196@supra.comm.mot.com>
Message-ID:

> I know you don't need a lecture at your age---I was there recently.
> But, what you have done for this administrator of your school sounds
> quite illegal and most definitely immoral.

Morality and legality mean one thing when your future is assured, and an entirely different one when your getting into college may depend upon the very people whom you would piss off by refusing.

> Have you ever considered quitting your job to remove the legal and
> moral questions surrounding the action, bringing the action to the
> attention of the local media or helping the FBI nail the bastard.

No. I'm a student, not a netadmin proper. And I *REALLY* don't need the headaches involved with getting the FBI involved, even if I thought it was a good idea, which I don't. I am extremely loath to use the "authorities" on anyone, anytime.

> Law related to communications) would do this administrator good. If

And would do me extremely bad, unfortunately.

> questionable sounds like grounds for an investigation. Threatening a
> student to do the dirty work, makes me want to see this person of
> power squirm like the dog he is.

He is a wee bit of a twit, but on the other hand I would like to go to college and most of what I do is not reflected in my grades (2.3 GPA, 1370 SAT) for reasons which I won't go into here. Recommendations from the technical people at school are about all I've got, and I will do what I have to in order to get them.

-jon
( --------[ Jonathan D.
Cooper ]--------[ entropy at intnet.net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )

From entropy at IntNet.net Sun Nov 20 12:45:50 1994
From: entropy at IntNet.net (Jonathan Cooper)
Date: Sun, 20 Nov 94 12:45:50 PST
Subject: PGP .DLL
In-Reply-To: <9411170415.AA08055@tucson.Princeton.EDU>
Message-ID:

> How do you plan to prevent passwords, plaintext, etc. being saved
> in swap files, etc.?

Munge the memory where they've been stored. There is really no way to protect absolutely, especially on something as unsecure as a PC where someone malevolent could just install a keyboard logger...

It comes down to a "how-much-is-enough" question.

-jon
( --------[ Jonathan D. Cooper ]--------[ entropy at intnet.net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )

From entropy at IntNet.net Sun Nov 20 12:52:15 1994
From: entropy at IntNet.net (Jonathan Cooper)
Date: Sun, 20 Nov 94 12:52:15 PST
Subject: School Admins
In-Reply-To: <9411171702.AA00767@ch1d157nwk>
Message-ID:

> You definitely shouldn't be doing that! Unless you make it very clear to
> the users that they should not have any expectation of privacy when using
> the school's computers, then e-mail is covered by the Electronic

Like I've told other people, it's easy to be objective when the rest of your life isn't on the line. But my college plans _DIRECTLY_ involve these people, and I can't afford to piss them off.

And yes, the students now know that they're being logged, and I've taught them to use cheesy crypt(1) encryption to handle it.

-jon
( --------[ Jonathan D.
Cooper ]--------[ entropy at intnet.net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )

From entropy at IntNet.net Sun Nov 20 12:54:57 1994
From: entropy at IntNet.net (Jonathan Cooper)
Date: Sun, 20 Nov 94 12:54:57 PST
Subject: PGP .DLL
In-Reply-To: <9411172028.AA14328@one.owlnet.rice.edu>
Message-ID:

> I'm way behind on messages currently, so maybe somebody mentioned
> this... but have you looked at RSAREF? I know the license is
> restrictive, but take a look at it architecturally.

That is basically the way that I'd envisioned it functioning. Details have to be nailed down... anyone who is interested in helping, please mail me so we can take this chatter off the main cypherpunks list.

-jon
( --------[ Jonathan D. Cooper ]--------[ entropy at intnet.net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )

From CCGARY at MIZZOU1.missouri.edu Sun Nov 20 13:05:02 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Sun, 20 Nov 94 13:05:02 PST
Subject: Making Terminal Remailers Foreign
Message-ID: <9411202104.AA21607@toad.com>

THIS TEXT FOR EDUCATIONAL USE ONLY. I DO NOT ADVOCATE THE BREAKING OF ANY LAW OR OF PROVOKING CIVIL LAW ACTIONS.

MAKING TERMINAL REMAILERS FOREIGN

Dear Cypherpunks,

I have been concerned about the security of remailers & their ops & I think I have found a scheme to give them an extra magnitude of safety.

With some little reflection, it is obvious that an indiscreet user could compromise the safety of a remailer & its op. The reckless user could violate local laws or could provoke civil legal actions, or could be "politically or culturally indiscreet". My general software solution could give a safety net to the remailer w/ op.

Firstly, I would like to provide a small glossary:

Collector remailer - The 1st remailer in a remailer chain.

Fortress remailer - A remailer that, due to technological devices, is safe from all political, legal, & technical attacks.
An ideal - no such thing yet.

Hardened remailer - A remailer with security between that of a State Sufferance remailer & a Fortress remailer. Does not allow itself to be used as a domestic terminal remailer. It may have other political & technological safeties as well. This kind of remailer is the subject of this post.

Inner link remailer - An inner remailer; between the collector & the terminal remailers.

State sufferance remailer - A remailer that has no political or software safeties. Allows itself to be used as a domestic terminal remailer.

Terminal remailer - The last remailer in the chain.

My plan concerns making the terminal remailer more secure. Obviously, the terminal remailer takes the most heat & needs more security. The extra security should be easily achieved by putting code into the remailer that says:

"If mail being delivered to another remailer, then continue;
If mail being delivered to a foreign country, then continue;
If mail being delivered to a domestic end user (not remailer), then deliver that mail to a foreign remailer & instruct it to deliver to end user."

This scheme would insure that for that remailer, all mail deliveries would be foreign. If there were legal or political problems, then that remailer would be protected by its foreign jurisdiction. This safety would not be bulletproof, but it would greatly raise the cost of hassling the remailer. A cautious remailer operator might choose a remailer in a country with really bad diplomatic relations with his own host country.

This scheme has the advantage that it could be easily implemented by the concerned remailer operator without depending on cooperation by others. It would also seem to be a fairly simple coding problem.

Due to the extra security provided to the terminal remailer, the remailer user should also be more secure. In fact, I believe it would make the whole chain more secure.

PUSH EM BACK! PUSH EM BACK! WWWAAAYYY BBBAAACCCCK! BBBEEEAAATTTT STATE!
Gary Jeffers

From CCGARY at MIZZOU1.missouri.edu Sun Nov 20 13:24:55 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Sun, 20 Nov 94 13:24:55 PST
Subject: test file
Message-ID: <9411202124.AA22187@toad.com>

This is only a test file.

From perry at imsi.com Sun Nov 20 13:33:03 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Sun, 20 Nov 94 13:33:03 PST
Subject: I-D ACTION:draft-ietf-pppext-encryption-00.txt (fwd)
In-Reply-To: <199411182024.PAA12077@bwh.harvard.edu>
Message-ID: <9411202132.AA00363@snark.imsi.com>

There are going to be IPv4 equivalents of these soon, btw -- the IPSEC wg has more or less come to consensus on a protocol to be called IPSP.

.pm

Adam Shostack says:
>
> A while ago, someone asked about encrypted slip/ppp.
>
> Three new drafts are also available on security,
> authentication, and encapsulation for IPv6. Same place as the other
> drafts.
>
>
> draft-atkinson-ipng-esp-00.txt
> draft-atkinson-ipng-sec-00.txt
> draft-atkinson-ipng-auth-00.txt
>
> | From ietf-announce-request at IETF.CNRI.Reston.VA.US Fri Nov 18 14:07:30 1994
> | Mime-Version: 1.0
> | Content-Type: Multipart/Mixed; Boundary="NextPart"
> | To: IETF-Announce:;
> | cc: ietf-ppp at merit.edu
> | Sender: ietf-announce-request at IETF.CNRI.Reston.VA.US
> | From: Internet-Drafts at CNRI.Reston.VA.US
> | Reply-to: Internet-Drafts at CNRI.Reston.VA.US
> | Subject: I-D ACTION:draft-ietf-pppext-encryption-00.txt
> | Date: Fri, 18 Nov 94 11:43:13 -0500
> | X-Orig-Sender: cclark at CNRI.Reston.VA.US
> | Message-ID: <9411181143.aa04644 at IETF.CNRI.Reston.VA.US>
> |
> | --NextPart
> |
> | A New Internet-Draft is available from the on-line Internet-Drafts
> | directories. This draft is a work item of the Point-to-Point Protocol
> | Extensions Working Group of the IETF.
> |
> | Title : The PPP Encryption Control Protocol (ECP)
> | Author(s) : G.
Meyer
> | Filename : draft-ietf-pppext-encryption-00.txt
> | Pages : 8
> | Date : 11/17/1994
> |
> | The Point-to-Point Protocol (PPP) [1] provides a standard method for
> | transporting multi-protocol datagrams over point-to-point links.
> | PPP also defines an extensible Link Control Protocol.
> |
> | This document defines a method for negotiating data encryption
> | over PPP links.
> |
> | Internet-Drafts are available by anonymous FTP. Login with the username
> | "anonymous" and a password of your e-mail address. After logging in,
> | type "cd internet-drafts" and then
> | "get draft-ietf-pppext-encryption-00.txt".
> | A URL for the Internet-Draft is:
> | ftp://ds.internic.net/internet-drafts/draft-ietf-pppext-encryption-00.txt
> |
> | Internet-Drafts directories are located at:
> |
> | o Africa
> | Address: ftp.is.co.za (196.4.160.2)
> |
> | o Europe
> | Address: nic.nordu.net (192.36.148.17)
> |
> | o Pacific Rim
> | Address: munnari.oz.au (128.250.1.21)
> |
> | o US East Coast
> | Address: ds.internic.net (198.49.45.10)
> |
> | o US West Coast
> | Address: ftp.isi.edu (128.9.0.32)
> |
> | Internet-Drafts are also available by mail.
> |
> | Send a message to: mailserv at ds.internic.net. In the body type:
> | "FILE /internet-drafts/draft-ietf-pppext-encryption-00.txt".
> |
> | NOTE: The mail server at ds.internic.net can return the document in
> | MIME-encoded form by using the "mpack" utility. To use this
> | feature, insert the command "ENCODING mime" before the "FILE"
> | command. To decode the response(s), you will need "munpack" or
> | a MIME-compliant mail reader. Different MIME-compliant mail readers
> | exhibit different behavior, especially when dealing with
> | "multipart" MIME messages (i.e., documents which have been split
> | up into multiple messages), so check your local documentation on
> | how to manipulate these messages.
> |
> | For questions, please mail to Internet-Drafts at cnri.reston.va.us.
> |
> |
> | Below is the data which will enable a MIME compliant mail reader
> | implementation to automatically retrieve the ASCII version
> | of the Internet-Draft.
> |
> | --NextPart
> | Content-Type: Multipart/Alternative; Boundary="OtherAccess"
> |
> | --OtherAccess
> | Content-Type: Message/External-body;
> | access-type="mail-server";
> | server="mailserv at ds.internic.net"
> |
> | Content-Type: text/plain
> | Content-ID: <19941117165933.I-D at CNRI.Reston.VA.US>
> |
> | ENCODING mime
> | FILE /internet-drafts/draft-ietf-pppext-encryption-00.txt
> |
> | --OtherAccess
> | Content-Type: Message/External-body;
> | name="draft-ietf-pppext-encryption-00.txt";
> | site="ds.internic.net";
> | access-type="anon-ftp";
> | directory="internet-drafts"
> |
> | Content-Type: text/plain
> | Content-ID: <19941117165933.I-D at CNRI.Reston.VA.US>
> |
> | --OtherAccess--
> |
> | --NextPart--
> |

From lmccarth at ducie.cs.umass.edu Sun Nov 20 14:22:04 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Sun, 20 Nov 94 14:22:04 PST
Subject: Making Terminal Remailers Foreign
In-Reply-To: <9411202104.AA21607@toad.com>
Message-ID: <199411202222.RAA12124@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Gary Jeffers writes:
> This scheme would insure that for that remailer, all mail
> deliveries would be foreign. If there were legal or political problems,
> then that remailer would be protected by its foreign jurisdiction.
> This safety would not be bulletproof, but it would greatly raise the
> cost of hassling the remailer. A cautious remailer operator might
> choose a remailer in a country with really bad diplomatic relations with
> his own host country.

Not _too_ awful or else the remailer might become a casualty of war. Barring Blitzkriegen, though, I suppose such problems can be forecast and dealt with as fairly minor inconveniences.

Playing countries off against each other can be quite an effective strategy.
The trick is finding countries which are a) fairly hostile to other countries, b) fairly permissive of free speech, privacy etc., and c) reasonably net-connected. Most countries would seem to fail at least one of these criteria w.r.t., say, the U.S.

I'm waiting to see how much headway the Church of Scientology makes against anon.penet.fi. I've read some rather ominous comments in alt.privacy.anon-server about their endeavors. Admittedly that case deals with a news article, not email, but it is an example of attempted international intervention.

I suppose now someone will complain that the Scientologists are just getting a bad rap....

- -L. McCarthy

Today's T-shirt-I-couldn't-safely-wear-in-many-countries: "MY GOD IS BIGGER THAN YOUR GOD" (with accompanying illustration)

From lcottrell at popmail.ucsd.edu Sun Nov 20 14:48:32 1994
From: lcottrell at popmail.ucsd.edu (Lance Cottrell)
Date: Sun, 20 Nov 94 14:48:32 PST
Subject: Crypto Chip in Eastern Europe
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

>Does anyone know any more details on the crypto chip listed in the HTML
>http://jep.pld.ttu.ee/? It seems that this is a hardware PGP (uses RSA to
>encrypt IDEA key) project. They mention having prototype available RSN, as
>in December... or is this just some very interesting vapor-ware?
>
> Adam Philipp
>
>--
>PGP Key available on the keyservers. Encrypted E-mail welcome.
>
>Sub rosa: Confidential, secret, not for publication.
> -Black's Law Dictionary

I have been in contact with these people for some time. They are a bit behind schedule, but seem to be a real product. I am planning on using their chip as the basis of a secure phone.
-------------------------------------------------- Lance Cottrell who does not speak for CASS/UCSD loki at nately.ucsd.edu PGP 2.6 key available by finger or server. Encrypted mail welcome. Home page http://nately.ucsd.edu/~loki/ Home of "chain" the remailer chaining script. For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche From jgrubs at voxbox.norden1.com Sun Nov 20 15:48:50 1994 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sun, 20 Nov 94 15:48:50 PST Subject: Islands in the Net Message-ID: <0B14Vc1w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- tcmay at netcom.com (Timothy C. May) writes: > bshantz at spry.com wrote: > > (quoting James Donald) > > > >So Tim, in this matter you will very likely wind up being > > >assimilated by the forces of evil located at Redmond. > > > > I disagree, Tim. Stand firm and you will not be assimilated. "I am Bill > > Gates of MicroBorg, resistance is futile. You too will be assimilated just > > Intuit was..." It's not gonna happen. > > For a fraction of the $1.5 billion or so Microsoft paid for Intuit, I > will _gladly_ be assimilated!! "I am Tim, of Borg, VP of the Crypto > Anarchy Product Group." > > (I can't believe a mere checkbook balancing program just got sold for > more than a billion dollars! There are interesting, list-relevant > implications here (*).) Quicken is not Intuit's only product. They also make commercial accounting, payroll, and inventory packages for both small and large businesses.
Also, less than a year ago, they acquired the company that makes the popular TurboTax series, both personal and professional. This company is also big into electronic returns.

... "The greatest dangers to liberty lurk in the insidious encroachment of men of zeal, well meaning but without understanding." - Justice Louis Brandeis
--
jgrubs at voxbox.norden1.com (James C. Grubs, W8GRT)
Voxbox Enterprises, 6817 Maplewood Ave., Sylvania, Ohio 43560-1956
Tel.: 419/882-2697

From werner at mc.ab.com Sun Nov 20 16:07:21 1994
From: werner at mc.ab.com (tim werner)
Date: Sun, 20 Nov 94 16:07:21 PST
Subject: usenet-to-mail
Message-ID: <199411210007.TAA13280@sparcserver.mc.ab.com>

>Date: Sat, 19 Nov 1994 18:35:52 -0800
>From: shamrock at netcom.com (Lucky Green)

>> I'm afraid of losing
>>my full feed along with my account when I finish my masters. I don't
>>want to go for a PhD just so I can keep browsing the alt groups.
>
> Better
>yet, find a private service provider that will let you use their
>newsserver. How do you intend to access the newsserver without an account,
>anyway?

Well, like I said, it's the alt groups that I'm worried about. I have an excellent net connection at work, being employed by a subsidiary of Rockwell, but our news feed is politically correct.

I have access to two accounts with full feeds, but one is not a shell account, and the other one is the school account which goes away in another year (depending on how long I can drag out the degree), unless I start taking post-grad classes.

So, my hope is that I can use gnus to talk to some other newsserver than the censored local one. I will try some of the places that were posted.
As far as the private newsserver provider goes, I'd go for it (when the time comes), if I could buy just access to Usenet for a discount. For that matter, maybe a couple of years from now the Republicans will have figured out a way to shut down the alt groups. ;-) I'm better off if I keep taking classes, anyway. Don't know about the rest of the folks on this list, but I don't feel like what I know about computers today will carry me through retirement. tw From dawagner at phoenix.Princeton.EDU Sun Nov 20 16:22:43 1994 From: dawagner at phoenix.Princeton.EDU (David A. Wagner) Date: Sun, 20 Nov 94 16:22:43 PST Subject: remailer security, sendmail Message-ID: <9411210020.AA06110@tucson.Princeton.EDU> I just read an interesting post on alt.hackers. Apparently you can figure out who's sending mail to who by repeatedly running the command /usr/lib/sendmail -bp. I just tested this out and it *seems* to work, as does running /usr/ucb/mailq repeatedly. How's that for an obscure feature? Does anyone run a remailer on a multi-user machine where sendmail is used? Is this sendmail feature a problem? If so, how would one fix it? (write a wrapper for sendmail? but that requires root access *sigh*) Am I missing something? ------------------------------------------------------------------------------- David Wagner dawagner at princeton.edu From sandfort at crl.com Sun Nov 20 16:50:12 1994 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 20 Nov 94 16:50:12 PST Subject: REMAILER PROPOSAL Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, I put together the following proposal to demonstrate a quick and dirty way to implement a pay-to-play remailer system. I don't care much about the details. Change any of them you feel like. My main concern is the basic pre-paid postage system concept. If those of you who are--or plan to be--remailer operators like it, it's yours. 
No charge. If you don't like it, well, I guess it's back to the old drawing board. S a n d y P.S. I love the name Spoon-E; everyone else will probably hate it. Consider it one of those details that you should feel free to change. * * * THE ELECTRONIC MAIL FORWARDERS GUILD A Proposal In this Proposal, I briefly discuss the elements a mail forwarders guild might include. My main purpose, however, is to outline a low-tech, anonymous postage system that such a guild could deploy today. My proposed system is intended to serve only as a bridge until a more sophisticated, digital postage/money system is available on the Net. MISSION STATEMENT--The purpose of the Electronic Mail Forwarders Guild (EMFG) would be to: 1. Encourage the proliferation and use of privacy oriented electronic mail forwarding sites, 2. Encourage the adoption of privacy oriented electronic mail forwarding standards and protocols, 3. Create and deploy new products and services on existing electronic mail forwarding sites, 4. To provide mutual aid and assistance with regard to technical, legal and other problems, 5. Establish and maintain an anonymous electronic postage system acceptable by all EMFG members. ANONYMOUS ELECTRONIC POSTAGE SYSTEM POSTAGE RATES--The first questions the EMFG will have to decide concern how much the members wished to charge for their services. Such questions would include: Should each forwarding hop cost the same, or should first and/or last hops receive a premium? Should message lengths be limited? Should longer messages cost more than short ones? Should each kilobyte cost the same, or should each successive kilobytes cost less--or more? Will the EMFG support any free forwarding? What net postage-per-service should EMFG member receive? POSTAGE "STAMP" NAME--The basic unit of postage should be given a "brand name." Using a name instead of an amount, permits bulk discounts and allows price adjustments as circumstances warrant. 
I favor, "Spooner Electronic Postage Unit" or "Spoon-E" for short (pronounced, "spoonie"). Thus, no matter what a Spoon-E costs, it would always take one Spoon-E to go through one forwarder or whatever.

SPOON-E STRUCTURE--Spoon-Es are random 12-digit numbers generated by the clients.

POSTAGE ISSUER--The EMFG will need someone to issue Spoon-Es. The EMFG could elect any of the following options:

Rotate the uncompensated job among its members,

Have members bid for the job in exchange for fixed fee or a percentage cut of each Spoon-E issued,

Hire a third-party to issue Spoon-Es in exchange for a fixed fee or a cut.

PAYMENT AND ISSUANCE MECHANISM--There are various levels of anonymity available to clients. The choice will depend upon the client's degree of paranoia. They all, however, are processed following these steps:

1. Clients randomly generate a series of 12-digit numbers.

2. These random numbers, plus an extra random 12-digit ID number, are encrypted using the Issuer's public key.

3. This encrypted message and payment are sent to the Issuer.

4. After payment has been accepted, the Issuer puts the clients' random numbers into an "Outstanding Spoon-E" database, and lists the corresponding ID numbers on a "Just Issued Spoon-Es" bulletin board.

5. Clients may access the bulletin board to check when their Spoon-Es have been validated for use.

The level of anonymity is determined by the clients' method of payment and transmission. Payment via money order is the most anonymous; personal check, the least. (Cash is even more anonymous, but with its own obvious risk.) The least anonymous method of transmitting the client's 12-digit numbers is via direct e-mail. The most anonymous is via an s-mailed floppy. E-mail through a forwarder is somewhere in between.

USE OF POSTAGE--The following steps would be performed in order to forward messages through a series of EMFG sites:

1. Clients consult the Issuer bulletin board to verify that their Spoon-Es are valid.

2.
Clients write their messages and include the appropriate number of Spoon-Es within each nested and encrypted "envelope" for each forwarding hop they intend to use. 3. Upon receipt, each forwarder strips out the Spoon-Es for that hop. The message is added to a mix file of other messages until a threshold number is reached. 4. When the threshold is reached, the forwarder contacts the Issuer and verifies the validity of the Spoon-Es. Valid Spoon-Es are removed from the "Outstanding Spoon-E" database and the corresponding messages are forwarded out of mix file in random order. The forwarder's account is credited with the appropriate payment. Messages with invalid or missing Spoon-Es go to the bit or into the free service channel if there is one. 5. Step "4" is repeated through each forwarder until the message is delivered to its ultimate destination. The various mix files help defeat traffic analysis and permit the Spoon-Es to be verified before the forwarding service is performed. CONCLUSIONS The existence of a for-profit (or at least self-funding), privacy enhanced, electronic mail forwarding system does not need to await the development of on-line digital money schemes. It can be deployed today, using readily available, low-tech methods. Such a system benefits from economies of scale, and thus argues in favor of the creation of a group of mail forwarders such as the EMFG. Sandy Sandfort 20 November 1994 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From lcottrell at popmail.ucsd.edu Sun Nov 20 17:07:54 1994 From: lcottrell at popmail.ucsd.edu (Lance Cottrell) Date: Sun, 20 Nov 94 17:07:54 PST Subject: 1st Draft Mixmaster chaining instructions Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Here is the first draft of the instructions for using Mixmaster to build remailer messages. I am posting it to give a flavor of what the program does, and to request comments, both on the features and on the clarity of the help file itself. 
Instructions for using Mixmaster to create type 2 remailer messages.

I assume that you have either compiled Mixmaster, or that you have acquired a precompiled copy. While you do not need PGP to use Mixmaster, it is useful for key management, and is required if you desire security of the content of the message you are sending (which will be visible to the last remailer).

Theory and purpose of remailers:

The purpose of anonymous remailers (hereafter simply remailers), is to provide protection against traffic analysis. Traffic analysis is the study of who you are communicating with, when, and how often. This reveals more than you might expect about your activities. It will indicate who your friends and colleagues are (and they can be told apart by looking at the times you contact them). What your interests are, from which catalog companies you contact, and which ftp and WWW sites you visit. Traffic analysis can even reveal business secrets, e.g. your frequent contact with a rival could give hints of an impending merger.

Remailers protect your email from traffic analysis. The original remailers did this by removing all headers, except the subject line, from any message you sent to them and then forwarding them to a destination of your choice. The recipient of such a message would not know who had sent it. The addition of encryption to this scheme gave significant protection from attackers who simply look at passing messages for to and from fields.

Passing a message through several remailers in a row is much better, but still vulnerable to an attacker who can watch messages go into and out of each remailer. Two more elements are required: messages must be reordered within the remailer before being forwarded (this is being done by a few of the old style remailers), and all messages must be indistinguishable. This last is the primary improvement with the type 2 remailer, Mixmaster.
Using type 2 remailers: The trend towards ever more complicated remailer message formats has been clear for some time. Several programs have been written to automatically build messages which will be remailed by several remailers. This process is called chaining. With type 2 remailers it is no longer possible to create these messages by hand. Mixmaster takes a message you wish to send, a list of remailers to chain it through, and a final destination, and builds the packet which the remailers will use. For simplicity I will first describe the interactive use of Mixmaster, then I will discuss how it can be controlled through command line arguments. Interactive use of Mixmaster: If you run Mixmaster with no arguments, you will be prompted for all the required information. First you will be asked to specify the final destination of the message. This is the full email address where you want your message delivered. Remember that the message is being sent by the last remailer in the chain, so you must specify the full internet address (e.g. name at machine.place.com), you may not use local mail aliases. You may enter multiple recipients on separate lines. Hit return on a blank line to stop entering destinations. You must have at least one. Next you will be asked to enter any headers you want to have inserted before the message. These are those lines at the beginning of email messages, like From: fred at bedrock.univ.edu, or Subject: Party invitation. If you want your message to have a subject when it is delivered, you must enter a line Subject: your subject here. Note that Subject must be capitalized, with the : and space as shown. A subject header can be added by using the -s command line argument. When you are done entering headers, hit return (it is OK to have zero headers). You will now be presented with a list of remailers through which you can chain your messages. The order in which you choose them is the order in which they will be traversed by your message. 
You may choose up to 20 of them, but remember that the reliability and speed of the chain diminish as the number of remailers in the chain increases. Four is a reasonable number of remailers to use. It is fine to use a given remailer more than once in your chain. Press return on a blank line to stop entering remailers.

Finally you will be asked what file you want to send. This must be an ASCII file. You may either enter the name of an existing file, or you may choose to enter the message directly by typing "stdin" as the file name. This is intended for use by scripts. There are no editing capabilities when using stdin. Enter the end of file character (EOF is ^D) when you are done entering the file.

Mixmaster will now build the type 2 remailer packet, and send it to the first remailer in the chain.

Command line arguments to Mixmaster:

Mixmaster [-c] [in.filename] [-f] [-s "subject"] [-o "outfile"] [-to a at b.com] [-l 3 2 6 ...]

-c
    this indicates that chaining rather than remailer functions are desired. It is a NOP since chaining is the default operation.

"filename"
    if a filename is given, then this will be used as the input file. As in the interactive mode, you may choose "stdin". No filename will be prompted for.

-f
    filter mode. All prompts suppressed, but input still accepted as described in the interactive section. The remailer list must be specified on the command line.

-s "subject"
    Adds a subject line to the message. The user should NOT include Subject: in this string. Mixmaster will not prompt for other headers if -s is used.

-o "outfile"
    Specify an output file rather than sending the message to the first remailer automatically. If outfile is "stdout", then the remailer packet will be printed to stdout.

-to foo at bar.org
    specifies the final destination of the message. Only one destination can be specified. Mixmaster will not prompt for other destinations if -to is used.

-l 4 3 5 ...
    Specifies the list of remailers to chain through.
This must be the last argument on the command line. A maximum of 20 remailers may be specified. Mixmaster will not prompt for other remailers if -l is used. - -------------------------------------------------- Lance Cottrell who does not speak for CASS/UCSD loki at nately.ucsd.edu PGP 2.6 key available by finger or server. Encrypted mail welcome. Home page http://nately.ucsd.edu/~loki/ Home of "chain" the remailer chaining script. For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche From lmccarth at ducie.cs.umass.edu Sun Nov 20 17:43:03 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Sun, 20 Nov 94 17:43:03 PST Subject: remailer security, sendmail In-Reply-To: <9411210020.AA06110@tucson.Princeton.EDU> Message-ID: <199411210143.UAA13516@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- David Wagner writes: > I just read an interesting post on alt.hackers. Apparently you > can figure out who's sending mail to who by repeatedly running > the command /usr/lib/sendmail -bp. I just tested this out and > it *seems* to work, as does running /usr/ucb/mailq repeatedly. > How's that for an obscure feature? Well, since it's in the first couple of man pages for sendmail, it's not very obscure :] I would have expected better material from alt.hackers.... > Does anyone run a remailer on a multi-user machine where sendmail > is used? Yes; we had some discussion about this here a few weeks ago. I, for one, am doing just that. > Is this sendmail feature a problem? If so, how would > one fix it?
(write a wrapper for sendmail? but that requires root > access *sigh*) Am I missing something? As I understand sendmail, it only sticks outgoing messages in the queue if you tell it to do so. Otherwise they can be sent pre-emptively or in the background. This can be specified on the command line: dx Set the delivery mode to x. Delivery modes are `i' for interactive (synchronous) delivery, `b' for background (asynchronous) delivery, and `q' for queue only - that is, actual delivery is done the next time the queue is run. In any case, this doesn't provide any information about incoming mail. Besides, with ps -aux you get to see all the invocations of sendmail, and the invocations of pgp, and so on. I'd worry more about that than about the sendmail queue. Convincing sysadmins that they should somehow disable the -a option on ps doesn't sound like an easy task to me. All this ultimately argues for placing terminal remailers on private machines, which I think we've agreed is a Good Thing. -L. Futplex McCarthy; use "Subject: remailer-help" for an autoreply PGP key by finger or server; "Better watch what you say, or they'll be calling you a radical...a liberal" --Supertramp "[CIA/KGB mole Aldrich Ames] took information in shopping bags out the front door" --miscellaneous Congressperson From merriman at metronet.com Sun Nov 20 18:11:28 1994 From: merriman at metronet.com (David K. Merriman) Date: Sun, 20 Nov 94 18:11:28 PST Subject: usenet-to-mail Message-ID: <199411210211.AA19685@metronet.com> > >I'm better off if I keep taking classes, anyway. Don't know about the >rest of the folks on this list, but I don't feel like what I know about >computers today will carry me through retirement.
>

Hmmmmph. If you're gonna stay in school until you know enough about computers to carry you through retirement, you're gonna be there a *long* time. Best you can hope for is to be current when you get out, and keep up with it (or at least, not lose _too_ much ground each year as things evolve).

Dave Merriman - who remembers stuff like "64K? *64K*?! I don't know what I'd _do_ with 64K!" and when only the filthy rich had hard drives.
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome and encouraged.
War is Peace. Freedom is Slavery. Ignorance is Strength. No?

From merriman at metronet.com Sun Nov 20 18:44:32 1994
From: merriman at metronet.com (David K. Merriman)
Date: Sun, 20 Nov 94 18:44:32 PST
Subject: Back in the mists of time.....
Message-ID: <199411210244.AA24191@metronet.com>

Having turned 40 earlier this month (jeez - if I'd known I was gonna live this long, I'd have taken care of myself :-), I'm apparently feeling the effects of Reagan's Disease. Could someone kindly refresh my memory as to when the Gummit decided it was okay to:

* seize alleged drug money and not have to give it back unless the person could prove it was 'honest' money;
* make banks and others tell them when someone moved more than $10,000;
* take away our gold & silver coins for nickeled copper slugs (Kennedy-era, I believe; I seem to recall the tv coverage);
* take us off the gold standard (Nixon?);

Email preferred, so I don't waste any (more) bandwidth.....

Dave Merriman
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome and encouraged.
War is Peace. Freedom is Slavery. Ignorance is Strength. No?
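The issue-and-redeem flow from Sandy Sandfort's REMAILER PROPOSAL earlier in this archive (PAYMENT AND ISSUANCE MECHANISM and USE OF POSTAGE), as an added Python example that is not part of any post on the list. The names `Issuer`, `Forwarder`, `new_number` and `demo` are hypothetical, and encryption to the Issuer's public key and real mail transport are left out.

```python
"""Added illustration of the Spoon-E flow; not code from the post.
Assumptions: all names are hypothetical; encryption to the Issuer's
public key and real mail transport are left out."""
import random
import secrets


def new_number() -> str:
    """Random 12-digit number, the format the proposal gives Spoon-Es and IDs."""
    return f"{secrets.randbelow(10**12):012d}"


class Issuer:
    def __init__(self):
        self.outstanding = set()  # the "Outstanding Spoon-E" database
        self.bulletin = []        # "Just Issued Spoon-Es" board: ID numbers only
        self.credits = {}         # forwarder name -> Spoon-Es redeemed

    def issue(self, roll_id, stamps, payment_ok):
        """Issuance step 4: after payment, record the stamps and post the ID."""
        well_formed = all(len(s) == 12 and s.isdigit() for s in [roll_id, *stamps])
        if not payment_ok or not well_formed or self.outstanding & set(stamps):
            return False
        self.outstanding.update(stamps)
        self.bulletin.append(roll_id)
        return True

    def redeem(self, forwarder, stamp):
        """Use step 4: a valid stamp is removed as it is credited, so it
        pays for exactly one hop; a replay finds nothing left to remove."""
        if stamp not in self.outstanding:
            return False
        self.outstanding.remove(stamp)
        self.credits[forwarder] = self.credits.get(forwarder, 0) + 1
        return True


class Forwarder:
    def __init__(self, name, issuer, threshold):
        self.name, self.issuer, self.threshold = name, issuer, threshold
        self.mix = []                      # the "mix file"
        self._rng = random.SystemRandom()  # OS randomness for the output order

    def receive(self, stamp, message):
        """Use step 3: strip the stamp and hold the message in the mix.
        Returns None until the threshold is reached, then the flush result."""
        self.mix.append((stamp, message))
        if len(self.mix) < self.threshold:
            return None
        return self.flush()

    def flush(self):
        """Validate every held stamp, then release paid messages shuffled."""
        batch, self.mix = self.mix, []
        paid, unpaid = [], []
        for stamp, message in batch:
            (paid if self.issuer.redeem(self.name, stamp) else unpaid).append(message)
        self._rng.shuffle(paid)
        return paid, unpaid


def demo():
    issuer = Issuer()
    stamps = set()
    while len(stamps) < 3:                     # constructed roll of three Spoon-Es
        stamps.add(new_number())
    s1, s2, s3 = sorted(stamps)
    issued = issuer.issue(new_number(), [s1, s2, s3], payment_ok=True)
    hop = Forwarder("hop1", issuer, threshold=4)
    early = hop.receive(s1, "msg-a")           # below threshold: held, not sent
    hop.receive(s2, "msg-b")
    hop.receive(s1, "msg-c (replayed stamp)")  # same Spoon-E used twice
    paid, unpaid = hop.receive(s3, "msg-d")    # fourth message triggers the flush
    return issued, early, paid, unpaid, issuer


if __name__ == "__main__":
    issued, early, paid, unpaid, issuer = demo()
    print("forwarded:", paid)
    print("dropped:  ", unpaid)
    print("credits:  ", issuer.credits)
```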
From jdwilson at gold.chem.hawaii.edu Sun Nov 20 18:53:53 1994 From: jdwilson at gold.chem.hawaii.edu (NetSurfer) Date: Sun, 20 Nov 94 18:53:53 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: Message-ID: On Fri, 18 Nov 1994, Jamie Lawrence wrote: > (I agree. I retrieved some of those docs this issue arose over. I > got a MIME doc, the header of which told me to fetch a translator, > and when translated I text plain text. I know that simple ASCII > will be overtaken by fancier tech, but why the hell encode plain > text in a non-human readable format?) Especially when it makes it impossible to forward a message without extra steps to include the attachments... -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From jdwilson at gold.chem.hawaii.edu Sun Nov 20 19:00:05 1994 From: jdwilson at gold.chem.hawaii.edu (NetSurfer) Date: Sun, 20 Nov 94 19:00:05 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <9411182248.AA06323@elfbook.intercon.com> Message-ID: On Fri, 18 Nov 1994, Amanda Walker wrote: > Do PGP key blocks bigger than the message body count as "fancy crap"? Why not just include it in the text of the message? -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. 
Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From rah at shipwright.com Sun Nov 20 19:26:31 1994 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 20 Nov 94 19:26:31 PST Subject: e$ spam: New First Virtual mailing list Message-ID: <199411210326.WAA03869@zork.tiac.net> >From: nsb at nsb.fv.com >Date: Sun, 20 Nov 1994 21:47:20 -0500 (EST) >Original-From: Nathaniel Borenstein >To: www-buyinfo at allegra.att.com, com-priv at psi.com, edi-new at tegsun.Harvard.EDU >Subject: New First Virtual mailing list >X-UIDL: 785388160.006 > >We have set up a new mailing list, fv-users, for public discussions >about First Virtual's payment system and associated products and >technologies. To subscribe send mail to fv-users-request at fv.com, with >the single word "subscribe" in the subject. > >For any of you who haven't heard about First Virtual yet, we're a >fully-operational system that lets anyone on the Internet buy or sell >information using real money, without requiring any special software or >encryption. For more information, send mail to info at fv.com or spider >over to http://www.fv.com. > >-- Nathaniel Borenstein > Chief Scientist, First Virtual Holdings Incorporated > > ----------------- Robert Hettinga (rah at shipwright.com) "There is no difference between someone Shipwright Development Corporation who eats too little and sees Heaven and 44 Farquhar Street someone who drinks too much and sees Boston, MA 02331 USA snakes."
-- Bertrand Russell (617) 323-7923

From rah at shipwright.com Sun Nov 20 19:28:33 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Sun, 20 Nov 94 19:28:33 PST
Subject: I Like ASCII, not MIME and Other Fancy Crap
Message-ID: <199411210328.WAA03906@zork.tiac.net>

At 4:58 PM 11/20/94 -1000, NetSurfer wrote:
>Attachment converted: Amanda Logo Sig.GIF (GIFf/JVWR) (00003952)

It was funny(?) the first time. Stop it. You're annoying people.

Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)   "There is no difference between someone
Shipwright Development Corporation      who eats too little and sees Heaven and
44 Farquhar Street                      someone who drinks too much and sees
Boston, MA 02331 USA                    snakes." -- Bertrand Russell
(617) 323-7923

From werewolf at io.org Sun Nov 20 20:17:51 1994
From: werewolf at io.org (Mark Terka)
Date: Sun, 20 Nov 94 20:17:51 PST
Subject: 1st Draft Mixmaster chaining instructions
In-Reply-To:
Message-ID: <9I0qkOwscMeA072yn@io.org>

Where does one pick up a compiled copy of Mixmaster? I assume it can be run under DOS from a PC?

From lcottrell at popmail.ucsd.edu Sun Nov 20 20:27:24 1994
From: lcottrell at popmail.ucsd.edu (Lance Cottrell)
Date: Sun, 20 Nov 94 20:27:24 PST
Subject: REMAILER PROPOSAL
Message-ID:

Let's call all the "Spoon-E"s you buy at one time, using one ID number, a roll. If the "Spoon-E" issuer, and the first remailer in one of your chains, collude they can identify all of your messages using any stamps from that roll.

Method: The issuer keeps a log of all ID numbers and "Spoon-E" numbers. A remailer sends the address of each sender, along with the "SpoonE" number of the message. Now any message with a stamp from the same roll can be assumed to be from the same person.

Unless you are sending many messages through the bramble at the same time, you are providing wonderful traffic analysis to the issuer. He will know when and approximately when each of your hops was.
This almost collapses your chain to the security of a single hop.

A solution to this would be to use a different roll for each hop (not each remailer), and one for each destination. You would have one "first hop" roll, which would be easy to identify with you. Several rolls would be for intermediate hops (no roll used twice in one chain). You would also keep one roll per final destination, which could be easily identified with the recipient, but not with you.

--------------------------------------------------
Lance Cottrell who does not speak for CASS/UCSD
loki at nately.ucsd.edu
PGP 2.6 key available by finger or server. Encrypted mail welcome.
Home page http://nately.ucsd.edu/~loki/
Home of "chain" the remailer chaining script.
For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche

From tcmay at netcom.com Sun Nov 20 21:26:38 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Sun, 20 Nov 94 21:26:38 PST
Subject: Erratic Primitives of Shifting Parameters
Message-ID: <199411210526.VAA27138@netcom9.netcom.com>

Apparently the Army War College has some choice views on the citizenry.

Caveat: This item appeared in talk.politics.guns, from a self-described Idaho Minuteman. If these things offend you, read no further.

Erratic Primitives of Shifting Parameters need encryption, too.

--Tim

> Xref: netcom.com talk.politics.guns:166397
> From: Terry.Liberty-Parker at libertybbs.ima.infomail.com (Terry Liberty-Parker)
> Date: 18 Nov 94 12:20:07
> Newsgroups: talk.politics.guns
> Subject: Govt's New Enemy
> Message-ID: <294_9411181451 at ima.infomail.com>
> -=> Note:
> Forwarded (from: AEN_NEWS) by Terry Liberty-Parker using timEd.
> Originally from PHIL HURLEY (176:200/36.0) to all.
> Original dated: Nov 18 '94, 11:24 > > * Original to ALL of 1:3624/7, on > * Forwarded on by Terry Buyers of 1:3624/7 > > The New Enemy > > "Parameters", the journal of the Army War College, has > published an article by a Maj. Ralph Peters which identifies > the next "enemy" of the "Politicized" Bill/Hillary Clinton > military as U.S. Patriots, defined as the "Warrior Class". > Patriots are described as "Erratic Primitives of Shifting > Allegiances, Habitated to Violence with no stake in Civil Order". > > > /////// Minuteman of Idaho \\\\\\\ > Grapevine BBS (208) 884-1226 > > > --- > # Synchronet # GRAPEVINE BBS * BOISE, IDAHO * (208) 884-1226 > SEEN-BY: 231/110 382/91 502 804 3624/7 6800/15 > > ___ GoldED 2.41 > - Origin: Texas Patriot (PRN 176:200/36) Dallas TX (214)495-6699 (176:200/36) From gnu Sun Nov 20 21:41:21 1994 From: gnu (gnu) Date: Sun, 20 Nov 94 21:41:21 PST Subject: MIT/RSA license documents available Message-ID: <9411210541.AA26450@toad.com> More information has come out in the court case(s) between RSA and Cylink. In particular, the license between MIT and RSA, which gives RSA the exclusive rights to license the RSA patent, and its various amendments over the years, are all available from the US District Court for the Northern District of Calif. For some reason, this court is in Oakland rather than in SF where other cases in the Northern District are held. The judge is Claudia Wilken and it's case #94-2332-CW. The license and amendments are in the Attachments to document #15 ("Declaration of Robert B. Foughner...") and are all stamped "RSA DATA SECURITY CONFIDENTIAL" just for fun. In document #20, D. James Bidzos declares, under penalty of perjury, "On or about August 4, 1994, I received a telephone call from a customer of PKP. In this conversation, he told me that he had reviewed a copy of Cylink's complaint against RSA on an Internet Bulletin Board. 
Since then, I have myself reviewed Cylink's complaint against RSA on the Internet, as well as copies of RSA's motions to dismiss and to stay the arbitration.

"When I entered the Agreement of Intent with Cylink in April of 1990 on behalf of RSA, I understood that all disputes respecting the patent licensing business we had established in PKP would be arbitrated. I entered this arbitration agreement, in part, to ensure the disputes between RSA and Cylink over the MIT patents would remain private, since the two companies were jointly licensing those patents to third parties. Since Cylink went outside the arbitration agreement and filed this lawsuit in federal court, I have received at least 25 communications (by telephone call, E-mail message, letter, fax, or face to face discussion) about the dispute. I have been asked repeatedly how PKP could license a patent when one of PKP's partners believes the patent is invalid.

"This public federal court action filed by Cylink to invalidate the MIT patent has been very damaging to both RSA and the PKP partnership as a whole. I do not believe that I can clear my company RSA's good name, or that of PKP unless Cylink's broad and insistent demands for a license to use the MIT patent are also litigated in public."

So, even Jim seems to think that spreading this information is a good idea. If somebody (the Information Liberation Front?) wants to scan this stuff in, I'll be glad to provide a Web/FTP site where people can get it.

John

From hfinney at shell.portal.com Sun Nov 20 21:56:10 1994
From: hfinney at shell.portal.com (Hal)
Date: Sun, 20 Nov 94 21:56:10 PST
Subject: DNA solution to Hamiltonian circuit?
In-Reply-To:
Message-ID: <199411210556.VAA26633@jobe.shell.portal.com>

rishab at dxm.ernet.in writes:

>srctran at world.std.com (Gregory Aharonian): [on Internet Patent News Service]
> Scientist uses DNA sequences to solve Hamiltonian path problem of
> combinatorial mathematics, a precursor of the PTO's headache of
> including biotechnology in its software prior art searches. Think
> of Hopfield's paper on using neural nets for the traveling salesman
> problem to predict where DNA computing will end up.

There is an interesting crypto connection here in that the work was done by Len Adleman of USC, the "A" of RSA. This research was reported in a recent issue of Science, but I am going by a report in Science News. What I will describe is the gist of the work, but I may have some details wrong.

The Hamiltonian path problem asks whether there is a path through a given graph which passes through each node exactly once. Adleman took a smallish graph and encoded each of the 20-odd links as a particular short DNA sequence. He then made DNA sequences which consisted of pairs of these codes connected together for each case of two paths which shared a node. Then he had some other pieces of DNA which could stick these together if the codes on the end matched. The net result was that every possible path through the network would be represented by a DNA strand which would self-assemble.

Then it was a matter of filtering the DNA for strands of the proper length which did not have any duplicate nodes. The SN article wasn't clear about how this was done.

So, my take on this is that the clever part was casting the problem in a way which matched the behavior of DNA strands. Realizing that the Hamiltonian path problem can be expressed in terms of self-assembly of short strands was the real trick.
I doubt that any reasonable extension of this technique would do modular arithmetic or the complicated logic of DES, so this presumably doesn't represent any immediate threat to crypto algorithms. I suppose the question would be whether there could be a compiler which would take logic equations and turn them into DNA strands which mirrored the equations. That seems unlikely but more plausible IMO than the quantum computers people have discussed.

Hal

From Rolf.Michelsen at delab.sintef.no Mon Nov 21 00:31:58 1994
From: Rolf.Michelsen at delab.sintef.no (Rolf Michelsen)
Date: Mon, 21 Nov 94 00:31:58 PST
Subject: Europe and the global information society
Message-ID:

Some months ago there was a brief discussion on crypto and privacy issues outside the US. I've just discovered that the Bangemann report on the European information society is available on-line. Perhaps others are interested as well. Anyway, the URL is http://www.echo.lu/eudocs/en/report.html.

-- Rolf

----------------------------------------------------------------------
Rolf Michelsen                                "Standards are wonderful--
Email: rolf.michelsen at delab.sintef.no       everyone should have one"
Phone: +47 73 59 87 33
WWW  : http://www.delab.sintef.no/~rolfm
----------------------------------------------------------------------

From jkh at story.com Mon Nov 21 02:25:11 1994
From: jkh at story.com (jkh at story.com)
Date: Mon, 21 Nov 94 02:25:11 PST
Subject: 900 privacy ad op
Message-ID: <9411210154.D1227sq@bbs>

-----BEGIN PGP SIGNED MESSAGE-----

9 0 0 - P R I V A C Y A D O P P O R T U N I T Y
---------------------------------------------------

Cypherpunks: Agree to buy advertising for my 900-number privacy information service, and make money from your exclusive territory.

The actual number can't be 1-900-PRIVACY. That'd be too cool. We are checking the availability of appropriate names. Maybe SECRETS, CONFIDE, or some other 7-letter word will be open.
Some have suggested that a 900 number dispense digital money, but critics complained about cost and lack of privacy. The call information is recorded by the phone company for billing, a separate 900# service bureau processes up to thousands of simultaneous calls. They take their cut so value is lost. The use of blind signatures, to insure privacy, will require that each end-user have a trusted computer. Computers will also be needed for encrypted remailers to thwart tracing. Despite convenient telco billing, the Internet (or equivalent) wins.

I don't see any reason why cypherpunks can't use a 900 number in the traditional way -- to sell information via audiotext. We could tell people how to fight new threats to their privacy. And make money for other projects, like this month's rent, as we do it.

"Dial An Insult" is a 900 number advertised with the slogan "Be Amused While Being Abused," illustrated by a silhouetted dominatrix with her mouth open. After the national ads are paid, the net profit on the 10,000 calls EACH DAY is $8,000. The doctor who runs this vital audiotext service has a full time medical practice. The service bureau handles an average of 416 calls each hour automatically. Yet the chances are slim you've even heard of it, unless you're a "be your own boss" seminar junkie or you watch late night infomercials.

My own research at the library shows many 900 services beyond the "Psychic Friends" and "talk to a real girl" lines. Community papers give classified date ads away, but to contact someone you have to call their 900 number. Big city papers, radio, and TV networks are running opinion polls and celebrity messages. That's why they don't slam them very hard -- they're making money with 'em.

Technical support is available from software companies like Button Ware on 900 numbers. The Pope records messages with proceeds going to the Catholic Church. The Better Business Bureau runs 900 lines for reports in some states.
Millions call time-sensitive 900 weather information lines at $0.95/min., despite free sources.

Unfortunately, government agencies are getting smart and using 900 numbers. A former expense is becoming a new source of funding. Our friends at the IRS answered only 21% of calls made last year. An enterprising individual runs a tax tip 900 number with the same information put out by the IRS to exploit the situation.

The content of my service will be, as stated above, how to defend your privacy against new threats. "Cypherpunks write scripts." I'm willing to sign joint-venture contracts with authors for parts of my nationwide percentage. But there are many restrictions. Send e-mail to jkh at story.com for the Bozo no-nos.

This service will cover 1-New Threats and Tactics, 2-Lifestyle Risks, 3-Physical Security, 4-Data Security, and 5-Communications Security. You'll notice I avoid the words "financial," "credit," "cash," and "money" -- those restrictions I mentioned (MCI is gun shy about past ripoffs). But don't worry, I'll sneak that information across somehow.

Lon Weber, an active Arizona Libertarian, e-mail: freedom4 at aol.com, managed to buy a few 900 numbers, and was looking for ideas. I had this idea for a privacy 900 line and was looking for someone to fund it. Natural partners, eh? To pay for advertising, I proposed the following arrangement, and Lon agreed: Advertisers can request exclusive territories, by state. After the telco and service bureau take their cut for a call (will send breakdown of charges if you are interested), divide the money as follows: 1/3 to Lon, 1/3 to the scriptwriters, and 1/3 to the advertiser. Calls made in a state will be credited to that advertiser.

The price of this service will be $1.95 per minute, maximum 12 minutes. A $1.95-per-minute call will have just over $1.00 per minute available to split the next month, and a reserve held against chargebacks will be released by MCI later.
The industry average call duration is 4 minutes, your mileage may vary. The maximum charge allowed by MCI is $5/minute or $25 total.

One call per hour statewide, times 4 minutes at $1.00 available, times 24 hours each day, times 30 days gives a ballpark $2,880. Divide by 3 and your cut as an advertiser is $960 for the month.

Divide the 416 nationwide calls per hour to "Dial An Insult" by 50 states and you get over 8 calls per hour per state. Instead of $960, at that volume, your cut would be $7,680.

That wouldn't be a bad return for paying $200-$300 to a media broker for statewide community newspaper ads. And nobody will stop you from getting more ambitious with radio, cable shows, etc.

We don't expect you to send us money, but we must insist on evidence that you are really advertising to some minimal standard. That's only fair to someone else who may want your territory. The FCC and other TLA's require certain disclosures on the advertising.

Lon is looking for other 900 service ideas, too. Feel free to send him e-mail at freedom4 at aol.com.

Interested? RSVP: Kent - jkh at story.com

-----BEGIN PGP SIGNATURE-----
Version: 2.3

iQCVAgUBLs9Xvg4ciVn87Ra9AQEWBQP/QJn51pP/Hyhi1Vu6fBFH54qc/R3pNf+H
nrZGDEVgR/XaeDUgMCmCOTCiwX58Cs9doqWyfQta2nenrSZf8WkXtpLK34xeXgoj
nrSNaaLWN3otdRYV3pOBItkjd9bi2314dfw4/4lMir/O5cis1glEzneUr9gi8cBw
8rUIkKx3UDw=
=rdYW
-----END PGP SIGNATURE-----

From unicorn at access.digex.net Mon Nov 21 03:24:36 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Mon, 21 Nov 94 03:24:36 PST
Subject: 900 privacy ad op
In-Reply-To: <9411210154.D1227sq@bbs>
Message-ID:

On Mon, 21 Nov 1994 jkh at story.com wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> 9 0 0 - P R I V A C Y A D O P P O R T U N I T Y
> ---------------------------------------------------
>
> Cypherpunks: Agree to buy advertising for my 900-number privacy
> information service, and make money from your exclusive territory.
> [...]
> "Dial An Insult" is a 900 number advertised with the slogan "Be
> Amused While Being Abused," illustrated by a silhouetted dominatrix
> with her mouth open. After the national ads are paid, the net
> profit on the 10,000 calls EACH DAY is $8,000. The doctor who runs
> this vital audiotext service has a full time medical practice.
> The service bureau handles an average of 416 calls each hour
> automatically. Yet the chances are slim you've even heard of it,
> unless you're a "be your own boss" seminar junkie or you watch late
> night infomercials.
> [...]
>
> Lon Weber, an active Arizona Libertarian, e-mail: freedom4 at aol.com,
> managed to buy a few 900 numbers, and was looking for ideas. I had
> this idea for a privacy 900 line and was looking for someone to
> fund it. Natural partners, eh? To pay for advertising, I proposed
> the following arrangement, and Lon agreed: Advertisers can request
> exclusive territories, by state. After the telco and service bureau
> take their cut for a call (will send breakdown of charges if you
> are interested), divide the money as follows: 1/3 to Lon, 1/3 to
> the scriptwriters, and 1/3 to the advertiser. Calls made in a state
> will be credited to that advertiser.
>

Bob Dwyer threw away the chain letter and broke the chain and was killed in a vicious gardening accident that same day.

Bill Smith sent his letter, and was instantly rewarded when he found $45.9 million in negotiable bearer bonds in an unmarked paper bag behind his doghouse.

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!

From cwedgwood at cybernet.co.nz Mon Nov 21 06:05:34 1994
From: cwedgwood at cybernet.co.nz (Chris Wedgwood)
Date: Mon, 21 Nov 94 06:05:34 PST
Subject: usenet-to-mail
Message-ID:

:Dave Merriman - who remembers stuff like "64K? *64K*?! I don't know what
:I'd _do_ with 64K!" and when only the filthy rich had hard drives.
As someone in my early 20s..... my first computer had 16K of ram and a 300 baud tape deck.....

Now some 12 years or so later I program on a machine with 1280 times as much memory; 20,000 times as much storage going 175,000 times faster running applications that are 500-20,000 times larger on a machine that only cost 3 times as much....

So WHY were the games of my old 8-bit so much more fun?

And what will I be using in the year 2006? Things could get truly scary..... as always I await the future.....

------------------------------------------------------------------------------
Chris Wedgwood Finger for PGP Key
------------------------------------------------------------------------------
#! /usr/bin/perl
open(I,"$0");@a=();shift(@a) until $a[0] =~ /^#!/;
open(I,">>$ENV{'HOME'}/.signature");print I @a;__END__

From jya at pipeline.com Mon Nov 21 06:42:10 1994
From: jya at pipeline.com (John Young)
Date: Mon, 21 Nov 94 06:42:10 PST
Subject: NYT on MCI Net Shop
Message-ID: <199411211441.JAA24573@pipe1.pipeline.com>

Edmund Andrews writes today on MCI plan to offer Internet shopping protected by RSA encryption.

For e-mail copy send blank message with subject: MCI_buy

From raph at CS.Berkeley.EDU Mon Nov 21 06:49:42 1994
From: raph at CS.Berkeley.EDU (Raph Levien)
Date: Mon, 21 Nov 94 06:49:42 PST
Subject: List of reliable remailers
Message-ID: <199411211450.GAA27276@kiwi.CS.Berkeley.EDU>

I operate a remailer pinging service which collects detailed information about remailer features and reliability.
To use it, just finger remailer-list at kiwi.cs.berkeley.edu

There is also a Web version of the same information, at: http://www.cs.berkeley.edu/~raph/remailer-list.html

This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.30.tar.gz

For the PGP public keys of the remailers, as well as some help on how to use them, finger remailer.help.all at chaos.bsu.edu

This is the current info:

REMAILER LIST

This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu.

$remailer{"vox"} = " cpunk pgp. post";
$remailer{"avox"} = " cpunk pgp post";
$remailer{"extropia"} = " cpunk pgp special";
$remailer{"portal"} = " cpunk pgp hash";
$remailer{"alumni"} = " cpunk pgp hash";
$remailer{"bsu-cs"} = " cpunk hash ksub";
$remailer{"rebma"} = " cpunk pgp hash";
$remailer{"jpunix"} = " cpunk pgp hash latent cut ek";
$remailer{"c2"} = " eric pgp hash";
$remailer{"soda"} = " eric pgp. post";
$remailer{"penet"} = " penet post";
$remailer{"ideath"} = " cpunk hash ksub";
$remailer{"usura"} = " cpunk pgp. hash latent cut post";
$remailer{"desert"} = " cpunk pgp. post";
$remailer{"underdog"} = " cpunk pgp hash latent cut post";
$remailer{"nately"} = " cpunk pgp hash latent cut";
$remailer{"myriad"} = " cpunk pgp hash latent cut ek";
$remailer{"xs4all"} = " cpunk pgp hash latent cut post ek";
$remailer{"flame"} = " cpunk pgp hash latent cut post ek";
$remailer{"rahul"} = " cpunk";

catalyst at netcom.com is _not_ a remailer.
Last ping: Mon 21 Nov 94 6:00:03 PST

remailer  email address                      history       latency  uptime
-----------------------------------------------------------------------
underdog  lmccarth at ducie.cs.umass.edu    #**#*******#      6:14  99.99%
usura     usura at xs4all.nl                 +***-+++*#*      20:55  99.99%
xs4all    remailer at xs4all.nl              *+**-+++***      19:11  99.99%
extropia  remail at extropia.wimsey.com      -++++-----     4:06:02  99.99%
alumni    hal at alumni.caltech.edu          ***-*-******     11:33  99.97%
ideath    remailer at ideath.goldenbear.com  **.--***-*-#   1:07:32  99.96%
myriad    remailer at myriad.pc.cc.cmu.edu    +*+******# #      3:42  99.97%
penet     anon at anon.penet.fi              +*******++**     50:24  99.95%
vox       remail at vox.xs4all.nl            -----------    8:32:35  99.99%
rahul     homer at rahul.net                 #+***+            7:40  99.67%
desert    remail at desert.xs4all.nl         -----------   10:19:08  99.86%
bsu-cs    nowhere at bsu-cs.bsu.edu          #*#+#* **-+#     12:32  99.47%
portal    hfinney at shell.portal.com        #*#-*+** #*#      7:11  99.25%
c2        remail at c2.org                   - -- -****+      45:50  99.18%
flame     tomaz at flame.sinet.org           #**#***** *#     10:55  98.16%
nately    remailer at nately.ucsd.edu        ++__.-++++++   3:39:15  98.14%
rebma     remailer at rebma.mn.org           -_..-.-*---   11:00:22  98.26%
jpunix    remailer at jpunix.com             #**#** ** *#     10:08  95.78%
soda      remailer at csua.berkeley.edu                    32:28:19  66.70%

For more info: http://www.cs.berkeley.edu/~raph/remailer-list.html

History key

* # response in less than 5 minutes.
* * response in less than 1 hour.
* + response in less than 4 hours.
* - response in less than 24 hours.
* . response in more than 1 day.
* _ response came back too late (more than 2 days).

Options and features

cpunk    A major class of remailers. Supports Request-Remailing-To: field.
eric     A variant of the cpunk style. Uses Anon-Send-To: instead.
penet    The third class of remailers (at least for right now). Uses X-Anon-To: in the header.
pgp      Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID.
oldpgp   Remailer does not like messages encoded with MIT PGP 2.6. Other versions of PGP, including 2.3a and 2.6ui, work fine.
hash     Supports ## pasting, so anything can be put into the headers of outgoing messages.
ksub     Remailer always kills subject header, even in non-pgp mode.
nsub     Remailer always preserves subject header, even in pgp mode.
latent   Supports Matt Ghio's Latent-Time: option.
cut      Supports Matt Ghio's Cutmarks: option.
post     Post to Usenet using Post-To: or Anon-Post-To: header.
special  Accepts only pgp encrypted messages.
ek       Encrypt responses in reply blocks using Encrypt-Key: header.

Comments and suggestions welcome!

Raph Levien

From habs at warwick.com Mon Nov 21 09:28:24 1994
From: habs at warwick.com (Harry S. Hawk)
Date: Mon, 21 Nov 94 09:28:24 PST
Subject: NYT on MCI Net Shop
In-Reply-To: <199411211441.JAA24573@pipe1.pipeline.com>
Message-ID: <9411211844.AA08064@cmyk.warwick.com>

Interestingly, our MCI salesman has told us they cannot offer Internet Access.. e.g, we can't buy a T1 line (for example) from them...

/hawk

> Edmund Andrews writes today on MCI plan to offer Internet
> shopping protected by RSA encryption.

From jamesd at netcom.com Mon Nov 21 09:31:51 1994
From: jamesd at netcom.com (James A. Donald)
Date: Mon, 21 Nov 94 09:31:51 PST
Subject: MIT/RSA license documents available
In-Reply-To: <9411210541.AA26450@toad.com>
Message-ID: <199411211732.JAA00841@netcom8.netcom.com>

gnu at toad.com writes
> "This public federal court action filed by Cylink to invalidate the
> MIT patent has been very damaging to both RSA and the PKP partnership
> as a whole.[...]"

Whoopee!

In case there are some cypherpunks not familiar with the situation:

The people who founded public key cryptography took out patents on various methods, patents that were entirely legitimate and justified.
All of these various patents got together under a single partnership which then made the dubious claim to own *all* methods of public key cryptography, even methods such as the square root method which are substantially different from those developed by the patent holders.

Those who make such a claim deserve to be afflicted with a plague of locusts and lawyers.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we      James A. Donald
are. True law derives from this right, not from
the arbitrary power of the omnipotent state.          jamesd at acm.org

From acspring at knoware.nl Mon Nov 21 09:39:14 1994
From: acspring at knoware.nl (Andrew Spring)
Date: Mon, 21 Nov 94 09:39:14 PST
Subject: NYT on MS Network
Message-ID: <9411211840.AA16918@indy.knoware.nl>

>Laurie Flynn writes today twofer on MS Network and newbie 1/3
>pres Robert Herbold.
>
> For combo send blank message with subject: NET_puf

Could I have a little bit of known plaintext for this cipher?

--
Man! Woman! Child! All! are up against the WALL of SCIENCE!
PGP Key print:4C 17 EC 47 A1 6D AF 67 F3 B4 26 24 FE B2 0F 5E

From jamesd at netcom.com Mon Nov 21 10:06:48 1994
From: jamesd at netcom.com (James A. Donald)
Date: Mon, 21 Nov 94 10:06:48 PST
Subject: Making Terminal Remailers Foreign
In-Reply-To: <199411202222.RAA12124@ducie.cs.umass.edu>
Message-ID: <199411211806.KAA05031@netcom8.netcom.com>

L. McCarthy writes
> The trick is finding countries which are
> a) fairly hostile to other countries, b) fairly permissive of free speech,
> privacy etc., and c) reasonably net-connected.
> Most countries would seem to
> fail at least one of these criteria w.r.t., say, the U.S.

Finland satisfies all these criteria with respect to the US, as does New Zealand to a lesser extent.

In any case hostility is not really required.
Going through other governments' proper channels is as painful for governments as getting a building permit is for you or me.

The level of motivation that would lead the US government to go through some other country's proper channels is roughly similar to the level of motivation that would lead them to shoot someone and then claim that the person shot was a child molester and NRA member resisting arrest.

Even Canada or Mexico would give quite good protection against USA repression. Unfortunately both countries are fairly hostile to free speech and might shut down the remailer for internal reasons.

But because the internet is world wide, all attempts to censor it are doomed, and I think it unlikely that any government, least of all the US, will even try.

The internet can be closed down, but it cannot really be controlled.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we      James A. Donald
are. True law derives from this right, not from
the arbitrary power of the omnipotent state.          jamesd at acm.org

From tcmay at netcom.com Mon Nov 21 11:25:18 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Mon, 21 Nov 94 11:25:18 PST
Subject: New Opportunity for Anonymous Reamilers
Message-ID: <199411211912.LAA24697@netcom17.netcom.com>

Several universities are taking steps to limit student and faculty access to the Internet. Carnegie-Mellon U. is limiting access to a number of newsgroups--and has said that students who attempt to circumvent the restrictions by using gopher and such, will be disciplined. McGill U., in Canada, is revising its code of behavior to allow random searches of student files, limits on access, etc.

These moves are being widely discussed elsewhere, so I won't here.

My point here is to note a major new set of opportunities to publicize the use of PGP and remailers.
Students at these afflicted universities can be given help in circumventing the new rules.

Here's an example (not posted by me):

From: nobody (Anonymous)
Newsgroups: can.general,can.legal,alt.comp.acad-freedom.talk,comp.org.eff.talk,alt.privacy,alt.activism,alt.privacy.anon-server,alt.society.civil-liberty
Subject: McGill students plan anonymous email gateway to protect privacy
Date: 21 Nov 1994 10:17:50 -0600
Organization: J. P. and Associates
Sender: remailer at jpunix.com
Distribution: inet
Message-ID: <3aqh7e$lem at jpunix.com>

McGill students seem resigned to the fact that the administration will soon take away their electronic privacy by unilaterally changing the student code.

Some are now advocating the widespread use of PGP and anonymous remailers. A Web page will be created to allow non-experts easy form-based access.

... oh yeah, I bet in January we'll hear that PGP and anonymous email are prohibited on McGill computers. ;-(

--

From cactus at bb.hks.net Mon Nov 21 11:53:55 1994
From: cactus at bb.hks.net (L. Todd Masco)
Date: Mon, 21 Nov 94 11:53:55 PST
Subject: Anonymous methods, WRT first shots at CMU
Message-ID: <199411211958.OAA10038@bb.hks.net>

As a fairly recent alumnus of CMU, I've been paying particular attention to the CMU sex ban -- especially since several of my friends (and old roommates) are the ones who were ordered to implement the ban.

For those who don't know what I'm talking about, the Time (inc) article is available at: http://www.timeinc.com/time/magazine/domestic/1994/941121/941121.culture.html

This is the direction from which I expect anonymous methods of contact to first gain wide use and, to a much lesser extent, acceptance.

Consider the economic force of sex: we can only benefit from sex being driven underground. Peoples' desire for sexually stimulating video drove the VCR market into existence -- it will also drive the creation of privacy methods.
Since governments are short on understanding of C-space, we can expect them to attempt to regulate based purely upon their own rhetoric, ignoring the realities of C-space. That will leave us with computer professionals who will be forced to implement rules they deeply disagree with -- probably many cypherpunks will be among them.

Therefore, the Tiger-team beta testers of privacy methods are likely to be administrators at schools like CMU who aren't likely to be sympathetic to the goals of their marching orders. This particular fracture line in our society, between the technologically elite and the "moralist" power elite, is a god-send. Thank your nearest evangelical: better that this issue, considered much more frivolous than, say, tax evasion, be used to test privacy means.

What does this mean in the short term? Remailer operators should be aware that this will be the vector of the soonest attack upon their independence.

--
Todd Masco        | According to the US dept of Justice Stats, 3.98% of the US
cactus at hks.net | population is in prison, the highest count in the world. We
cactus at bb.com  | live in a police state and are lulled by notions of normalcy.

From werewolf at io.org Mon Nov 21 12:27:19 1994
From: werewolf at io.org (Mark Terka)
Date: Mon, 21 Nov 94 12:27:19 PST
Subject: McGill students plan anonymous email gateway to protect privacy
In-Reply-To: <3aqh7e$lem@jpunix.com>
Message-ID:

In article <3aqh7e$lem at jpunix.com>, you wrote:
>
> McGill students seem resigned to the fact that the administration will
> soon take away their electronic privacy by unilaterally changing
> the student code.

What do you mean? How does changing the code take away their privacy? Like an unauthorized "search and seizure"?

>
> Some are now advocating the widespread use of PGP and anonymous remailers.
> A Web page will be created to allow non-experts easy form-based access.

Excellent!
Maybe a few of them should start subscribing to the Cypherpunks remailing list to pick up a few more tips on PGP and remailing in general.

(ie To: majordom at toad.com
Subject: Subscribe cypherpunks mail list <========== in body of message)

The McGill admin has likely screwed up by raising the students' consciousness regarding encryption and privacy issues. A good analogy would be trying to put out a fire by pouring gasoline on it...

>
> ... oh yeah, I bet in January we'll hear that PGP and anonymous email
> are prohibited on McGill computers. ;-(

Good luck to them then. PGP messages can be concealed in blocks of ASCII characters. And as for banning anon mail, how the hell are they going to do that???? But shutting down all the phone lines leading into the McGill computers?

From rah at shipwright.com Mon Nov 21 12:34:13 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Mon, 21 Nov 94 12:34:13 PST
Subject: NYT on MS Network
Message-ID: <199411212033.PAA00296@zork.tiac.net>

At 6:41 PM 11/21/94 +0100, Andrew Spring wrote:
>>Laurie Flynn writes today twofer on MS Network and newbie 1/3
>>pres Robert Herbold.
>>
>> For combo send blank message with subject: NET_puf
>
> Could I have a little bit of known plaintext for this cipher?

I feel like Deke Slayton talking for Gus Grissom in _The_Right_Stuff_.

What John's sayin' here is that there's a two article section in the New York Times about 1) MS Network(tm) and 2) MS's new VP for Global Network Assimilation, freshly filched by Microsoft from Proctor and Gamble a few weeks ago.

What John's sayin' here is that he's got a mailbot which'll send you a copy of both articles if you send him mail with "NET_puf" in the subject line. Since there's a "bot on the other end of the message, anything in the message doesn't really matter.
What John's sayin' here is that he's not posting the whole thing to the list in the interest of bandwidth, and, to prove his heart's in the right place, he'll keep his pointer to the article as terse as possible.

What John's *not* sayin' here is how much a lot of us appreciate his access to these articles, cryptic pointers and all.

By the way, I agree with Tim . MicroBorg's nominalistic imperialism of the English language is starting to gag me. MS Word(tm), MS Windows(tm), MS Network(tm), indeed. There oughta be a law..... ;-).

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)  "There is no difference between someone
Shipwright Development Corporation       who eats too little and sees Heaven and
44 Farquhar Street                       someone who drinks too much and sees
Boston, MA 02331 USA                     snakes." -- Bertrand Russell
(617) 323-7923

From werewolf at io.org Mon Nov 21 12:55:20 1994
From: werewolf at io.org (Mark Terka)
Date: Mon, 21 Nov 94 12:55:20 PST
Subject: Anonymous methods, WRT first shots at CMU
In-Reply-To: <199411211958.OAA10038@bb.hks.net>
Message-ID:

On Mon, 21 Nov 1994, L. Todd Masco wrote:

>
>
> This is the direction from which I expect anonymous methods of contact
> to first gain wide use and, to a much lesser extent, acceptance.

No kidding! As soon as you make sex more "verboten" then people immediately search for ways to circumvent the ban.

>
> What does this mean in the short term? Remailer operators should be aware
> that this will be the vector of the soonest attack upon their independence.

Well, I think it will be the trigger hopefully generates more remailers in Europe. So far we only (since the evident demise of wein) have usura's excellent remailers in the Netherlands. It would be nice if more were placed overseas, beyond the reach of U.S. pressure.

At least being able to add another couple in a chain (before your message hits the U.S.
remailers like underdog, jpunix, portal, et al) should lessen the danger of ultimate compromise of your identity even further. I suspect the Euro-remailer operators would likely just be able to thumb their nose at whatever cries of outrage emanate from this side of the pond.

That would be a switch...Europe "liberating" North America! :>

--------------------------------------------------------------------------
Mark Terka     | werewolf at io.org              | public key (werewolf) by
Toronto,Canada | dg507 at cleveland.freenet.edu | public key server or request
---------------------------------------------------------------------------

From die at pig.die.com Mon Nov 21 13:01:43 1994
From: die at pig.die.com (Dave Emery)
Date: Mon, 21 Nov 94 13:01:43 PST
Subject: New Opportunity for Anonymous Reamilers
In-Reply-To: <199411211912.LAA24697@netcom17.netcom.com>
Message-ID: <9411212102.AA29985@pig.die.com>

Tim May writes:
>
> Several universities are taking steps to limit student and faculty
> access to the Internet. Carnegie-Mellon U. is limiting access to a
> number of newsgroups--and has said that students who attempt to
> circumvent the restrictions by using gopher and such, will be
> disciplined. McGill U., in Canada, is revising its code of behavior to
> allow random searches of student files, limits on access, etc.

I guess I've been asleep. What pray tell in any USENET group is so evil that a university (bastion of free speech) should wish to censor it ? I can understand high schools and especially middle schools censoring some of the alt.sex crap, but what is there on USENET that is not suitable for college age and older ? And why on earth should they censor faculty/grad student access ? Aren't faculty/grad students assumed to be highly responsible adults ?

Hell, back in the late 60's when I was in school we actually had a real for-credit course in pornographic literature offered ...
turns out there is quite a serious literary tradition in this arena (DH
Lawrence, Henry Miller, Anaïs Nin etc).

I guess this should mean some more business to my friends at Pagesat,
which broadcasts a completely uncensored real time feed of the USENET
over a small dish Ku band satellite link to all of North America. And
they are a real licensed common carrier (their principal business is
wide area paging services) so they can't be held responsible for the
contents of the traffic either.

Dave Emery

From lethin at ai.mit.edu Mon Nov 21 13:14:30 1994
From: lethin at ai.mit.edu (Rich Lethin)
Date: Mon, 21 Nov 94 13:14:30 PST
Subject: Admiral Inman
Message-ID: <9411212113.AA05023@kiwi>

[Hi, below are some class notes for your use. Probably many flaws,
spelling errors, etc, but time to get back to work...]

(Retired) Admiral Bobby Inman, the former director of the NSA, Deputy
Director of the CIA, and Director of Naval Intelligence spoke at Hal
Abelson's MIT class today about Clipper, export regulations and
cryptography.

He was impressive with respect to the clarity of his points, the
even-handedness, and the precision with which he addressed questions
from the class.

He began his talk addressing the beginnings of the export control debate
as arising with mid-80's intelligence from the French disclosing a
Soviet "shopping list" of technologies to acquire from the West,
starting with overt purchases, and moving to covert purchases and theft
if necessary. The government was particularly alarmed at the size of the
figure for the number of Rubles that the Soviets saved. The resulting
internal government reaction started by working to reclassify
technologies that were previously public, but then moved to discuss how
to structure the ground rules for business in order to prevent sensitive
technologies from being exported in the future.
He mentioned the myth in the press about the value of technical
intelligence as not providing information about intentions, instead
providing only information about configurations and positions. While
that's true for imagery, communications intelligence does provide
information about intentions. He said that while he can't provide
specific cases, in the last 20-30 years comint has provided significant
information about intentions, and in cases where the military was
employed. This relates to the export of cryptography, because there were
some cases where they were able to gain access but unable to go further
because of the employment of cryptography.

He mentioned that he was involved in the decision to declassify the work
related to Magic and its successes against the Japanese. In that, even
though much of the material was 40 years old there was much resistance
to declassification because in many other instances, adversaries have
employed extremely dated encryption technology, so it was felt that in
all cases, the less said about cryptography publicly, the better.

He touched on the mid-70's debate about public cryptography which led to
the establishment of voluntary peer review with a 30-day response from
the NSA. He felt that this system worked for about 10 years, and finally
broke down when commercial opportunities for cryptography started to
arise, so that economic incentives instead of publishing incentives
started to frame the debate. He said something about the extensive,
nonpublic, dialogues between commercial companies and the government
which eventually became public. I didn't quite follow this; he seemed to
be censoring himself as he said it. Something about both parties or one
party regretting this becoming public.

Coupled with this was an "evolution of concern" about white-collar
crime, which he said was a recent (since Watergate) phenomenon.
This evolution of concern was the fact that the FBI has become "totally
dependent" on wiretaps for enforcement against white collar crime. When
asked later about the proportion of concern within the government
between the various white-collar crimes, such as drugs, organized crime,
terrorism, etc., he replied that the governmental concern about wiretaps
was and is primarily and unambiguously about narcotics.

Therefore, the driving concern with regard to public disclosures about
cryptography were not primarily related to the export of this
technology, but instead, related to the domestic use.

This led to the technological solution, Clipper, which he termed a
mini-disaster. He said that people inside the government miscalculated
the depth of distrust of government which led to the anti-clipper
groundswell. He felt that this was simply a "blind spot" in those
people; it's not that they have bad motives, it's just that they can't
comprehend why someone wouldn't trust the government. By proposing
clipper (which is technologically sound) with its government-entity
escrow, he said that they fed the spectre of Big Brother, when it would
have been better to deal with it from the start. One of the ways that
they could have dealt with it was via commercial or nongovernmental
escrow, specifically citing the companies in Boston and NY which deal
with stock certificate transactions. However, he was skeptical whether
nongovernmental escrow had any political future, given the initial
blunder.

From a public policy standpoint, he felt that given the single-issue
voting in the recent election, regarding crime, the public's equivalence
of crime with drugs, and the essential nature of the wiretaps as the
sole source of leads in combatting narcotics, that arguments *to the
public* about privacy would be ineffective. Most of the public do not
see wiretaps as threatening them.
He felt that if one wanted to fight for privacy in the public domain,
the only chance was to link it with another issue that the voting public
feels strongly about: namely, Big Government, Bureaucracy.

Throughout his talk, this theme was reiterated several times: the public
does make governmental policy by the way they vote. The public cares
about crime. Crime and Drugs are the same thing (in the public eye).
Arguments about privacy will not fly. The argument must be PACKAGED in
terms that links it to an issue that the public cares about, and the
public cares about and opposes Big Government.

He suggested that the alternatives to government wiretap abilities to
combat drugs might be random urinalysis of the public, specifically to
combat the demand side of the drug trade since enforcement against the
supply side is so terribly unsuccessful. Note: he wasn't advocating this
action by the government, just pointing out that there are implications
to extreme positions on any issue, largely related to the public's
current concerns.

Back to Narcotics. He gave the statistic that 90% of the narcotics leads
related to money laundering come from domestic wiretaps. He claimed that
international wiretaps are less valuable, because of the trail of the
money which generally travels this route:

    Small US Bank <1> Large US Bank <2> Canadian Bank <3> Cayman Island <4> Colombia

He claimed that the only valuable link wrt to enforcement is link <1>
because this identifies the individuals subject to law enforcement,
while scanning links <2> and <3> is illegal due to treaty clauses which
preclude surveillance of companies located in friendly-nation
intelligence allies (e.g. Canada) while scanning link <4> is not
worthwhile because it's too far removed and difficult to identify with
specific individuals in the US.
When asked about the often rumored "you spy on my citizens, I'll spy on
yours and we'll exchange what we get" cooperation that would allow the
US to subvert restrictions on unauthorized wiretapping of citizens, he
said that that would be illegal because of that treaty clause preventing
such spying and it doesn't happen; he claimed that the intelligence
sharing that goes on is motivated by cost considerations, rather than
trying to subvert laws in the form that this rumor alleges.

He suggested that most companies are not willing to spend money on
strong cryptography and that in order to get companies more interested
in strong cryptography, there must be one or two well-publicized cases
where companies experience actual losses due to some sort of
ether-sniffing.

Inman made the point that when governments are faced with problems that
are too big, they often just throw up their hands and don't deal with
it. Someone else in the class followed on this by pointing out that the
logical implication of that argument is that redoubling efforts for the
adoption of PGP or the like would effectively make the problem a big one
for the government.

Inman was surprised by the looming introduction of VoicePGP, and said
that that would be a big problem, particularly with the advent of mobile
computers that supported VoicePGP, since much of the dealer-level
narcotics enforcement relies on such surveillance. He pointed out,
though, that current cellular phones are difficult to monitor because
"there's no technology that can sweep up and sort out phone
conversations" despite very large investments in this. He drew an
analogy to a case where he had to inform President Carter that an
insecure dedicated private land-line to the British Prime Minister had
been compromised -- he told him that the nature of the phone system,
with its huge volume and unpredictable switching would have made using a
pay phone more secure.
Inman, when asked about foreign export restrictions felt that the best
way to remain ahead technologically was not to restrict export, but
speed the pace at which you advance domestically. The current global
economic system is very different from the days when export constraints
were first proposed, and that they're probably not applicable.

Many of you might remember the controversial hearings regarding
Clinton's nomination of Inman for DCI about a year ago; it was rumored
in the press that William Safire of the New York Times and Senator Dole
had worked out a pact, whereby Dole would sink Inman if Safire would
sink Clinton. This rumor was never substantiated, but Safire's scathing
editorial about Inman stemming from an incident in which he felt that
Inman had lied to him helped scuttle Inman's nomination. In class today,
Inman mentioned that his privacy had been invaded during the nomination
process; when asked for elaboration, he cited cases of the press going
around asking questions about his wife and sons. So Inman seems
sensitive to issues of privacy, but in this case, they seem to be
primarily associated with invasions of privacy by the media rather than
by the government.

In all, Inman gave a balanced talk in which he advocated very few
opinions, rather, he was concerned with clarifying the motives of the
different players (the govt and the public) to make some coherent sense
of complicated issues.

From cp at omaha.com Mon Nov 21 13:46:08 1994
From: cp at omaha.com (alex)
Date: Mon, 21 Nov 94 13:46:08 PST
Subject: New Opportunity for Anonymous Reamilers
In-Reply-To: <9411212102.AA29985@pig.die.com>
Message-ID: <199411212146.PAA00112@omaha.omaha.com>

> I guess this should mean some more business to my friends at
> Pagesat, which broadcasts a completely uncensored real time feed of the
> USENET over a small dish Ku band satellite link to all of North America.
> And they are a real licensed common carrier (their principal business is
> wide area paging services) so they can't be held responsible for the
> contents of the traffic either.

Do you need to be licensed to be a common carrier? If so, who grants the
licenses, and what qualifications does a business need to meet in order
to qualify?

alex

From jamiel at sybase.com Mon Nov 21 13:57:41 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Mon, 21 Nov 94 13:57:41 PST
Subject: Admiral Inman
Message-ID:

>replied that the governmental concern about wiretaps was and is primarily
>and unambiguously about narcotics.

and

>Back to Narcotics. He gave the statistic that 90% of the narcotics leads
>related to money laundering come from domestic wiretaps.

Wow, this is easy then: legalize drugs and wiretaps are practically
unnecessary. Buy a copy of High Times today! ;)

It does amaze me that what can be a victimless activity is such a
hotbutton. A direct quote from him saying the above would be a nice tool
the next time kiddie porn and terrorists are thrown out for the press to
chew on.

>Inman was surprised by the looming introduction of VoicePGP, and said that
>that would be a big problem

I like the sound of this.

> So Inman
>seems sensitive to issues of privacy, but in this case, they seem to be
>primarily associated with invasions of privacy by the media rather than by
>the government.

Typical.

Sounds like a very interesting talk.

-j

From pcw at access.digex.net Mon Nov 21 15:14:38 1994
From: pcw at access.digex.net (Peter Wayner)
Date: Mon, 21 Nov 94 15:14:38 PST
Subject: Admiral Inman
Message-ID: <199411212314.AA23175@access2.digex.net>

>>Inman was surprised by the looming introduction of VoicePGP, and said that
>>that would be a big problem
>
>I like the sound of this.
>

I've always assumed that the excitement behind the Digital Telephony
bill was to go after VoicePGP.
My prediction is that the Internet alone is legal but the Internet plus
VoicePGP can't be deployed without someone building in the wiretaps for
the government. Since no one owns the Internet and no one can add the
wiretap ability, then the Internet + VoicePGP will be verboten. Since
they can't very well ban the Internet, they'll just ban using VoicePGP
on public networks. But, you'll be free to use it in the privacy of your
own home.

That's my latest paranoid thought.

-Peter

From anonymous-remailer at shell.portal.com Mon Nov 21 15:39:01 1994
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Mon, 21 Nov 94 15:39:01 PST
Subject: C.I.D.
Message-ID: <199411212338.PAA06906@jobe.shell.portal.com>

How can we defeat caller I.D.?

It used to be that if you wanted to have anonymous e-mail, you could
sign on to a BBS. But I am scared by the new modems that are equipped to
log caller I.D.

The general public believes that if they want to remain anonymous, they
can defeat caller ID by dialling *67 before making a call, that way
making sure that their number is not revealed. Ha! This is true, but not
the full truth ... because Big Brother still has the number:

The calling number is sent between switches always, regardless of
whether or not *67 (Caller ID Block) is dialed. It just sends along a
privacy indicator if you dial *67, and then the final switch in the path
will send a "P" instead of the calling number to the Caller ID box. (But
it will still store the actual number - *69 will work whether or not the
caller dialed *67). What the final switch along the path does with the
calling number depends on how the switch is configured. If you are not
paying for Caller ID service, the switch is configured so that it will
not transmit the Caller ID data.

Before this, if you wanted to make sure a system didn't trace you back,
you could call through a few diverters, PABXs, etc.
However, today with Caller ID, your call information will be routed from
diverter to PABX to system instead of stopping at the first diverter.

The effect call forwarding has on the various services is interesting...
Say I have my home telephone forwarded to Lunatic Labs, and it has
Caller ID. If you call me, the call will forward to Lunatic Labs, and
its Caller ID box will show YOUR number, not mine (since your line is
the actual one making the call).

Does this get you thinking? Anybody know of a way to *really* defeat
caller I.D.? Or, absent that, a more appropriate mailing list than this
for such questions?

|[]|[]|[]|[]|[]| "The Happy Fool" []|[]|[]|[]|[]|[

PS: I did not want to participate in the great logo debate a while back,
but if you want my 2C's, I think a simple padlock would be a great
symbol, especially for an icon to do unbreakable encryption: Click it
and seal. Elaborate? Then just put it on a red wax-seal.

From unicorn at access.digex.net Mon Nov 21 15:49:42 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Mon, 21 Nov 94 15:49:42 PST
Subject: Admiral Inman
In-Reply-To:
Message-ID:

On Mon, 21 Nov 1994, Jamie Lawrence wrote:

> >replied that the governmental concern about wiretaps was and is primarily
> >and unambiguously about narcotics.
>
> and
>
> >Back to Narcotics. He gave the statistic that 90% of the narcotics leads
> >related to money laundering come from domestic wiretaps.
>
> Wow, this is easy then: legalize drugs and wiretaps are practically
> unnecessary. Buy a copy of High Times today! ;)

Unfortunately this first bit is typical of the "Four Horsemen"
demonization.

The fault here is a logic flaw called "After the fact, therefore because
of the fact."

In this case the reason that all the narcotics leads related to money
laundering come from wiretaps is because this is the only method applied
to obtaining such leads on a serious basis.
I have long argued that the entire emphasis on the importance of
wiretaps, and all the statistics associated with these arguments fail
this basic test.

Next time you hear someone touting the importance of wiretaps because X
million dollars is saved by the criminals caught with wiretaps, ask "Why
weren't normal physical/intrusive devices used?"

One of the requirements in most showing requirements for the approval of
wiretaps requires an agent to assert that a phone wiretap is the only
way to obtain the needed information. Of course this has become a joke.

The other issue, perhaps the real issue, is that wiretaps have more
limited 4th amendment protections than do physical/intrusive devices.

I think you'd solve a lot of problems by admitting that the crucial need
for wiretapping ability is a farce and grew out of attempts to
circumvent the 4th amendment in the then budding war on drugs.

I expect any day to be told of the "wiretap" crisis, and following in
the "crisis" political pattern (Declare a crisis, yank rights and
replace them with entitlements) go back to a system where you have to
lease your government subsidized (read bugged) phone equipment.

Crypto hook in?

Given the increased reliance on communications what has been the
respective addition in protection for electronic communication privacy?

None. If anything there is the opposite. If I'm wrong, I'd love to be
corrected.

So now that Crypto threatens the end run on the 4th amendment,
government cries bloody murder. God forbid the citizenry might be
allowed to protect themselves from 4th amendment circumvention.

This is raised to the point of lunacy when one considers the rationale
behind limited 4th amendment protections for telephone conversations,
and the almost absent protection for call setup information.

The rationale is essentially this: One must exert a manifest expectation
of privacy to claim protection under the 4th amendment.
Conveying the information to a third party, or any set of parties other
than the recipient, demonstrates a lack of manifest expectation of
privacy. In the case of call setup information, you convey,
intentionally, call setup information to the phone company, and thus
cannot expect it to remain private.

Now, when cryptography changes this balance, and essentially eliminates
cleanly the entire rationale behind allowing wiretaps their favorable
status outside active 4th amendment protection, we ban cryptography, or
limit it so severely as to put it within the same "convey the
information to a third party" analysis. (Clipper, where you "convey"
your key to an escrow agent.) SURPRISE, you have no expectation of
privacy in that information. No 4th amendment protection.

Does any of this even strike you as odd in today's world however?

I didn't think so.

Wow, all that from a few lines of original text? (Oh well).

-uni- (Dark)

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!

From tcmay at netcom.com Mon Nov 21 16:21:48 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Mon, 21 Nov 94 16:21:48 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To:
Message-ID: <199411220020.QAA08980@netcom6.netcom.com>

Mark Terka, of Toronto, wrote:

> Well, I think it will be the trigger that hopefully generates more remailers
> in Europe. So far we only (since the evident demise of wein) have usura's
> excellent
> remailers in the Netherlands. It would be nice if more were placed overseas,
> beyond the reach of U.S. pressure.

More on why non-U.S. remailers are so important.

Last Saturday night, after the Cypherpunks meeting and dinner, I was
giving Colin Plumb (a Toronto person) a ride to the hotel he was staying
at in Los Gatos.
We stopped at a mega bookstore (Barnes and Noble, Santa Clara) and ran
immediately into yet another Toronto person (ex, actually), Brad
Templeton, well-known as the operator of ClariNet. (I've met Brad many
times, but he still doesn't remember my name or what I do, which says
something interesting about one of us.)

Brad heard the word "Cypherpunks" and gave his views on things. I'll
summarize in bullet form, as I lack the time to formulate his points in
full paragraphs.

* Brad was initially unaware that "fully anonymous" remailers exist
("fully" in the sense of no records of who is who, not in the sense of
perfect security against NSA type of opponents). He thought Cypherpunks
remailers were some variant of Julf's type.

* When he grasped the basic idea, of chained mixes, he got quite upset
and said they were "threats" to his business. (Anonymous forwarding of
ClariNet articles happens, of course. Brad was expecting that he could
get a court order, if it came down to that, and was shocked to hear
that the Cypherpunks model does not make this possible.)

* I shrugged, and said that, longterm, copyright was dead as we know
it today. I pointed out that dozens of Cypherpunks-style remailers are
operational, including many in Europe and elsewhere.

* Brad: "Then they'll be outlawed."

* As we debated this in the aisles of the bookstore (a true Silicon
Valley scene!), he formulated the view that a person like him probably
needs to file lawsuits to get them declared illegal on the basis of
being "attractive nuisances." As he put it, "like unfenced swimming
pools in back yards."

* "And what about the non-U.S. sites?," I asked. He had no good
answer, except that maybe laws restricting access to non-U.S. sites
would have to be considered. (I didn't get into the obvious issues
about the impossibility of doing this, of stego, etc.)
* Brad also expressed the view that the recently passed Digital
Telephony Act would "force" remailer operators to make their traffic
available to the proper authorities. (I disagree, from my reading of
the DT Act, but didn't debate it with Brad. And of course it's real
hard to get those sites in Russia, Holland, and other countries to
obey U.S. rules. Not impossible, hence our need for vigilance and for
proliferating sites as rapidly as possible.)

I debated not writing an "incident report" to you folks, being as how
Brad is not on this list and is basically uninformed on the details of
our remailers, but I feel that a "heads up" is warranted. Brad and
ClariNet have already caused one remailer to go down (the operator of it
has commented here before and of course can do so again if he sees
this), and his comments Saturday night cause me to think he may be
considering a test case of some sort. (He is fearful of losing his
Associated Press/etc. franchise if he fails to enforce his rights.)

So, I draw several conclusions from this, and from the comments in this
thread:

1. Get as many _remailer accounts_ offshore as quickly as possible.

2. Separate the "ownership of a machine" from "remailer accounts." There
is no good reason for the owner of a machine that does remailing to
actually be doing the remailing. And many good reasons why a particular
machine should have _many_ separate "mail accounts" that actually are
the remailers. (This is the "remailer-in-a-box" I've been pushing.)

(For one thing, the ECPA protects the mail, and allows the machine owner
to adopt a "hands off" stance. For another, an "abused account" can
simply and quickly be killed, with new ones taking its place! Think of
the benefits.)

3. I think the "intellectual property" industry (Brad and Friends) will
be looking at remailers and anonymous systems more carefully.
Legislation _could_ come out of this. I don't expect anything soon, as
Brad is just now realizing the implications....

4.
However, I think it's impossible to stop all these things, for reasons
well known to all of us. Brad's "attractive nuisance" idea won't fly,
not if it means that e-mail must be written on "postcards," and not if
it means Americans can't send e-mail outside the U.S.

(These are standard Cypherpunks issues. I didn't try to educate Brad
about the impossibility of banning encryption, about the alternatives
available, about steganography, etc. He seemed so wrapped up in the idea
of "doing something!" that arguing the CP agenda would have been a
waste. Plus, I was tired.)

So, not a cause for panic, as he will probably do nothing. But just as
Adm. Bobby Inman's comments give some insight into the position of the
intelligence community, Brad Templeton's comments give insights into the
coming battles over intellectual property.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com    | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From claborne at microcosm.sandiegoca.NCR.COM Mon Nov 21 16:29:46 1994
From: claborne at microcosm.sandiegoca.NCR.COM (Claborne, Chris)
Date: Mon, 21 Nov 94 16:29:46 PST
Subject: Pentium bug and CRYPTO
Message-ID: <2ED0DE87@microcosm.SanDiegoCA.NCR.COM>

-----BEGIN PGP SIGNED MESSAGE-----

Will the following error (Re Pentium Floating Point Bug Date: 15 Nov
1994) cause problems with PGP key generation or any other normal
operations with PGP or other crypto? I'm not a mathematics nerd but I
know we generally deal with big numbers.
For all of you paranoids out there, YES this is a plot by NSA to weaken
our crypto capabilities, this is the only bug that we KNOW about :)

NOTE: I'm currently not receiving cypherpunks mailing for some reason.
I'm not sure why, so please copy me on your posts. (Hughes, have you had
a chance to look at this?)

Thanks!

                                      ...  __o
                                     ..   -\<,
chris.claborne at sandiegoca.ncr.com   ...(*)/(*).   CI$: 76340.2422
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server. PGP-encrypted e-mail welcome!

- ----------------------------------------------------------------------------
--
> >>> >
> >>> > Subject: Pentium Floating Point Bug Date: 15 Nov 1994
> >>> > Summary: Divisions might give incorrect results on Pentium
> >>> >
> >>> > Pentium Floating Point Division Bug
> >>> >
> >>> > There has been a flurry of activity the last few days on the
> >>> > Internet news group, comp.sys.intel, that should interest MATLAB
> >>> > users. A serious design flaw has been discovered in the floating
> >>> > point unit on Intel's Pentium chip. Double precision divisions
> >>> > involving operands with certain bit patterns can produce incorrect
> >>> > results.
> >>> >
> >>> > The most dramatic example seen so far can be extracted from a
> >>> > posting last night by Tim Coe of Vitesse Semiconductor. In MATLAB,
> >>> > his example becomes
> >>> >
> >>> >     x = 4195835
> >>> >     y = 3145727
> >>> >     z = x - (x/y)*y
> >>> >
> >>> > With exact computation, z would be zero. In fact, we get zero on
> >>> > most machines, including those using Intel 286, 386 and 486 chips.
> >>> > Even with roundoff error, z should not be much larger than eps*x,
> >>> > which is about 9.3e-10. But, on the Pentium,
> >>> >
> >>> >     z = 256
> >>> >
> >>> > The relative error, z/x, is about 2^(-14) or 6.1e-5. The computed
> >>> > quotient, x/y, is accurate to only 14 bits.
> >>> >
> >>> > An article in last week's edition of Electronic Engineering Times
> >>> > credits Prof.
Thomas Nicely, a mathematics professor at Lynchburg
> >>> > College in Virginia, with the first public announcement of the
> >>> > Pentium division bug. One of Nicely's examples involves
> >>> >
> >>> >     p = 824633702441
> >>> >
> >>> > With exact computation
> >>> >
> >>> >     q = 1 - (1/p)*p
> >>> >
> >>> > would be zero. With floating point computation, q should be on
> >>> > the order of eps. On most machines, we find that
> >>> >
> >>> >     q = eps/2 = 2^(-53) ~= 1.11e-16
> >>> >
> >>> > But on the Pentium
> >>> >
> >>> >     q = 2^(-28) ~= 3.72e-09
> >>> >
> >>> > This is roughly single precision accuracy and is typical of
> >>> > most of the examples that had been posted before Coe's analysis.
> >>> >
> >>> > The bit patterns of the operands involved in these examples
> >>> > are very special. The denominator in Coe's example is
> >>> >
> >>> >     y = 3*2^20 - 1
> >>> >
> >>> > Nicely's research involves a theorem about sums of reciprocals
> >>> > of prime numbers. His example involves a prime of the form
> >>> >
> >>> >     p = 3*2^38 - 18391
> >>> >
> >>> > We're not sure yet how many operands cause the Pentium's floating
> >>> > point division to fail, or even what operands produce the largest
> >>> > relative error. It is certainly true that failures are very rare.
> >>> > But, as far as we are concerned, the real difficulty is having to
> >>> > worry about this at all. There are so many other things that can
> >>> > go wrong with computer hardware, and software, that, at least, we
> >>> > ought to be able to rely on the basic arithmetic.
> >>> >
> >>> > The bug is definitely in the Pentium chip. It occurs at all clock
> >>> > rates. The bug does not affect other arithmetic operations, or the
> >>> > built-in transcendental functions. Intel has recently made changes
> >>> > to the on-chip Program Logic Array that fix the bug and is now
> >>> > believed to be producing error free CPUs. It remains to be seen
> >>> > how long it will take for these to reach users.
> >>> >
> >>> > An unnamed Intel spokesman is quoted in the EE Times article as
> >>> > saying "If customers are concerned, they can call and we'll replace
> >>> > any of the parts that contain the bug." But, at the MathWorks,
> >>> > we have our own friends and contacts at Intel and we're unable
> >>> > to confirm this policy. We'll let you know when we hear anything
> >>> > more definite. In the meantime, the phone number for Customer
> >>> > Service at Intel is 800-628-8686.
> >>> >
> >>> > -- Cleve Moler moler at mathworks.com
> >>> > Chairman and Chief Scientist, The MathWorks, Inc.
> >>> >
> >>>
> >>
> >>
> >>--
> >>Steve
> >>
> >>
> >>--------------------------------------------------------------------------
> >>-----
> >>-
> >> I am in the field on the Outer Banks of North Carolina until 27 November.
> >> From 28 Nov - 4 Dec I will be on the Dream Cruise in the Atlantic.
> >> After the cruise I will go to AGU, and finally to Pullman about 8 Dec.
> >>
> >>
> >> Steve Elgar              FAX : (919) 261-4432
> >> Army Research Pier       ATT : (919) 261-1706
> >> 1261 Duck Road           OMNET: s.elgar
> >> Kitty Hawk, NC 27949     internet: elgar at eecs.wsu.edu
> >>
> >>
> >>

-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCVAwUBLtCzSlzvpSsKhLftAQEvLgQApXWCmyqkp2gh66Kpfk7EQk0XQL9aqb3b
i18QnfYFYYtzvK+wZHEtB+AR3ksZGDJ7RgNkRlB3JF1sFF1HnRhUOnjppJGCMqhY
f0ZzrwEN+k0jHg6K3sfXdKCmbZ/CKdypc+eZW69Nh2WVtO/RPwIrKo/GlAVSzeK1
1pVXULR+qxE=
=SUYe
-----END PGP SIGNATURE-----

From warlord at MIT.EDU Mon Nov 21 17:05:03 1994
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon, 21 Nov 94 17:05:03 PST
Subject: Pentium bug and CRYPTO
In-Reply-To: <2ED0DE87@microcosm.SanDiegoCA.NCR.COM>
Message-ID: <9411220104.AA13269@hodge-podge.MIT.EDU>

This floating point bug is only in double-precision floating-point
division. No division is used in RSA Key Generation, RSA Encryption, or
RSA Decryption, so this bug should not cause any problems in PGP.
-derek

From adam at bwh.harvard.edu Mon Nov 21 17:06:59 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Mon, 21 Nov 94 17:06:59 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To: <199411220020.QAA08980@netcom6.netcom.com>
Message-ID: <199411220104.UAA23437@spl.bwh.harvard.edu>

Tim wrote:

| * When he grasped the basic idea, of chained mixes, he got quite upset
| and said they were "threats" to his business. (Anonymous forwarding of
| ClariNet articles happens, of course. Brad was expecting that he could
| get a court order, if it came down to that, and was shocked to hear
| that the Cypherpunks model does not make this possible.)
|
| * I shrugged, and said that, longterm, copyright was dead as we know
| it today. I pointed out that dozens of Cypherpunks-style remailers are
| operational, including many in Europe and elsewhere.
|
| * Brad: "Then they'll be outlawed."

Brad is in the 'intellectual property' business. He makes his money selling access to information. There is an entire parasitic class that does nothing useful, but makes money from the idea of copyright. (Most entertainment industries operate like this. The industry puts up seed money in exchange for the profits that an artist generates.) Books, music, film to a lesser extent are all in the path of a digital revolution which eliminates the need for a middleman. If I can download music to DAT, I don't need Sony records. Neither does Peter Gabriel, Robert Fripp or any other musician.

When you point out to these people that their jobs are going to be eliminated, you force them to become luddites, in the original sense of the word. Their jobs are being destroyed by technology, and they don't like it.

We need to make sure that we paint them as luddites at every step of the way. Any other conception of the middlemen who profit from other people's work is bound to result in stupid laws.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From tcmay at netcom.com Mon Nov 21 17:08:49 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Mon, 21 Nov 94 17:08:49 PST
Subject: Pentium bug and CRYPTO
In-Reply-To: <2ED0DE87@microcosm.SanDiegoCA.NCR.COM>
Message-ID: <199411220108.RAA14740@netcom6.netcom.com>

Claborne, Chris wrote:

> Will the following error (Re Pentium Floating Point Bug Date: 15 Nov 1994)
> cause problems with PGP key generation or any other normal operations with
> PGP or other crypto. I'm not a math mathematics nerd but I know we generally
> deal with big numbers.

We do indeed deal with "big numbers," but big INTEGER numbers. Whole numbers.

The Pentium FDIV bug shows up only, so far as is known, with certain floating point numerator/denominator combinations. No crypto computation I can imagine would use the FDIV instruction.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From jamesd at netcom.com Mon Nov 21 17:32:35 1994
From: jamesd at netcom.com (James A. Donald)
Date: Mon, 21 Nov 94 17:32:35 PST
Subject: Admiral Inman
In-Reply-To:
Message-ID: <199411220132.RAA20163@netcom9.netcom.com>

Black Unicorn writes

> Wow, all that from a few lines of original text? (Oh well).

Our enemies are industriously corrupting the language in order to make the ideas of liberty inexpressible. In particular they are seeking to make the concepts behind the declaration of independence and the bill of rights unspeakable and therefore, they hope, unthinkable.

Thus it is often necessary to do a lengthy exegesis, in order to explain what they are really saying -- see for example certain recent flame wars. -- --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we James A. Donald are. True law derives from this right, not from the arbitrary power of the omnipotent state. jamesd at acm.org From wcs at anchor.ho.att.com Mon Nov 21 17:34:28 1994 From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204) Date: Mon, 21 Nov 94 17:34:28 PST Subject: Admiral Inman Message-ID: <9411220117.AA12742@anchor.ho.att.com> Peter Wayner writes: > I've always assumed that the excitement behind the Digital Telephony > bill was to go after VoicePGP. Not really - Digital Telephony goes after the phone companies, not the end users, which makes it easier for the government to impose. Among other people it *is* going after are cellphone companies which are getting a lot of pressure to include encryption on their radio links (some people are pressuring them to use *real* encryption, the NSA has been pressuring them to use at most wimpy encryption, and some people have been pressuring them to put in _anything_, even rot-13, just so there's _some_ vague privacy protection out there.) It's also, of course, going after carriers who have the _gall_ to use more powerful telephone systems than the FBI can afford to crack :-) Now, VoicePGP may be the next step in banning things - after all, they could declare use of cryptography to be Probable Cause that you're conspiring about something, which would let them confiscate your computer equipment and make you sue to get it back. 
Bill

From mpd at netcom.com Mon Nov 21 17:39:25 1994
From: mpd at netcom.com (Mike Duvos)
Date: Mon, 21 Nov 94 17:39:25 PST
Subject: Pentium bug and CRYPTO
In-Reply-To: <2ED0DE87@microcosm.SanDiegoCA.NCR.COM>
Message-ID: <199411220139.RAA05434@netcom19.netcom.com>

"Claborne, Chris" writes:

> Will the following error (Re Pentium Floating Point Bug
> Date: 15 Nov 1994) cause problems with PGP key generation or
> any other normal operations with PGP or other crypto. I'm
> not a math mathematics nerd but I know we generally deal with
> big numbers.

No problems for released versions of PGP, which use only the 8086 instruction set and require neither a floating point coprocessor nor emulation.

Most other crypto should be fine as well. Crypto is pretty much an integer exercise. People have been known to use floating point to do multiprecision integer arithmetic on Sparcs and large engineering mainframes which lack a complete integer instruction set, but I've never heard of anyone trying such things on an Intel processor.

--
Mike Duvos        $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger.                    $

From jgrubs at voxbox.norden1.com Mon Nov 21 17:41:09 1994
From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT)
Date: Mon, 21 Nov 94 17:41:09 PST
Subject: New Opportunity for Anonymous Reamilers
Message-ID:

alex writes:

> > I guess this should mean some more business to my friends at
> > Pagesat, which broadcasts a completely uncensored real time feed of the
> > USENET over a small dish Ku band satellite link to all of North America.
> > And they are a real licensed common carrier (their principal business is
> > wide area paging services) so they can't be held responsible for the
> > contents of the traffic either.
>
> Do you need to be licensed to be a common carrier? If so, who grants the
> licenses, and what qualifications does a business need to meet in order
> to qualify?

The FCC regulates interstate common carriers (plus radio licensing of the microwave/satellite uplinks). State public utility commissions also control certain aspects of intrastate service. I don't know if they have any say in satellite service to intrastate customers.

... "The greatest dangers to liberty lurk in the insidious encroachment of men of zeal, well meaning but without understanding." - Justice Louis Brandeis
--
jgrubs at voxbox.norden1.com (James C. Grubs, W8GRT)
Voxbox Enterprises, 6817 Maplewood Ave., Sylvania, Ohio 43560-1956
Tel.: 419/882-2697

From jgrubs at voxbox.norden1.com Mon Nov 21 17:41:10 1994
From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT)
Date: Mon, 21 Nov 94 17:41:10 PST
Subject: Admiral Inman
Message-ID:

jamiel at sybase.com (Jamie Lawrence) writes:

> >replied that the governmental concern about wiretaps was and is primarily
> >and unambiguously about narcotics.
>
> and
>
> >Back to Narcotics. He gave the statistic that 90% of the narcotics leads
> >related to money laundering come from domestic wiretaps.
>
> Wow, this is easy then: legalize drugs and wiretaps are practically
> unnecessary. Buy a copy of High Times today! ;)
>
> It does amaze me that what can be a victimless activity is such
> a hotbutton.

Drugs are victimless? What about crack babies, which cost a million dollars EACH in medical care, btw.

...
"The greatest dangers to liberty lurk in the insidious encroachment of men of zeal, well meaning but without understanding." - Justice Louis Brandeis -- jgrubs at voxbox.norden1.com (James C. Grubs, W8GRT) Voxbox Enterprises, 6817 Maplewood Ave., Sylvania, Ohio 43560-1956 Tel.: 419/882-2697 From cactus at bb.hks.net Mon Nov 21 18:23:35 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Mon, 21 Nov 94 18:23:35 PST Subject: A Chance Encounter with Brad Templeton, of ClariNet In-Reply-To: <199411220020.QAA08980@netcom6.netcom.com> Message-ID: <3arkvg$di6@bb.hks.net> In article <199411220020.QAA08980 at netcom6.netcom.com>, Timothy C. May wrote: >* I shrugged, and said that, longterm, copyright was dead as we know >it today. I pointed out that dozens of Cypherpunks-style remailers are >operational, including many in Europe and elsewhere. > >* Brad: "Then they'll be outlawed." > >* "And what about the non-U.S. sites?," I asked. He had no good >answer... This is why GATT bothers me. Once we have have an alignment of property laws, particularly IP laws, there's no telling how things will fall. It's a bad set of failure modes. >* Brad also expressed the view that the recently passed Digital >Telephony Act would "force" remailer operators to make their traffic >available to the proper authorities. Brad's very wrong. The Senate hearings were very explicit on this point: Internet providers (as well as people like AOL and Compuserv) are exempt from DT requirements. -- Todd Masco | According to the US dept of Justice Stats, 3.98% of the US cactus at hks.net | population is in prison, the highest count in the world. We cactus at bb.com | live in a police state and are lulled by notions of normalcy. 
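The Pentium division check discussed earlier in this thread (Moler's q = 1 - (1/p)*p, and the replies noting that PGP and RSA work on integers) can be run as a self-test that compares the hardware quotient against exact rational arithmetic. This is an added example, not code from any poster; the function names and the window of numerators swept against Coe's denominator are assumptions constructed for illustration.

```python
from fractions import Fraction

# Unit roundoff for IEEE 754 double precision, round-to-nearest:
# a correctly rounded quotient has relative error of at most 2^-53.
UNIT_ROUNDOFF = Fraction(1, 2**53)

# Operands quoted in the thread.
NICELY_P = 824633702441   # Nicely's prime, p = 3*2^38 - 18391
COE_Y = 3 * 2**20 - 1     # denominator in Coe's example


def nicely_residual(p=NICELY_P):
    """Moler's check: q = 1 - (1/p)*p, computed with hardware doubles."""
    return 1.0 - (1.0 / float(p)) * float(p)


def division_error(x, y):
    """Relative error of the hardware quotient float(x)/float(y).

    The reference value is the exact rational x/y, so the check does not
    rely on the floating-point divider it is testing.
    """
    if y == 0:
        raise ZeroDivisionError("y must be non-zero")
    if abs(x) >= 2**53 or abs(y) >= 2**53:
        raise ValueError("operands must be exactly representable as doubles")
    exact = Fraction(x, y)
    measured = Fraction(float(x) / float(y))  # Fraction(float) is exact
    if exact == 0:
        return abs(measured)
    return abs(measured - exact) / abs(exact)


def worst_case(y, numerators):
    """Largest relative error over a set of numerators, and where it occurred."""
    worst_err, worst_x = Fraction(0), None
    for x in numerators:
        err = division_error(x, y)
        if err > worst_err:
            worst_err, worst_x = err, x
    return worst_err, worst_x


def fpu_division_ok():
    """True when every check stays within correctly-rounded bounds."""
    sweep_err, _ = worst_case(COE_Y, range(4195000, 4196000))  # constructed window
    return all([
        abs(nicely_residual()) <= 2.0**-52,
        division_error(1, NICELY_P) <= UNIT_ROUNDOFF,
        sweep_err <= UNIT_ROUNDOFF,
    ])


if __name__ == "__main__":
    print("q = 1 - (1/p)*p  :", nicely_residual())
    err, x = worst_case(COE_Y, range(4195000, 4196000))
    print("worst x/y error  :", float(err / UNIT_ROUNDOFF), "units of 2^-53 at x =", x)
    print("division healthy :", fpu_division_ok())
```

On the flawed part described in the thread, the residual would be near 2^-28 instead of at most 2^-53, and the check would report failure.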

From skaplin at skypoint.com Mon Nov 21 19:18:04 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Mon, 21 Nov 94 19:18:04 PST
Subject: usenet -> mail gateway
Message-ID:

In view of the situation at CMU and McGill a stray idea crossed my mind. If someone were to set up some mailing lists which routed the content of the particular usenet group to the subscribers, this would stymie big brother to a certain extent. The problem would be that they could possibly block certain domains from incoming e-mail to thwart this. A solution would be to dummy up the from address. Daily the address would or could change, thus frustrating the powers that be. An additional solution would be to throw encryption into the list software so that each message would be encrypted to its recipient, further frustrating the powers. Another concept would be to daily blast an encrypted packet (SOUP or whatever) to the subscribers of the list. They could then post replies or follow ups through a mail -> usenet gateway.

==============================================================================
Doing easily what others find difficult is talent; doing what is impossible for talent is genius. - Henri-Frédéric Amiel, "Journal", 1883
==============================================================================
skaplin at skypoint.com                    | "...vidi vici veni" - Overheard
                                          | outside a Roman brothel.
PGP encrypted mail is accepted and        |
preferred.                                | Change is the only constant in the
                                          | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or   |
Finger skaplin at mirage.skypoint.com     | Smile!! Big brother is watching.
==============================================================================

From jya at pipeline.com Mon Nov 21 19:28:48 1994
From: jya at pipeline.com (John Young)
Date: Mon, 21 Nov 94 19:28:48 PST
Subject: (Fwd) electronic signatures for CAD
Message-ID: <199411220327.WAA09479@pipe1.pipeline.com>

Forwarding message by tommy at Fateepee.CAM.ORG
--------------------
From: tommy at Fateepee.CAM.ORG (Tommy Petrogiannis)
Subject: Re: electronic signatures
Date: Mon, 21 Nov 94 17:08:06 -0500
Organization: SILANIS TECHNOLOGY

>On 5 Nov 1994 18:44:14 GMT,
>Aaron Rumple, AIA wrote:
>Electronic signatures will not make for a paperless environment. They will
>add to the lawyers' generation of paper when you have to defend yourself
>because your file became the basis of another project in which you were
>not involved. Once you send an electronic/magnetic form of a document you
>lose all control over who has access and what they do to your files. You
>can protect yourself in your contract with your client and by making
>hardcopy (more paper) the drawing of record. However, anybody can and will
>sue if your title block, signature, etc. is found when something goes
>wrong. It has happened.
>In short, an electronic signature is nice to protect what you sent
>electronically, but I would not want it to replace my seal on a paper copy
>that could be kept as a record. Forensics can detect changes on paper but
>not on electronic files that have been transmitted around.

I have to voice the comments that our customers are saying about our electronic approval software for AutoCAD.
Many of our customers are still archiving a paper copy of the electronically signed original, however because ERA allows them to sign in the same environment as where the drawing was created (i.e. the electronic environment) it becomes a very simple matter to know if the drawing that you are looking at on your computer screen is the latest electronic approved original.

Most companies today create their drawing on a CAD system, plot those drawings for visual verification and sign those drawings in the paper world. The minute those drawings are signed in the paper world they become "originals" that must now be archived and stored in some form of filing cabinet. If we did not need to refer to those archived drawings life would be fine, but unfortunately we do. Today you pull up a drawing on your computer and hope that everyone followed proper procedures and you are looking at the latest copy of the paper signed "original" - you can never be sure because the drawing was approved in a different domain than where it was created, and the only thing linking the two domains (paper and electronic) is procedures.

Our ERA system was first designed to be used by a large nuclear generating facility and is now available to the public. What we did was mimic the paper world as much as possible when it came to approving a drawing. With ERA you now approve and sign a document from right inside AutoCAD using a ball point pen and a pressure sensitive digitizer. The key thing here is to allow the approval of the drawing to take place in the same domain as where the drawing was created (i.e. the electronic domain) but still offer all the security expected in the paper world (if not more), and still maintain the ability to generate a signed drawing that can be used in the field or be archived. This is achieved by doing the following:

The persons' signatures are not AutoCAD entities and therefore cannot be cut and pasted.
The signatures are DES encrypted along with time stamp info and information that uniquely describes the current state of the drawing being approved.

The signatures will not be printed on a drawing that has been altered after the drawing was signed.

All of the above plus a whole lot more are meant to facilitate the creation of paper, but eliminate the need to go find that paper afterwards - sort of producing a photocopy. The original is in the electronic domain, while the paper becomes a redundant copy. The benefits are HUGE. A drawing can now be sent electronically from desk to desk to be approved. A drawing can be retrieved electronically and by simply clicking on VERIFY our customers can check to see if they are looking at the drawing that was approved or if someone has accidentally or maliciously altered an original rev.

We have had such great response to ERA product for AutoCAD that we just announced at COMDEX our ERA product for MS Word so that any wordprocessor type document can be approved in the same fashion.

I apologize for rambling on, but I believe that we have really solved the last issue required to achieve the ability of creating, revising, and approving in an electronic domain. One customer went from a 7 week typical approval cycle down to 8 days using this technology - how much is that worth don't really know, but it makes a lot of sense.

People don't realize that they are performing electronic approvals every day. When you walk up to an ATM machine and withdraw $100, by entering your PIN you are authorizing the withdrawal to take place. The question every company must ask, is how secure do I feel with the technology. Can someone take my bank card and figure out my PIN to forge my electronic authorization? Yes but it is difficult - not impossible. Can someone forge my handwritten signature? Yes but it is difficult - not impossible.
What I tell our customers is to use the electronic approval for the projects where they feel comfortable - for many of them it is the internal based procedures and projects that requires 80% of the time and money and still use traditional methods for high-risk projects. It seems to work for them quite well. -- Tommy Petrogiannis tommy at Fateepee.CAM.ORG _ __o ______ `\<, Going slow just hurts too much. -- O/ O Going fast gets me there sooner - so I can... recover from the pain quicker ------------------- End Forward From cjl at welchlink.welch.jhu.edu Mon Nov 21 19:37:13 1994 From: cjl at welchlink.welch.jhu.edu (cjl) Date: Mon, 21 Nov 94 19:37:13 PST Subject: DNA solution to Hamiltonian circuit? In-Reply-To: <199411210556.VAA26633@jobe.shell.portal.com> Message-ID: On Sun, 20 Nov 1994, Hal wrote: > There is an interesting crypto connection here in that the work was done by > Len Adelman of USC, the "A" of RSA. > > This research was reported in a recent issue of Science, but I am going by > a report in Science News. What I will describe is the gist of the work, but > I may have some details wrong. [ . . . ] reasonably accurate summary elided > Then it was a matter of filtering the DNA for strands of the proper length > which did not have any duplicate nodes. The SN article wasn't clear about > how this was done. It's in the Nov. 11 issue of Science, accompanied by a nice Perspectives piece that someone with a better appreciation of the math might be able to understand. Hal (or anyone else on the list who is willing to explain a little of the math to me, off the list) will get a free lesson in Molecular Biology and the polymerase chain reaction in return that should explain the physical construction of this *genetic AlGorethem* :-) C. J. 
Leonard ( / "DNA is groovy" \ / - Watson & Crick / \ <-- major groove ( \ Finger for public key \ ) Strong-arm for secret key / <-- minor groove Thumb-screws for pass-phrase / ) From werewolf at io.org Mon Nov 21 19:42:13 1994 From: werewolf at io.org (Mark Terka) Date: Mon, 21 Nov 94 19:42:13 PST Subject: Cell Phones Security?? Message-ID: As one who will be shopping for a cell phone in the next week, what should I look for in terms of security? What features are available in phones on the market....if any? From dwa at mirage.svl.trw.com Mon Nov 21 19:51:27 1994 From: dwa at mirage.svl.trw.com (Dana Albrecht) Date: Mon, 21 Nov 94 19:51:27 PST Subject: Admiral Inman Message-ID: <9411220351.AA01231@mirage.svl.trw.com> > > From owner-cypherpunks at toad.com Mon Nov 21 17:49:07 1994 > Date: Mon, 21 Nov 94 20:17:47 EST > From: wcs at anchor.ho.att.com (bill.stewart at pleasantonca.ncr.com +1-510-484-6204) > To: pcw at access.digex.net > Subject: Re: Admiral Inman > Cc: cypherpunks at toad.com > Sender: owner-cypherpunks at toad.com > Content-Length: 1071 > > Peter Wayner writes: > > I've always assumed that the excitement behind the Digital Telephony > > bill was to go after VoicePGP. > > Not really - Digital Telephony goes after the phone companies, > not the end users, which makes it easier for the government to impose. > Among other people it *is* going after are cellphone companies which > are getting a lot of pressure to include encryption on their radio links > (some people are pressuring them to use *real* encryption, the NSA has > been pressuring them to use at most wimpy encryption, and some people have > been pressuring them to put in _anything_, even rot-13, just so there's > _some_ vague privacy protection out there.) 
> It's also, of course, going after carriers who have the _gall_ to use > more powerful telephone systems than the FBI can afford to crack :-) > > Now, VoicePGP may be the next step in banning things - after all, > they could declare use of cryptography to be Probable Cause that > you're conspiring about something, which would let them confiscate your > computer equipment and make you sue to get it back. > > Bill > Check out: TIA/EIA Telecommunications System Bulletin Cellular Radiotelecommunications Intersystem Operations: Authentication, Signaling Message Encryption and Voice Privacy TSB51 Their idea of "Voice Privacy" is to repeatedly XOR a 260 bit session key with the data stream. I quote: 8.2.47 VoicePrivacyMask (VPMASK) This parameter contains a 528-bit field consisting of two 260-bit masks used for voice privacy on a digital traffic channel. One mask is for speech transferred in the inward direction (from the CSS toward the MSC) and one is for speech transferred in the outward direction (from the MSC toward the CSS). These masks are calculated using CAVE parameters in effect when the call is established and remain constant for the duration of the call. So, while analog calls are not encrypted, you can look forward to COMPLETELY SECURE (sarcasm) digital transmission. Wonder how much the Gov'mint bribed the phone companies for this stunt... Dana W. Albrecht dwa at mirage.svl.trw.com From roy at cybrspc.mn.org Mon Nov 21 20:02:06 1994 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Mon, 21 Nov 94 20:02:06 PST Subject: Admiral Inman In-Reply-To: Message-ID: <941121.212909.0k1.rusnews.w165w@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, jgrubs at voxbox.norden1.com writes: > jamiel at sybase.com (Jamie Lawrence) writes: > >> It does amaze me that what can be a victimless activity is such >> a hotbutton. > > Drugs are victimless? What about crack babies, which cost a million > dollars EACH in medical care, btw. 

And just where is the requirement to support such babies graven in stone?

Yes, flame bait for sure. But please remember that the only victim of the usage of drugs is the drug user. In the case of women of childbearing age, this can possibly extend to a conceived child, but that is the responsibility of the _mother_, not of society at large. Why should society choose to support a crack baby, anyway? Is the mother not responsible for her own pregnancy, and, by extension, the dependent condition of her child? So long as we, as a society, wrest personal responsibility from the person, your argument will continue to be propagated.

Understand that I am an avowed Social Darwinist, so I don't even support the idea of state-sponsored welfare. In my view (and you are not required to agree), people should be free to do anything that does not adversely affect another's life. If such a person makes the choice to become addicted to noxious drugs, there should be no support from society. The loss of this person from the breeding pool will benefit future generations.

Flame by email, if you must flame, and spare the list the noise.

--
Roy M. Silvernail -- roy at cybrspc.mn.org
"Usenet: It's all fun and games until somebody loses an eye." --Jason Kastner

From unicorn at access.digex.net Mon Nov 21 20:11:44 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Mon, 21 Nov 94 20:11:44 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To: <199411220020.QAA08980@netcom6.netcom.com>
Message-ID:

On Mon, 21 Nov 1994, Timothy C. May wrote:

> Mark Terka, of Toronto, wrote:
>
> > Well, I think it will be the trigger hopefully generates more remailer's
> > in Europe.
> > So far we only (since the evident demise of wein) have usura's excellent
> > remailers in the Netherlands. It would be nice if more were placed overseas,
> > beyond the reach of U.S. pressure.
>
> More on why non-U.S. remailers are so important.
>
> Last Saturday night, after the Cypherpunks meeting and dinner, I was
> giving Colin Plumb (a Toronto person) a ride to the hotel he was
> staying at in Los Gatos. We stopped at a mega bookstore (Barnes and
> Noble, Santa Clara) and ran immediately into yet another Toronto
> person (ex, actually), Brad Templeton, well-known as the operator of
> ClariNet. (I've met Brad many times, but he still doesn't remember my
> name or what I do, which says something interesting about one of us.)
>
> Brad heard the word "Cypherpunks" and gave his views on things. I'll
> summarize in bullet form, as I lack the time to formulate his points
> in full paragraphs

[...]

> I debated not writing an "incident report" to you folks, being as how
> Brad is not on this list and is basically uninformed on the details of
> our remailers, but I feel that a "heads up" is warranted.

Perhaps a measure of the scope of our job. Even the computer jock is ignorant when it comes to cypher-education.

>
> (For one thing, the ECPA protects the mail, and allows the machine
> owner to adopt a "hands off" stance. For another, an "abused account"
> can simply and quickly be killed, with new ones taking its place!
> Think of the benefits.)
>

I'm not sure the ECPA provides the protection you want here. I'll have to look again, and do not assert this as certain, because I'm only pulling off the top of my head what I remember from a quick scan of the Steve Jackson Games opinion.

Anyone want to repost it? I recall it limited the ECPA in some interesting way, and I remember being offended, and not surprised at the narrow reading.

> So, not a cause for panic, as he will probably do nothing. But just as
> Adm.
Bobby Inman's comments give some insight into the position of the > intelligence community, Brad Templeton's comments give insights into > the coming battles over intellectual property. Thanks for the contact report! > > > --Tim May > > -- > .......................................................................... > Timothy C. May | Crypto Anarchy: encryption, digital money, [...] > 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig! From unicorn at access.digex.net Mon Nov 21 20:13:23 1994 From: unicorn at access.digex.net (Black Unicorn) Date: Mon, 21 Nov 94 20:13:23 PST Subject: Admiral Inman In-Reply-To: <199411220132.RAA20163@netcom9.netcom.com> Message-ID: On Mon, 21 Nov 1994, James A. Donald wrote: > Black Unicorn writes > > Wow, all that from a few lines of original text? (Oh well). > > Our enemies are industriously corrupting the language in order > to make the ideas of liberty inexpressible. In particular > they are seeking to make the concepts behind the declaration > of independence and the bill of rights unspeakably and therefore, > they hope, unthinkable. > > Thus it is often necessary to do a lengthy exegesis, in order > to explain what they are really saying -- see for example > certain recent flame wars. > Wow, all that from a few lines of original text? :) > > -- > --------------------------------------------------------------------- > We have the right to defend ourselves and our > property, because of the kind of animals that we James A. Donald > are. True law derives from this right, not from > the arbitrary power of the omnipotent state. jamesd at acm.org > > 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig! 
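The TSB51 "Voice Privacy" scheme quoted earlier in this Admiral Inman thread applies one 260-bit mask, constant for the whole call, to every frame. The following added example (not from any poster, and not code from TSB51) shows why that setting is weak beside a keystream that changes per frame; the frames, mask and key are constructed test values, and the HMAC-SHA256 counter keystream is an assumed stand-in chosen for illustration, not a cellular cipher.

```python
import hashlib
import hmac
from itertools import combinations

FRAME_BITS = 260                      # mask length quoted from TSB51 8.2.47
FRAME_MASK = (1 << FRAME_BITS) - 1


def constructed_bits(label):
    """Deterministic 260-bit value derived from a label (constructed sample data)."""
    return int.from_bytes(hashlib.sha512(label).digest(), "big") & FRAME_MASK


def fixed_mask_encrypt(frames, mask):
    """Weak setting: the same mask is XORed onto every frame of the call."""
    return [frame ^ mask for frame in frames]


def frame_keystream(key, index):
    """Assumed stand-in: 260 keystream bits that depend on the frame index."""
    out = b""
    block = 0
    while len(out) * 8 < FRAME_BITS:
        msg = index.to_bytes(8, "big") + bytes([block])
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - FRAME_BITS)


def per_frame_encrypt(frames, key):
    """Corrected setting: every frame gets its own keystream."""
    return [frame ^ frame_keystream(key, i) for i, frame in enumerate(frames)]


def leaked_pairs(plain, cipher):
    """Count frame pairs where c_i XOR c_j equals p_i XOR p_j (mask cancelled)."""
    return sum(
        1
        for i, j in combinations(range(len(plain)), 2)
        if cipher[i] ^ cipher[j] == plain[i] ^ plain[j]
    )


def repeated_frames(cipher):
    """Pairs of positions whose ciphertext frames are bit-for-bit identical."""
    return [
        (i, j)
        for i, j in combinations(range(len(cipher)), 2)
        if cipher[i] == cipher[j]
    ]


def compare():
    """Encrypt the same constructed call both ways and report what is visible."""
    speech = [constructed_bits(b"frame-%d" % i) for i in range(4)]
    speech[2] = speech[0]             # a repeated frame, e.g. two silent frames
    mask = constructed_bits(b"constructed mask")
    key = b"constructed call key"
    fixed = fixed_mask_encrypt(speech, mask)
    varied = per_frame_encrypt(speech, key)
    return {
        "fixed_leaked_pairs": leaked_pairs(speech, fixed),
        "fixed_repeats": repeated_frames(fixed),
        "varied_leaked_pairs": leaked_pairs(speech, varied),
        "varied_repeats": repeated_frames(varied),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

With the constant mask, every pair of frames exposes the XOR of its plaintexts and the repeated frame is visible in the ciphertext; with a per-frame keystream neither relation survives.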
From mkj at october.ducktown.org Mon Nov 21 20:25:02 1994 From: mkj at october.ducktown.org (mkj at october.ducktown.org) Date: Mon, 21 Nov 94 20:25:02 PST Subject: A Chance Encounter with Brad Templeton, of ClariNet Message-ID: <199411220356.WAA06005@october.ducktown.org> Adam Shostack wrote: > There is an entire parasitic > class that does nothing useful, but makes money from the idea of > copyright. (Most entertainment industries operate like this. The > industry puts up seed money in exchange for the profits that an artist > generates.) Books, music, film to a lesser extent are all in the path > of a digital revolution which eliminates the need for a middleman. If > I can download music to DAT, I don't need Sony records. Neither does > Peter Gabriel, Robert Fripp or any other musician. The above is a key insight into what I see as one of the biggest issues of the next couple of decades, certainly one of the biggest issues affecting the networks. A battle is looming between public freedoms on the nets, and powerful copyright-based economic interests. Such a battle is very apt to turn the networks into a minefield of impossible laws, ubiquitous surveillance and unending litigation. Note that the Clinton/Gore administration, and its Information Infrastructure Task Force (IITF), have already taken the (in my opinion extreme and unrealistic) position that intellectual property laws must be not merely preserved but *strengthened* and *expanded* in the context of the National Information Infrastructure. (See the report of the IITF's Intellectual Property Working Group, as well as other relevant reports available at iitf.doc.gov.) And I see no reason to hope that Congress will take a different approach. Such a battle could have far-reaching implications. Taken to its logical conclusions, a "War on Piracy" could make the "War on Drugs" look benign (and inexpensive) by comparison. Averting this disaster may be one of the most important challenges facing the cypherpunks. 
Just my two cents' worth. --- mkj From sdw at lig.net Mon Nov 21 20:57:08 1994 From: sdw at lig.net (Stephen D. Williams) Date: Mon, 21 Nov 94 20:57:08 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411192018.PAA28766@intercon.com> Message-ID: > > > [...] ELM bombs [...] > > Well, aside from the fact that I was being intentionally annoying (you > will note that I do not normally include my GIF signature in my messages), > I will say that the bugs in your mailer are not entirely my concern. > MIME is a standard for email on the Internet. If your mailer chokes on it, > you can always get another mailer. Pine is good, from what I've heard, > and handles MIME just fine. It's just as free as ELM... And further, a properly configured and installed elm doesn't have problems either, on a real operating system like Linux! > > Amanda Walker > InterCon Systems Corporation > -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Dec95 OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From an234 at vox.xs4all.nl Mon Nov 21 21:23:13 1994 From: an234 at vox.xs4all.nl (an234 at vox.xs4all.nl) Date: Mon, 21 Nov 94 21:23:13 PST Subject: more on twwells Message-ID: <199411220524.AA18961@xs1.xs4all.nl> -----BEGIN PGP SIGNED MESSAGE----- The discussion we've seen here re the reputation of the anon server at twwells.com has found its way to the a.s.a.r. newsgroup. Most, if not all, of the thread has been posted there via the khijol anon-server, including Tim's repost of Mr. Wells' remarks to the list. These posts to a.s.a.r. evidently prompted this from Mr. Wells: >Sat, 19 Nov 1994 10:11:29 >alt.sexual.abuse.recovery >Phui! 
>bill at twwells.com
>
>I'm having a nice time at a science fiction convention and a brand
>new, well paying job to return to Monday, and other good things
>are happening in my life. I'm not going to let Ed and the cohort
>of Wells-bashers spoil things for me. I won't play, and that's
>that.
>
>I know that some of you will be concerned about what they're
>saying. If you are, you can send me e-mail and ask whatever you
>want. Alternately, there are plenty of people on asar who are not
>involved in this whole mess, who will give you straight, unbiased
>answers.
>
>I can be reached at: bill at twwells.com, admin at anon.twwells.com, or,
>anonymously, at anon-0 at anon.twwells.com.
>
>Other than that, I'm out of this. The khijol server, being little
>more than a blind for Ed and his own, I'm killfiling entirely, as
>well as the threads concerning my server (including this one). If
>there is going to be yet another (this has been going on for over
>two years!) anon server flame-war, I will not be a part of it.
>
>Take care everyone, and may you find the healing you need.

And the posts have apparently caused one user of Wells' service to become a former-user:

>Sat, 19 Nov 1994 00:21:55
>alt.sexual.abuse.recovery
>Re: T. Wells Anon Service--His Comments
>laurahelen at delphi.com
>
>T W Wells writes:
>>>
>>>I provide a service to people who, at least in specific areas,
>>>are not rational, who are definitely irrational. I know of, for
>>>example, one person who went into convulsions simply because they
>>>received e-mail from a person who, many years ago, had abused a
>>>child.
>>>
>
>this sounds like my fucking father -- I want more respect than this.
>No I am not the person he's referring to but I trust an anon server to
>be neutral, forward messages and not make highly personal and judgemental
>comments on survivors. Fuck him. I'm not using that server any more.
>
>I suppose this will be labelled "irrational" by some.
>
>I don't even believe in a separation between the head and the heart.
>
>It's pretty warped.
>
>I feel betrayed.
>
> Laura

N. Cognito

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
N. Cognito               "Don't put no constrictions on da people.
an234 at vox.xs4all.nl    Leave 'em ta hell alone." -- J. Durante
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
public key available via keyserver

From Tony.Gurnick at nzdairy.co.nz  Mon Nov 21 23:20:26 1994
From: Tony.Gurnick at nzdairy.co.nz (DNA)
Date: Mon, 21 Nov 94 23:20:26 PST
Subject: PGP for VMS
Message-ID: <94112220190218@nzdairy.co.nz>

Can anyone tell me where I can get a copy of PGP for vms? AXP or VAX.

T

From adam.philipp at ties.org  Tue Nov 22 00:39:14 1994
From: adam.philipp at ties.org (Adam Philipp)
Date: Tue, 22 Nov 94 00:39:14 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
Message-ID:

>> (For one thing, the ECPA protects the mail, and allows the machine
>> owner to adopt a "hands off" stance. For another, an "abused account"
>> can simply and quickly be killed, with new ones taking its place!
>> Think of the benefits.)
>>
>I'm not sure the ECPA provides the protection you want here. I'll have
>to look again, and do not assert this as certain, because I'm only
>pulling off the top of my head what I remember from a quick scan of the
>Steve Jackson Games opinion.
>
>Anyone want to repost it? I recall it limited the ECPA in some
>interesting way, and I remember being offended, and not surprised at the
>narrow reading.

The ECPA offers two levels of protection to e-mail, transmitted e-mail and stored e-mail.
Some mail on Illuminati (Steve Jackson's BBS) had been sent but had not been read by the intended recipients. The first trial found that there had been a violation of the ECPA with regard to the section on stored mail, but not on transmitted mail. It narrowly defined the transmitted section to include only interception contemporaneous with transmission with the e-mail. Since the mail had been sitting around on the hard disk, the court refused to call it interception.

If anyone really cannot find a copy of the ECPA I can go search for my ASCII edition, but right now I only have a hard copy lying around somewhere on this desk.

Adam

--
PGP Key available on the keyservers. Encrypted E-mail welcome.

Sub rosa: Confidential, secret, not for publication.
-Black's Law Dictionary

From unicorn at access.digex.net  Tue Nov 22 00:46:09 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Tue, 22 Nov 94 00:46:09 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To:
Message-ID:

On Tue, 22 Nov 1994, Adam Philipp wrote:

> >> (For one thing, the ECPA protects the mail, and allows the machine
> >> owner to adopt a "hands off" stance. For another, an "abused account"
> >> can simply and quickly be killed, with new ones taking its place!
> >> Think of the benefits.)
> >>
> >I'm not sure the ECPA provides the protection you want here. I'll have
> >to look again, and do not assert this as certain, because I'm only
> >pulling off the top of my head what I remember from a quick scan of the
> >Steve Jackson Games opinion.
> >
> >Anyone want to repost it? I recall it limited the ECPA in some
> >interesting way, and I remember being offended, and not surprised at the
> >narrow reading.
>
> The ECPA offers two levels of protection to e-mail, transmitted e-mail
> and stored e-mail. Some mail on Illuminati (Steve Jackson's BBS) had
> been sent but had not been read by the intended recipients. The first
The the first > trial found that the there had been a violation of the ECPA with regard to > the section on stored mail, but not on transmitted mail. It narrowly defined > the transmitted section to include only interception contemporaneous with > transmission with the e-mail. Sine the mail had been sitting around on the > hard disk, the court refused to call it interception. Yes, this is what I meant exactly. I see it has less application to Mr. May's post than I thought. I only remembered a narrow reading of interception. Thanks for clairifying. > > If anyone really cannot find a copy of the ECPA I can go search for my > ASCII edition, but right now I only have a hard copy lying around somewhere > on this desk. No no, I wanted the Jackson Opinion. My fault for not being clear, but you cleared it up. > Adam > > -- > PGP Key available on the keyservers. Encrypted E-mail welcome. > > Sub rosa: Confidential, secret, not for publication. > -Black's Law Dictionary > > 073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est 6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig! From claborne at microcosm.sandiegoca.NCR.COM Tue Nov 22 01:06:30 1994 From: claborne at microcosm.sandiegoca.NCR.COM (Claborne, Chris) Date: Tue, 22 Nov 94 01:06:30 PST Subject: San Diego CYPHERPUNKS symposium (11/30) Message-ID: <2ED13DD7@microcosm.SanDiegoCA.NCR.COM> -----BEGIN PGP SIGNED MESSAGE----- CPUNKS symposium this next Wed, November 30. Invitation to all Cypherpunks to join the San Diego crowd at Hops Brewery were I hope to discuss "What's your fingerprint?" and other related topics. Don't forget to bring your public key fingerprint. If you can figure out how to get it on the back of a business card, that would be cool (mailing labels work). Place: Hops Brewery at the UTC Mall Time:1800 Directions: University Town Center is at 805 and La Jolla Village Drive. From 805 head west until you get to Genesee and make a left. 
On Genesee make a left at the first light and turn into the mall. Hops will be directly in front of you.

Recon shows that there are lots of alternative locations with lots of tables close by. Try to be there by 1830, as we may decide to move the meeting. I will be standing wearing a BRIGHT PURPLE BICYCLING JACKET.

See you there!

2
- -- C --

P.S. Tell your wife/husband you are going to a symposium. Unless she/he looks in the dictionary, she/he won't know that you are really going to a drinking party!

BEWARE: There is an anarchist in the group!

 ...  __o
 ..   -\<,    chris.claborne at sandiegoca.ncr.com
 ...(*)/(*).  CI$: 76340.2422
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server.

From claborne at microcosm.sandiegoca.NCR.COM  Tue Nov 22 01:06:33 1994
From: claborne at microcosm.sandiegoca.NCR.COM (Claborne, Chris)
Date: Tue, 22 Nov 94 01:06:33 PST
Subject: San Diego CYPHERPUNKS symposium (11/30)
Message-ID: <2ED13E21@microcosm.SanDiegoCA.NCR.COM>

 ----------
>From: Claborne, Chris
>To: cypherpunks
>Cc: 'Cottrell, Lance'; Karn, Phil; Maher, Kevin; Philipp, Adam; Tocher, John;
>Witham, Philip
>Subject: San Diego CYPHERPUNKS symposium (11/30)
>Date: Monday, November 21, 1994 10:25AM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>CPUNKS symposium this next Wed, November 30.
>

Because I'm not currently receiving mail from the CP list (I don't know what's wrong), please respond directly to me.

Thanks

 ...  __o
 ..   -\<,    chris.claborne at sandiegoca.ncr.com
 ...(*)/(*).  CI$: 76340.2422
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server. PGP-encrypted e-mail welcome!

From khijol!erc  Tue Nov 22 01:31:02 1994
From: khijol!erc (Ed Carp [Sysadmin])
Date: Tue, 22 Nov 94 01:31:02 PST
Subject: more on twwells
In-Reply-To: <199411220524.AA18961@xs1.xs4all.nl>
Message-ID:

> The discussion we've seen here re the reputation of the anon
> server at twwells.com has found its way to the a.s.a.r.
> newsgroup. Most, if not all, of the thread has been posted
> there via the khijol anon-server, including Tim's repost of
> Mr. Wells' remarks to the list.

That the mailing list material was funneled through khijol to asar in an obvious attempt to hide the poster's true identity doesn't bother me a bit. What *does* bother me is that Bill Wells tries to blame it on *me*, stating that *I* was the one who posted the material. Not that it's really relevant *who* posted it, it just annoys me that the guy is so damned paranoid. I wonder why? What's he afraid of? Gee, sounds a little like LD...

--
Ed Carp, N7EKG    Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP 2.5 public key    an88744 at anon.penet.fi
** PGP encrypted email preferred! **
"What's the use of distant travel if only to discover - you're homeless in
your heart." --Basia, "Yearning"

From skaplin at skypoint.com  Tue Nov 22 02:35:40 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Tue, 22 Nov 94 02:35:40 PST
Subject: Guerrilla Remailers
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Has anyone else given thought to "Guerrilla Remailers?" Basically someone obtains an account on one of the freenets or similar free account, sets up a remailer and lets it sit for a while. (Until telnet and/or phone logs are overwritten) After this time frame the address of the remailer is posted. The remailer then would be used until it is shut down by the Powers that be. The account would be set up under a bogus name etc. This would make the remailer the ideal candidate for the last hop in a remailer chain.
(After all if they can't find Juanna DuBone or Jack Mehoff they can't apply any pressure to them or hold them responsible. It seems to me the extent of pressure in this case would be just to shut down the remailer) Just keep a few ahead and keep leap frogging, as one is shut down another is put on line.

==============================================================================
A man either lives life as it happens to him, meets it head-on and licks it, or he turns his back on it and starts to wither away.
-- Dr. Boyce, "The Menagerie" ("The Cage"), stardate unknown
==============================================================================
skaplin at skypoint.com                    | "...vidi vici veni" - Overheard
                                         | outside a Roman brothel.
PGP encrypted mail is accepted and       |
preferred.                               | Change is the only constant in the
                                         | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or  |
Finger skaplin at mirage.skypoint.com    | Smile!! Big brother is watching.
==============================================================================

From frissell at panix.com  Tue Nov 22 03:06:58 1994
From: frissell at panix.com (Duncan Frissell)
Date: Tue, 22 Nov 94 03:06:58 PST
Subject: Admiral Inman
Message-ID: <199411221105.AA20849@panix.com>

At 08:30 PM 11/21/94 EST, Jim Grubs, W8GRT wrote:

>> It does amaze me that what can be a victimless activity is such
>> a hotbutton.
>
>Drugs are victimless? What about crack babies, which cost a million
>dollars EACH in medical care, btw.
>

Just as I could not sue my parents for being dumb commies who would send me to government schools (not that they are or did), I could not sue my parents for using crack.
One takes one's parents as one finds them (at Common Law in any case).

The medical care cost *can* be blamed on the government that exacts payments for it.

DCF

From lethin at ai.mit.edu  Tue Nov 22 03:53:54 1994
From: lethin at ai.mit.edu (Rich Lethin)
Date: Tue, 22 Nov 94 03:53:54 PST
Subject: Admiral Inman
In-Reply-To:
Message-ID: <9411212216.AA09569@kiwi>

A direct quote from him saying the above would be a nice tool the next time kiddie porn and terrorists are thrown out for the press to chew on.

I recall hearing that Inman lost a tremendous amount of credibility in the government and the media during the confirmation; there appeared in the press afterward some articles about how undeserved his sterling reputation was after he "babbled on about his paranoias" during the confirmation. Someone with more information about the hearings could post the transcripts and news articles.

My impression of him during the class was that Inman was well informed and on top of things. But it's debatable the degree to which a direct quote from him would sway the press.

From m5 at vail.tivoli.com  Tue Nov 22 05:33:50 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Tue, 22 Nov 94 05:33:50 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To:
Message-ID: <9411221330.AA18966@vail.tivoli.com>

Timothy C. May writes:
> So, not a cause for panic, as he will probably do nothing.

I agree that panic is uncalled for, but I don't agree that he will probably do nothing. Eventually, Mr. Templeton or someone in a similar position is certain to "do something"; this is an inevitable result of the clash between traditional (since the 16th century, anyway) views of copyright and what "we" think of the meaning(lessness) of copyright in an online digital world.

Put yourself in his place. Mr. Templeton's attitude makes perfect sense. The entire fabric of his business is based upon state-supported protection of the "property" that's his stock in trade.
I would think very little of him as a businessperson were he to simply roll over and give up.

Indeed, it might actually be advantageous for the "something" to happen sooner rather than later; clumsy attacks on freedom of electronic communication could backfire, resulting in favorable (to e-freedom) judgements that would stand as precedent later on.

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally |
| TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: |
| (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" |

From habs at warwick.com  Tue Nov 22 07:46:27 1994
From: habs at warwick.com (Harry S. Hawk)
Date: Tue, 22 Nov 94 07:46:27 PST
Subject: NYT on MCI Net Shop
In-Reply-To: <9411220054.AA12566@anchor.ho.att.com>
Message-ID: <9411221721.AA13960@cmyk.warwick.com>

>
> > Interestingly, our MCI salesman has told us they cannot offer Internet
> > Access.. e.g, we can't buy a T1 line (for example) from them...
>
> Ack, Pfft! Little Garden is in the process of getting about 3 T1s from MCI.

Now they finally admitted to offering the service... We had a meeting last week where they claimed not to offer this service...

/hawkk

From adam at bwh.harvard.edu  Tue Nov 22 08:03:06 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Tue, 22 Nov 94 08:03:06 PST
Subject: Cell Phones Security??
In-Reply-To:
Message-ID: <199411221601.LAA27180@spl.bwh.harvard.edu>

| As one who will be shopping for a cell phone in the next week, what should
| I look for in terms of security? What features are available in phones on
| the market....if any?

Nothing real is available now. There is a Boston company that sells an attachment that does variable split band inversion with 8k variances per second. You can buy two units, or call their computer (via an 800 number) and get connected out. Safecall is the company.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From rsalz at osf.org  Tue Nov 22 08:27:54 1994
From: rsalz at osf.org (Rich Salz)
Date: Tue, 22 Nov 94 08:27:54 PST
Subject: Admiral Inman
Message-ID: <9411221624.AA22391@sulphur.osf.org>

> I recall hearing that Inman lost a tremendous amount of credibility in the
> government and the media during the confirmation;

He lost even more during his rambling, almost incoherent "I'm withdrawing my name" speech, which apparently took the administration by surprise and wherein he sounded like a paranoid Perot as a victim of drug experiments.

Followup articles explained things like "hey, MCC isn't such a sterling success as we all first thought."

Even if he were willing to be a spokesman, it'd probably hurt the cause.

/r$

From SADLER_C at HOSP.STANFORD.EDU  Tue Nov 22 08:42:39 1994
From: SADLER_C at HOSP.STANFORD.EDU (Connie Sadler (415)725-7703)
Date: Tue, 22 Nov 94 08:42:39 PST
Subject: Admiral Inman
Message-ID: <01HJRVB367FO001OVV@MR.STANFORD.EDU>

Subject: Re: Admiral Inman
From: "Connie Sadler"@MR.STANFORD.EDU
Date: Tue, 22 Nov 1994 07:58:00 PDT
A1-type: DOCUMENT
Posting-date: Tue, 22 Nov 1994 00:00:00 PDT

In list.cypherpunks, jgrubs at voxbox.norden1.com writes:

> jamiel at sybase.com (Jamie Lawrence) writes:
>
>> It does amaze me that what can be a victimless activity is such
>> a hotbutton.
>
> Drugs are victimless? What about crack babies, which cost a million
> dollars EACH in medical care, btw.

Exactly! And this is just one example of the victims. What about the extremely high rate of crime motivated by the need for drugs? I have personally been a victim twice (theft of my car and *nice stereo system* and a breakin to my house where much was taken) in crimes which appeared to be motivated by the need for drugs. I don't see where legalizing drugs would motivate addicts to start working to legitimately pay for their habits.

CJS

From perry at imsi.com  Tue Nov 22 08:57:44 1994
From: perry at imsi.com (Perry E.
 Metzger)
Date: Tue, 22 Nov 94 08:57:44 PST
Subject: Admiral Inman
In-Reply-To: <01HJRVB367FO001OVV@MR.STANFORD.EDU>
Message-ID: <9411221657.AA04158@snark.imsi.com>

"Connie Sadler (415)725-7703" says:
> What about the extremely high rate of crime motivated by the need
> for drugs? I have personally been a victim twice (theft of my car
> and *nice stereo system* and a breakin to my house where much was
> taken) in crimes which appeared to be motivated by the need for
> drugs. I don't see where legalizing drugs would motivate addicts to
> start working to legitimately pay for their habits.

No, but perhaps you could note that the price of drugs is hundreds of times higher than it would be without illegalization. Cocaine and heroin are amazingly cheap per dose before seven layers of smugglers and dealers get into the act. I used to pass by the rummies in lower Manhattan on Bowery and Lafayette Street all the time. I have yet to see a wino on the Bowery rob anyone to support his habit -- he's got plenty of options to get fucked up out of his mind for a few dollars a day. If anything, the currently illegal "white powder" drugs would be far cheaper per dose than thunderbird.

We might also note that the bulk of the deadly crime associated with the drug trade is not junkies stealing to pay for their habits but dealers involved in turf wars. No more gang drive-bys if you legalize drugs, folks. When was the last time you saw a pair of liquor store owners having a gun battle over turf?

Beyond this, however, is the inherent foolishness in thinking that keeping the drugs illegal will do any good. We have already seen that an order of magnitude increase in the money spent on drug enforcement over the last decade has produced NO noticeable change in the size of the drug trade, and has, if anything, made the problem worse. Drugs are even available in maximum security prisons, where, supposedly, there is absolute control over what enters and what leaves.
Given that, there is no quantity of money we could possibly spend that would stop the drug trade -- even unto the point of eliminating all human freedom in our society.

I am unwilling to sell my birthright for a mess of pottage. We are sacrificing billions of dollars and all our civil rights for NOTHING VISIBLE AT ALL. Even were you correct that drugs were an intolerable menace to society it has long been obvious that drug law enforcement does no good whatsoever in lowering the rate of drug "crime" and if anything causes harm by driving the price up and creating a huge profit opportunity for the unscrupulous.

Perry

From jya at pipeline.com  Tue Nov 22 09:03:23 1994
From: jya at pipeline.com (John Young)
Date: Tue, 22 Nov 94 09:03:23 PST
Subject: NYT on DNA Compute
Message-ID: <199411221702.MAA03468@pipe2.pipeline.com>

If anyone wants to know the NYT has a longish article today on Leonard Adleman's experiment using DNA as a molecular computer.

It amplifies the Science article mentioned here earlier and quotes several computer scientists who praise the work.

To see it, send a blank message with subject: DNA_la

From rsalz at osf.org  Tue Nov 22 09:40:30 1994
From: rsalz at osf.org (Rich Salz)
Date: Tue, 22 Nov 94 09:40:30 PST
Subject: Borenstein Speech
Message-ID: <9411221734.AA22523@sulphur.osf.org>

Nat Borenstein is speaking nearby on Monday.

OPEN PROTOCOLS FOR INFORMATION COMMERCE

Nathaniel Borenstein, Chief Scientist
First Virtual Holdings Inc.

Traditional one-way payment mechanisms, such as cash, credit cards, and digital cash, presuppose the necessity of payment validation in advance of the completion of a transaction. In contrast, a "closed loop" protocol that verifies both payment information and customer satisfaction permits a far simpler payment engine in an open Internet environment, and is well-suited to a broad sub-class of Internet commerce applications.
In this talk, I will present the underlying philosophy, design rationale, and specification overview for a recently-developed set of open protocols for information commerce.

Send me questions :-)

From jamesd at netcom.com  Tue Nov 22 09:58:05 1994
From: jamesd at netcom.com (James A. Donald)
Date: Tue, 22 Nov 94 09:58:05 PST
Subject: Admiral Inman
In-Reply-To: <01HJRVB367FO001OVV@MR.STANFORD.EDU>
Message-ID: <199411221757.JAA09031@netcom8.netcom.com>

Connie Sadler writes
> What about the extremely
> high rate of crime motivated by the need for drugs?
> I have personally been a victim twice (theft of my
> car and *nice stereo system* and a breakin to my
> house where much was taken)

These crimes were not caused by drugs, but by the war on drugs.

Now even if heroin was legal, a junkie would be more inclined to lie and steal than a sober person, just as a drunk is more inclined to get into fights than a sober person, but heroin is not in itself a major cause of theft, just as alcohol is not in itself a major cause of violence. Certainly the violence caused by alcohol is vastly less than the violence caused by prohibition.

The intrinsic cost of heroin is considerably less than the intrinsic cost of alcohol. If we abolished the FDA, a junkie could stay stoned for less than it costs a drunk to stay drunk. He would still be a no good human being, but he would be a quiet and unobtrusive no good human being. Junkies are quieter than drunks and less likely to assault you.

--
 ---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we      James A. Donald
are. True law derives from this right, not from
the arbitrary power of the omnipotent state.
jamesd at acm.org

From m5 at vail.tivoli.com  Tue Nov 22 10:05:10 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Tue, 22 Nov 94 10:05:10 PST
Subject: Wired Whitehall
Message-ID: <9411221803.AA27165@vail.tivoli.com>

Has anyone heard of or seen a report by a UK firm called "Kable" entitled "Wired Whitehall 1999"? I've just been looking at a summary of parts of it, and it seems scary: national ID cards and a concept called "Single Citizen's Account" for management of money flow from (and certainly to) the government.

This fits with what Levy described as the low-resistance path most likely to be taken for online money schemes: more visibility, less privacy.

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally |
| TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: |
| (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" |

From jamesh at netcom.com  Tue Nov 22 10:07:24 1994
From: jamesh at netcom.com (James Hightower)
Date: Tue, 22 Nov 94 10:07:24 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To: <199411220020.QAA08980@netcom6.netcom.com>
Message-ID: <199411221805.KAA13533@netcom18.netcom.com>

Tim May wrote>
> * I shrugged, and said that, longterm, copyright was dead as we know
> it today. I pointed out that dozens of Cypherpunks-style remailers are

Still waving red flags at bulls, eh Tim?

I vaguely remember something like this controversy occurring when the Xerox machine was new. Can anyone refresh my memory?

JJH

--
"It is by caffeine alone that I set my mind in motion. It is by the beans of Java that the thoughts acquire speed, the hands acquire shakes, the shakes become a warning. It is by caffeine alone that I set my mind in motion."

From blancw at pylon.com  Tue Nov 22 10:08:45 1994
From: blancw at pylon.com (blancw at pylon.com)
Date: Tue, 22 Nov 94 10:08:45 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
Message-ID: <199411221809.KAA23892@deepthought.pylon.com>

Responding to msg by Mike McNally:

"Put yourself in his place. Mr. Templeton's attitude makes perfect sense. The entire fabric of his business is based upon state-supported protection of the "property" that's his stock in trade. I would think very little of him as a businessperson were he to simply roll over and give up."
........................................................

Businessmen must find a way to channel their goods & services so that they can reach their customers and receive the desired return on their efforts and their investments. It's a paradoxical quagmire, isn't it, to be both open, available, and accessible, while yet needing to be exclusive, particular, and restricted.

Blanc

From m5 at vail.tivoli.com  Tue Nov 22 10:09:37 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Tue, 22 Nov 94 10:09:37 PST
Subject: Wired Whitehall
Message-ID: <9411221809.AA27191@vail.tivoli.com>

Duhh. Reading a little further, I find that Kable can be reached at +44 171 410 9046. I called and there's a two-tier pricing policy for the report: about L40 (that's a fancy "pounds sterling" sign) for public sector & university purchases, and about L200 for private-sector purchases. They can't do credit cards, ironically enough.

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally |
| TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: |
| (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" |

From cwedgwood at cybernet.co.nz  Tue Nov 22 10:11:22 1994
From: cwedgwood at cybernet.co.nz (Chris Wedgwood)
Date: Tue, 22 Nov 94 10:11:22 PST
Subject: Pentium bug and CRYPTO
Message-ID:

chris.claborne at sandiegoca.ncr.com writes:

[Will the following error (Re [Pentium Floating Point Bug ...
cause problems with PGP key generation or]
[any other normal operations with PGP or other crypto.]

It shouldn't affect PGP in the slightest. It's a bug that affects only certain mantissa (23 are known so far) when doing a floating point divide (double precision). PGP doesn't use floating point for its big-numbers and it has no need for double precision.

Since most versions of PGP compiled for Intel platforms will be of the MS-DOS or Windows variety then it is very unlikely that even floating point instructions will be used - emulation libraries will be used instead for floating point.

NT is a slightly different matter - but as I said PGP doesn't use floating point for the key generation or ANY of the RSA/IDEA code....

An interesting point about this rather obscure bug though. It won't affect over 99% of all Pentium machines in use. It won't affect word, windows or any of the other numerous programs that hold a large market share and high-usage stats.... but people making a big deal out of this and demanding fixes (I have heard new Pentiums don't do this and am going to test this next week) could cost Intel millions potentially..... and I doubt whether it would affect PovRay or whatever things people might actually use floating point for anyways....

Serious scientific work could suffer severely, and since Intel boxes are good power for dollar there are quite a few used in various places for intensive calculations.... (e.g. seismic ray-tracing - but that's done on 486-DX2-66 machines because here in NZ they are about half the price of a Pentium so are even better value for money).

Chris

From rsalz at osf.org  Tue Nov 22 10:18:39 1994
From: rsalz at osf.org (Rich Salz)
Date: Tue, 22 Nov 94 10:18:39 PST
Subject: Borenstein Speech
Message-ID: <9411221814.AA23517@sulphur.osf.org>

I know better than this.

>Nat Borenstein is speaking nearby on Monday.

What's the global definition of nearby? :(

I'll be the one yelling "thief, thief" as he talks about safe-tcl...

MITSUBISHI ELECTRIC RESEARCH LABORATORIES
201 Broadway
Cambridge, MA 02139
617-621-7500

OPEN PROTOCOLS FOR INFORMATION COMMERCE

Nathaniel Borenstein, Chief Scientist
First Virtual Holdings Inc.

Date: Monday, November 28, 1994
Time: 9:30 am

Abstract:

Traditional one-way payment mechanisms, such as cash, credit cards, and digital cash, presuppose the necessity of payment validation in advance of the completion of a transaction. In contrast, a "closed loop" protocol that verifies both payment information and customer satisfaction permits a far simpler payment engine in an open Internet environment, and is well-suited to a broad sub-class of Internet commerce applications. In this talk, I will present the underlying philosophy, design rationale, and specification overview for a recently-developed set of open protocols for information commerce.

(Dr. Borenstein is well known for his work at Bellcore on the MIME standard for multimedia messaging; he is also the author of the Andrew Message System, ATOMICMAIL, Metamail, Safe-TCL, and _Programming as if People Mattered_.)

Host: David B Anderson

Directions to MERL can be found in ftp://ftp.merl.com/pub/directions.map

From jamiel at sybase.com  Tue Nov 22 10:44:53 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Tue, 22 Nov 94 10:44:53 PST
Subject: Admiral Inman
Message-ID:

I knocked this off Cypherpunks. It has no relevance there, although I was tempted. I'm also responding to both of you in the same message for my convenience. Also, forgive the spelling. For some reason my spell checker keeps bombing today.

At 8:39 AM 11/22/94, Connie Sadler (415)725-7703 wrote:
>In list.cypherpunks, jgrubs at voxbox.norden1.com writes:
>
>> jamiel at sybase.com (Jamie Lawrence) writes:
>>
>>> It does amaze me that what can be a victimless activity is such
                          ^^^^^^^^^^^
>>> a hotbutton.
>>
>> Drugs are victimless? What about crack babies, which cost a million
         ^^^

First, you switched verbs on me.
Semantic games are usually pretty pointless, but here you are twisting my meaning. Anyone who doesn't believe that the issue of drugs can be dealt with on a societal level with rationality and respect should read up on or take a trip to Holland (I'm talking drug policy here, not economics or anything else).

If you want to talk crack-babies, I'd ask you what are the causes of the situation: some depraved, subhuman need for the drug or an economic and social environment that rapes most people in living it of their self-respect and dignity (I don't see being raised in a U.S. ghetto as being all that far removed from being raised in a totalitarian state, but this is a different conversation topic, and I won't get too into it here).

"Gosh, Batman, how can we begin to deal with the root of this issue?"

"Well, we have two choices. We can assume that the drug user is a depraved, subhuman beast that deserves to suffer and be incarcerated (and maybe spit on, too), or we can try to find a way to either help them out of a nasty situation, or at least not make their plight any worse than it already is."

And we are making it worse, as a nation. As others have noted, legalization would cause prices to fall significantly (less drug related theft), end most related violence (as a smoker, I've never even been *tempted* to mug someone for a butt ;), and probably have significantly better quality, thereby alleviating many of the drug-related health concerns.

>> dollars EACH in medical care, btw.
>
>Exactly! And this is just one example of the victims. What about the extremely
                                              ^^^^^^^

If you have this take, look at DCF's comments on the topic. 'Nuff said.

>high rate of crime motivated by the need for drugs? I have personally been a

Is that 'high rate of crime' attributable to the drugs, the users, the dealers, the economic makeup of the illegal drug industry, the U.S.'s method of responding to what I will agree is a problem, public morality or what?
Saying that drugs cause crime is the equivalent of saying the welfare state causes poverty. Without looking too closely, both statements can seem true, and may have some validity for a particular situation, but is a vast, politically expedient oversimplification that paves the way for a lot of ruthless puritanical moralizing and self-righteous demonization, a lot of public expense in money, human life and human dignity, and a senseless rigidity in response to a situation that can be much better dealt with, any way you measure it.

>victim twice (theft of my car and *nice stereo system* and a breakin to my
>house where much was taken) in crimes which appeared to be motivated by the
                                             ^^^^^^^^^^^^^^^^^^^^

So drugs are nasty because you have lost something to someone who *might* have stolen because of dependency? "Hey - I think that Republican stole my wallet! Republicans should be illegal!" (Yes, I'm being snide, and no, I won't defend it. I think my point, that this is a rather lame, nonempirical appeal, should be clear. I must say that all of this is so basic that I think some sarcasm is not out of line.)

>the need for drugs. I don't see where legalizing drugs would motivate addicts
>to start working to legitimately pay for their habits.

Look harder.

>CJS

-j

From mccoy at io.com Tue Nov 22 10:53:06 1994
From: mccoy at io.com (Jim McCoy)
Date: Tue, 22 Nov 94 10:53:06 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To: <199411221805.KAA13533@netcom18.netcom.com>
Message-ID: <199411221852.MAA23899@pentagon.io.com>

jamesh at netcom.com writes:
[re: copyright stuff and remailers...]
> I vaguely remember something like this controversy occurring when
> the Xerox machine was new. Can anyone refresh my memory?

It is the same thing that happened with VCR machines (which actually went to court, Universal Pictures v. Sony) and recently with DAT systems. It is probably worth noting that reality _lost_ that last battle on this issue...
jim

From collins at newton.apple.com Tue Nov 22 11:07:24 1994
From: collins at newton.apple.com (Scott Collins)
Date: Tue, 22 Nov 94 11:07:24 PST
Subject: Brad Templeton, ClariNet, and remailers
Message-ID:

>Brad and ClariNet have already caused one remailer to go down (the
>operator of it has commented here before and of course can do so again
>if he sees this), and his comments Saturday night cause me to think he
>may be considering a test case of some sort. (He is fearful of losing
>his Associate Press/etc. franchise if he fails to enforce his rights.)

I might be the (ex-)remailer operator in question. I find Brad's lack of knowledge about remailers quite surprising in light of almost 4 hours of conversation devoted solely to this topic, by telephone, over the course of a month.

My summary analysis of Brad is: he'll try to scare/bully you into getting what he wants by citing (or imagining) laws upon which he will base prosecution. Prosecution never follows. If you debate his law, he resorts to "You are Netcom's customer; Netcom is my customer; if you want to remain Netcom's customer then you had better toe my line." Persecution of more or less potency always follows.

I try not to flame, but the greater my contact with Brad---the greater my disdain for him. He is an extremely small-minded man.

Brad can't yet even demonstrate a crime. He constantly reports remailer abuses in the form of AP Newswire articles distributed anonymously; and thus (_obviously_) stolen from ClariNet. The AP Newswire, however, is already distributed electronically and has a vast army of legitimate direct-subscribers. Brad never offers evidence that the posts actually come from ClariNet, and in fact ***he immediately deletes the posts whenever he sees them*** (and saves no copies!). I have no idea how or why he is allowed to do this. Though it certainly cuts down on `competition'.

............................................................
collins at acm.org
Scott Collins

From jamiel at sybase.com Tue Nov 22 11:10:53 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Tue, 22 Nov 94 11:10:53 PST
Subject: Admiral Inman
Message-ID:

At 10:50 AM 11/22/94, Jamie Lawrence wrote:
>I knocked this off Cypherpunks. It has no relevance there,

Er, I thought I did. Sorry all. It is the thought that counts, right?

-j

From jya at pipeline.com Tue Nov 22 11:32:47 1994
From: jya at pipeline.com (John Young)
Date: Tue, 22 Nov 94 11:32:47 PST
Subject: Brad Templeton, ClariNet, and remailers
Message-ID: <199411221931.OAA19013@pipe2.pipeline.com>

Responding to msg by collins at newton.apple.com (Scott Collins) on Tue, 22 Nov 11:5 AM

>My summary analysis of Brad is: he'll try to
>scare/bully you into getting what he wants by citing
>(or imagining) laws upon which he will base
>prosecution. Prosecution never follows. If you debate
>his law, he resorts to "You are Netcom's customer;
>Netcom is my customer; if you want to remain Netcom's
>customer then you had better toe my line." Persecution
>of more or less potency always follows.

A couple of months ago a registered threatening letter from who cares appeared near here about my posting a ClariNet article to this list. It was ignored and after a couple of weeks returned itself in shame. End of story.

Everyone knows I would never ever post copyrighted material to this list unless an insane over-riding out-of-control compulsion forced me to do so against the scientifically-rational self-preserving law-abiding judgment I've had rammed down my obedient brain since

From perry at jpunix.com Tue Nov 22 11:39:51 1994
From: perry at jpunix.com (John A. Perry)
Date: Tue, 22 Nov 94 11:39:51 PST
Subject: size restrictions on jpunix
Message-ID: <199411221931.NAA15293@jpunix.com>

-----BEGIN PGP SIGNED MESSAGE-----

Hello everyone,

Just a quick note to let you know that the 20k size restriction on messages has been lifted from the remailer at jpunix.com.
It caused more problems than it solved.

John A. Perry - KG5RG - perry at jpunix.com
WWW - http://jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.
PGP-encrypted e-mail welcome!
Finger kserver at jpunix.com for PGP keyserver help.
Finger remailer at jpunix.com for remailer help.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Finger kserver at jpunix.com for PGP keyserver help.
-----END PGP SIGNATURE-----

From adam at bwh.harvard.edu Tue Nov 22 12:05:12 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Tue, 22 Nov 94 12:05:12 PST
Subject: Guerrilla Remailers
In-Reply-To:
Message-ID: <199411222004.PAA08220@spl.bwh.harvard.edu>

| Has anyone else given thought to "Guerrilla Remailers?" Basically someone
| obtains an account on one of the freenets or similar free account, sets up
| a remailer and lets it sit for a while. (Until telnet and/or phone logs
| are overwritten) After this time frame the address of the remailer is
| posted. The remailer then would be used until it is shut down by the Powers
| that be. The account would be set up under a bogus name etc. This would
| make the remailer the ideal candidate for the last hop in a remailer chain.
| (After all if they can't find Juanna DuBone or Jack Mehoff they can't apply
| any pressure to them or hold them responsible. It seems to me the extent of
| pressure in this case would be just to shut down the remailer) Just keep a
| few ahead and keep leap frogging, as one is shut down another is put on line.

The freenet operators will, once they see their "no remailer" policy is being abused, simply prevent people from running arbitrary programs from accounts. This will stop them from using some of the most useful tools (procmail) out there.
The way to set up remailers is on a friendly host, such as C2.org. Let systems managers who are our friends shut down these fake account remailers.

Real remailers (with return address features) should probably be advertised in alt.support.* and alt.recovery, in order to build a class of "good" users for them. Nb, I don't see this use as superior to any other, I simply see it as being politically useful to provide anonymous services to a group of people who society seems to think should be anonymous.

"But Brad, you can't shut down my remailer. It's used to let victims of sexual abuse post anonymously to the net!"

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From nobody at nately.UCSD.EDU Tue Nov 22 12:27:37 1994
From: nobody at nately.UCSD.EDU (Anonymous)
Date: Tue, 22 Nov 94 12:27:37 PST
Subject: Freemon vs. AT&T
Message-ID: <9411222030.AA02758@nately.UCSD.EDU>

This is an excerpt from a Hearing Designation Order adopted by the FCC 20 July 1994 in the case of Freemon vs. AT&T. For more detail, try the FCC Web server: (http://fcc.gov:70/0/Orders/Common_Carrier/orcc4012.txt) I had not seen it mentioned here:

>4. The crux of the Freemons' complaint is the allegation that the
>AT&T operator who handled Elehue Freemon's May 30, 1988 call improperly
>interrupted and divulged the contents of his call and thus violated
>Section 705(a) of the Act. According to Mr. Freemon, AT&T's operator
>listened to their eight-minute conversation and then interrupted to ask
>Lucille Freemon if her son needed medical help. Mr. Freemon claims that
>he had already refused two offers of assistance by the operator and that
>the operator's subsequent actions were inappropriate.

At the outset, AT&T denies that [1] this ever happened and [2] if it did happen the FCC has no jurisdiction in this matter.

http://www.fcc.gov/ is the FCC Web Server address.
All men recognize the right of revolution; that is, the right to refuse allegiance to, and to resist the government, when its tyranny or its inefficiency are great and unendurable.
From Thoreau's "Civil Disobedience"

From rah at shipwright.com Tue Nov 22 12:34:36 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Tue, 22 Nov 94 12:34:36 PST
Subject: MEMS
Message-ID: <199411222033.PAA16199@zork.tiac.net>

At 9:15 PM 11/1/94 -0500, John Young wrote:

>Benevolent advances on the ankle monitors cherished by
>half-free culprits. Position indicators, DNA IDs, body
>condition monitors (drugs, anyone), Nicoderm patches, first put
>on soldiers for their protection and survival, to ease the way
>to more general acceptance, kind of like the G.I. Bill for
>tomorrow.

One of the first places I read about this personal transponder stuff was in a book by G.K. O'Neill, of space colony fame. The book _2081_ (published in 1981, obviously), talks among other things (he thought magnetic levitated trains in evacuated tunnels were *way* cool) about transponders, and the uses of them in all kinds of computing, including electronic commerce of a sort: pick up the object you want to buy in a store and walk out with it. The store's systems know what the object is, who you are, and sends a message to your bank to deduct the amount from your account. He thought we were going to have to give up privacy to get this boon (and others which I can't remember), but with PKC and blind signatures, we know better now.

Of course we also know now that he was copying Xerox PARC ubiquitous computing studies straight into his Apple II, but I had never heard of PARC, much less ubiquitous computing, and was amazed by the idea at the time.
Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com) "There is no difference between someone
Shipwright Development Corporation      who eats too little and sees Heaven and
44 Farquhar Street                      someone who drinks too much and sees
Boston, MA 02331 USA                    snakes." -- Bertrand Russell
(617) 323-7923

From jpinson at fcdarwin.org.ec Tue Nov 22 12:35:13 1994
From: jpinson at fcdarwin.org.ec (Jim Pinson)
Date: Tue, 22 Nov 94 12:35:13 PST
Subject: Snoop program for Linux
Message-ID:

Thought ya'll might want to know that the latest Slackware Linux distribution has a "ttysnoop" program that watches a user's login tty. I haven't tried it, and probably won't, but thought I'd pass it along.

Jim Pinson
Galapagos.

From jpinson at fcdarwin.org.ec Tue Nov 22 12:48:49 1994
From: jpinson at fcdarwin.org.ec (Jim Pinson)
Date: Tue, 22 Nov 94 12:48:49 PST
Subject: New remailer concept.
Message-ID:

It occurs to me that most people have more to fear from their neighbors, than they do from the powerful TLA's. Knowing that you are hunting for a new job is not important to the world at large, but could be embarrassing if your current employer found out. Likewise, the people most interested in knowing about that sex list you subscribe to are your coworkers.

The answer of course is encryption, but that is a problem when you are writing to your, well... , "crypto challenged" friends. Also, two way encrypted messages to most discussion lists is not possible (to my knowledge).

To address these problems I suggest the creation of "crypto remailers". They would work like this:

You subscribe to the remailer by sending a request including the account name you wish. This could be either a real name (jpinson) or a pseudonym (lizard). You would also include in the subscription request a copy of your public key.

Assuming there are no name collisions with existing users, you would get back a message of acceptance, and a copy of the remailer's public key.
To use the remailer, you would create a message containing as the first line a "request remail to: USERNAME", followed by your message. You then encrypt the message with the remailer's public key and send it to the "remail" account at the remailer.

The remailer then decodes the message you sent, and sends it to its destination as plain text. It sets the "from" field to your account name on the remailer.

The recipient of your message can then reply to your remail account in plain text, with no need for any "remail to " commands or special processing.

A .forward pipe on your remailer account would run a Perl script to encode the message to you with your public key, and send it to your real address. (for security it could set the "from" field to something other than your remail account name)

The advantage is that you have total protection at your end. All mail to and from the remail account is encrypted.

You could now subscribe to lists, and receive mail from lists, without your local administrator knowing anything about them. This last feature could be useful for students at universities that limit access.

Is there anything like this out there already?

Jim Pinson
Charles Darwin Research Station, Galapagos

From anonymous-remailer at shell.portal.com Tue Nov 22 13:03:50 1994
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Tue, 22 Nov 94 13:03:50 PST
Subject: C.I.D.
Message-ID: <199411222103.NAA22263@jobe.shell.portal.com>

Multiple recipients of list :

Some Happy Fool asked how we could defeat caller ID 'cause the *67 still sends along the calling number between switches (it just doesn't display it, but that is not the same as it not being available to the bad guys - *69 will still work, regardless).

The discussion should probably be taken off the list, so please direct replies to me personally (or better: let us know of a more appropriate forum.
I am disappointed in alt.hackers and 2600 really sucks, are there better places to go with this kind of stuff? Anybody?)

To Happy Fool et al:

I've got the specs for a program to use with your modem to generate what'll resemble a full CID. So with the computer set up to dial, even standard voice calls too and faxes, too, can be equipped with a fake field (or "header" if you will), displaying a homemade caller ID.

Since it uses the exact same structure as the real caller ID, no telco along the entire system will ever doubt it. I can send the full specifications if you are seriously interested in doing the code in full or in part. Sorry, I can't implement it myself (lack of skills).

If we get the thing running, it will dial any number and send the counterfeit header along with the call, making the telco switch believe it is dealing with a forwarded call. The beauty of it all is that this way, it will not insert its own header (it only does so when no previous CID header is detected).

This is not just for use on the U-S Signaling System 7, because SS7 is now an international standard. Many countries are far more computerized than the U-S. In parts of Europe, some 95% of all areas now have digital switches.

Caller ID is probably the most anticipated and feared part of these systems. This service, only available in digital areas, keeps track of the last 10 numbers that called and the time and date they did so.

Example: Let's say you are in a digital area. You call a friend with a caller ID device (costing ~=$40). Between the first and second ring, they have your number. It's as easy as that. He doesn't even have to pick up the phone. Even busy calls or calls where no-one is home are registered!

WARNING: When whole nations are digitalized, ANY system you call pegs you within 5 seconds of your call.

What about diverters, call forwarders and stuff like that? They won't work. To cheat them, you need to produce fake headers.
So if the software is not already written, let's write it. Volunteers?

 @@@@     This message has been brought to you by
@ .. @    PETE "THE WIMP" WATKINS...BASICALLY SPINELESS(tm)
| __ |
 \__/  <---Digitized representation of Pete Watkins

My e-mail address is

From hfinney at shell.portal.com Tue Nov 22 13:43:40 1994
From: hfinney at shell.portal.com (Hal)
Date: Tue, 22 Nov 94 13:43:40 PST
Subject: Borenstein Speech
In-Reply-To: <9411221814.AA23517@sulphur.osf.org>
Message-ID: <199411222143.NAA26523@jobe.shell.portal.com>

It's kind of ironic, because on the one hand Borenstein is using some nice technology which would lend itself very well to crypto protocols, electronic cash, and other privacy-protecting transactions. But it is being used to facilitate VISA card payments and many people have raised questions about the security of the system.

When you place an order, you get a safe-tcl style "enabled mail" message (which Tim would hate!). This is readable but if you have safe-tcl running it will actually pop up a dialog box or something which you can click on to confirm your payment. I think this would be a good thing for DigiCash to copy if/when they start supporting email transactions. It would be fun for Magic Money too.

Borenstein and First Virtual also have a whole set of MIME extensions for electronic transactions which might also serve as a model for more general types of payments. Maybe Rich could ask whether they are considering that. In general, FV has a lot of good ideas IMO, but it's too bad they are still tied to the old models of payment.

Hal

From merriman at metronet.com Tue Nov 22 13:55:03 1994
From: merriman at metronet.com (David K. Merriman)
Date: Tue, 22 Nov 94 13:55:03 PST
Subject: CID
Message-ID: <199411222155.AA12357@metronet.com>

>>I've got the specs for a program to use with your modem to generate
>>what'll resemble a full CID.
So with the computer set up to dial, even
>>standard voice calls too and faxes, too, can be equipped with a fake
>>field (or "header" if you will), displaying a homemade caller ID.
>>
>>Since it uses the exact same structure as the real caller ID, no telco
>>along the entire system will ever doubt it. I can send the full
>>specifications if you are seriously interested in doing the code in
>>full or in part. Sorry, I can't implement it myself (lack of skills).

I, for one, would be *very much* interested in receiving the specs and any additional information you could provide.

Dave Merriman (not _caring_ who you are, where you're from, etc :-)
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome and encouraged.
War is Peace. Freedom is Slavery. Ignorance is Strength. No?

From dps at kafka.atinc.com Tue Nov 22 13:57:06 1994
From: dps at kafka.atinc.com (Doug Shapter)
Date: Tue, 22 Nov 94 13:57:06 PST
Subject: Pentium bug and CRYPTO
In-Reply-To:
Message-ID:

On Wed, 23 Nov 1994, Chris Wedgwood wrote:

> chris.claborne at sandiegoca.ncr.com writes:
> [Will the following error (Re
> [Pentium Floating Point Bug ... cause problems with PGP key generation or]
> [any other normal operations with PGP or other crypto.]
>
> It shouldn't affect PGP in the slightest. It's a bug that affects only
> certain mantissas (23 are known so far) when doing a floating point divide
> (double precision).
>
> PGP doesn't use floating point for its big-numbers and it has no need for
> double precision. Since most versions of PGP compiled for Intel platforms
> will be of the MS-DOS or Windows variety then it is very unlikely that even
> floating point instructions will be used - emulation libraries will be used
> instead for floating point. NT is a slightly different matter - but as I
> said PGP doesn't use floating point for the key generation or ANY of the
> RSA/IDEA code....
>
> An interesting point about this rather obscure bug though. It won't affect
> over 99% of all Pentium machines in use. It won't affect word, windows or
> any of the other numerous programs that hold a large market share and
> high-usage stats.... but people making a big deal out of this and demanding
> fixes (I have heard new Pentiums don't do this and am going to test this
> next week) could cost Intel millions potentially..... and I doubt whether it
> would affect PovRay or whatever things people might actually use floating
> point for anyways....
>
> Serious scientific work could suffer severely, and since Intel boxes are good
> power for dollar there are quite a few used in various places for intensive
> calculations.... (e.g. seismic ray-tracing - but that's done on a 486-DX2-66
> machine because here in NZ they are about half the price of a Pentium so are
> even better value for money).
>
> Chris
>

Not much crypto relevance, but ...

We've been concerned about this bug for precisely that reason-- serious scientific work. We are contemplating purchasing a Pentium and running FreeBSD on it to do scientific computation and while Intel has "fixed" the fp problem, I wonder if there are others that have yet to be discovered. (As to why the bug slipped out from under Intel's quality control, another programmer here pointed out that default fp precision is 6 for a printf call and that the error occurs in the 7th decimal place. Coincidence? Chance? Grist for the conspiracy theory mill?)

Granted the bug won't affect PGP much, but you have to wonder about the integrity of a company that lets this kind of hardware slip out the door.
Doug Shapter
dps at kafka.atinc.com
finger dps at kryten.atinc.com for PGP public key

From hfinney at shell.portal.com Tue Nov 22 14:12:49 1994
From: hfinney at shell.portal.com (Hal)
Date: Tue, 22 Nov 94 14:12:49 PST
Subject: California Code online
Message-ID: <199411222212.OAA29561@jobe.shell.portal.com>

For the "book disadvantaged" among us, I saw a reference today to the California civil code online. It is at: http://www.law.indiana.edu/codes/ca/codes.html. The form of this URL suggests that other states might be there, too, but I didn't look. This is a very nice presentation, structured with each section in a separate page, and a nice table of contents. I was browsing the commercial code which has lots of interesting info on commercial paper and other subjects of interest with regard to digital cash.

Hal

From blancw at pylon.com Tue Nov 22 14:15:51 1994
From: blancw at pylon.com (blancw at pylon.com)
Date: Tue, 22 Nov 94 14:15:51 PST
Subject: Admiral Inman
Message-ID: <199411222216.OAA26367@deepthought.pylon.com>

Our enemies are industriously corrupting the language in order to make the ideas of liberty inexpressible.

In particular they are seeking to make the concepts behind the declaration of independence and the bill of rights unspeakable and therefore, they hope, unthinkable.
....................................................

Do you think that 'our enemies' are doing this consciously, purposefully, deliberately? Do you think that they know these concepts well enough to apprehend what it is about their meanings that should be corrupted? Do you think that, having understood what these concepts represent, they are in such abhorrence of them that the only thing they can do, short of physical fighting against the promoters of the concepts, is disorient everyone into a confused state of cognitive indeterminacy & inefficacy?

Maybe that's what happened to Inman during his rejection speech!
Blanc

From an234 at vox.xs4all.nl Tue Nov 22 14:18:34 1994
From: an234 at vox.xs4all.nl (N. Cognito)
Date: Tue, 22 Nov 94 14:18:34 PST
Subject: White Knight Remailers [was: Guerrilla Remailers]
Message-ID: <199411222219.AA17797@xs1.xs4all.nl>

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 22 Nov 1994, Adam Shostack wrote:

> Real remailers (with return address features) should probably
>be advertised in alt.support.* and alt.recovery, in order to build a
>class of "good" users for them. Nb, I don't see this use as superior
>to any other, I simply see it as being politically useful to provide
>anonymous services to a group of people who society seems to think
>should be anonymous.
>
> "But Brad, you can't shut down my remailer. Its used to let
>victims of sexual abuse post anonymously to the net!"

I have been thinking along these lines lately, too. The situation with the reputation of the twwells.com anon-server and its continued use in spite of those questions by under-informed individuals in the alt.sexual.abuse.recovery newsgroup have motivated me to do a couple of trial postings there. So far I have posted the "remailer.help.all" file from chaos.bsu.edu as a "how-to" and the most recent update posted here of Raph's Reliable Remailers List as a "where-to." Neither has generated any visible response in the newsgroup as of yet.

My thinking is that it would be a Good Thing to post this kind of information on a regular basis (weekly?) to some of the "support" and "recovery" newsgroups. Unless I begin drawing a lot of flames for inappropriateness, this is what I plan to do in the immediate future. Introducing the people using those groups to remailers, encryption, etc. would not only be helpful to them, but would also be helpful to the publicly perceived reputation of remailers, etc. in just the manner to which Adam alludes.

N. Cognito

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
N. Cognito               "Don't put no constrictions on da people.
an234 at vox.xs4all.nl     Leave 'em ta hell alone." -- J. Durante
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
public key available via keyserver

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From jamesh at netcom.com Tue Nov 22 14:24:49 1994
From: jamesh at netcom.com (James Hightower)
Date: Tue, 22 Nov 94 14:24:49 PST
Subject: Voice PGP, When?
Message-ID: <199411222224.OAA28601@netcom3.netcom.com>

Punksters;

Do we know when Voice PGP will be available? Can anyone point me to more info about it? I understand that "Call Security" does not include source, so I don't think I can consider using it.

I'm wondering if I should continue writing my own.

JJH

--
Relationships are like modular furniture...
Dardy Chang

From perry at imsi.com Tue Nov 22 14:37:40 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Tue, 22 Nov 94 14:37:40 PST
Subject: Voice PGP, When?
In-Reply-To: <199411222224.OAA28601@netcom3.netcom.com>
Message-ID: <9411222237.AA07082@snark.imsi.com>

James Hightower says:
> I'm wondering if I should continue writing my own.

Why not? Let a thousand flowers bloom...

.pm

From jwhull at cats.ucsc.edu Tue Nov 22 14:42:15 1994
From: jwhull at cats.ucsc.edu (jwhull at cats.ucsc.edu)
Date: Tue, 22 Nov 94 14:42:15 PST
Subject: PGP
Message-ID: <199411222152.NAA24748@am.ucsc.edu>

Hey y'all,

I saw Gengis Kahn's note on alt.usenet.kooks. Could you send me over your manifesto or what have you and anything accessible on PGP.

Thanks
Will Hull

From lmccarth at ducie.cs.umass.edu Tue Nov 22 15:00:14 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Tue, 22 Nov 94 15:00:14 PST
Subject: cyphertext-only remailers / cryptanalysis code ?
In-Reply-To: <199411222102.NAA26773@infinity.c2.org>
Message-ID: <199411222300.SAA27179@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Alex Strasheim writes:
> One solution that I've thought about is only passing messages which are
> composed of cyphertext. Does this make any sense?

This sounds useful, but I'm curious how you would enforce it. I would think you'd need to do some nontrivial statistical analysis to be reasonably sure you weren't allowing various binaries, uuencoded files, etc. with faked PGP headers, without preventing people from using other encryption schemes. I'd say this is the flip side of the challenge faced by governments trying to outlaw transmissions using strong crypto.

Incidentally, I'd love to get pointers to online pieces of code which perform various statistical tests on data to find patterns characteristic of particular encryption schemes, &c. for cryptanalysis. I want to cryptanalyze a couple of encryption algorithms and would like to do some experimental work. Please send me mail directly and I will summarize to the list later on. My starting points are Applied Crypto, the CEB, and Tim's Cyphernomicon.

-L.
Futplex McCarthy; use "Subject: remailer-help" for an autoreply
PGP key by finger or server; "Better watch what you say, or they'll be calling
you a radical...a liberal" --Supertramp "[CIA/KGB mole Aldrich Ames] took
information in shopping bags out the front door" --miscellaneous Congressperson

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
-----END PGP SIGNATURE-----

From anonymous-remailer at xs4all.nl Tue Nov 22 15:20:25 1994
From: anonymous-remailer at xs4all.nl (Name withheld on request)
Date: Tue, 22 Nov 94 15:20:25 PST
Subject: Guerilla Remailers
Message-ID: <199411222321.AA23584@xs1.xs4all.nl>

> From: skaplin at skypoint.com (Samuel Kaplin)
> Has anyone else given thought to "Guerrilla Remailers?" Basically someone
> obtains an account on one of the freenets or similar free account, sets up
> a remailer and lets it sit for a while. (Until telnet and/or phone logs
> are overwritten) After this time frame the address of the remailer is
> posted. The remailer then would be used until it is shut down by the Powers
> that be. The account would be set up under a bogus name etc. This would

I think such a scheme would be limited by how difficult it is to integrate the remailer software into the Freenet mail routines. Most Freenets (at least Toronto, Buffalo do) use a generic type of software, Freeport, developed by the Cleveland Freenet. I'd need other's comments as to how easy it is to configure the remailer software to integrate with the Freeport software that you get a working remailer. If that step is possible, then yes, it is certainly possible to set up a guerilla remailer.

> make the remailer the ideal candidate for the last hop in a remailer chain.
> (After all if they can't find Juanna DuBone or Jack Mehoff they can't apply

Both Cleveland and Buffalo, at last check simply require you to send in a
signed form (that you can capture when you log in) as to your age, address,
etc. No photo ID (ie Drivers license etc) is required so a phoney account is
relatively easy to set up.....I know...I had one on the Buffalo Freenet until
certain anarchistic activities got it canned :>.

However....here is another interesting point. I'm a Canadian, living across
the border basically from Buffalo and Cleveland. Not only would the
authorities be unable to do anything due to it being a phoney account, but
being across the border would also place me beyond the pale of the U.S.
authorities even if I actually was ever tracked down. All that would happen
is the account would be shut down. Same for a U.S. resident utilizing the
Toronto, Victoria or Ottawa Freenets.

Overall, this is an interesting concept and I'd be willing to give it a shot.
The key facet of it is whether we can configure the Freeport software with
the remailer software.....or vice-versa.

From m5 at vail.tivoli.com Tue Nov 22 15:22:08 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Tue, 22 Nov 94 15:22:08 PST
Subject: C.I.D.
In-Reply-To: <199411222103.NAA22263@jobe.shell.portal.com>
Message-ID: <9411222321.AA10063@vail.tivoli.com>

[ I tried direct mail, but I haven't the energy to investigate why it
didn't work. This is as relevant to the list as the drug war, at
least :-) ]

How exactly are you going to transmit the synthesized caller ID
information from the subscriber equipment up the line to the local CO
when that local CO has no expectation whatsoever of seeing the
information in the first place? In other words, what existing
signalling facility are you going to spoof?

The caller ID information originates at the local CO, not at the
subscriber drop.
Between the time you complete dialing and the time at which a connection is established, the local CO is not listening to the subscriber line. Caller ID information is delivered from the remote CO to the called subscriber between the first and second ring pulses. How are you going to get your data there? Note that I could be wrong; if you know how or why my above assertions are wrong, I'd love to be corrected :-) | GOOD TIME FOR MOVIE - GOING ||| Mike McNally | | TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: | | (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" | From bdolan at use.usit.net Tue Nov 22 15:30:30 1994 From: bdolan at use.usit.net (Brad Dolan) Date: Tue, 22 Nov 94 15:30:30 PST Subject: Admiral Inman In-Reply-To: <199411222216.OAA26367@deepthought.pylon.com> Message-ID: I think some groups actually do deliberately manipulate language. Not commenting on the validity of the positions presented but only the tactic: it seems clear to me that the entry of the term and concept of "homophobia" into public discourse has helped manipulate the debate. I'm pushing the term "hoplophobia" myself. ;-) Brad On Tue, 22 Nov 1994 blancw at pylon.com wrote: > Our enemies are industriously corrupting the language > in order to make the ideas of liberty inexpressible. > > In particular they are seeking to make the concepts > behind the declaration of independence and the bill of > rights unspeakably and therefore, they hope, > unthinkable. > .................................................... > > Do you think that 'our enemies' are doing this consciously, > purposefully, deliberately? Do you think that they know these > concepts well enough to apprehend what it is about their > meanings that should be corrupted? 
Do you think that, having
> understood what these concepts represent, they are in such
> abhorrence of them that the only thing they can do, short of
> physical fighting against the promoters of the concepts, is
> disorient everyone into a confused state of cognitive
> indeterminacy & inefficacy?
>
> Maybe that's what happened to Inman during his rejection
> speech!
>
> Blanc
>
>

From usura at xs4all.nl Tue Nov 22 15:36:11 1994
From: usura at xs4all.nl (Alex de Joode)
Date: Tue, 22 Nov 94 15:36:11 PST
Subject: Brad Templeton, ClariNet, and remailers
Message-ID: <199411222337.AA25145@xs1.xs4all.nl>

In article you stated:

: I might be the (ex-)remailer operator in question. I find Brad's lack of
: knowledge about remailers quite surprising in light of almost 4 hours of
: conversation devoted solely to this topic, by telephone, over the course of
: a month.

My remailers have been used several times, to redistribute ClariNet
articles, apparently ClariNet has a "snitch"-line where people can
mail to get a reward, some people have the courtesy to inform the
remail-operator that they have done so.

I have *never* received any request for information from ClariNet.
(maybe because my 5-line disclaimer says it all: the account used was an
anonymous-remailer: so if you do not like that, start your own !!)

Regz,
--
Exit! Stage Left.
Alex de Joode

From rishab at dxm.ernet.in Tue Nov 22 16:03:49 1994
From: rishab at dxm.ernet.in (rishab at dxm.ernet.in)
Date: Tue, 22 Nov 94 16:03:49 PST
Subject: DC-Net implementation
Message-ID:

acspring at knoware.nl (Andrew Spring):
> >Using a central node to coordinate the DC-net traffic requires that the
> >participants trust that central node. If the central node is evil,
> A collation of N-1 nodes will always produce garbage; the whole set is
> needed for the message to fall out.
> Example
> ...
> A sends 14 - 5 = 9 to Central node > B sends 5 - 11 = -6 Central nodes are not nice for various reasons, including the usual networking and security (trust) advantages of wide distribution. IAC a central node is not necessary; for example, if each node were to output to the next: B sends Anum XOR Brnd (XOR msg) to C where Brnd is B's random number, msg is B's message (if any) and Anum is the similarly generated output of A. This is much closer to the original DCNet _bit_ flipping - the first XOR checks for equality while the second commits the 'lie' In this case whatever number A gets from D is the output of the net. There are lots of interesting cryptographic sub-protocols to make too much trust unnecessary. I also believe that error-correction is best left to lower levels of the network - there's no need for a DC Net not to assume a reliable data channel. ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From rah at shipwright.com Tue Nov 22 16:06:16 1994 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 22 Nov 94 16:06:16 PST Subject: Voice PGP, When? Message-ID: <199411230004.TAA25410@zork.tiac.net> At 5:37 PM 11/22/94 -0500, Perry E. Metzger wrote: >James Hightower says: >> I'm wondering if I should continue writing my own. > >Why not? Let a thousand flowers bloom... Remembering of course what happened when these words were last used seriously... ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) "There is no difference between someone Shipwright Development Corporation who eats too little and sees Heaven and 44 Farquhar Street someone who drinks too much and sees Boston, MA 02331 USA snakes." 
-- Bertrand Russell (617) 323-7923 From fhalper at pilot.njin.net Tue Nov 22 16:09:49 1994 From: fhalper at pilot.njin.net (Frederic Halper) Date: Tue, 22 Nov 94 16:09:49 PST Subject: Remailer FAQ? Message-ID: <9411230009.AA08618@pilot.njin.net> Anyone know of a Frequently Asked Questions on remailers? Where is it available? Thanks, -R --------------------------------------------------------------------------------- Reuben Halper I'm not growing up, I'm just burnin' out." Montclair High - Green Day - Montclair, NJ E-mail: fhalper at pilot.njin.net PGP 2.6ui Public Key available upon request --------------------------------------------------------------------------------- From cactus at bb.hks.net Tue Nov 22 16:38:47 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Tue, 22 Nov 94 16:38:47 PST Subject: DNA solution to Hamiltonian circuit? In-Reply-To: Message-ID: <3au36p$9m@bb.hks.net> In article , cjl wrote: >It's in the Nov. 11 issue of Science, accompanied by a nice Perspectives >piece that someone with a better appreciation of the math might be able >to understand. Yup. Anybody who wants a copy, send me mail. I'll also be putting it up on the Web once I finish typing it in. -- Todd Masco | According to the US dept of Justice Statistics, 3.98% of the cactus at hks.net | US population is in prison -- the highest ratio in the world. There's no place... From dave at esi.COM.AU Tue Nov 22 17:09:11 1994 From: dave at esi.COM.AU (Dave Horsfall) Date: Tue, 22 Nov 94 17:09:11 PST Subject: Pentium bug and CRYPTO In-Reply-To: <199411220139.RAA05434@netcom19.netcom.com> Message-ID: On Mon, 21 Nov 1994, Mike Duvos wrote: > Most other crypto should be fine as well. Crypto is pretty much > an integer exercise. I'd be horrified if a crypto implementation used floating point, with the implied imprecision... -- Dave Horsfall (VK2KFU) | dave at esi.com.au | VK2KFU @ VK2AAB.NSW.AUS.OC | PGP 2.6 Opinions expressed are mine. 
| E7 FE 97 88 E5 02 3C AE 9C 8C 54 5B 9A D4 A0 CD

From abostick at netcom.com Tue Nov 22 18:17:52 1994
From: abostick at netcom.com (Alan Bostick)
Date: Tue, 22 Nov 94 18:17:52 PST
Subject: Admiral Inman
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article , you wrote:

> At 10:50 AM 11/22/94, Jamie Lawrence wrote:
> >I knocked this off Cypherpunks. It has no relevance there,
>
> Er, I thought I did. Sorry all.
>
> It is the thought that counts, right?
>
> -j
>
>
>

Well, it certainly is a new twist on the "Let's kill this crypto-irrelevant
thread after I've said my piece" trope.

                            | "Let he that is without sin throw the first
Alan Bostick                | stone."
abostick at netcom.com      |
finger for PGP public key   | "Hey, cut it out, Mom!"
Key fingerprint:            |
50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79
+legal_kludge=off

From wcs at anchor.ho.att.com Tue Nov 22 18:41:46 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Tue, 22 Nov 94 18:41:46 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
Message-ID: <9411230239.AA28785@anchor.ho.att.com>

Adam Shostack writes, incorrectly (:-)) :
> Brad is in the 'intellectual property' business. He makes his
> money selling access to information. There is an entire parasitic
> class that does nothing useful, but makes money from the idea of
> copyright. (Most entertainment industries operate like this.
[ Economic and political descriptions and predictions deleted. ]

Brad's really in the information collection, sorting, and distribution
business, which relies primarily on contractual agreements rather than
copyright.
The newswire services, like AP and Reuters, sell their news stories to newspapers, who print them on paper, and don't redistribute the raw feeds to other places mainly for contractual reasons; otherwise the AP and Reuters would sell them news service. Sure, copyright laws reduce the number of newspaper readers who cut the stories out and sell them to newspapers themselves, but those cutout stories are something far worse than copyright violations - they're Yesterday's News, and hence not worth much. In Brad's business, he buys the wire service reports and sells them to *his* customers, who also agree not to redistribute them without paying Brad and/or the wireservices their fees. Anybody who rips off one of his stories is either violating a contract with Brad, or perhaps with his/her network provider, assuming the network provider has done a proper job of contracting about such items. Unlike newspaper stories, however, stolen Clarinet stories are Five Minutes Ago's news, which may still be worth something. As far as the Marxist-drivel "middlemen are parasites" argument goes, in old-style physical stuff businesses, you had workers who really made stuff, bosses who decided what stuff to buy and bought the raw materials, money-lenders who loaned money to bosses (*with varying splits of the risk), distributors and salesmen who helped stuff-users and stuff-makers get together, and truckers who brought the stuff to the users. NONE of them are inherently parasitic, and markets find ways to avoid paying for parasites because they cost more money than the "services" they may provide - the main parasites in those businesses were the folks who got their cut by threatening to use violence against people who didn't pay them - like tax-collectors and Mafiosi and some of the union folks (not most of them, most years.) In the information business, many of the same people are around, in similar functions. 
You've got information-generating workers, bosses, venture capitalists,
salesdroids, distributors, internet-providers, and the like.
The differences are fuzzier - sorting through information to find
*interesting* information is somewhat like generation and somewhat like
distribution.

I tend to agree with Adam's dislike of "intellectual property", since
having a copy of a piece of information doesn't deprive the original
holder of his/her copy, and if it's an invalid concept, then some use of
intellectual property laws (and the government force threat behind them)
can be parasitic and abusive - but on the other hand, the so-called
"parasites" are usually the information-generating workers themselves
or folks who've paid those workers money in return for the privilege of
exploiting their work - so be careful who you insult!

In the music industry, the reason modern artists have much less need for
the producers and distributors and moneylenders isn't because all those
people are unnecessary parasites - they were there because they were
providing useful services for the artists and/or consumers. The change
is because technology has altered the economics of production and
distribution, and the services that they used to provide, which were
critical at the time, are less useful now because we have other ways to
get similar functions done at lower cost.

Bill Stewart, Anarcho-Capitalist for Sale or Rent.....

From brad at alto.clarinet.com Tue Nov 22 19:09:31 1994
From: brad at alto.clarinet.com (Brad Templeton)
Date: Tue, 22 Nov 94 19:09:31 PST
Subject: A Chance Encounter with Brad Templeton, of ClariNet
In-Reply-To: <9411230239.AA28785@anchor.ho.att.com>
Message-ID: <9411221908.aa26411@alto.clarinet.com>

Besides, those of us in the parasitic class sometimes actually do something.
In my case I have a staff of editors who read the news and say, "There's
a story about the internet" and put tags on it which our readers find useful.
So we are middlemen, but sometimes middlemen do things. And so they always will. It is folly to suggest that in the information marketplace that there will be a direct channel from authors to readers. Readers want more than what authors produce, and authors are not interested in "doing it all" to reach the level that readers want. So somebody will do this extra work, and they may be paid by authors, or they may be paid by readers, but they will exist and will be paid. Until perhaps the day we have AIs to do all that, and that's a long way away. We parasites do some surprising things. I mean all this info existed before I brought it to the net, but I'm the one who made it come to the net, and people pay me for doing that. It was a non-trivial amount of work, in software and in parasitic deal-making. From adam.philipp at ties.org Tue Nov 22 19:20:43 1994 From: adam.philipp at ties.org (Adam Philipp) Date: Tue, 22 Nov 94 19:20:43 PST Subject: San Diego CYPHERPUNKS symposium (11/30) ID & Fingerprint Message-ID: >How is the person who stands up identified? If the group is small (I expect >less than 10 people) then there is no problem with handing a fingerprint and >a fist full of ID to each person at the table, one at a time. This worked quite well last time, also considering that many of the attendees seem to be repeats there is hardly a need to go through the permutations with every person present. I'll be the one wearing the black motorcycle jacket with a painting of Georgia O'Keefe's "Red White and Blue Cow Skull" on the back. I'll also be holding drafts of a handbook on intellectual property consideration for crypto-system developers/users. Don't ask for it until the meeting, it isn't nearly finished. Adam Philipp -- PGP Key available on the keyservers. Encrypted E-mail welcome. Sub rosa: Confidential, secret, not for publication. 
-Black's Law Dictionary

From alex at omaha.com Tue Nov 22 19:42:36 1994
From: alex at omaha.com (Alex Strasheim)
Date: Tue, 22 Nov 94 19:42:36 PST
Subject: cyphertext-only remailers / cryptanlysis code ?
In-Reply-To: <199411230309.VAA01248@omaha.omaha.com>
Message-ID: <199411230343.VAA01315@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

> > One solution that I've thought about is only passing messages which are
> > composed of cyphertext. Does this make any sense?
>
> This sounds useful, but I'm curious how you would enforce it. I would think
> you'd need to do some nontrivial statistical analysis to be reasonably sure
> you weren't allowing various binaries, uuencoded files, etc. with faked PGP
> headers, without preventing people from using other encryption schemes. I'd
> say this is the flip side of the challenge faced by governments trying to
> outlaw transmissions using strong crypto.

I realize I can't enforce this perfectly. My goal isn't to force people
to use encryption, it's to cut down on my risk as a remailer operator.

Basically, I'm going to make sure that there are headers, a pgp version
number, and that there are no obvious problems with the text (ie. no
whitespace, full length lines, etc.)

Someone who really wanted to make trouble for me could still do it with my
remailer, but I think that someone who wanted to mail death threats or
post forbidden material would probably use another remailer as the final
hop.

Your letter has brought a fairly serious flaw in my plan, though: it's
possible to simply ascii-armor a binary with PGP isn't it? A brief scan
of the pgp docs hasn't revealed the command, so I can't tell what an
ascii-armored binary looks like, but I'll bet it's just like cyphertext.
That means I'll probably have to read the ascii-armor if I want to do this.

==
Alex Strasheim   | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1.
public key

From cwalton at earthlink.net Tue Nov 22 20:01:07 1994
From: cwalton at earthlink.net (Conrad Walton)
Date: Tue, 22 Nov 94 20:01:07 PST
Subject: Cell Phones Security - NOT!
Message-ID:

At 10:34 PM 11-21-94 -0500, Mark Terka wrote:
>As one who will be shopping for a cell phone in the next week, what should
>I look for in terms of security? What features are available in phones on
>the market....if any?

Well, as one who owns an AOR 1000 radio frequency scanner that can receive
any and all cell phone conversations, I would have to say you have no
security unless you use some kind of voice encryption.

In order to make you feel warm and safe, the manufacture or importation
of scanners with cell phone capability was outlawed by congress earlier
this year, which means that I can still listen to your call with my
existing scanner while you feel protected.

I bought guns with high capacity magazines this year after they were banned
also. I wish I had enough money to buy a good assault rifle before they're
all over priced (they'll never be all gone, just over priced.)

Conrad Walton
cwalton at earthlink.net
****************************************************************
"The most foolish mistake we could possibly make would be to allow
the ... people to carry arms.
-- Adolph Hitler, Edict of March 18, 1938

From skaplin at skypoint.com Tue Nov 22 20:39:06 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Tue, 22 Nov 94 20:39:06 PST
Subject: Brad Templeton, ClariNet, and remailers
In-Reply-To: <199411222337.AA25145@xs1.xs4all.nl>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199411222337.AA25145 at xs1.xs4all.nl>, you wrote:

> I have *never* received any request for information from ClariNet.
> (maybe because my 5-line disclaimer says it all: the account used was an
> anonymous-remailer: so if you do not like that, start your own !!)

It also probably helps that you are well out of the reach of the U.S. legal
system. This probably makes it not worth pursuing.

==============================================================================
The secret of success is sincerity. Once you can fake that you've got it made.
- Jean Giraudoux
==============================================================================
skaplin at skypoint.com                  | "...vidi vici veni" - Overheard
                                        | outside a Roman brothel.
PGP encrypted mail is accepted and      |
preferred.                              | Change is the only constant in the
                                        | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or |
Finger skaplin at mirage.skypoint.com   | Smile!! Big brother is watching.
==============================================================================

From alex at omaha.com Tue Nov 22 20:47:01 1994
From: alex at omaha.com (Alex Strasheim)
Date: Tue, 22 Nov 94 20:47:01 PST
Subject: New remailer concept.
In-Reply-To: <199411230329.VAA01286@omaha.omaha.com>
Message-ID: <199411230447.WAA01411@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

> The answer of course is encryption, but that is a problem when
> you are writing to your, well... , "crypto challenged"
> friends. Also, two way encrypted messages to most discussion
> lists is not possible (to my knowledge).

I hacked up some simple stuff which lets you read and send mail from a
remote unix account. It's not exactly what you want, but it's pretty easy
to do. (This stuff is pretty trivial, so if that bothers you, don't read
on.)

This lets you get an account on a freenet like nyx which will respect
your privacy, and use that address to communicate to the rest of the
world.

First of all, I used filter and a sh script called secsh which allows me
to mail and execute arbitrary sh scripts on the remote account, provided
that they bear a valid, authorized pgp signature. If incoming mail has a
trigger word in the subject line, it gets piped into a script which checks
the sig and runs it if the sig checks out.

Here's secsh:

#!/bin/sh
PGP=/usr/local/bin/pgp        # the location of pgp
PGPPATH=wherever              # the location of config.txt
export PGPPATH                # and pubring.pgp
PATH=a copy of your path
export PATH
trap 'rm -f /tmp/ss$$; exit 1' 1 2 15
if ($PGP -f +batchmode < $1 > /tmp/ss$$ 2>/dev/null)
then
/bin/sh /tmp/ss$$
fi
rm /tmp/ss$$

It's a good idea to point PGPPATH at a special pgp dir, because this will
pass any script with a sig that validates with any key on your keyring.

I use another script, mlscpt, which looks sort of like a dumb version of
the mail command. It takes a destination address and a subject as input,
and reads incoming mail from stdin. A sh script which extracts and mails
the letter is emitted to stdout.
Here's mlscpt:

#!/bin/sh
echo "#!/bin/sh
sed -e '/BEGINCRM/d' -e '/ENDCRM/d' << \End_of_File | mail -s '$2' $1
BEGINCRM"
cat
echo "ENDCRM
End_of_File"

You can use another, trivial script, to call mlscpt, sign the result, and
mail it off to the remote account. Mine uses a dummy key to encrypt the
output, for no good reason: the secret key, which isn't protected with a
passphrase, is on the remote account's key ring, so it unwraps
automatically. Here trigger stands for the trigger word which causes the
incoming mail to be fed into secsh:

#!/bin/sh
mlscpt "$1" "$2" | pgp -efs dummy | mail -s trigger account at domain.edu
echo " "

It's also trivial to cause incoming mail to be encrypted and forwarded to
your home account, but I can't find mine and I'm too lazy to look up the
PGP command args which are needed.

I used to use something similar to mlscpt as a "return address" for the cp
remailer system: I'd send people a script which would append a header to
their letter and send it off to the first remailer on the chain. I quit
using it because lots of sensible people were reluctant to run strange
scripts which they had received from some anonymous guy through a remailer.

==
Alex Strasheim   | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1.
public key

From joshua at dee.retix.com Tue Nov 22 21:02:23 1994
From: joshua at dee.retix.com (joshua geller)
Date: Tue, 22 Nov 94 21:02:23 PST
Subject: Admiral Inman
In-Reply-To: <01HJRVB367FO001OVV@MR.STANFORD.EDU>
Message-ID: <199411230503.VAA21941@sleepy.retix.com>

> In list.cypherpunks, jgrubs at voxbox.norden1.com writes:
> > jamiel at sybase.com (Jamie Lawrence) writes:
> >> It does amaze me that what can be a victimless activity is such
> >> a hotbutton.
> > Drugs are victimless? What about crack babies, which cost a million
> > dollars EACH in medical care, btw.
> Exactly! And this is just one example of the victims. What about the extremely
> high rate of crime motivated by the need for drugs? I have personally been a
> victim twice (theft of my car and *nice stereo system* and a breakin to my
> house where much was taken) in crimes which appeared to be motivated by the
> the need for drugs. I don't see where legalizing drugs would motivate addicts
> to start working to legitimately pay for their habits.

if drugs were legal, they would be cheap, thus addicts could afford them
more readily. this is easily seen in countries which do tolerate drugs.

josh

From jdwilson at gold.chem.hawaii.edu Tue Nov 22 21:37:32 1994
From: jdwilson at gold.chem.hawaii.edu (NetSurfer)
Date: Tue, 22 Nov 94 21:37:32 PST
Subject: Pentium bug and CRYPTO
In-Reply-To: <9411220104.AA13269@hodge-podge.MIT.EDU>
Message-ID:

On Mon, 21 Nov 1994, Derek Atkins wrote:

> This floating point bug is only in double-precision floating-point
> division. No division is used in RSA Key Generation, RSA Encryption,
> or RSA Decryption, so this bug should not cause any problems in PGP.

Some time ago I checked with Mr.
Z as to whether PGP was integer arithmetic and was told yes. This seems to confirm the above. -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From cactus at bb.hks.net Tue Nov 22 22:28:39 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Tue, 22 Nov 94 22:28:39 PST Subject: DNA Computation paper on Web. Message-ID: <199411230633.BAA04092@bb.hks.net> Adleman's paper can now be found at http://www.hks.net/~cactus/doc/science/molecule_comp.html All typos are mine, Todd Masco, cactus at hks.net. Please send any corrections to me. -- Todd, cactus at hks.net (I'll be mailing out the Perspectives part tomorrow to anybody who's asked. Since I'm less certain of the copyright issues on that part, I'm only going to send that to individuals rather than putting it up on the web). From lcottrell at popmail.ucsd.edu Tue Nov 22 23:20:26 1994 From: lcottrell at popmail.ucsd.edu (Lance Cottrell) Date: Tue, 22 Nov 94 23:20:26 PST Subject: REMAILER PROPOSAL Message-ID: >If the Spoon-E Issuer is an opponent, you have far worse problems >than mere identification. That is why I specified that the >Issuer would be a creature of the Electronic Mail Forwarders >Guild. The Issuer would be chosen by the remailer operators whom >it served. It is quite a stretch to assume that Guild members >would choose someone that untrustworthy. Given that level of >paranoia, it would be advisable to avoid the use of any remailer. >After all, it is theoretically possible the *every* remailer in a >chain--no matter how long--could be compromised. One might as >well find a "flaw" with all remailers by assuming an opponent who >could read minds. 
I don't think either threat is credible.
>
>
> S a n d y
>

I disagree with your assessment of the situation. The "Electronic Mail
Forwarders Guild" is not made of mind readers, they are capable of error.
You assume that an operator would appear to be untrustworthy. I think that
is a poor assumption. As an example, I have been talking to John Perry
quite a bit lately, he has been of great help to me, his heart seems to be
in the right place, he is certainly militant enough about remailer
security. I am not at all convinced that he has not been compromised
(nothing personal John). It simply does not require that good an actor.
If a TLA wished to infiltrate us, the traitor would seem very trustworthy,
gung ho, and paranoid.

I think that the odds of the "Electronic Mail Forwarders Guild" choosing a
compromised Spoon-E Issuer is much greater than the odds that all members
of some subset of my choosing have been compromised.

The system you proposed is interesting, and worthy of discussion, but I
will not actually use any system where I must put identifying information
in each packet. There are ways of implementing postage which do not
require this compromise. Blind signed tokens is one method. Having the
user pay the first remailer, with remailers charging each other a reduced
rate for forwarding is another.

You make no mention of my scheme for making your system completely secure
(I think). It should not be too difficult to implement, given the software
you would already need for Spoon-Es.

--------------------------------------------------
Lance Cottrell who does not speak for CASS/UCSD
loki at nately.ucsd.edu
PGP 2.6 key available by finger or server. Encrypted mail welcome.
Home page http://nately.ucsd.edu/~loki/
Home of "chain" the remailer chaining script.
For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help

"Love is a snowmobile racing across the tundra. Suddenly it flips over,
pinning you underneath. At night the ice weasels come."
--Nietzsche

From lmccarth at ducie.cs.umass.edu Tue Nov 22 23:22:49 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Tue, 22 Nov 94 23:22:49 PST
Subject: Freenet Remailers
In-Reply-To: <199411222321.AA23584@xs1.xs4all.nl>
Message-ID: <199411230723.CAA29935@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Name withheld on request writes:
> Most Freenets (at least Toronto, Buffalo do) use a generic type of software,
> Freeport, developed by the Cleveland Freenet. I'd need others' comments
> as to how easy it is to configure the remailer software to integrate with
> the Freeport software that you get a working remailer.
>
> If that step is possible, then yes, it is certainly possible to set up a
> guerilla remailer.

OK, can you (or someone else) tell us more about this Freeport mail app ?
On which platform(s) does it run ? Can it be (or could it be arranged to be)
found on a FTP site somewhere ?

- -L. Futplex McCarthy "...so cool & calculated alone in the modern world"

From lmccarth at ducie.cs.umass.edu Wed Nov 23 00:15:56 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Wed, 23 Nov 94 00:15:56 PST
Subject: White Knight Remailers
In-Reply-To: <199411222219.AA17797@xs1.xs4all.nl>
Message-ID: <199411230816.DAA00313@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Adam Shostack writes:
[oddly, I never received the original copy of this; I seem to be missing
list messages with increasing frequency recently :( ]
> Real remailers (with return address features) should probably
> be advertised in alt.support.* and alt.recovery, in order to build a
> class of "good" users for them.
[...]

I commend Ed Carp for his endeavors in this regard; IMHO he's done a splendid job of both advertising and explaining his remailer in asar (name is a relic, it would be in alt.recovery.* if it were created today). khijol seems to command a fair amount of respect there. I think he's seen as part of the community, so to speak, and that helps a great deal. I hoped to participate more actively in asar when I cranked up underdog, but other tasks have distracted me.

> "But Brad, you can't shut down my remailer. It's used to let
> victims of sexual abuse post anonymously to the net!"

This line of defense appeals, but the technical details seem to tell against it. :[ Remailers can quite easily be modified only to post to select groups, so posting to Usenet in general is tough to defend this way. Even then, someone could decide to repost all of clari.news.sex to asar, which would probably piss off everyone in asar as well as BT. Meanwhile, there's no way to restrict use of a remailer to private mail on certain topics, unless you take a page from Bill Wells' book and monitor all the traffic. :<

N. Cognito writes:
> So far I have posted the "remailer.help.all"
> file from chaos.bsu.edu as a "how-to" and the most recent update
> posted here of Raph's Reliable Remailers List as a "where-to."
> Neither has generated any visible response in the newsgroup as of yet.
> My thinking is that it would be a Good Thing to post this kind of
> information on a regular basis (weekly?) to some of the "support" and
> "recovery" newsgroups. Unless I begin drawing a lot of flames for
> inappropriateness, this is what I plan to do in the immediate future.

I concur. I recommend directing followups to asar.d (full name is "alt.sexual.abuse.recovery.d") to avoid flames. IMHO John Grohol's Pointers to Psychology & Support Newsgroups biweekly posting establishes a good paradigm.
If this hasn't already been done, it would be nice to compile some things like remailer.help.all at chaos and remailer-list at kiwi into an official biweekly FAQ posting to alt.privacy.anon-server, alt.anonymous.messages, alt.answers, and news.answers. (N.B. Crossposting of *anything* in asar is generally taboo. I think the Pointers to Psych Groups list gets away with it, using followups out of asar.)

-L. Futplex McCarthy; use "Subject: remailer-help" for an autoreply
PGP key by finger or server;
"Better watch what you say, or they'll be calling you a radical...a liberal" --Supertramp
"[CIA/KGB mole Aldrich Ames] took information in shopping bags out the front door" --miscellaneous Congressperson

From skaplin at skypoint.com Wed Nov 23 00:42:22 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Wed, 23 Nov 94 00:42:22 PST
Subject: Freenet Remailers
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199411230723.CAA29935 at ducie.cs.umass.edu>, you wrote:
> [BEGIN PGP SIGNED MESSAGE]
> Name withheld on request writes:
> > Most Freenets (at least Toronto, Buffalo do) use a generic type of software,
> > Freeport, developed by the Cleveland Freenet. I'd need other's comments
> > as to how easy it is to configure the remailer software to integrate with
> > the Freeport software that you get a working remailer.
> >
> > If that step is possible, then yes, it is certainly possible to set up a
> > guerilla remailer.
>
> OK, can you (or someone else) tell us more about this Freeport mail app ?
> On which platform(s) does it run ? Can it be (or could it be arranged to be)
> found on a FTP site somewhere ?
>
> -L.
Futplex McCarthy "...so cool & calculated alone in the modern world"

This was the most informative info I could find on the gophers. I have sent mail to freeport-info at po.cwru.edu to get more specifics. I will post them when they come in.

----------------------
Understanding FreePort
----------------------

Andrew Patrick
National Capital Freenet
August 18 1993

History of FreePort Software
- - developed at CWRU by a variety of people
- - design objectives
    - use standard Unix software where possible
    - use network environment & multiple servers
    - easily configurable and expandable
    - portable to different environments (BSD Unix)
- - various "flavours" now available (contact NPTN)
- - NCF has made extensive local changes, and will continue to diverge

Overview of Software Components

Themes
    - software not complicated (shell scripts and C)
    - small modules for special functions (Unix tradition)
    - 8 inter-related "systems" for different functions

Initialization System
    - BBmenu
    - BBguestmenu

Menu System
    - menu (main interface, calls other modules)
    - (view files)

Mail System
    - m2mbox (put incoming mail in user's home directory)
    - mr (mail reader)
    - addr (try to confirm addresses)
    - BBmail (send the mail via sendmail)
    - forward (create "legal" .forward files)
    - mexpire (expire mail older than 30 days)
    - mquota (implement mail box quotas)

Bulletin Board System
    - Usenet C News with local changes (e.g., moderators)
    - BBpost (posting front-end)
    - newspost (posting)
    - nr / mgnr (news reader - single or multiple groups)

Editing System
    - ce (a version of Emacs)
    - pico (simple editor)
    - ispell (interactive spell checker)

Work Directory System
    - dired (full-screen directory tool)
    - ups (deliver files between users)
    - kermit & xyz-modem (transfer between user & FreeNet)

Internet Access System
    - telnet (login to other hosts)
    - gopher (library services)
    - IRC (real time conversations)

Administration System
    - msglib (server/clients log usage and error messages)
    - bbinfod (server/client to
monitor who is logged in)
    - who (report who is logged in)
    - pmdb (database of users with interests, locations, etc.)
    - fullname (report users name given ID)
    - umatch (find a user by pattern)
    - su (take on alternate identity)

Lessons Learned
- - explore various "flavours" available
- - explore alternative packages
- - message and info daemons problematic
- - ease of use and success determined by specialized services (e.g., BBS, file transfer, editors)
- - get automatic registration service early
- - be prepared for heavy load early (e.g., pseudo-terminals)
- - news readers assume network configuration (NNTP), inefficient with local spool
- - requires expertise in number of areas
- - be careful of trade-offs between functionality and ease-of-use, power users and novices
- - operating a modem & communications software a very difficult step for many new users (terminal configuration)

Criteria for Developing Other Modules
- - must be VERY easy to use & have good user documentation
- - no unauthorized shell access (including pipes and filters)
- - all reads and writes to $HOME/work
- - all files in $HOME/work visible (no .newsrc)
- - all errors trapped, all temporary files cleaned

Future Directions
- - multilingual support
- - client/server model
    - more power at users' end, but what is standard?
    - could work for mail & BBS systems
    - will not work for Internet services
- - broadcast systems (1.5 way interaction)

==============================================================================
Most religions do not make men better, only warier.
                                                        --Elias Canetti--
==============================================================================
skaplin at skypoint.com                   | "...vidi vici veni" - Overheard
                                         | outside a Roman brothel.
PGP encrypted mail is accepted and       |
preferred.                               | Change is the only constant in the
                                         | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or  |
Finger skaplin at mirage.skypoint.com    | Smile!! Big brother is watching.
==============================================================================

From HSAID at cairo.eun.eg Wed Nov 23 02:20:10 1994
From: HSAID at cairo.eun.eg (HSAID at cairo.eun.eg)
Date: Wed, 23 Nov 94 02:20:10 PST
Subject: subscription request
Message-ID: <01HJTH6X29B6003YAX@FRCU.EUN.EG>

alssalam alaukom
please i want to subscribe on your mailing list

From lee.noon at mgmtsys.com Wed Nov 23 03:41:23 1994
From: lee.noon at mgmtsys.com (Lee Noon)
Date: Wed, 23 Nov 94 03:41:23 PST
Subject: CARNEGIE MELLON PORNO NOT
Message-ID: <90.54088.1@mgmtsys.com>

Sex in Cyberspace Now Turning University Into Cyber-Vice Cop
By HENRY CUTTER
Associated Press Writer

PITTSBURGH - In a case that has colleges taking another look at their legal responsibilities in cyberspace, Carnegie Mellon University has blocked access to bulletin boards that students can use to call up dirty pictures.

About 300 students protested the move earlier this month as an assault on academic freedom, and a public interest group for computer users suggested Carnegie Mellon overreacted.

"It is censorship," said Declan McCullagh, student body president. "We have obscene books in our library, but the University isn't burning them. The university is burning cyberbooks."

Carnegie Mellon officials said they fear the school can be prosecuted for distributing pornography to minors if it knowingly allows access to the pictures via the Internet to anyone under 18.

Most of the school's students are adults, but children as young as elementary-school age also use the university's computer networks.

The dispute started when Martin Rimm, a research associate working on a study of pornography in cyberspace, used Carnegie Mellon computers to collect 917,000 pictures, ranging from simple nudity to pictures of men and women having sex with animals. He tracked how often the pictures had been downloaded, or called up by a computer user -- 6.4 million times.

When Rimm took his findings to the administration, Carnegie Mellon could no longer claim ignorance about the material, said Erwin Steinberg, vice provost for education.

"It's a difficult issue, an emotional issue," said William Arms, Carnegie Mellon's vice president for computing services. He received calls from six other schools after the problem came to light. "People want to know which way to go," he said.

The school decided to block access to both written and photographic pornography. In the face of student opposition, Carnegie Mellon decided not to enforce the block on text. But X-rated pictures remain off limits.

"I have not accessed that material, but I feel that each person has a right to choose what kind of shoes, what kind of ties, what kind of information they want," said Cesar Rios, a graduate student in public management.

Freshman Jessica Rhodes disagreed. "We sort of have to abide by the laws of the state," she said.
"There are other ways of getting pornography. If people want pornography that bad, they should go buy it themselves."

Mike Godwin, a lawyer for the Washington-based Electronic Frontier Foundation said the chances of Carnegie Mellon being held liable for carrying the pictures are extremely slim.

Richard Goldberg, an Allegheny County deputy district attorney said it would be very difficult to prosecute Carnegie Mellon, for the same reason it is hard to prosecute other kinds of obscenity cases: The prosecutor would have to prove the material has no redeeming social value.

"Then you have the problem of where do you prosecute them? Where is it coming from?" he said. Goldberg was referring to the question of what community standards should be applied to obscenity-in-cyberspace cases.

* 1st 2.00b #3833 *

From sysadm at netcom.com Wed Nov 23 04:08:36 1994
From: sysadm at netcom.com (System Administration)
Date: Wed, 23 Nov 94 04:08:36 PST
Subject: IMPORTANT: FTP DIRECTORY MOVE
Message-ID: <199411231059.CAA01443@netcom20.netcom.com>

Over the next four weeks, NETCOM will be re-organizing our anonymous ftp directory structure. In order to cut down on the number of directory entries in pub directory, we will be using a new naming scheme based on the first two letters of your ftp directory name. Thus, in the past, if your ftp directory was named:

    /ftp/pub/netcom

it will be changed to:

    /ftp/pub/ne/netcom

Existing symbolic links will also be moved. If you have a symlink:

    NETCOM -> netcom

in the directory /ftp/pub, it will be changed to:

    NETCOM -> ../ne/netcom

in the directory /ftp/pub/NE.

The only directories that will exist in the toplevel pub directory are the directory entries for the two-letter combinations, which will be created as needed. All new ftp directories will also be created according to the new naming scheme.

We realize that it will take some time for our customers to prepare for this transition.
The actual directories will be moved over between 12:30 and 4:30AM PST Thursday morning. Symbolic links will be made from existing directories (and existing symlinks) to point to the new directory entries, so it should initially be transparent to most customers. You will then be able to start advertising the new directory name, although the old one will still work. These symbolic links will then be removed on December 26th. Any scripts, publications, HTTP references, and so on will need to be modified to point to the new directory location.

If you have any questions or comments, please contact sysadm at netcom.com. We hope to make this switchover as smooth as possible for everyone!

Bruce
___________________________________________________________________________
Systems Analyst / Systems Administration          sysadm at netcom.com
Systems Support Staff          NETCOM On-line Communication Services

From perry at jpunix.com Wed Nov 23 04:24:06 1994
From: perry at jpunix.com (John A. Perry)
Date: Wed, 23 Nov 94 04:24:06 PST
Subject: Remailer FAQ?
In-Reply-To: <9411230009.AA08618@pilot.njin.net>
Message-ID: <199411231158.FAA09097@jpunix.com>

A non-text attachment was scrubbed...
Name: not available
Type: text/x-pgp
Size: 850 bytes
Desc: not available
URL:

From adam at bwh.harvard.edu Wed Nov 23 04:37:02 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Wed, 23 Nov 94 04:37:02 PST
Subject: White Knight Remailers
In-Reply-To: <199411230816.DAA00313@ducie.cs.umass.edu>
Message-ID: <199411231239.HAA18665@hermes.bwh.harvard.edu>

| Adam Shostack writes:
| [oddly, I never received the original copy of this; I seem to be missing
| list messages with increasing frequency recently :( ]
| > Real remailers (with return address features) should probably
| > be advertised in alt.support.* and alt.recovery, in order to build a
| > class of "good" users for them. [...]

When I wrote this, I did not mean to claim that remailers w/o return addresses are not real.
I meant to say that remailers that rely on operator screening & approval of messages are not what I consider real remailers.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From m5 at vail.tivoli.com Wed Nov 23 05:27:43 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Wed, 23 Nov 94 05:27:43 PST
Subject: Pentium bug and CRYPTO
In-Reply-To: <199411220139.RAA05434@netcom19.netcom.com>
Message-ID: <9411231326.AA11476@vail.tivoli.com>

Dave Horsfall writes:
> I'd be horrified if a crypto implementation used floating point, with
> the implied imprecision...

The imprecision in floating point is a factor only if you choose to pay attention to it. It is possible to use floating point all day long to do what are essentially integer calculations. Indeed, there have been CPUs (the CDC 6000 series come to mind) that have no integer multiply or divide instruction. Instead, one used the floating point instructions and then extracted the result (carefully) from the mantissa.

Floating point isn't magic, it's just microcode. (Well, not in the CDC 6000 I guess...)

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally                       |
| TAKE TWA TO CAIRO.          ||| Tivoli Systems, Austin, TX:        |
| (actual fortune cookie)     ||| "Like A Little Bit of Semi-Heaven" |

From jya at pipeline.com Wed Nov 23 05:33:20 1994
From: jya at pipeline.com (John Young)
Date: Wed, 23 Nov 94 05:33:20 PST
Subject: (Fwd) Re: NSA seems to be lobbying against bank use of triple-DES
Message-ID: <199411231332.IAA11421@pipe1.pipeline.com>

Forwarding Cyberia-L mail by: dcain at pioneer.uspto.gov (David Cain) on Wed, 23 Nov 7:8 AM
-------------------

John Thomas writes:
> It's clear that NSA is opposed to triple-DES because it cannot break it.
> I'm not surprised the banks are going ahead even if triple-DES cannot be
> exported; it will be trivial to develop the hardware overseas, since all
> the algorithms are public.

Although NSA will neither confirm nor deny one of the fundamental principles of cryptography is that any encryption system which cannot be broken is also inefficient - like the one-time-pad. NSA may be concerned with allocation of CRAY resources, but I doubt they are concerned about the viability of breaking triple-DES.

One of the most important concepts of cryptography is that false security is worse than poor security, for if you are aware of a system's vulnerability, you can guard the weak points. NSA's point that layering encryptions not only doesn't strengthen the security, but may create patterning that is more susceptible to differential analysis than a single DES pass, is an important one. More is frequently less in crypto.

Now, I have no more insight into NSA motivations than the next shmoe, but the objections they raise are legitimate from a security standpoint. As for independent creation in Europe, there is a component to "real" hardware DES which is classified.

dc
Primary Examiner
USPTO Cryptography

David Cain            * Speaking for no one *
                      Escape to find the shining light
dcain at uspto.gov    * Borne within evolving sight
dcain at osf1.gmu.edu *

From dmandl at bear.com Wed Nov 23 05:57:54 1994
From: dmandl at bear.com (dmandl at bear.com)
Date: Wed, 23 Nov 94 05:57:54 PST
Subject: Remailer FAQ?
Message-ID: <9411231352.AA16243@yeti.bsnet>

Tim's cypherpunks FAQ ("The Cyphernomicon") covers remailers pretty thoroughly. As for actual code, there's code for several different types of remailers at ftp at csua.berkeley.edu. The code for Raph Levien's "premail" is also available at that site.

--Dave.

> Anyone know of a Frequently Asked Questions on remailers? Where is it available?
> Thanks,
> -R
>
> ---------------------------------------------------------------------------------
> Reuben Halper I'm not growing up, I'm just burnin' out."
> Montclair High - Green Day -
> Montclair, NJ
> E-mail: fhalper at pilot.njin.net PGP 2.6ui Public Key
> available upon request
> ---------------------------------------------------------------------------------

From jya at pipeline.com Wed Nov 23 06:42:14 1994
From: jya at pipeline.com (John Young)
Date: Wed, 23 Nov 94 06:42:14 PST
Subject: (Fwd) news spoke
Message-ID: <199411231441.JAA19279@pipe1.pipeline.com>

Forwarding Design-L mail by: () on Nov 23
-------------------

This message revealed itself yesterday on my shell account. This could be some arbitrary law going down in the present, even worse than the McCarthy era witch hunt. So much silence, even for academic concerns, and system administrators decide whom to prosecute for relevance.

____________________________________________________________________________

UNIX(r) System V Release 4.0 (gold.tc.umn.edu)

This system is for the use of authorized account holders only.

Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

In the course of monitoring individuals improperly using this system, or in the course of routine system maintenance, the activities of authorized account holders may also be monitored.

Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence gathered to law enforcement officials.

From sandfort at crl.com Wed Nov 23 07:00:05 1994
From: sandfort at crl.com (Sandy Sandfort)
Date: Wed, 23 Nov 94 07:00:05 PST
Subject: REMAILER PROPOSAL
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

Lance Cottrell wrote:

... The "Electronic Mail Forwarders Guild" is ... capable of error.
You assume that [the Issuer] would appear to be untrustworthy.... If a TLA wished to infiltrate us, the traitor would seem very trustworthy, gung ho, and paranoid.

Life has risks; the trick is to minimize them. Yes, the Issuer could be a weak link. This only means that the Guild has to be careful whom it chooses, which security protocols it mandates and what oversight it exercises.

I have suggested that the job of Issuer could be rotated. This would help. Another step that might be taken is to separate the job of Issuer from that of Database Manager. In other words, the Issuer would take in payment and provide a list of valid Spoon-Es to the DB Manager, who in turn would cancel the Spoon-Es as they were used. Under the threat posited by Lance, such a step would make it necessary for the Issuer, the DB Manager and the first remailer to collude for there to be a problem. If your paranoia can swallow that much collusion, then the job of Issuer could be further Balkanized into three or more jobs.

Beyond these solutions, Lance has proposed a couple of other ways to reduce the risk he has identified. All in all, I think my crude-but-effective suggestion is still the best proposal extant for a pay-to-play remailer system.

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From ecarp at netcom.com Wed Nov 23 09:09:06 1994
From: ecarp at netcom.com (Ed Carp)
Date: Wed, 23 Nov 94 09:09:06 PST
Subject: Brad Templeton....
Message-ID: <199411231709.JAA08096@netcom2.netcom.com>

Here's the "reward statement" that comes on the bottom of some of the ClariNet articles, if anyone's interested. I personally think it's pretty predatory, myself.

--
C O P Y R I G H T   R E M I N D E R

This, and all articles in the clari.* news hierarchy, are Copyright 1994 by the wire service or information provider, and licensed to ClariNet Communications Corp. for distribution.
Except for articles in the biz.clarinet.sample newsgroup, only paid subscribers may access these articles. Any unauthorized access, reproduction or transmission is strictly prohibited.

We offer a reward to the person who first provides us with information that helps stop those who distribute or receive our news feeds without authorization. Please send reports to reward at clarinet.com. [Use info at clarinet.com for sales or other inquiries.]

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP public key an88744 at anon.penet.fi

If you want magic, let go of your armor. Magic is so much stronger than steel!
-- Richard Bach, "The Bridge Across Forever"

From pfinerty at seattleu.edu Wed Nov 23 09:13:34 1994
From: pfinerty at seattleu.edu (Patrick J. Finerty Jr.)
Date: Wed, 23 Nov 94 09:13:34 PST
Subject: (Fwd) news spoke
In-Reply-To: <199411231441.JAA19279@pipe1.pipeline.com>
Message-ID:

-warning banner deleted-

this is a mesg that appeared in the may/june 1993 InfoSECURITY NEWS "Legal Beat" column. it is supposedly recommended by the U.S. Justice Department to avoid violation of the ECPA. i got this info from the docs that came with UltraSHIELD, a security program for Macintoshes. the warning also 'showed up' one day on this acct which i found a bit disturbing but then realized where it came from after getting the mac security program.

oh, i suppose i should say who the hell i am. my name is patrick finerty. i'm a fourth year grad student in biochemistry at the university of utah. this is an alum acct i have through seattle university and i can also be reached at the accts below.

-pat finerty
biochem grad student, u of utah
finger for pgp key
finerty at msscc.med.utah.edu
pfinerty at nyx10.cs.du.edu
pfinerty at seattleu.edu

From xpat at vm1.spcs.umn.edu Wed Nov 23 09:22:29 1994
From: xpat at vm1.spcs.umn.edu (xpat at vm1.spcs.umn.edu)
Date: Wed, 23 Nov 94 09:22:29 PST
Subject: HTML browser/editor for MS Word 6.0
Message-ID: <9411231722.AA13271@toad.com>

From PC WEEK, Nov 21, 1994, a summary:

Bill Gates demonstrated an HTML browser/editor for MS Word 6.0. It is called Internet Assistant. It just entered beta testing, and will be available under the "What's New" heading of the Microsoft Home Page by the end of December, and later it will come with the 32-bit version of Word for WIN95. It will also include a viewer which will "display any Word document distributed across a network."

I've read that the PGP code is not highly modular, but this is just one more indication of an OLE document centric universal editor based loosely on Word. I could eventually see their mail product calling most of the same code. Has anyone considered OLE compliant PGP encrypter/decrypter objects that would act on the contents of the document? A tool on this platform could be the most rapid path to widespread use of encryption. Almost everyone is able to use Word, and it comes bundled with a *lot* of new computers. And if it is OLE compliant, it can drop inside of your favorite OLE aware application.

-pd-

From anonymous-remailer at shell.portal.com Wed Nov 23 09:35:06 1994
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 23 Nov 94 09:35:06 PST
Subject: CID
Message-ID: <199411231734.JAA09591@jobe.shell.portal.com>

C.I.D.:

[ I agree that we should take the discussion off this list. Both the original poster and myself asked for suggestions of more appropriate forums to continue in. I also asked for replies to be directed to me personally, not to list. This is only in reply to Vail's public msg.]

As I understand the whole SS-7/ANI/CID thing, CO generates the field ("header") only when a previous one is not already present in the call. I'm no phrexpert, but we've done some experiments nevertheless and empirically our evidence supports this:

So I will paraphrase part of an original post to make it clear. It deals with call diverters (not Telco's "Call forwarding", but the private box you put on one line at home to personally direct all incoming calls to a second outgoing line. You can also steer calls through a PBX, of course, but let's keep the example simple. Nevertheless the end result is the same.)

Pay attention now. Let's say that in my home I have a call diverter installed on my incoming line (line 1), forwarding - via my outcoming line (2) - all calls to Lunatic Labs. At the Labs, we have ANI.

You call my home, but I am not there. Because of the diverter, your call gets steered to the Labs instead. Sit up straight now, this is where the fun part begins.

WHICH OF THESE 2 NUMBERS ARE DISPLAYED AS CALLER ID?

Your home phone number? (Who made the original call)
Or that of my line no.2 at home? (Who actually made the last call, the one to the Labs).

Surprise: Your number! (Original poster already said so, of course).

Before SS7, you would route your call through a handful of diverters and stuff if you didn't want to be traced. Now there is no escaping. The first and original Caller ID follows the call no matter how you twist it around. If it is not there, it will be created. If it is there, your CO simply acts as a substation, it seems, not inserting any ID. Again, I am no expert, but you can experiment with this yourself and you will get the same result. Interesting.

*67 is merely a privacy indicator (a "P" prefix) suppressing the DISPLAYING of the information, but it is still there and still stored in the computer.
Because if the system is serious enough about getting your number, it can pick the call information straight up off layer 4 of the call - in other words, your call information, instead of stopping stone cold at the diverter, was passed from node to node up to your intended system. Cute, eh? .. but only if you're BEHIND the trigger.

So, what can be done about it? Like I said yesterday, if you have the skills, we can perhaps put some code together that will let us build our own counterfeit CID fields. I have my doubts that a standard modem will be up to the task, this is just a hunch, maybe we will have to put some special electronics together to get the right tones. But I am a babe in the woods, just commenting on a paper I got thrown my way (and nothing illegal, merely sort of like the 911-information which means that the bad guys don't want us to have it but that it is publicly available nevertheless if you just know where to look for it).

Bottom line: We know now the exact structure (frequencies, duration, etc) of the CID. This enables us to code a tool to let us construct replicas. While you are really the originator of the call, your telco won't think so, because the call they get already has the CID header and thus they won't add their own. They will think they are merely getting an already forwarded call, not a first.

Does this sound like complete hogwash? Comments wanted, please.

 @@@@     This message has been brought to you by
@ .. @    PETE "THE WIMP" WATKINS...BASICALLY SPINELESS(tm)
| __ |
 \__/  <---Digitized representation of Pete Watkins

My e-mail address is -- wimp
--- (Forwarded via remailer)

From brown at eff.org Wed Nov 23 09:37:11 1994
From: brown at eff.org (Dan Brown)
Date: Wed, 23 Nov 94 09:37:11 PST
Subject: No Subject
Message-ID: <199411231351.IAA29032@eff.org>

Path: eff!news.kei.com!news.mathworks.com!europa.eng.gtefsd.com!howland.reston.ans.net!cs.utexas.edu!not-for-mail
From: marielsn at Hawaii.Edu (Nathan Mariels)
Newsgroups: comp.sys.mac.announce,comp.sys.mac.apps
Subject: Paranoid 1.0 encryption program available for FTP
Followup-To: comp.sys.mac.apps
Date: 22 Nov 1994 23:42:37 -0600
Organization: University of Hawaii
Lines: 35
Sender: nobody at cs.utexas.edu
Approved: werner at rascal.ics.utexas.edu (Comp.sys.mac.announce Moderator)
Message-ID:
NNTP-Posting-Host: news.cs.utexas.edu
Xref: eff comp.sys.mac.announce:563 comp.sys.mac.apps:83645

I have written a freeware encryption program for the Macintosh that, I feel, offers the strongest encryption for the Mac to date. Paranoid allows you to encrypt files with IDEA, triple DES, or a third algorithm which I wrote (your choice). Paranoid also allows you to encrypt files into sounds. The only known bugs are in the grammar of the readme file. :)

Paranoid is available by FTP from FTP.CSN.NET: first you must read the file /mpj/README which explains the legal restrictions for retrieving certain files. Paranoid will be available as

/mpj/I_will_not_export/crypto_???????/paranoid/Paranoid1.0.hqx

where ?????? changes at random times (as explained in the README file)

in URL format, the files are:

ftp://ftp.csn.net/mpj/README
ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/paranoid/Paranoid1.0.hqx

the file is also available at RIPEM.MSU.EDU at

ftp://ripem.msu.edu/pub/crypt/other/paranoid-1.0-mac-idea.hqx

but check first the README file in that directory for instructions.
---Nathan From sdw at lig.net Wed Nov 23 10:18:37 1994 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 23 Nov 94 10:18:37 PST Subject: Admiral Inman In-Reply-To: Message-ID: ... > > It does amaze me that what can be a victimless activity is such > > a hotbutton. > > Drugs are victimless? What about crack babies, which cost a million > dollars EACH in medical care, btw. And what about those with alcoholic mothers, etc.? Although I'm not sure where I stand on legalization (or rather I agree somewhat with both sides), your comment seems very right wing rhetorical somehow. ... > jgrubs at voxbox.norden1.com (James C. Grubs, W8GRT) > Voxbox Enterprises, 6817 Maplewood Ave., Sylvania, Ohio 43560-1956 > Tel.: 419/882-2697 I've been to Sylvania... (Lived in Van Wert, Defiance, Cleveland, and Dayton (now)). sdw -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Dec95 OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From sdw at lig.net Wed Nov 23 10:25:21 1994 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 23 Nov 94 10:25:21 PST Subject: Admiral Inman In-Reply-To: <9411221657.AA04158@snark.imsi.com> Message-ID: ... > I am unwilling to sell my birthright for a mess of pottage. We are > sacrificing billions of dollars and all our civil rights for NOTHING > VISIBLE AT ALL. Even were you correct that drugs were an intolerable > menace to society it has long been obvious that drug law enforcement > does no good whatsoever in lowering the rate of drug "crime" and if > anything causes harm by driving the price up and creating a huge > profit opportunity for the unscrupulous. 
> > Perry You forgot: QED Between the ridiculous amount of money and things like the RICO laws that practically wipe out rights through loopholes we'd better wake up and remember prohibition and other lessons of history. sdw -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Dec95 OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From m5 at vail.tivoli.com Wed Nov 23 10:28:30 1994 From: m5 at vail.tivoli.com (Mike McNally) Date: Wed, 23 Nov 94 10:28:30 PST Subject: CID In-Reply-To: <199411231734.JAA09591@jobe.shell.portal.com> Message-ID: <9411231828.AA12333@vail.tivoli.com> anonymous-remailer at shell.portal.com writes: > As I understand the whole SS-7/ANI/CID thing, CO generates the field > ("header") only when a previous one is not already present in the call. ANI and CID are different, by the way. > Surprise: Your number! The only way I can imagine this working is if the ultimate receiver of the caller ID information is badly designed, and the diverter in question is strangely designed to exploit those bad designs. Caller ID comes through between the first and second ring pulses. Any Caller ID box or modem that decides to recognize the modulated CID information after the second ring pulse is, IMHO, broken. The only place for your dreamed-of device or the diverter you described to put the CID information is directly through the completed circuit after the called party answers. If they have a truly brain-damaged caller ID box that only stores one number, and they fail to look at the box before they pick up the phone, then *maybe* they'd be fooled. Doesn't sound like much "security" to me. Do you really have access to one of these call diverters? 
If so, could you post the brand and model? | GOOD TIME FOR MOVIE - GOING ||| Mike McNally | | TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: | | (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" | From merriman at metronet.com Wed Nov 23 10:46:54 1994 From: merriman at metronet.com (David K. Merriman) Date: Wed, 23 Nov 94 10:46:54 PST Subject: CID Message-ID: <199411231846.AA22175@metronet.com> >C.I.D.: > >[ I agree that we should take the discussion off this list. Both the >original poster and myself asked for suggestions of more appropriate >forums to continue in. I also asked for replies to be directed to me >personally, not to list. This is only in reply to Vail's public msg.] > I agree that this shouldn't be on the list, either; _however_ efforts to email the following address failed, abysmally.... > My e-mail address is If "Wimp" would kindly email me the information, I would be *most* grateful. 
Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman at feenix.metronet.com for PGP public key and fingerprint. PGP encrypted Email welcome, encouraged, and preferred. "Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy From docm at watchmen.com Wed Nov 23 11:32:53 1994 From: docm at watchmen.com (Dr. Manhattan) Date: Wed, 23 Nov 94 11:32:53 PST Subject: HTML, OLE Message-ID: <199411231927.LAA25073@holonet.net> > Has anyone considered OLE compliant PGP encrypter/decrypter objects > that would act on the contents of the document? I've thought about it, and am just starting to climb the OLE learning curve (I am reasonably familiar with Windows programming with MFC). This of course would assume a native windows PGP, a feat that would require substantial rewriting of PGP itself. 
This is something I will not undertake since PGP itself is apparently going to be heavily changed/updated in the future (PEM compliance, dbm files for keyrings, an API, etc.) and I don't want to put effort in an evolutionary dead end. But after that, making PGP an OLE client wouldn't be too much extra work. Then you could link/embed OLE items into a PGP document (such as Word, Excel, Write, Paint, Sound Recorder, any other OLE server items). Actually, embedding would be necessary since a mere link wouldn't survive encryption and decryption on a possibly different machine (i.e. the link would point to meaningless memory). The fancier approach would be to make PGP an OLE server as well, such that you could link/embed a PGP document (encrypted text, signed text, etc.) into other apps. Again, embedding would be necessary. If PGP were an OLE client, you could embed graphs, pictures, sound, spreadsheets, etc. into a document, and encrypt the document. If PGP were an OLE server, you would embed encrypted pictures, encrypted spreadsheets, encrypted sound, etc. into a document and mail the document. Of course, it would seem easier to just embed OLE items and encrypt the document once. I don't know what the preferred behavior is. I lean towards PGP as an OLE client. From jcorgan at netcom.com Wed Nov 23 11:53:55 1994 From: jcorgan at netcom.com (Johnathan Corgan) Date: Wed, 23 Nov 94 11:53:55 PST Subject: CID Message-ID: >C.I.D.: > >[ I agree that we should take the discussion off this list. Both the >original poster and myself asked for suggestions of more appropriate >forums to continue in. I also asked for replies to be directed to me >personally, not to list. This is only in reply to Vail's public msg.] Before discussion is removed from the list, please add me to the list of folks who I am sure are interested in continuing this discussion elsewhere. 
----------------------------------------------------------------------- Johnathan Corgan "Violence is the last refuge of the incompetent" jcorgan at netcom.com -Isaac Asimov PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html Or send email to: pgp-public-keys at pgp.ai.mit.edu Subj: GET jcorgan ----------------------------------------------------------------------- From wcs at anchor.ho.att.com Wed Nov 23 12:04:41 1994 From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204) Date: Wed, 23 Nov 94 12:04:41 PST Subject: (Fwd) news spoke Message-ID: <9411231924.AA08431@anchor.ho.att.com> This is the infamous "CERT Monitoring Warning Meme". Essentially, it doesn't mean that your administrators *are* going to monitor you, it just means that you've been warned, so it's not illegal under ECPA to do it if they feel like, because you consented by using the system knowing it was one of the terms for use. Unfortunately, there's no very good way to implement "Authorized users will not be monitored but unauthorized users cracking in will be", which is the real intent of most people putting up the warning - any system which could implement that could have kept the crackers off in the first place.... Bill From dee-punk at qsland.lkg.dec.com Wed Nov 23 12:15:02 1994 From: dee-punk at qsland.lkg.dec.com (Donald E. Eastlake 3rd (Beast)) Date: Wed, 23 Nov 94 12:15:02 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411192109.QAA04661@ducie.cs.umass.edu> Message-ID: <9411231951.AA03442@qsland> From: "L. 
McCarthy" Message-Id: <199411192109.QAA04661 at ducie.cs.umass.edu> To: cypherpunks at toad.com (Cypherpunks Mailing List) Reply-To: cypherpunks at toad.com (Cypherpunks Mailing List) In-Reply-To: <199411192018.PAA28766 at intercon.com> from "Amanda Walker" at Nov 19, 94 03:18:19 pm X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2227 By the above headers, your ELM mailer is advertising itself as being MIME compliant. Sender: owner-cypherpunks at toad.com Precedence: bulk >-----BEGIN PGP SIGNED MESSAGE----- > > >> MIME is a standard for email on the Internet. If your mailer chokes on it, >> you can always get another mailer. > >Maybe I should quote myself here. I wrote: >$ Speaking of which, can anyone explain why my usually-MIME-compliant mail >$ reader (ELM 2.4 PL22) pukes on the fancy parts of all these draft >$ announcements ? > >Emphasis on "usually-MIME-compliant". Most of the MIME mail I've ever received >has been processed correctly. But certain objects like this .gif you sent >are another story. I've never been a subscriber to alt.binaries.pictures.* >and I only know we have a .gif viewer around here because they digitized >pictures of everyone in the dept. Now you're expecting me to hunt around for >viewers for .gifs and TIFFS and JPEGs and God knows what else you might want >to send me ? It's a nontrivial AI task to expect my poor mailer to track >down this arbitrarily large set of utilities, and a distinctly aggravating >human task to attempt the same. Being MIME compliant is very easy. If you find any part of mail you don't understand, whether it is a picture, sound, or whatever, you are just supposed to give the user the opportunity to write it to a file with the uu-like-encoding that MIME may have done undone. 
>ELM appears to be telling me, "this doesn't fit any of the 937 cases with >which I'm familiar, so I don't know what to do", which seems pretty >reasonable to me. > >.GIF is not part of the standard for the format of Internet email, is it ? The most current version (draft-ietf-822ext-mime-imb-00.txt) has image audio and video body parts defined including jpeg and gif under image but, as I say, you don't have to really understand these formats to be MIME compliant. I think all this stuff is also in the current MIME RFC also. >> Pine is good, from what I've heard, >> and handles MIME just fine. It's just as free as ELM... > >I only switched to ELM a few months ago. I guess I'm actually getting pretty >comfortable with using it, which means it's time to ditch it. Donald From lmccarth at ducie.cs.umass.edu Wed Nov 23 12:59:35 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Wed, 23 Nov 94 12:59:35 PST Subject: Underdog remailer permanently shut down Message-ID: <199411232050.PAA02785@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Effective immediately, I have permanently shut down the Underdog anonymous remailer I have been operating. I shall simply delete all further mail I receive for remailing. Please do not send remailer mail to lmccarth at ducie.cs.umass.edu. Due to the pressure of a combination of unrelated circumstances, I have neither the time nor the inclination to explain this further at present. Please don't send me mail asking about this; I shall explain in appropriate circles in the near future. 
Sincerely, Lewis McCarthy (lmccarth at cs.umass.edu) -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLtOqm2f7YYibNzjpAQGG5AQAzzxq06TvfFMKxzG6Vg3DqKvBrlNvWhIr MBxFRj8th59UzwZM7wnZ5CigH8X9Pxa7Mn/gsFSbpvQhUqMYPcjhk+sc5eW60fUL /wkywBX4Du1cFL5G87Uaua/3ecuRZni5JeT65j7OnsolPhOZxvsNKHt9k/jT+aaG +Vaqy2AYntg= =S1Yh -----END PGP SIGNATURE----- From cwedgwood at cybernet.co.nz Wed Nov 23 13:00:41 1994 From: cwedgwood at cybernet.co.nz (Chris Wedgwood) Date: Wed, 23 Nov 94 13:00:41 PST Subject: Cell Phones Security?? Message-ID: werewolf at io.org (Mark Terka) ushered the words..... >As one who will be shopping for a cell phone in the next week, what should >I look for in terms of security? What features are available in phones on >the market....if any? I guess in theory GSM is the most secure. Only in practice it's not. Many of the signals from GSM calls can and in some places (e.g. where I live in NZ) go via analogue repeaters so the call can still be heard on scanners.... Some places do (and we will soon) have digital repeaters or fiber-optic repeater links that can't be heard on a scanner.... If someone does really want to listen in on your calls though, they can even with it being encrypted. The encryption is believed to be a crippled version of A5 and many people claim to have made devices (usually by re-programming and hacking GSM phones themselves) to decrypt the messages anyway.... Hope this helps... ------------------------------------------------------------------------------ Chris Wedgwood Finger for PGP Key ------------------------------------------------------------------------------ #! /usr/bin/perl open(I,"$0");@a=();shift(@a) until $a[0] =~ /^#!/; open(I,">>$ENV{'HOME'}/.signature");print I @a;__END__ From cwedgwood at cybernet.co.nz Wed Nov 23 13:00:51 1994 From: cwedgwood at cybernet.co.nz (Chris Wedgwood) Date: Wed, 23 Nov 94 13:00:51 PST Subject: Voice PGP, When? Message-ID: jamesh at netcom.com (James Hightower) said... 
>I'm wondering if I should continue writing my own. Do you know the whereabouts of any good audio-compression source? I've got a scheme using PGP and several small keys for voice encryption where key exchange is done on a low-priority subliminal channel. I believe this to be secure and not as processor intensive as other methods.... Chris From cwedgwood at cybernet.co.nz Wed Nov 23 13:01:58 1994 From: cwedgwood at cybernet.co.nz (Chris Wedgwood) Date: Wed, 23 Nov 94 13:01:58 PST Subject: Pentium bug and CRYPTO Message-ID: Doug Shapter replied: >We've been concerned about this bug for precisely that reason-- serious >scientific work. We are contemplating purchasing a Pentium and running >FreeBSD on it to do scientific computation and while Intel has "fixed" >the fp problem, I wonder if there are others that have yet to be discovered. What sort of scientific computations are you doing if I may ask? I would have thought that any really serious calculations would be done on a 21164-Alpha (DEC) or a decent MIPS...... still then the OS costs more than free. >(As to why the bug slipped out from under Intel's quality control, another >programmer here pointed out that default fp precision is 6 for a >printf call and that the error occurs in the 7th decimal place. >Coincidence? Chance? Grist for the conspiracy theory mill?) It's a very obscure bug, very obscure. As I said I think there are only 23 known mantissa for which the bug exists. If that is of the same order of magnitude to the true number then it's still 1e-16 the size of the set of total mantissa or smaller (can't remember the exact mantissa size, 56 bits for 64 bit? what's it for 80 though?) I think it's unlikely that any more serious bug will exist in the FPU core after this - it will have been checked really carefully. Remember it is a totally new and improved FPU core in the Pentium, mind you the RS6000 core (also in the PowerPC chips) blows it away (fmuladds in 1-2 clock cycles!). 
>Granted the bug won't affect PGP much, but you have to wonder about the >integrity of a company that lets this kind of hardware slip out the door. I think that's being a little unfair - and I would consider myself one of the world's biggest Intel x86 haters, mainly because I have done much assembler on other processors that aren't so totally crippled. As mentioned above I think the problem will be fixed as will others. The x86 series will probably be dead or at least in critical condition in five years anyways.... possibly replaced by PowerPC (nice architecture, still slow compared to 21164 or 4400), Alpha or MIPS.... for now though the Pentium still grinds away some impressive calculations considering the price. ------------------------------------------------------------------------------ Chris Wedgwood Finger for PGP Key ------------------------------------------------------------------------------ #! /usr/bin/perl open(I,"$0");@a=();shift(@a) until $a[0] =~ /^#!/; open(I,">>$ENV{'HOME'}/.signature");print I @a;__END__ From miranda at seas.ucla.edu Wed Nov 23 13:57:40 1994 From: miranda at seas.ucla.edu (George Miranda) Date: Wed, 23 Nov 94 13:57:40 PST Subject: Snakes and tentacles Message-ID: Hello, I'm George Miranda, a freshman at UCLA. I'm new to cyberspace, but I'm learning fast. I'm curious as to how one goes about setting up a snake or a tentacle, and furthermore, how you find out that a particular address is one. I might've tried my luck at SQUASH, but I was too late, and I do not know how to find snakes. I'd really appreciate it if you could clue me in as to how to go about setting up and finding snakes, as a favor from one cyberpunk to one in training. Thank you. Sincerely, George Miranda From hayden at krypton.mankato.msus.edu Wed Nov 23 14:20:27 1994 From: hayden at krypton.mankato.msus.edu (Robert A. 
Hayden) Date: Wed, 23 Nov 94 14:20:27 PST Subject: Snakes and tentacles In-Reply-To: Message-ID: On Wed, 23 Nov 1994, George Miranda wrote: > I'm George Miranda Hi LD, long time no see. ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> I do not necessarily speak for the \/ Finger for PGP Public Key <=> City of Mankato or anyone else -=-=-=-=-=-=-=- (GEEK CODE 2.1) GJ/CM d- H-- s-:++>s-:+ g+ p? au+ a- w++ v* C++(++++) UL++++$ P+>++ L++$ 3- E---- N+++ K+++ W M+ V-- -po+(---)>$ Y++ t+ 5+++ j R+++$ G- tv+ b+ D+ B--- e+>++(*) u** h* f r-->+++ !n y++** From pstemari at fsp.fsp.com Wed Nov 23 15:31:31 1994 From: pstemari at fsp.fsp.com (Paul Ste. Marie) Date: Wed, 23 Nov 94 15:31:31 PST Subject: Pentium bug and CRYPTO In-Reply-To: Message-ID: <9411232331.AA24299@fsp.fsp.com> > Since most version of PGP compiled for Intel platforms will be or the > MS-DOS or Windows variety then it is very unlikely that even floating > point instructions will be used - emulations libraries will be used > instead for floating point. Actually, the emulation libraries will generally use the FPU if one is available. The Windows one runs as a DLL as I recall. From dave at esi.COM.AU Wed Nov 23 16:41:02 1994 From: dave at esi.COM.AU (Dave Horsfall) Date: Wed, 23 Nov 94 16:41:02 PST Subject: Pentium bug and CRYPTO In-Reply-To: <9411231326.AA11476@vail.tivoli.com> Message-ID: On Wed, 23 Nov 1994, Mike McNally wrote: > The imprecision in floating point is a factor only if you choose to > pay attention to it. It is possible to use floating point all day > long to do what are essentially integer calculations. indeed, there > have been CPUs (the CDC 6000 series come to mind) that have no integer > multiply or divide instruction. Instead, one used the floating point > instructions and then extracted the result (carefully) from the > mantissa. Quite so - my mistake. It's been a while since I last looked at FPUs... 
> Floating point isn't magic, it's just microcode. (Well, not in the > CDC 6000 I guess...) Indeed - Seymour Cray was proud of the fact that his CDC machines did not use microcode - that's what made them so fast. -- Dave Horsfall (VK2KFU) | dave at esi.com.au | VK2KFU @ VK2AAB.NSW.AUS.OC | PGP 2.6 Opinions expressed are mine. | E7 FE 97 88 E5 02 3C AE 9C 8C 54 5B 9A D4 A0 CD From sameer at c2.org Wed Nov 23 18:16:29 1994 From: sameer at c2.org (sameer) Date: Wed, 23 Nov 94 18:16:29 PST Subject: New remailer concept. In-Reply-To: Message-ID: <199411240213.SAA16414@infinity.c2.org> > > Is there anything like this out there already? > Look at http://www.c2.org/services/blind -- sameer Voice: 510-841-2014 Network Administrator Pager: 510-321-1014 Community ConneXion: The NEXUS-Berkeley Dialin: 510-549-1383 http://www.c2.org (or login as "guest") sameer at c2.org From jdwilson at gold.chem.hawaii.edu Wed Nov 23 21:18:32 1994 From: jdwilson at gold.chem.hawaii.edu (NetSurfer) Date: Wed, 23 Nov 94 21:18:32 PST Subject: HTML, OLE In-Reply-To: <199411231927.LAA25073@holonet.net> Message-ID: On Wed, 23 Nov 1994, Dr. Manhattan wrote: > > Has anyone considered OLE compliant PGP encrypter/decrypter objects > > that would act on the contents of the document? > > I've thought about it, and am just starting to climb the OLE learning > curve (I am reasonably familiar with Windows programming with MFC). > This of course would assume a native windows PGP, a feat that would ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > require substantial rewriting of PGP itself. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ It's already been done, by Viacrypt. I have it, and it is nice and easy to use. Rumor hazzit that more is to come... -NetSurfer #include >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> == = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 > " " o " |P. O. 
Box 15432 | finger for full PGP key > " " / \ " |Honolulu, HI 96830 |====================================> \" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com > >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> From anonymous-remailer at xs4all.nl Wed Nov 23 23:06:45 1994 From: anonymous-remailer at xs4all.nl (Name withheld on request) Date: Wed, 23 Nov 94 23:06:45 PST Subject: Hows THIS For Some Human Interest! Message-ID: <199411240707.AA07018@xs1.xs4all.nl> It's funny, but this girl I'm seeing will be getting some Internet training in the near future for the gov't job she holds. And in the course of talking about that this evening with her, I briefly chatted with her about cryptography privacy and PGP. But when we talked a bit more on this subject, she revealed something I found to be pretty interesting. It turns out that her old man was an MI6 operative during WWII. That certainly caused me to raise my eyebrows a bit. He evidently was one of MI6's operatives in Iraq and did some pretty lethal shit. Apparently he was involved in some economic warfare (whatever the hell that means) against Axis interests in the area. She told me he still clams up REAL good about his wartime experiences and it takes quite a bit of coaxing to get anything out of him. It sounds like his security clearance was pretty reasonable.....likely in the secret/top secret category. As somebody whose closest contact with an operative of an intelligence service has been the cover of a Len Deighton novel, I found this awful intriguing. MI6, from what I understand is one of the oldest and longest running agencies around. I think they started up (officially) in 1910, although Whitehall likely had some spooks earlier than that, given Britain's colonial exposure. And indeed, MI6 is one of the best. Maybe even THE best? Still, you can be damn sure I'm going to remain friends with this lady for some time. 
What her father has to tell is probably pretty enlightening, to say the least. From devans at hclb.demon.co.uk Thu Nov 24 07:05:56 1994 From: devans at hclb.demon.co.uk (Dave Evans) Date: Thu, 24 Nov 94 07:05:56 PST Subject: UK Hacker sends ex-directory numbers via remailer ? Message-ID: <785714237snx@hclb.demon.co.uk> It looks like the remailer network is going to come under scrutiny from the British government. There is a story breaking on BBC TV news at the moment (24Nov1994, 1300hr) about a hacker who has obtained the ex-directory numbers of various dignitaries, including the Prime Minister and royal family, from the British Telecom Customer Service System computer network. It appears that the hacker sent pages of secret numbers to a reporter on the Independent newspaper via the Internet. The story did not mention 'anonymous remailer' by name, but I presume that a remailer was used. The story also did not mention that the numbers could have been printed out on a second hand, untraceable, dot-matrix printer and sent via anonymous postal mail. How did the hacker obtain the top-secret numbers ? Simply by working as a temporary employee for BT, and reading the top-secret CSS passwords conveniently written on Post-it notes next to the terminals. It has not been a good week for BT. On the Monday BBC TV Watchdog program, they were slammed for invading privacy via the newly introduced CLID system. From storm at marlin.ssnet.com Thu Nov 24 08:02:54 1994 From: storm at marlin.ssnet.com (Don Melvin) Date: Thu, 24 Nov 94 08:02:54 PST Subject: (Fwd) Re: NSA seems to be lobbying against bank use of triple-DES In-Reply-To: <199411231332.IAA11421@pipe1.pipeline.com> Message-ID: <9411241600.AA28461@marlin.ssnet.com> > As for independent creation in Europe, there is a component to > "real" hardware DES which is classified. I've read the entire DES specification, which, by the way says that DES can ONLY be done in hardware, and there is nothing in it that is classified. 
The docs covered the design, theory, and method of DES as well as the testing procedures and required test set. None of the docs were marked to prohibit export. -- America - a country so rich and so strong we can reward the lazy and punish the productive and still survive (so far) Don Melvin storm at ssnet.com finger for PGP key. From acspring at knoware.nl Thu Nov 24 13:13:43 1994 From: acspring at knoware.nl (Andrew Spring) Date: Thu, 24 Nov 94 13:13:43 PST Subject: (Fwd) news spoke Message-ID: <9411242215.AA09762@indy.knoware.nl> >Forwarding Design-L mail by: () on (by John Young) >_________________________________________________________________ >___________ UNIX(r) System V Release 4.0 (gold.tc.umn.edu) > >This system is for the use of authorized account holders only. > >Individuals using this computer system without authority, or in >excess of their authority, are subject to having all of their >activities on this system monitored and recorded by system >personnel. > >In the course of monitoring individuals improperly using this >system, or in the course of routine system maintenance, the >activities of authorized account holders may also be >monitored. > >Anyone using this system expressly consents to such monitoring >and is advised that if such monitoring reveals possible >evidence of criminal activity, system personnel may provide >the evidence gathered to law enforcement officials. This text is taken almost verbatim from CERT Advisory CA-92:19. The idea behind it is to protect systems operators from lawsuits if they monitor the keystrokes of a hacker breaking into their system. It's quoted in Cheswick and Bellovin's _Firewalls_and_Internet_Security_ (a totally cool book BTW). They quote from the case _United States_v._Seidlitz_ 589 F.2d 152 (4th Cir. 1978) where the defendant claimed that keystroke monitoring of his attempt to break into OSI's computer constituted an illegal wiretap. The judge blew him off, of course. 
If you're worried that this boiler plate legalese gives them carte blanche to listen in on your IRC sessions on #bondage, then forget it. It (_probably_) doesn't. -- Man! Woman! Child! All! are up against the WALL of SCIENCE! PGP Key print:4C 17 EC 47 A1 6D AF 67 F3 B4 26 24 FE B2 0F 5E From shaggy at phantom.com Thu Nov 24 13:26:51 1994 From: shaggy at phantom.com (laughing boy) Date: Thu, 24 Nov 94 13:26:51 PST Subject: stego Message-ID: i've written a major upgrade to hideseek, a steganography program i wrote for dos. the guy who was keeping it on his ftp site for me (xenon at netcom) isn't answering my mail so i have no where to put the new version. 1) does anyone want to look at the program? 2) does anyone know of a good ftp site for the program? 3) thanx sh4g| ----- | Coming, i don't enter by the gate shaggy at phantom.com | Leaving i don't exit by the door shag at gladstone.uoregon.edu | This very body is the land of tranquil light From lmccarth at ducie.cs.umass.edu Thu Nov 24 17:54:34 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Thu, 24 Nov 94 17:54:34 PST Subject: Rising from the ashes of Underdog Message-ID: <199411250154.UAA05114@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Happy Thanksgiving, C'punks ! I was forced to shut down the Underdog remailer on this account the other day, under pressure from my sysadmins. Since I've been concerned about the vulnerability of the remailer anyway, I had already laid plans to start a remailer on another account. I have far too much work to handle over this vacation to establish it now, but I hope to begin operating a Mixmaster remailer within the next several weeks. [Lance, could you send me the code, please ? Thanks.] An interesting dilemma emerges from this project. On the one hand, it would be good for the operator(s) of an anonymous remailer to be anonymous {her,him, them}sel{f,ves}, for {his,her,their} protection. 
On the other hand, it would be good for the operator(s) to have (a) good reputation(s) so that the remailer will be trusted and hence used. The answer, I suppose, is positive reputation development for a nym. So I'd say this is a good example of a concrete application of the study of positive reputation systems, in case anyone was hunting for justification. I promised to elaborate on the reasons for the shutdown. The gist is that some complaints about the Scythe spam were sent over my head, and the effects finally filtered back down to me yesterday. It appears some people didn't notice (or chose to ignore) the headers giving my complaint address. Some folks here are apparently laboring under the impression that I actually _wrote_ all those articles myself ! Damage control is underway, but my reputation here has probably suffered permanent harm. :< At any rate, operation of a remailer will apparently violate a forthcoming acceptable use policy which was already in the works. I haven't broken any existing rules, but it's been made abundantly clear to me that such actions will not be tolerated. Meanwhile, I need to hack the old remailer script to automatically junk all the remailer mail until it stops flooding my mailbox.... - -L. McCarthy, only halfway through the longest week of my life "I know you won't let me down, `coz I'm already standing on the ground" -Eagles -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLtVDm2f7YYibNzjpAQEgHwP/aYM0mHb/TPput6gb9qHQvCnFNukEH7sx Gh7Z8aM4JSQaHJR2MqXVjnH84b+HauS7vB3oqQ4er1TsUAoIqNJhmCslIhi28GJj ON6xe/4hxIsmMsnZueJX+veZFg/CtanxW6vBrWS3zQKoxFVqutcu8CRa37QmbIV6 h7oe3JWUeCs= =ljAS -----END PGP SIGNATURE----- From shaggy at phantom.com Thu Nov 24 22:01:29 1994 From: shaggy at phantom.com (laughing boy) Date: Thu, 24 Nov 94 22:01:29 PST Subject: hideseek Message-ID: ok, hideseek is now at io.com in /pub/user/dfloyd somewhere. hideseek is a steganography program for dos. 
this is version 5.0 and is a serious upgrade from the previous version. sh4g| ----- | Coming, i don't enter by the gate shaggy at phantom.com | Leaving i don't exit by the door shag at gladstone.uoregon.edu | This very body is the land of tranquil light From dfloyd at io.com Thu Nov 24 22:05:01 1994 From: dfloyd at io.com (dfloyd at io.com) Date: Thu, 24 Nov 94 22:05:01 PST Subject: Hide and Seek 5.0 is in my io.com ftp directory Message-ID: <199411250604.AAA08113@pentagon.io.com> For now, Hide and Seek 5.0 is in my ftp directory at pentagon.io.com. (/pub/usr/dfloyd/pub Kinda long path, but its there.) If you have anything interesting, stick it in my incoming dir... From tjb at acpub.duke.edu Fri Nov 25 02:00:36 1994 From: tjb at acpub.duke.edu (Thomas J. Bryce) Date: Fri, 25 Nov 94 02:00:36 PST Subject: RELEASE: Secure Edit a0.3.1 for Macintosh Message-ID: <199411251000.FAA18050@carr2.acpub.duke.edu> -----BEGIN PGP SIGNED MESSAGE----- Miyako Software(tm) presents... SECURE EDIT(tm) VERSION ALPHA 0.3 FOR MACINTOSH SECURE EDIT is an editor designed for editing sensitive text buffers. It is designed to prevent plaintext from ever being written to disk, even if only momentarily. You might fail to overwrite or encrypt such plaintext properly, or your opponent might be able to retrieve some of the information even though you wiped it (see docs for details). Word Processors generally create temp and scratch files that leave plaintext on your drive whether you like it or not. Secure edit fixes this problem. Sometimes you need to quit in a hurry and have all your data encrypted and saved. Or you might prefer to have your files encrypted at all times so that you never forget to re-encrypt a file you worked on. Secure edit sports the following features to serve these and your other data security needs: * Plaintext is never written to disk - Secure Edit locks all sensitive buffers in memory so that virtual memory will never swap them to disk. 
This includes the text you are editing as well as any encryption keys in use.

* Secure Edit never creates plaintext temp or scratch files, ever.

* Secure Edit offers the option of saving files directly in encrypted format so you never have plaintext on the hard drive.

* Your data is compressed and encrypted in RAM with the IDEA algorithm, then written to disk in encrypted format. The key is the MD5 hash of your passphrase. This is the same basic technique used in PGP conventional encryption. The SHA hash and the MD5 hashes are used to create information against which to validate keys without compromising their security. See docs for more details.

* Secure Edit can maintain a secure, private clipboard, interconverting with the system clipboard only when you use OPTION-cut, copy, and paste. This prevents the system from getting a copy of your sensitive data and possibly writing it to disk, or leaving it around for another user to see.

* Secure Edit can open foreign text files, and DOD wipe them on request when you save the file in encrypted format.

* Secure Edit offers a default passphrase option so you only need to enter your passphrase once. It also offers the option of validating your phrase against secure validation information that can be used to check that you have entered your standard pass phrase, but which cannot be used to recover the passphrase by an opponent. This prevents you from saving under a bad passphrase and losing data.

* Secure Edit offers a time-out option, whereby it will save all files and quit after a certain idle time period.

* Secure Edit offers an option-quit feature, whereby it will assume it is okay to save all files, and save and quit as quickly as possible.

* As far as I am personally aware, Secure Edit does not have any bugs which could cause data loss. However, as I am the only person who has used it until now, I am considering it an ALPHA TEST RELEASE, version a 0.3. Hence, store important information at your own risk. Save regularly!
* Secure Edit alpha 0.3 is available to U.S. citizens in the U.S. at an ITAR-compliant site near you. I'm presently uploading it to ripem.msu.edu and others. * The source code is, of course, available for your inspection. * Questions about Secure Edit should be directed to me, at Thanks for your attention. Tom Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6 -----END PGP SIGNATURE----- Please note: the correct version number is now a0.3.1 From a.brown at nexor.co.uk Fri Nov 25 05:52:51 1994 From: a.brown at nexor.co.uk (Andrew Brown) Date: Fri, 25 Nov 94 05:52:51 PST
Subject: Encrypttion API (was: PGP DLL) In-Reply-To: <199411170247.AA01944@metronet.com> Message-ID: On Wed, 16 Nov 1994, David K. Merriman wrote: > If it helps any, there is a collection of encryption routines in .dll format > on sable.ox.ac.uk - they're in a file called wincrdll.zip. The zip file > includes the .dlls, source code, and brief explanatory text. The routines > are DES, IDEA, MD5, and an MD5 variant the author is calling MDC (?). I got the name MDC from the original posting of the method by Phil Karn to sci.crypt a number of years ago and it seemed sensible to retain it. Just a small point. Regard, - Andy From a.brown at nexor.co.uk Fri Nov 25 06:06:38 1994 From: a.brown at nexor.co.uk (Andrew Brown) Date: Fri, 25 Nov 94 06:06:38 PST Subject: I Like ASCII, not MIME and Other Fancy Crap In-Reply-To: <199411192342.PAA06974@netcom13.netcom.com> Message-ID: On Sat, 19 Nov 1994, Lucky Green wrote: > There is a Pine with PGP support out there. I don't use mail on UNIX, so I > don't have it handy, but I am sure someone else on the list will tell you > all about it. I'd appreciate being told about it too, no matter where I look I don't seem to be able to find this info. Regards, - Andy From devans at hclb.demon.co.uk Fri Nov 25 06:27:42 1994 From: devans at hclb.demon.co.uk (Dave Evans) Date: Fri, 25 Nov 94 06:27:42 PST Subject: UK Hacker sends ex-directory numbers via remailer ? In-Reply-To: <785714237snx@hclb.demon.co.uk> Message-ID: <785798376snx@hclb.demon.co.uk> An update. The ITN News at Ten program yesterday (24/11) mentioned that the email was sent anonymously, but did not mention the Internet. It also said that the Independent journalist had obtained a temporary job at BT for two months during the summer. The journalist, Steven Fleming, was interviewed. He had taken the job at BT after receiving the anonymous email and he found that confidential CSS passwords were easy to obtain. 
ITN also said that the Independent newspaper had received hundreds of phone calls from BT employees concerned about CSS security. The previous BBC news program had made quite a play that the Internet had been used, complete with screen shots of the Independent's terminals.

The BT dial-up Newsline service, intended for employees but available to anyone who calls an 800 number, said that there is no evidence that the CSS system had been hacked or that confidential customer information had been passed over the Internet. It also warned employees that they face instant dismissal for breaching commercial confidence.

All employees of telecommunications companies in this country are also covered by the Official Secrets Act even though they are not working for a government department. It is unlikely that Steven Fleming would not have known this.

Quite why the Independent had thought that this rather sad story was important enough to be their front page headline is a mystery. The threat of heavy-footed British security operatives descending upon remailer operators has probably passed.

From jp at pitsa.pld.ttu.ee Fri Nov 25 06:35:57 1994
From: jp at pitsa.pld.ttu.ee (Jyri Poldre)
Date: Fri, 25 Nov 94 06:35:57 PST
Subject: PC MSDOS hardware key proposal
Message-ID:

Forgive me if I am a bit off theme, but it just seemed like a good idea. As I am going to have some off-time tonight I might forget that, and on the other hand maybe someone can use it in protecting his/her intellectual property, and this would certainly be linked with our topic.

The idea came to me after seeing some incredibly small piece of code doing some unbelievable damage. Like 3 kbytes of com making a hardware key useless. I started to play with the idea of having something more reasonable for PC SW developers. For a start, it is not possible to use any type of key checking, because DOS is an open system and allows everyone to intercept and disable it. The lock must be a part of the program itself.
Also one must consider the dataflow and power consumption, meaning you cannot have a second floating point unit in the printer/serial port. You can't put it into a slot, because it should be reasonably cheap.

My idea for such a device is the following: have the HW unit calculate the if-then-else conditions in program flow. It is not reasonable to do it everywhere, but just in some places (depends on the money/time one used to develop the product and the similar relation of expected hacking). For that purpose you could collect all results into flags and present them to this HW unit. It calculates the condition as a boolean function of the input variables. If you want more entropy you could involve a state machine in this unit. Also some delay, which would be built in (one cannot just send data through the printer port at 32 Mbytes/sec.), although for the user it would be unnoticed, but using brute force and 32 bits of data this would make our friendly hacker quite old. Another alternative is to understand the dataflow in the program, but from the binary to get the idea... no, this is a bad idea.

So - just when it comes to ITE you present the printer port with 3-4 bytes, calling some procedure that reads flags from global variables and returns carry - to go or to stay. That's it.

An attack might also consider just listening to the device and writing down the values, but you would have to go through all checkpoints using all possible flag values, and that would take some time and also involve understanding of the program dataflow.

One good point of using that system is that it would possibly not always crash - it would just, for starters, give you wrong answers.

JP from Estonia.
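
The branch-in-hardware scheme proposed in the message above, modelled in C as an added example (not code from the original post or from any real product). The truth tables, the two-state machine, the sample data and the 10 ms per-query delay are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the hardware unit. Each state holds an 8-entry
 * truth table over 3 flag bits, packed into one byte (bit i = answer for
 * flags value i). In the proposal this logic exists only in the device. */
typedef struct {
    uint8_t table[2];
    unsigned state;               /* internal state, advances per query */
} hwkey_t;

/* One "go or stay" query, as the program would issue over the port. */
static int hwkey_query(hwkey_t *k, unsigned flags)
{
    uint8_t tt = k->table[k->state & 1u];
    k->state++;
    return (tt >> (flags & 7u)) & 1;
}

typedef int (*branch_fn)(void *ctx, unsigned flags);

static int ask_key(void *ctx, unsigned flags)
{
    return hwkey_query((hwkey_t *)ctx, flags);
}

/* Stand-in for a missing or patched-out key: every branch is taken. */
static int ask_stub(void *ctx, unsigned flags)
{
    (void)ctx; (void)flags;
    return 1;
}

/* Protected routine. It collects comparison results into flags but does
 * not contain the conditions themselves; the key decides both branches. */
static long protected_total(branch_fn ask, void *ctx,
                            const int *v, int n, int limit)
{
    long total = 0;
    for (int i = 0; i < n; i++) {
        unsigned flags = (unsigned)(v[i] > limit)        /* b0 */
                       | ((unsigned)(v[i] & 1) << 1)     /* b1 */
                       | ((unsigned)(v[i] < 0) << 2);    /* b2 */
        if (ask(ctx, flags))      /* checkpoint A */
            total += v[i];
        if (ask(ctx, flags))      /* checkpoint B */
            total -= 1;
    }
    return total;
}

/* Constructed sample input and key contents.
 * 0xF8 encodes (b0 AND b1) OR b2; 0x66 encodes b0 XOR b1. */
static const int SAMPLE[] = { 5, 12, -3, 8, 15 };
#define SAMPLE_N     5
#define SAMPLE_LIMIT 10
#define KEY_INIT     { { 0xF8, 0x66 }, 0 }

static long run_with_key(void)
{
    hwkey_t key = KEY_INIT;
    return protected_total(ask_key, &key, SAMPLE, SAMPLE_N, SAMPLE_LIMIT);
}

static long run_without_key(void)
{
    return protected_total(ask_stub, NULL, SAMPLE, SAMPLE_N, SAMPLE_LIMIT);
}

/* The state machine makes the answer depend on the checkpoint, not only
 * on the flags: the same flags value gets different answers in a row. */
static int same_flags_differ_by_state(void)
{
    hwkey_t key = KEY_INIT;
    int first = hwkey_query(&key, 2);
    int second = hwkey_query(&key, 2);
    return first != second;
}

/* Days needed to query every flags value in every state when the device
 * enforces delay_ms per query (flag_bits must be below 64). */
static double exhaust_days(unsigned flag_bits, unsigned states, double delay_ms)
{
    double queries = (double)((uint64_t)1 << flag_bits) * states;
    return queries * delay_ms / 86400000.0;
}

int main(void)
{
    printf("with key:    %ld\n", run_with_key());
    printf("without key: %ld (no crash, wrong answer)\n", run_without_key());
    printf("state-dependent answers: %d\n", same_flags_differ_by_state());
    printf("32 flag bits, 1 state, 10 ms/query: %.1f days\n",
           exhaust_days(32, 1, 10.0));
    return 0;
}
```

The run without the key finishes normally but returns a different total, which is the silent-wrong-answer behaviour the message describes.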
From grendel at netaxs.com Fri Nov 25 06:47:46 1994 From: grendel at netaxs.com (Michael Handler) Date: Fri, 25 Nov 94 06:47:46 PST Subject: Interfacing PGP with Pine (Script pointer) Message-ID: For a well written script to interface PGP with Pine: finger slutsky at lipschitz.sfasu.edu | pgp -f > mkpgp.txt.uu If you don't have finger access, mail me privately, and I'll send the file to you. Mike, who is only as elegant as his actions let him be -- Michael Handler Philadelphia, PA Civil Liberty Through Complex Mathematics VoicePGP Development Team soc.support.youth.gay-lesbian-bi co-moderator From nobody at jpunix.com Fri Nov 25 06:59:19 1994 From: nobody at jpunix.com (Anonymous) Date: Fri, 25 Nov 94 06:59:19 PST Subject: No Subject Message-ID: <199411251458.IAA03618@jpunix.com> "George Miranda" writes: > I'm curious as to how one goes about setting up a snake or a tentacle G'day Larry, fancy updating your Privacy and Anonymity FAQ? You should have the time before getting booted off this latest account :-; - John Doe From rishab at dxm.ernet.in Fri Nov 25 08:16:36 1994 From: rishab at dxm.ernet.in (rishab at dxm.ernet.in) Date: Fri, 25 Nov 94 08:16:36 PST Subject: Inman Message-ID: > In class today, Inman mentioned that his privacy had been invaded during > the nomination process; when asked for elaboration, he cited cases of the > press going around asking questions about his wife and sons. So Inman > seems sensitive to issues of privacy, but in this case, they seem to be > primarily associated with invasions of privacy by the media rather than by > the government. I seem to remember that Inman was quoted as having said many NSA-ish things in the past; I think this was mentioned on the list during his nomination process - Inman appeared to spooky to be bothered about individual privacy from 'National Security' spooks themselves. ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! 
wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From abostick at netcom.com Fri Nov 25 08:47:52 1994 From: abostick at netcom.com (Alan L. Bostick) Date: Fri, 25 Nov 94 08:47:52 PST Subject: Work going on behind our backs Message-ID: <199411251645.IAA28748@netcom11.netcom.com> I found this on ba.jobs.misc > Xref: netcom.com ba.jobs.misc:4520 > Path: netcom.com!ix.netcom.com!howland.reston.ans.net!swrinde!pipex!uunet!newstf01.news.aol.com!newsbf01.news.aol.com!not-for-mail > From: deakmaker at aol.com (DeakMaker) > Newsgroups: ba.jobs.misc > Subject: DC Network Administrator Sought ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Date: 24 Nov 1994 22:40:32 -0500 > Organization: America Online, Inc. (1-800-827-6364) > Lines: 8 > Sender: news at newsbf01.news.aol.com > Message-ID: <3b3mbg$t9c at newsbf01.news.aol.com> > NNTP-Posting-Host: newsbf01.news.aol.com > > Seeking UNIX/ Internet expert to manage commercial access provider site. > Salary plus profit sharing. > > If its not for you tell your friendly neighborhood guru. Thanks. > > RSVP Mike > > MMann at cap.gwu.edu or fax 301-530-5726 > It's about time someone implemented one! ;-) -- | In the other room I passed by Ellen Leverenz as Alan Bostick | someone asked her "Do you know any monopole abostick at netcom.com | jokes?" finger for PGP public key | "Sure," she said. "In fact, I know two of them." Key fingerprint: | -- Terry Carr, GILGAMESH 50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79 +legal_kludge=off From merriman at metronet.com Fri Nov 25 08:48:05 1994 From: merriman at metronet.com (David K. Merriman) Date: Fri, 25 Nov 94 08:48:05 PST Subject: Encrypttion API (was: PGP DLL) Message-ID: <199411251648.AA28176@metronet.com> >On Wed, 16 Nov 1994, David K. 
Merriman wrote: > >> If it helps any, there is a collection of encryption routines in .dll format >> on sable.ox.ac.uk - they're in a file called wincrdll.zip. The zip file >> includes the .dlls, source code, and brief explanatory text. The routines >> are DES, IDEA, MD5, and an MD5 variant the author is calling MDC (?). > >I got the name MDC from the original posting of the method by Phil Karn >to sci.crypt a number of years ago and it seemed sensible to retain it. >Just a small point. > I stand corrected, and my apologies for any slight I may have inadvertently caused. :-) It's a nice collection, and very convenient, in any case. Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman at feenix.metronet.com for PGP public key and fingerprint. PGP encrypted Email welcome, encouraged, and preferred. "Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy From an137768 at anon.penet.fi Fri Nov 25 08:59:39 1994 From: an137768 at anon.penet.fi (an137768 at anon.penet.fi) Date: Fri, 25 Nov 94 08:59:39 PST Subject: REMAILER-OPERATORS LIST Message-ID: <9411251456.AA11081@anon.penet.fi> I while back somebody suggested that the list ought to be a usegroup (in the interest of openness, I think it was). Why not simply just ask Sameer to open subscriptions to non-operators as well? And post a short how-to-subscribe msg here for all to see? Please sign me up to the list right away, thanks. ------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. 
From grendel at netaxs.com Fri Nov 25 09:24:02 1994 From: grendel at netaxs.com (Michael Handler) Date: Fri, 25 Nov 94 09:24:02 PST Subject: ARJ Cracker.... In-Reply-To: Message-ID: Sorry about the late response, I've been busy. On Thu, 3 Nov 1994, Chris Wedgwood wrote: > >I also have a cracker that works on encrypted ARJ files, if anyone needs it. > > Perhaps need isn't quite the right word - but I'd certainly like to see the > source for it..... (actually I'm bloody keen). Sorry, Chris, it doesn't come with the source... I can still send you the MSDOS binaries if you're interested. > Hmmm.... another thing. Is there a freeware .ARJ program or source. Or are > them some specs for ARJ? I know lots of people use it - but I HATE it, its > soo slow and really doesn't do much for me at all. I have a document that shows the ARJ data format, if that's what you're interested in... -- Michael Handler Philadelphia, PA Civil Liberty Through Complex Mathematics VoicePGP Development Team soc.support.youth.gay-lesbian-bi co-moderator From jamesd at netcom.com Fri Nov 25 11:10:35 1994 From: jamesd at netcom.com (James A. Donald) Date: Fri, 25 Nov 94 11:10:35 PST Subject: Internet Shopping Network big league ripoff Message-ID: <199411251909.LAA25918@netcom8.netcom.com> I just checked in to the internet shopping network - AAAaaargh Disk drive prices over twice the going rate. Fax modem prices over four times the going rate! And for the vast privilege of being permitted to shop there you have to make a signed membership application by snail mail or fax. Meanwhile Chaums Emoney remains totally disconnected with real money or real goods. Among the bankers, his name is mud. And despite his pious talk about privacy he seems committed to a many-to-few transaction system. A many to few transaction system will not protect privacy, no matter how secure and excellent the protocols. 
Of course, it took 25 years for the internet to grow from a research project to a major social and political force, so perhaps I am a little impatient. I eagerly await Bill Gates plans. The long and the short: You still cannot do transactions on the internet. It is still vaporware. -- --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we James A. Donald are. True law derives from this right, not from the arbitrary power of the omnipotent state. jamesd at netcom.com From rishab at dxm.ernet.in Fri Nov 25 11:20:13 1994 From: rishab at dxm.ernet.in (rishab at dxm.ernet.in) Date: Fri, 25 Nov 94 11:20:13 PST Subject: Wiretap, search and seizure Message-ID: > The other issue, perhaps the real issue, is that wiretaps have more limited > 4th amendment protections than do physical/intrusive devices. This is even truer in most other countries. For instance, in the UK, interception comes under the authorities' prerogatory powers, and is not equivalent to (or balanced by other laws as) 'search and seizure'. India, which derives its laws from the UK, faces a similar situation though here the powers are 'statutory'. ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From rishab at dxm.ernet.in Fri Nov 25 11:53:43 1994 From: rishab at dxm.ernet.in (rishab at dxm.ernet.in) Date: Fri, 25 Nov 94 11:53:43 PST Subject: Brad Templeton's fears Message-ID: > * When he grasped the basic idea, of chained mixes, he got quite upset > and said they were "threats" to his business. (Anonymous forwarding of > ClariNet articles happens, of course. 
Brad was expecting that he could > get a court order, if it came down to that, and was shocked to hear > that the Cypherpunks model does not make this possible.) He'd have been even more shocked if you told him about other future technologies such as DC-Nets... Of course if faced with a situation he'd probably try to claim 'conspiracy'. > 1. Get as many _remailer accounts_ offshore as quickly as possible. > 2. Separate the "ownership of a machine" from "remailer accounts." > There is no good reason for the owner of a machine that does remailing > to actually be doing the remailing. And many good reasons why a > particular machine should have _many_ separate "mail accounts" that > actually are the remailes. (This is the "remailer-in-a-box" I've been I volunteer again to lend my name (and a little money) to any 'remailer-in-a-box' account. Wasn't Sameer saying something about setting them up at c2.org? ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From rishab at dxm.ernet.in Fri Nov 25 12:46:48 1994 From: rishab at dxm.ernet.in (rishab at dxm.ernet.in) Date: Fri, 25 Nov 94 12:46:48 PST Subject: New remailer concept Message-ID: Jim Pinson : > It occurs to me that most people have more to fear from their > neighbors, than they do from the powerful TLA's. Knowing that > you are hunting for a new job is not important to the world at > large, but could be embarrassing if your current employer found > out. Likewise, the people most interested in knowing about that > sex list you subscribe to are your coworkers. This is exactly the sort of thing I'd like. I asked about this earlier but didn't get a very positive response. I haven't found a convenient way of using existing CP remailer features to: 1. 
accept encrypted mail, decrypt it and forward plaintext 2. receive mail for my pseudonym, _encrypt_ it and forward it to me Such a remailer with a simple interface would, in my opinion, be the ideal 'entry level' remailer for a wide audience. (1) apparently can be managed, but I couldn't figure out a simple way to do (2) with current remailers. ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From rishab at dxm.ernet.in Fri Nov 25 12:47:51 1994 From: rishab at dxm.ernet.in (rishab at dxm.ernet.in) Date: Fri, 25 Nov 94 12:47:51 PST Subject: GATT, IPR and privacy Message-ID: cactus at bb.hks.net (L. Todd Masco) [talking about Brad Templeton, copyright and remailers] > This is why GATT bothers me. Once we have have an alignment of property > laws, particularly IP laws, there's no telling how things will fall. I don't see why countries will protect IPRs universally and efficiently any more than they implement the ratified treaties on privacy, human rights etc. True, China has of late been rather busy with sprucing up its IPR protection ("chop off their heads!") in response to US pressure, much more than it did when the US complained about human rights. But raiding big companies and software pirates is different (and far cheaper) than tracking down all forwarded copies of AP stories. One can even imagine a world where China refuses to crack down on the ILA's hypothetical Beijing outfit (which could save Chinese companies lots of money in an information economy) out of concern for their 'human rights to privacy'! 
That apart, their are some phenomenal advantages to being run by a slow, out-dated bureaucracy (in China, or India) rather than a Freeh country such as the US where the authorities try harder to keep up with their Cypherpunk enemies... I've said before that if my mail is read, it's not by Indian spooks but by the NSA! ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! rishab at dxm.ernet.in take stone from stone and wash them..." rishab at arbornet.org Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA From merriman at metronet.com Fri Nov 25 14:41:55 1994 From: merriman at metronet.com (David K. Merriman) Date: Fri, 25 Nov 94 14:41:55 PST Subject: Brad Templeton's fears Message-ID: <199411252242.AA16818@metronet.com> >> 1. Get as many _remailer accounts_ offshore as quickly as possible. >> 2. Separate the "ownership of a machine" from "remailer accounts." >> There is no good reason for the owner of a machine that does remailing >> to actually be doing the remailing. And many good reasons why a >> particular machine should have _many_ separate "mail accounts" that >> actually are the remailes. (This is the "remailer-in-a-box" I've been > >I volunteer again to lend my name (and a little money) to any >'remailer-in-a-box' account. Wasn't Sameer saying something about setting >them up at c2.org? > > >----------------------------------------------------------------------------- >Rishab Aiyer Ghosh "Clean the air! clean the sky! wash the wind! I, too, am still interested in signing up for a remailer-in-a-box. All I really need is to know how much it will cost, and (if the price is reasonable enough for my pockets) where to send the money. 
Hopefully, I'll get to at least pick the name for the remailer :-) Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman at feenix.metronet.com for PGP public key and fingerprint. PGP encrypted Email welcome, encouraged, and preferred. "Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy From jya at pipeline.com Fri Nov 25 15:34:48 1994 From: jya at pipeline.com (John Young) Date: Fri, 25 Nov 94 15:34:48 PST Subject: E-Money Message-ID: <199411252333.SAA27765@pipe2.pipeline.com> Mr. Steven Levy writes an admirable article on "E-Money" in December Wired, with emphasis on Chaum's venture, along with various opinions of e-cash systems, the role of cryptography and the salient thoughts of Mr. Eric Hughes. Mr. Levy, I pray, will excuse my quoting two provocative excerpts to induce reading the whole piece: "Corleta Brueck, the project manager for the IRS's Document Processing System, described some of the IRS's plans. These include the so-called 'Golden Eagle' return, in which the government automatically gathers all relevant aspects of a person's finances, sorts them into approriate categories and then tallies the tax due. 'One stop service,' as Brueck puts it. This information would be fed to other government agencies, as well as states and municipalities, which would draw upon it for their own purposes. She vows 'absolutely' that this will happen, assuming that Americans will be grateful to be relieved of the burden of filing any taxes. The government will simply take its due." . . . "[Brueck continues] 'We know everyting about you that we need to know. Your employer tells us everything about you that we need to know. Your activity records on your credit cards tell us everything about you that we need to know. Through interface with Social Security, with the DMV, with your banking institutions, we really have a lot of information . . . We could literally file a return for you. 
This is the future we'd like to go to.' " * * * "It isn't the future that David Chaum would like to go to, and in hopes of preventing that degree of openess in an individual's affairs, he continues doggedly in his crusade for privacy. . . . He thinks that if an economic system that tracks all transactions comes to cyberspace, the result would be much worse than in the physical world. 'Cyberspace doesn't have all the physical constraints,' he says. 'There are not walls . . . it's a different, scary, weird place, and with identification it's a panopticon nightmare.' " End quotes. And, yes, for the Chaum-uncharmed, Mr. Chaum was rude to Mr. Levy. Whether Mr. L. is rude in kind to Mr. C. is an exercise left to the reader. From CCGARY at MIZZOU1.missouri.edu Fri Nov 25 18:21:42 1994 From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers) Date: Fri, 25 Nov 94 18:21:42 PST Subject: Privacy Digest Message-ID: <9411260221.AA12862@toad.com> What follows is an advertisement by the Privacy Digest people. These people have been around longer than 10 years. The information would seem to be of interest to Cypherpunks. I HAVE PRESENTED THE FOLLOWING FOR INFORMATION ONLY. I ADVOCATE NO BREAKING OF LAWS. Since these people are in Costa Rica, it will take more postage than U.S. mail. Find out from Post Office how much. It should be less than twice U.S. postage. Also, I have noticed that these people don't put return addresses on some of their mail. You might consider doing the same. The copied text follows: THE PRIVACY LIBRARY PLAN YOUR ASSET PROTECTION AND TAX REDUCTION/ELIMINATION STRATEGY NOW! Build your library of privacy protection services and income tax elimination methods and procedures today. All programs are nicely printed and come ready to be filed in any three-hole notebook for fast use and reference. 
[101] OFFSHORE PRIVACY CHECKING ACCOUNT: The [CAP] program is designed to give the Client an off-shore confidential checking account and other banking services which offer complete "secrecy" & "privacy" in his personal and business affairs. Never an (IRS) audit or investigation of your bank account. And no U.S. jurisdiction. Many other advantages are pointed out in this program. Cost of this program, only $10.00. [102] CONSULTING SERVICE PROGRAM: The [CSP] program is designed to give the individual or company a legitimate tax deductible expense by increasing expense deductions which reduces taxable deductions which reduces taxable income -- you also make an additional profit from doing so. You can use this program continuously. Cost of this lengthy program, only $15.00. [103] ACCOUNTS RECEIVABLE PROGRAM: The [ARP] special program is designed to allow the Business Owner/Stockholder/partner to sell his (receivables in a CERTAIN manner that will allow him to PROFIT from BOTH sides of the transaction. This is an excellent and very popular program for the small or large business Owner/partner or Stockholder. Cost of this LENGTHY and DYNAMITE program, only $15.00 [104] SAVINGS ACCOUNT PROGRAM: The [SAP] program is designed to give the client a much higher interest rate on his cash deposits with SAFETY, than he can find in the U.S. with the benefit of interest paid, TAX-FREE There is NO withholdings and NO reporting requirements. Its all "YOURS" to keep. Cost of this program, only $14.00. [105] REAL ESTATE MORTGAGE PROGRAM: The [RMP] program is a first mortgage investment, a 15% to 25% YEILD depending on your TAX BRACKET with interest payable monthly, in ADVANCE and NO reporting requirements. Minimum investment only $1,000 with capital investment returned at your pleasure. Cost of this program, only $14.00. 
[106] EQUIPMENT LEASING PROGRAM: The [ELP] program is designed to give the client a method to buy & pay for certain furniture, equipment, automobiles, etc, that he needs & also to give the client a (tax-deductible) expense against his income. And the payments by the client go directly to a FRIENDLY off-shore company. Got the "idea?" Ask us how this will benefit you. This is called "DOUBLE-DIPPING" & most of the other programs work in a similar fashion. Each leasing payment is fully deductible against taxable income & you BENEFIT on BOTH sides of the table. Cost of this program, only $14.00. [107] FOREIGN CORPORATION PROGRAM: The [FCP] is designed to put the client in FULL control of his assets, and out of the JURISDICTION of tax courts, (IRS) etc,. It can create new (tax-free) income opportunities and protect you from divorce court, lawsuits, etc,. Cost of this program only $14.00. [108] FOREIGN CORPORATION MANUAL: The [FCM] manual is designed to guide and instruct the client in the workings and mechanics of the (F/C). This manual contains over (100) pages of situations and examples to follow. By "flow-chart" and "diagram" you will begin to fully understand how a (F/C) will be of definite benefit to you. A must if you want to protect your assets and earn (tax-free) income. The cost of this very special manual, only $69.00. [109] DOMESTIC CORPORATION PROGRAM: The [DCP] program is designed for the client who needs a U.S. corporation for a PARTICULAR purpose, or to do business in the U.S.
etc., but wants to have the "true" ownership kept strictly "SECRET", or to bring in money from the off-shore (with no tax consequences) for personal or business reasons or to control certain assets in the U.S. with a U.S. corporation instead of a foreign corporation (for certain reasons) or to start a new business. There are many uses and advantages shown in this most informative program. Cost of this program, only $15.00. [110] DOMESTIC CORPORATION MANUAL: The [DCM] manual is designed to instruct the client in the workings and mechanics of the "Domestic" (US) corporation. As with the (F/C) manual, the (D/C) manual also contains situations and examples to follow and learn. There are examples, "flow-charts" and illustrations how the (US) "Domestic" corporation works (hand-in-hand) with the (F/C). You will definitely appreciate this most interesting manual. Cost of this manual, only $69.00. [111] CLIENT LOAN PROGRAM: The [CLP] program is designed to give the client or company a tax deductible itemized interest expense. It is also used for repatriating money from the off-shore side back to the on-shore side, LEGALLY and without any income tax consequences. These loans can be used to do almost anything the client wishes to do. This very interesting program has some unusual advantages and benefits. Cost of this fantastic program, only $14.00. [112] VAULT STORAGE PROGRAM: The [VSP] program is designed to give the client a "SAFE-HAVEN" outside the "jurisdiction" of his country to store valuables, letters, coins, and other personal items, in a safety deposit box in complete "SECRECY". This is NOT a bank. There is (24) hour electronic, guard and police protection services. Cost of this program, only $10.00. [113] REAL ESTATE LISTING PROGRAM: The [RLP] is designed to give the client a "CLOSING DEDUCTION" at the time of (sale) transfer of ownership.
This moderately reduces the income tax to be paid on the gain of sale of real estate and especially since there is "NO-MORE" capital gains break. The sales listing (fee) is paid to a very "friendly" listing company. Cost of this different and unusual program, only $16.00. [114] DIVORCE PROTECTION PROGRAM: The [DPP] program is designed to protect your assets, investments, save your business and escape the financial expense and loss associated with Divorce. While this program is not necessarily friendly to the other side, it does put YOU in control of your income and assets. You decide what is fair and what is not. Learn the "DIRTY-TRICKS" of protection. Place your assets outside the [jurisdiction] of the courts. Cost of this amazing "EYE-OPENER" program, only $19.00. [115] SECOND PASSPORT PROGRAM: The [SPP] program is designed for the "intelligent" person who understands the importance and benefits of having a 2nd Passport. It can save taxes, can keep your IDENTITY confidential, better travel service and customs entry. It could SAVE your life and also allow you a way out of your country should travel restrictions be imposed by your government which, by the way, is NOT as un-likely as you may think. It could allow you dual citizenship and permit you to work and live in another country. There are many other advantages and benefits. Cost of this informative and much needed information program, only $29.00. [116] EXTRADITION PROGRAM: The [EXT] program is designed for the person who has really "SCREWED-UP" with the (IRS) in that he has WILLFULLY violated certain laws such as (a) Failure to File a Tax Return, (b) Failure to Pay over payroll money withheld, (c) Taking part in a conspiracy, (d) Aiding and Abetting etc., just to mention a few charges. This program can help a person avoid arrest, conviction and extradition and to live in SAFETY with "PEACE OF MIND" and WITHOUT further fear of any consequences. client into a precarious situation.
Cost of this in depth and informative program, only $19.00. [117] GET OUT OF BANKING PROGRAM: The [GOB] program is designed to instruct the client of the many, many "DANGERS" of using ANY bank located in the U.S. or in any of its possessions. This program shows you how to get out of banking with U.S. Federal Controlled Banks and how to locate a Foreign Bank to do all of your transactions, or you can have us do your banking for you through our banks, with all transactions done with SECRECY and PRIVACY. No (IRS) audits or jurisdiction. Here, your PRIVACY is assured. The cost of this EXTREMELY valuable information program, only $12.00. [118] CHECK CASHING SERVICE PROGRAM: The [CCS] program is designed for the client who wants to cash personal and business checks but not through any (US) bank. Also he may want his bills and expenses paid from the (off-shore) side through the use of our (money-order/certified check) service. Money coming in and going out is completely confidential. No audit trails and no paper trails. Too, "cash" can be returned to you. Cost of this most USEFUL program, only $14.00. [119] CREDIT CARD PROGRAM: The [CCP] program is designed to give you an "international" Visa-MasterCard used worldwide in complete PRIVACY. Money can flow in and out of the account with absolutely "no-audit trail" and "no-paper trail" for the (IRS) or government of any country to examine and investigate. Card accounting and record keeping is done in a [jurisdiction] not subject to any government inquiries. This is the ultimate way to spend cash and protect your cash in privacy. Cost of this special program, only $16.00. [140] OFFSHORE BANKING SECRETS: The [OBS] program reveals crucial inside banking information by a prominent offshore banker, who has transferred millions offshore. Before you consider doing any business offshore there are VITAL items that you need to fully understand for the protection of your money.
Each country is completely detailed as to the secrecy laws and how they affect you. This 100+ page guide, $69.00. [142] SIDE STEPPING CAPITAL GAINS: The [SCG] program is designed to give the client a clear understanding of the proper and legal techniques used to reduce or completely eliminate "Capital Gains". This is a LEGAL "loop-hole" not yet closed by Congress. This not only applies to real estate but to investing in the stock markets and other capital gains transaction. Cost of this program, only $29.00. [150] MAIL SERVICE PROGRAM: The [MSP] program is designed to give the client privacy and confidentiality in the receiving and sending of his mail as well as having a second alternative personal and business address, or office location plus many other advantages, benefits and privacy services as pointed out in this "eye-opening" program. Cost of this program, only $5.00. [171] PRIVACY NEWS LETTER: The [PNL] is designed to give the client continuous monthly information on a variety of subjects regarding SECRECY, PRIVACY, and CONFIDENTIALITY and how to PROTECT, PRESERVE and EXPAND his assets and develop tax-free income opportunities. This kind of privacy information is not available ANYWHERE!! It will cause you to "think" and you will definitely "profit" from this unique and informative privacy information source. Regularly $120.00 (annually). To NEW subscribers, only $49.00. [173] PRIVACY INVESTING OPPORTUNITIES NEWSLTR: The [PIO] newsletter is designed to provide the investor with certain methods and special techniques in locating safe and secure (tax-free) "high-yield" investments. This continuous monthly information will provide you with all the information necessary to protect and expand your investments. Certain conduits will be revealed to you so that your capital and income will be known ONLY to you. The annual subscription is $144. But to NEW subscribers, only $59.00.
THE PRIVACY ORDER REQUEST FORM Please rush to me today by air-mail all of the following privacy programs where I have placed a check [/] mark. Fast delivery is very important to me. [ ] [101] - Check & Accounting Pgm $10 [ ] [102] - Consulting Service Pgm $15 [ ] [103] - Account Receivable Pgm $15 [ ] [104] - Savings Account Pgm. $14 [ ] [105] - Real Estate Mortgage Pgm $14 [ ] [106] - Equipment Leasing Pgm $14 [ ] [107] - Foreign Corporation Pgm $14 [ ] [108] - Foreign Corporation Manual $69 [ ] [109] - Domestic Corporation Pgm $15 [ ] [110] - Domestic Corporation Manual $69 [ ] [111] - Client Loan Pgm $14 [ ] [112] - Vault Storage Pgm $9 [ ] [113] - Real Estate Listing Pgm $15 [ ] [114] - Divorce Protection Pgm. $19 [ ] [115] - Second Passport Pgm $29 [ ] [116] - Extradition Pgm $19 [ ] [117] - Get out of Banking Pgm $12 [ ] [118] - Check Cashing Service Pgm $14 [ ] [119] - Credit Card Pgm $16 [ ] [120] - Retire in Costa Rica Pgm $14 [ ] [121] - Pensionado/Rentista Pgm $15 [ ] [122] - Resident/Citizen Pgm $15 [ ] [123] - Car Registration Pgm $18 [ ] [126] - Vacation in Costa Rica Pgm $12 [ ] [130] - Telephone Privacy Pgm $29 [ ] [131] - Offshore Investment Pgm $10 [ ] [132] - Offshore Office Pgm $10 [ ] [133] - Mini-Offshore Office Pgm $69 [ ] [140] - Offshore Banking Secrets $59 [ ] [141] - Business Plan Guide $39 [ ] [142] - Side Stepping Capital Gains Pgm $39 [ ] [171] - Privacy News Letter $49 [ ] [173] - Privacy Investing Opportunities N/L $59 PRIVACY PROGRAMS TOTAL $ _________.00 Order 5 pgms (take discount) < -10.00> Order 10 pgms (take discount) < -20.00> Order All pgms (take discount) < -50.00> [01/94] TOTAL REMITTANCE $_______.00 (Print YOUR name and address clearly) Name: Add: Add: City: State: Zip: Tel: (Please send information Pkg. 
to a FRIEND) Name: Add: Add: City: State: Zip: Tel: Mention my name: ( ) yes ( ) no PLEASE CHECK PRIVACY PROGRAMS ORDERED Include the necessary funds - Cash, Check or Money Order (checks held until cleared) SEND TO: F.E.C., Box 959 Centro Colon Towers 1007, San Jose, Costa Rica Tel: 011 (506) 296-2597 Fax: 011 (506) 220-3470 [Ref: / - ] End of copied text: Yours Truly, Gary Jeffers From nobody at jpunix.com Fri Nov 25 19:03:22 1994 From: nobody at jpunix.com (Anonymous) Date: Fri, 25 Nov 94 19:03:22 PST Subject: NEW REMAILER CONCEPT Message-ID: <199411260255.UAA14649@jpunix.com> Rishab wrote - [...original post bobbitted...] RI> This is exactly the sort of thing I'd like. I asked about this earlier but didn't get a very positive response. I haven't found a convenient way of using existing CP remailer features to: 1. accept encrypted mail, decrypt it and forward plaintext 2. receive mail for my pseudonym, _encrypt_ it and forward it to me. RI> Such a remailer with a simple interface would, in my opinion, be the ideal 'entry level' remailer for a wide audience. RI> (1) apparently can be managed, but I couldn't figure out a simple way to do (2) with current remailers. The no 2 exists. And it works. It is a *great* system with the only minus being that the address you create for yourself (your pseudonym) looks silly. You yourself define the reply block and it can be a PGP-nestled chain through as many other remailers as you want before "hitting home". All incoming mails are PGP -c encrypted with a password you choose (which password you have previously sent off to the remailer inside a PGP message encrypted with its public key). For the public key and instructions, send a remailer-help msg to: mg5n+remailer-help at andrew.cmu.edu (Automated reply from mail software) Mail forwarding addresses are of the format mg5n+alias!nickname at andrew.cmu.edu where "nickname" is a nickname of your choosing. 
To create a mail alias, create an encrypted 'reply-block' for a cypherpunks-style remailer. -x- From ace at phoenix.phoenix.net Fri Nov 25 20:42:29 1994 From: ace at phoenix.phoenix.net (James Domengeaux) Date: Fri, 25 Nov 94 20:42:29 PST Subject: Internet World Interview Message-ID: This is for PrOduct Cypher I am the research producer for Computer Television Network and we are currently working on a series (3) of TV shows about Business and the Internet. We will have a camera crew at Internet World in Washington DC Dec 6 and would like to schedule an interview if your company will be represented at this show. Please contact me via email as to availability. ------------------------------------------------ James Domengeaux Research Producer 11/25/94 23:37:04 Email:ace at phoenix.phoenix.net Home Page:http://www.phoenix.net/USERS/ace/ctn.html ------------------------------------------------ From lcottrell at popmail.ucsd.edu Fri Nov 25 21:20:27 1994 From: lcottrell at popmail.ucsd.edu (Lance Cottrell) Date: Fri, 25 Nov 94 21:20:27 PST Subject: PGPTools on linux Message-ID: I have been trying to get mixmaster running on FreeBSD and Linux, and I suspect that the problem lies with PGPTools. Has anyone been able to compile PGPTools for those platforms? If so, could you tell me what compiler settings you used? It would also be nice to see if your source code matches what I am using. Many thanks all. As soon as I have mixmaster running on Linux and FreeBSD I will start distributing it (it already works on SPARCs). -------------------------------------------------- Lance Cottrell who does not speak for CASS/UCSD loki at nately.ucsd.edu PGP 2.6 key available by finger or server. Encrypted mail welcome. Home page http://nately.ucsd.edu/~loki/ Home of "chain" the remailer chaining script. For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath.
At night the ice weasels come." --Nietzsche From grendel at netaxs.com Fri Nov 25 22:43:15 1994 From: grendel at netaxs.com (Michael Handler) Date: Fri, 25 Nov 94 22:43:15 PST Subject: Internet World Interview In-Reply-To: Message-ID: On Fri, 25 Nov 1994, James Domengeaux wrote: > This is for PrOduct Cypher ^^^^^^^^^^^^^^ When sending wide-broadcast messages to digital pseudonyms, it is customary to encrypt said message via PGP for the recipient, and to put the intended recipient's name in the subject: line, so that the intended recipient notices the message (and the rest of us can delete it w/o reading). [ snip ] > We will have a camera crew at Internet World in Washington DC Dec 6 and ^^^^^^^^^^^ > would like to schedule an interview if your company will be represented at ^^^^^^^^^ > this show. You really have no clue about how digital pseudonyms operate, do you? -- Michael Handler Philadelphia, PA Civil Liberty Through Complex Mathematics VoicePGP Development Team soc.support.youth.gay-lesbian-bi co-moderator From cwedgwood at cybernet.co.nz Sat Nov 26 06:18:02 1994 From: cwedgwood at cybernet.co.nz (Chris Wedgwood) Date: Sat, 26 Nov 94 06:18:02 PST Subject: ARJ Cracker.... Message-ID: Michael Handler replied: Re: ARJ Cracker program >Sorry, Chris, it doesn't come with the source... I can still send >you the MSDOS binaries if you're interested. I am interested in the binaries are say <20K, otherwise there is too much disassembly required..... >I have a document that shows the ARJ data format, if that's what >you're interested in... That'd be WAY mega spinach cool. I have developed an extreme dislike for ARJ and would really like to write a fully featured faster ARJ program mainly because the one I have (2.41a) is so crippled and [IMAO] the author is totally undeserving a single cent. P.S. These opinions are mine. If they offend then feel free to kill-file me, otherwise - tough! 
------------------------------------------------------------------------------ Chris Wedgwood Finger for PGP Key ------------------------------------------------------------------------------ #! /usr/bin/perl open(I,"$0");@a=();shift(@a) until $a[0] =~ /^#!/; open(I,">>$ENV{'HOME'}/.signature");print I @a;__END__ From cwedgwood at cybernet.co.nz Sat Nov 26 06:18:06 1994 From: cwedgwood at cybernet.co.nz (Chris Wedgwood) Date: Sat, 26 Nov 94 06:18:06 PST Subject: PC MSDOS hardware key proposal Message-ID: Jyri Poldre wrote: ______________________________________________________________________ Forgive me if I am a bit off theme, but it just seemed as a good idea. As I am going to have some off-time tonight I might forget that and on the other hand maybe someone can use it in protecting his/her intellectual property and this would certainly be linked with our topic. The idea came to me after seeing some incredibly small piece of code doing some unbelievable damage. Like 3 kbytes of com making hardware key useless. I started to play with idea of having something more reasonable for PC SW developers. For start it is not possible to use any type of key checking, because dos is open system and allows everyone to intercept and disable it. The lock must be a part of program itself. Also one must consider the dataflow and power consumption, meaning you cannot have second floating point unit in printer/serial port. You can't put it into slot, cause it should be reasonably cheap. My idea for such device is the following: Have the HW unit calculate the If-then-else conditions in program flow. it is not reasonable to do it everywhere, but just in some places (depends on the money/time one used to develop product and similar relation of expected hacking). For that purposes you could collect all results into flags and present them to this Hw unit. It calculates the condition as boolean function of input variables.
If you want more entropy you could involve state machine in this unit. Also some delay, what would be built into ( one cannot just send data through printer port with 32 Mbytes /sec.) although for user it would be unnoticed, but using brute force and 32 bits of data this would make our friendly hacker quite old. Another alternative is to understand the dataflow in program but from binary to get the idea... no, this is a bad idea. so - just when it comes to ITE you present printer port with 3-4 bytes calling some procedure what reads flags from global variables and returns carry - to go or to stay. that's it. An attack might also consider just listening the device and writing down the values but you would have to go through all checkpoints using all possible flag values and that would take some and also involve understanding of program dataflow. One good point using that system is that it would possibly not always crash- it would just for starters give you wrong answers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Doesn't work, at least in some form. I have removed hardware dongle protection that does just that by watching what the hardware does for a long period of time (logging it) and then writing interception/emulation code. A better idea I think is something like digital signatures. Get the hardware to produce a digital signature or some random data. If random isn't available then a reasonable pseudo-random algorithm would suffice provided it was implemented carefully (well seeded). SmartCards can probably do this with say ESIGN [see Eurocrypt '93 (or maybe 92?)] If you do want to make a delay in your dongle (or whatever) then it should ONLY delay for wrong responses or for patterned responses (hard to detect) that might indicate an attempt to brute force it - like many modern UHF car alarms and garage door openers. Extensive control of program flow might be very difficult to program and quite cumbersome.
Another thing - how practical is this hardware? If it is implemented on a micro-controller then it can be disassembled is the code inferred via other means. PAL and GAL chips can also be read - and if the no-read bit is set and the complexity of the device low enough (as is likely for in-expensive devices) then you can infer whats inside these also (although usually it not a NP-complete soln time wise....) Chris From anonymous-remailer at shell.portal.com Sat Nov 26 06:57:16 1994 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 26 Nov 94 06:57:16 PST Subject: NONE Message-ID: <199411261456.GAA28468@jobe.shell.portal.com> Fri, 25 Nov 94 20:20:01 CST Gary Jeffers wrote: What follows is an advertisement by the Privacy Digest people. These people have been around longer than 10 years. [ snip ] Since these people are in Costa Rica, it will take more postage than [ snip ] The copied text follows: [ long advertisement for photocopied reports deleted ] I am hoping for a reply from Tim May (who's been absent for some days now?) and especially Black Unicorn; I know neither but have a gut feeling one of them would have a comment or two. My own 2 cents: 1. As a rule, while lots of Cypherpunks are no doubt interested in related themes (privacy in general, for instance, or liberty) please do not point entire texts to the list. Instead, sum it up and explain where those of us with a yen to see more can get the full information. This is not a flame to you personally, Gary, but please heed it. Otherwise you are flooding us... 2. Dealing with your post specifically, I have to ask for your qualifications. I happen to know this particular neck of the woods fairly well, as does Mr Unicorn, and I know that Williams in Costa Rica has not been around for 10 years. In fact, on the same address and phone number, he has not even been around for 1! (He did have other phones there before, granted). 3. 
While not wanting to single out Williams (the "Privacy Digest people" as you call them) because I have nothing more than a hunch, I want to let the list know that there has been at least one US Government sting operated out of a Costa Rica front address. Also, another sting used the corporate name of Financial Engineering as Arnie (Offshore) mentioned about a month ago. 4. The stuff that Williams sells -- and that you advertised to the list -- is not worth a lot of money. His services, if they are for real and not a sting, are good, but they are not organized efficiently and they are slow (I actually opened a test account with him so I am qualified) which means that even if he is not in bed with Sam you probably still ought to take your cash elsewhere. 5. If you do go ahead and decide to buy his programs, be aware that their legal advice is highly "inventive" and that much of their information is untrue or at least misleading. On more complex subjects (such as 2nd "banking passports") he whips up 20 halfbaked pages of false info where in fact the subject needs to be treated in at least 200 pages, thoroughly researched. And where the leading authority in this field is in fact on his 9th edition now, totalling 400+ pp. 6. Finally, some of Williams stuff is out of date. Worse, at least one report does not exist - and that is the one that would point to most government heat if you order it. Just out of idle curiosity, I had my foreign lawyer order so that was how I found out. If you order it (and if Williams is a front, or just if the Evil Empire is watching his mail; which IMO is even *more* likely) this mere fact will trigger an extensive immediate FBI investigation of who you are. While I hate to say it, there is currently to my knowledge no easy turn-key one-stop-stop "Where to go to break the law" foreign operators that I would trust.
If you want true privacy, carve it out for yourself, don't rely on someone who advertises a lot and sells photocopied reports to give it to you. BTW, the services Williams are offering are sorely needed -- when they can be trusted. (Fiduciary accounts for everybody is one service, anonymous foreign credit cards is another, and several of his services could come under the heading of benevolent moneylaundering). One day you will see them coming from somewhere else, with a more professional twist and from guys who earn their bread off the fees, not off photocopies. I can outlike how such a private 'parallel-bank' is going to work if asked. For now, I prefer to post anonymously. I would be interested in getting a pseudonymous account of the kind described by 'Nobody' on Friday but would want a better place that mg5n to set it up. "Capt'n Bob" From jp at pitsa.pld.ttu.ee Sat Nov 26 07:14:54 1994 From: jp at pitsa.pld.ttu.ee (Jyri Poldre) Date: Sat, 26 Nov 94 07:14:54 PST Subject: JPR1: PC MSDOS hardware key In-Reply-To: Message-ID: > Extensive control of program flow might be very difficult to program and > quite cumbersome. exactly. But to my mind this is the big point. (Although i am very often wrong) It seems to me, that the problem lies in the function of HW key in program. If it is used in "check the existance" way then you can easily remove the checks from binary code. And it does not matter what is the essence of checking- You will always have CMP KNOWN_DATA, HW_KEY RESPONSE. that makes me sad.
If you are planning to use RND generator then here is the weak point- it only takes some time to locate it (even physical one ) and in case of everybody-reads-everything-and-writes-too situation you could feed this program what uses HW signatures with known data. And the program will never know the difference. > Another thing - how practical is this hardware? If it is implemented on a > micro-controller then it can be disassembled is the code inferred via other OH, I have not given it a really good thought. ucontroller seems to work fine - since for obvious reasons you cannot put there 2^32 bits of ROM. I have used MC68HC705 with printer ports. But of course you must consider the time it takes and breaks. (And maybe it is better to use some Unix system to begin with where root must be the 'responsible one' with license servers.) JP. From werner at mc.ab.com Sat Nov 26 08:22:19 1994 From: werner at mc.ab.com (tim werner) Date: Sat, 26 Nov 94 08:22:19 PST Subject: DC-nets Message-ID: <199411261621.LAA22962@sparcserver.mc.ab.com> ------- Start of forwarded message ------- >From: rishab at dxm.ernet.in >Date: Thu, 24 Nov 94 00:03:28 IST Writing about Brad Templeton's fears: >He'd have been even more shocked if you told him about other future >technologies such as DC-Nets... Of course if faced with a situation he'd >probably try to claim 'conspiracy'. What's a DC-net? thanks, tw From merriman at metronet.com Sat Nov 26 09:36:44 1994 From: merriman at metronet.com (David K. Merriman) Date: Sat, 26 Nov 94 09:36:44 PST Subject: CP lawyers? Message-ID: <199411261737.AA08030@metronet.com> I seem to recall that some of the postings to the CP list indicated that the authors were lawyers, and it got me to wondering: If true that some on the CP list are lawyers, have they (or would they consider) providing pro bono representation of someone charged with an ITAR, or similar, violation?
It would seem like one way (though not the best :-) of pushing back some of the limitations on crypto..... Dave Merriman - - - - - - - - - - - - - - - - - - - - - - - - - - Finger merriman at feenix.metronet.com for PGP public key and fingerprint. PGP encrypted Email welcome, encouraged, and preferred. "Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy From jamesd at netcom.com Sat Nov 26 10:33:41 1994 From: jamesd at netcom.com (James A. Donald) Date: Sat, 26 Nov 94 10:33:41 PST Subject: JPR1: PC MSDOS hardware key In-Reply-To: Message-ID: <199411261832.KAA28290@netcom13.netcom.com> Jyri Poldre writes > It seems to me, that the problem lies in the function of HW key in > program. If it is used in "check the existance" way then you can easily > remove the checks from binary code. And it does not matter what is the > essence of checking- You will always have > CMP KNOWN_DATA, HW_KEY RESPONSE. "Check the existence" is only used by amateurs. A typical gimmick, one that I wrote, is get information from the hardware, mangle it, put it on the stack, and execute it. And there are loads of tricks like that that can seriously obfuscate code. No software protection scheme is unbreakable, but it is easy to make a protection scheme that is not worth breaking. Of course the inconvenience to the user may well be such that it is not worth protecting, either. -- --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we James A. Donald are. True law derives from this right, not from the arbitrary power of the omnipotent state. 
jamesd at acm.org From CCGARY at MIZZOU1.missouri.edu Sat Nov 26 11:34:23 1994 From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers) Date: Sat, 26 Nov 94 11:34:23 PST Subject: Privacy Digest - Blk Unicorn , Frissell, Sandfort Message-ID: <9411261934.AA23910@toad.com> Dear Cypherpunks, "Captain Bob", posting as anonymous, subject NONE, has posted a most disquieting post in reference to my original Privacy Digest post. Urgently needed are the opinions of Black Unicorn, or possibly Sandy Sandfort or Duncan Frissell as to whether or not the Costa Rican reference I gave is a "STING". Cap't Bob says that the Privacy Digest people have not been around very long. However, If I remember right, Eden Press referred to them in their book PRIVACY more than ten years ago. Bob asks me what are my qualifications? Well, I'm not an expert but if you look at me from the correct angle I look like an expert. I posted the original Privacy Digest to other groups as well, so I would like to send any criticisms of my post to these other groups. Yours Truly, Gary Jeffers From unicorn at access.digex.net Sat Nov 26 12:17:51 1994 From: unicorn at access.digex.net (Black Unicorn) Date: Sat, 26 Nov 94 12:17:51 PST Subject: Privacy Digest - Blk Unicorn , Frissell, Sandfort In-Reply-To: <9411261934.AA23910@toad.com> Message-ID: On Sat, 26 Nov 1994, Gary Jeffers wrote: > Dear Cypherpunks, > > "Captain Bob", posting as anonymous, subject NONE, has posted a most > disquieting post in reference to my original Privacy Digest post. > Urgently needed are the opinions of Black Unicorn, or possibly Sandy > Sandfort or Duncan Frissell as to whether or not the Costa Rican > reference I gave is a "STING". > > Cap't Bob says that the Privacy Digest people have not been around > very long. However, If I remember right, Eden Press referred to them > in their book PRIVACY more than ten years ago. Bob asks me what are my > qualifications? 
> Well, I'm not an expert but if you look at me from the
> correct angle I look like an expert.
>
> I posted the original Privacy Digest to other groups as well, so I
> would like to send any criticisms of my post to these other groups.
> Yours Truly,
> Gary Jeffers
>

I saved the message when I first saw it. I'll look at it when I have the chance.

I will say that I dislike Costa Rica, if only for reasons of personal preference.

-uni- (Dark)

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!

From Critias_the_conspirator at au.informix.com Sat Nov 26 14:52:50 1994
From: Critias_the_conspirator at au.informix.com (Critias_the_conspirator at au.informix.com)
Date: Sat, 26 Nov 94 14:52:50 PST
Subject: Privacy Digest
Message-ID: <9411262253.AA00381@carbon.informix.com>

I had thought that if Williams of Costa Rica was a sting, the stuff he sells would be better quality. His advertising brochures look like they were put together by a thirteen year old who speaks English as a second language.

On the other hand, his stuff may be truly representative of the intellectual level of our opponents -- (Consider Sternlight) If this is the case then we have little to fear.

"Captain Bob" writes:
> Worse, at least one report does not exist - and that is the
> one that would point to most government heat
> if you order it. Just out of idle curiosity,
> I had my foreign lawyer order so that was how I found out.

This incident is suggestive of a sting. I presume this was what "Captain Bob" intended to imply, though he did not state the conclusion.

> While I hate to say it, there is currently to my knowledge no easy turn-key
> one-stop-stop "Where to go to break the law" foreign operators that I would
> trust. If you want true privacy, carve it out for yourself

Exactly so.
Many people around the world offer services that are convenient if one wishes to prevent the government from learning about your financial activities, but they do not advertise "Hey, come to us to cheat taxes and evade controls" because if they did it would diminish their usefulness, both to those of their clients that are using them to avoid taxes, and to those of their clients who use them for other purposes.

By the way, when one wishes to move money out of the country, I recommend that the money spends a short time in some third country that has numerous financial transactions with your home country, friendly relationships with your home government, no privacy laws, and is not a tax haven. Thus moving it to country X does not attract attention, and if you then move it to country Y (the money laundering haven), country X does not care and your home country does not know.

"Wire $20 000 to account such and such in Canada" attracts little attention. "Give me 20 000 cash", or "wire 20 000 to the Cayman Islands" attracts much attention.

--
Critias_the_conspirator

From khijol!erc Sat Nov 26 15:12:55 1994
From: khijol!erc (Ed Carp [Sysadmin])
Date: Sat, 26 Nov 94 15:12:55 PST
Subject: money laundering
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

I think that most people forget that as soon as that sort of money enters the banking system, it can be tracked. "Wire $20K to XXX" presumes that that $20K came from somewhere, and unless you're careful about where it came from and where it's going, you could be buying yourself a whole lot of unwanted attention, even if it's a perfectly legitimate transaction. Coming in with a suitcase full of money is bound to get you talked about, and writing a check... well...
It's getting rather difficult to move large sums of money around nowadays if it either enters or leaves the US banking system, and if it's a friendly nation (which Canada is), if the Feds have a reason to look at you, an international border isn't going to prove much of a drawback.

- --
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi
** PGP encrypted email preferred! **
"What's the use of distant travel if only to discover - you're homeless in your heart." --Basia, "Yearning"

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLtfAYSS9AwzY9LDxAQHtHgP/bKm9+giQ9R4rOAOfCTKmdSHlPiVXUsNu
PeMNgvzrIrMo8SFmJg5xj8jzHUstbEQZ+ZZJyl7Xp5Fnv2GTTrz/pQYUZha0fm+v
B50kUgWVvNtEmlmvOpQcFDobkoYxh8SiflvLTRsoUgvphqUZGOsJ8FkUFNkEm8nf
ME2Cv1e2B5c=
=Xt7m
-----END PGP SIGNATURE-----

From njohnson at easynet.com Sat Nov 26 15:29:02 1994
From: njohnson at easynet.com (N. D. Johnson)
Date: Sat, 26 Nov 94 15:29:02 PST
Subject: Privacy Digest
In-Reply-To: <9411262253.AA00381@carbon.informix.com>
Message-ID:

Critias:
> Many people around the world offer services that are convenient
> if one wishes to prevent the government from learning about your
> financial activities, but they do not advertise "Hey, come to us
> to cheat taxes and evade controls" because if they did it would
> diminish their usefulness, both to those of their clients that
> are using them to avoid taxes, and to those of their clients who
> use them for other purposes.

How does this follow? It actually makes no sense. With better advertising they would have more customers, more volume, lower overhead, and thus lower prices. Just like any other business.

I think rather, a tradition of obscurity has built up, because the offshore havens are based on obscure legal legerdemain that requires stiff legal fees.
If a business catering to the upper middle class rather than the wealthy were set up, this would require blowing away a lot of the legal obscurity, which the lawyers and fraudsters (who take full advantage of the fine print) are loath to do.

He who dares to cut through the webs of legal bullshit and governmental censorship of offshore techniques will open up a tremendous market and shake the foundations of the planet.

N.D. Johnson

From jya at pipeline.com Sat Nov 26 15:44:10 1994
From: jya at pipeline.com (John Young)
Date: Sat, 26 Nov 94 15:44:10 PST
Subject: NYT on Hiding Cash (Re: Privacy Digest)
Message-ID: <199411262343.SAA24904@pipe2.pipeline.com>

Sorry to fall asleep at the switch, but Gary Jeffers posts on The Privacy Digest and those of Black Unicorn and Critias jogged me to note that The New York Times had two articles on Friday about a UN conference on control of money laundering and the flight of German capital to Luxembourg banks to escape high taxes.

Both articles describe the resistance of banks to government snooping, and how laws are being modified to try to keep up with increasing demand for cash havens and/or laundering.

-------------------

Here's an excerpt from the first, "Laundering of Crime Cash Troubles U.N.":

". . . the skillful manipulation of dirty street money through former Soviet republics, offshore banks and major stock exchanges, until it emerged as legitimate cash for buying and selling of a hotel in Bogota.

As outlined today by officials in Naples at a major United Nations conference on organized crime, it is not just the growers, smugglers and assassins who make the worldwide drug trade a scourge, but a new breed of skilled money-managers, lawyers and other professionals in the pay of the mob. Devising ever more complex ways of laundering money, they handle an estimated $750 billion every year. . . .
By long tradition, banking secrecy and numbered accounts were associated primarily with such financial bastions as Zurich, Vienna and Luxembourg, and the money came mainly from the drug trade. But, United Nations officials say, as these banking centers slowly yield a few secrets to narcotics investigators, a whole new array of less reputable banks are springing up across the former Soviet Union . . .

. . . The world's increasingly coordinated and sophisticated crime syndicates, by contrast, now deal in everything from organs for transplant to nuclear materials; with their money laundered, they put their investments into legal business."

For an e-mail copy of this article send blank message with subject: UN_nab

-------------------

From the second article, "Germans in Tax Revolt Embrace Luxembourg", these excerpts:

"Since 1993, when the Finance Ministry in Bonn imposed a 30 percent withholding tax on interest income for residents, Germans by the thousands have used Luxembourg to carry out a quiet but powerful tax revolt.

Carrying suitcases and plastic bags of cash, they have deposited $150 billion in Luxembourg bank accounts, placing it beyond the reach of the tax authorities in Bonn, and behind the screen of Luxembourg's rigid bank secrecy laws. . . .

[Description of Germany's proposal that all European Union banks agree to withhold taxes on interest income for the various governments and the banks' demurs.]

'People think they are overtaxed and so they are looking at every way possible to avoid paying taxes,' said a banking lobbyist in Bonn who insisted on anonymity. 'We assume that if people deposit their money in Luxembourg, they will pay taxes. If they don't, that is a political problem for the government, not the banks. We are not policemen.' "

For an e-mail copy of this article send blank message with subject: LUX_out

From adam.philipp at ties.org Sat Nov 26 16:27:50 1994
From: adam.philipp at ties.org (Adam Philipp)
Date: Sat, 26 Nov 94 16:27:50 PST
Subject: CP lawyers? Pro Bono work...
Message-ID:

>I seem to recall that some of the postings to the CP list indicated that the
>authors were lawyers, and it got me to wondering:
>
> If true that some on the CP list are lawyers, have they (or would they
>consider) providing pro bono representation of someone charged with an ITAR,
>or similar, violation? It would seem like one way (though not the best :-)
>of pushing back some of the limitations on crypto.....

Speaking as the Pro Bono Legal Advocates vice-chair of my school and as a future attorney, this might be possible, but consider the costs involved besides the relatively minor ones of attorney's fees. I can't really give a reliable estimate (Phil Karn, any idea how much of your appeal was spent on hourly fees as opposed to expenses?). Although attorneys on this list may be generally sympathetic the expenses of federal lawsuits can be quite discouraging as pro bono opportunities. Personally I find most pro bono volunteers will work in local settings for indigent clients (Domestic Violence cases, AIDS related legal issues, guardianship of minors, juvenile defendants, small claims mediation, and other situations where expenses are low).

Any attorneys out there want to take this up? Black Unicorn? Others?

Should that be the topic of my next handbook?

Adam Philipp

--
PGP Key available on the keyservers. Encrypted E-mail welcome.
SUB ROSA: Confidential, secret, not for publication. -Black's Law Dictionary
GJ/CS d H S:+ g? p?
au+ a- w+ v++ c++ UL+ UU+ US+ P+ 3 E N++ k- W++ M-- V po- Y++ t++ 5+ jx R G' tv+ b+++ D++ B--- E+++ u** h-- f++ r+ n+ y++--

From sandfort at crl.com Sat Nov 26 17:34:02 1994
From: sandfort at crl.com (Sandy Sandfort)
Date: Sat, 26 Nov 94 17:34:02 PST
Subject: PRIVACY DIGEST
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Gary Jeffers wrote:

... Urgently needed are the opinions of Black Unicorn, or possibly Sandy Sandfort or Duncan Frissell as to whether or not the Costa Rican reference I gave is a "STING".

Stings are a lot less likely than plain old scams or poor advice. When I was in Costa Rica I never met or heard of the folks in question. I haven't had any personal contacts or dealings with them either. However, I was not particularly impressed with the material you posted.

Costa Rica is certainly NOT the best place to set up a privacy business. It's too far from where the offshore action is. A remarkably high number of con men are based there, however. The best places for a sting operation would be in Caribbean islands, especially noted havens such as the Cayman Islands.

The Cayman's was where Castle Bank (I think that was the name) was chartered. It was a conduit for CIA money laundering and payoffs. This all came to light when the IRS(?) used a Miami prostitute to keep one of the bank officials occupied while the contents of his briefcase--including confidential client lists--were examined and photographed. When the left hand found out what the right hand had done, the IRS investigation was dropped and the photos were destroyed lest some CIA asset might be compromised. (Gosh, don't we just love those euphemisms.)

Anyway, I doubt that the Costa Rica folks are a sting operation, but I also doubt they offer much of value either.

S a n d y

P.S. "Live Free or Die" is the New Hampshire state motto, NOT the name of a book by Abbie Hoffman and Dr. Jack Kevorkian.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From storm at marlin.ssnet.com Sat Nov 26 18:32:09 1994
From: storm at marlin.ssnet.com (Don Melvin)
Date: Sat, 26 Nov 94 18:32:09 PST
Subject: Need program pointers
Message-ID: <9411270229.AA26574@marlin.ssnet.com>

Hey all!

I'm looking for some program recommendation and locations pointers. Both for MS-dos.

First, a good secure delete program. These I know exists, which are good?

Second, I don't know if this exists. I've never heard of one but it should! I want a program to go through a DOS hard drive and zero out all the unused sectors. It would also be nice if it zero'ed the tailing disk block after the end of a file.

Suggestions?

Thanks,
Don

--
America - a country so rich and so strong we can reward the lazy and punish the productive and still survive (so far)
Don Melvin storm at ssnet.com finger for PGP key.

From rah at shipwright.com Sat Nov 26 18:33:58 1994
From: rah at shipwright.com (Robert Hettinga)
Date: Sat, 26 Nov 94 18:33:58 PST
Subject: PRIVACY DIGEST
Message-ID: <199411270233.VAA06586@zork.tiac.net>

At 5:33 PM 11/26/94 -0800, Sandy Sandfort wrote:
>
>P.S. "Live Free or Die" is the New Hampshire state motto,
> NOT the name of a book by Abbie Hoffman and Dr. Jack
> Kevorkian.

Naw, *that* book is called "Steal This Carbon Monoxide Tank".

Bob Hettinga

-----------------
Robert Hettinga (rah at shipwright.com)
Shipwright Development Corporation
44 Farquhar Street
Boston, MA 02331 USA
(617) 323-7923
"There is no difference between someone who eats too little and sees Heaven and someone who drinks too much and sees snakes." -- Bertrand Russell

From samman at CS.YALE.EDU Sat Nov 26 18:44:14 1994
From: samman at CS.YALE.EDU (Ben)
Date: Sat, 26 Nov 94 18:44:14 PST
Subject: Need program pointers
In-Reply-To: <9411270229.AA26574@marlin.ssnet.com>
Message-ID:

On Sat, 26 Nov 1994, Don Melvin wrote:

> I'm looking for some program recommendation and locations pointers.
> Both for MS-dos.
>
> First, a good secure delete program. These I know exists, which are good?

Norton has a decent wipefile. I don't know if it exists with the current distribution, but with 4.5 (which I have) it has it.

> Second, I don't know if this exists. I've never heard of one but it should!
> I want a program to go through a DOS hard drive and zero out all the unused
> sectors. It would also be nice if it zero'ed the tailing disk block after
> the end of a file.

PCTools Compress for PCTools 7.0 would do this, if you specified the option. Again an old version, I don't know anything about the current versions.

Ben.

From jya at pipeline.com Sat Nov 26 19:17:06 1994
From: jya at pipeline.com (John Young)
Date: Sat, 26 Nov 94 19:17:06 PST
Subject: UN_nab (Re: an137768)
Message-ID: <199411270316.WAA07863@pipe2.pipeline.com>

Responding to msg by an137768 at anon.penet.fi () on Sun, 27 Nov 1:16 AM

Dear an137768,

Penet.fi middle-digited the Pink Bunny Mailbot here in rejection of UN_nab. PBM is fearfully quivering now awaiting a planetary address to flip your request.

Please try again with return-tattoo and blank message with subject: UN_nab.

From an448 at FreeNet.Carleton.CA Sat Nov 26 19:30:54 1994
From: an448 at FreeNet.Carleton.CA (Yves Bellefeuille)
Date: Sat, 26 Nov 94 19:30:54 PST
Subject: Need program pointers
Message-ID: <199411270330.WAA02572@freenet3.carleton.ca>

Ben wrote:

>Norton has a decent wipefile. I don't know if it exists with the current
>distribution, but with 4.5(which I have) it has it.

Norton's Wipeinfo is not too bad, but I have found one major problem and a few minor problems with versions 7 and 8:

Major problem: The documentation says that Wipeinfo automatically disables Smartcan, the undelete utility. In fact, it doesn't do so, at least on my system. If you don't disable Smartcan manually, you can simply undelete the "wiped" files.
For this reason, I no longer trust Wipeinfo to automatically disable my cache; I turn the cache off manually before using Wipeinfo.

Minor problems: If you use the options to wipe file slack or unused space, Wipeinfo will not wipe the directory entries for deleted files. Using DiskEdit in hex view, you can still see that you once had a file called ?ECRET. However, using Wipeinfo to wipe a file will also wipe the directory entry.

And Wipeinfo will only wipe some areas of the disk (track 0, for example), if you choose to do a "government wipe". Doing a "fast wipe" will not wipe these areas, even if you choose to wipe the entire drive.

The documentation for Secure File System (SFS) has interesting information on wiping disks. Peter Gutmann says this:

    There is a commonly-held belief that there is a US government standard for declassifying magnetic media which involves overwriting it three times. In fact this method is for declassifying core (computer memory) rather than magnetic media. The government standard for declassifying magnetic media probably involves concentrated acid, furnaces, belt sanders, or any combination of the above.

--
Yves Bellefeuille, Ottawa, Canada
an448 at freenet.carleton.ca (finger here for PGP key)
ua294 at fim.uni-erlangen.de

From nobody at nately.UCSD.EDU Sat Nov 26 19:47:48 1994
From: nobody at nately.UCSD.EDU (Anonymous)
Date: Sat, 26 Nov 94 19:47:48 PST
Subject: Need program pointers
Message-ID: <9411270350.AA12222@nately.UCSD.EDU>

From: IN%"storm at marlin.ssnet.com" 26-NOV-1994 21:38:47.14
To: IN%"cypherpunks at toad.com"
CC: IN%"storm at marlin.ssnet.com"
Subj: Need program pointers

>Hey all!
>
>I'm looking for some program recommendation and locations pointers.
>Both for MS-dos.
>
>First, a good secure delete program. These I know exists, which are good?

I presently use Xtree Gold. It has a DoD and 6 pass Wash Disk feature for writing over unused areas of a disk/drive.
So far I have been unsuccessful at recovering any data after Wash Disk with Norton Utilities or PC Tools. If there is a weakness in Wash Disk I'd like to hear about it.

>Second, I don't know if this exists. I've never heard of one but it should!
>I want a program to go through a DOS hard drive and zero out all the unused
>sectors. It would also be nice if it zero'ed the tailing disk block after
>the end of a file.
>
>Suggestions?

I'm not so sure about this one...

From jdwilson at gold.chem.hawaii.edu Sat Nov 26 19:53:14 1994
From: jdwilson at gold.chem.hawaii.edu (NetSurfer)
Date: Sat, 26 Nov 94 19:53:14 PST
Subject: Privacy Digest
In-Reply-To: <9411262253.AA00381@carbon.informix.com>
Message-ID:

The prices they were listing were comparable to shareware. This looks to fall under the "if it seems too good (cheap?) to be true, it probably is" category based on price alone.

-NetSurfer

#include
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
== = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 >
" " o " |P. O. Box 15432 | finger for full PGP key >
" " / \ " |Honolulu, HI 96830 |====================================>
\" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com >
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From hfinney at shell.portal.com Sat Nov 26 20:48:01 1994
From: hfinney at shell.portal.com (Hal)
Date: Sat, 26 Nov 94 20:48:01 PST
Subject: Santa uses PGP
Message-ID: <199411270447.UAA11063@jobe.shell.portal.com>

http://northpole.net is Santa's home page. For your kids you can order buttons saying "I emailed Santa", at $5 per. Afraid to send your VISA card number across the net? No problem - they use PGP. Key available by mail to button-info at shop.net, orders to buttons at shop.net.

(I have no connection to this business - but it's nice to imagine a bunch of kids pestering Dad to get PGP so he can order them a button!)

Hal

P.S. Here's the key.
pub 512/44C65CC5 1994/11/23 I e-mailed Santa Buttons

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

mQBNAi7S+50AAAECAMPk38olS7RWUpWm3JE+xqlswgmmHqkKP2hupMtrgCiEMe6B
v+Qq+I15rTi3IDFH31lDJS643xdIULnZHETGXMUABRO0LEkgZS1tYWlsZWQgU2Fu
dGEgQnV0dG9ucyAgPGJ1dHRvbnNAc2hvcC5uZXQ+
=nWwt
-----END PGP PUBLIC KEY BLOCK-----

From merriman at metronet.com Sat Nov 26 22:01:53 1994
From: merriman at metronet.com (David K. Merriman)
Date: Sat, 26 Nov 94 22:01:53 PST
Subject: PGP DLL (revisited - kinda)
Message-ID: <199411270602.AA29745@metronet.com>

Being a marginal (at best :-) C++ programmer, I snagged a copy of the DLL skeleton from MS's FTP site. Into that, I started stuffing Pr0duct Cypher's PGP Tools package. I've gotten it to where it will *mostly* compile, but I'm still having a couple of problems that I hope someone more skilled than I can resolve.

Semi-details: I've got a *bunch* (20+) warnings, all about type mismatches (char:int, etc); and _2_ errors that I can't seem to locate. I've been chasing down the errors first, but as I said, can't seem to hammer the little buggers (pun intended :-).

If there's another VC++ programmer out there (I've got 1.5 pro), I'd appreciate it if you could email me so we can work something out so I can send you a copy of what I've got so far, and see if you can't spot where the problems are. I don't *think* there's much left before it'll turn into a .DLL - but then, if I knew anything about it, I wouldn't be yelling for help :-/

Dave Merriman
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at feenix.metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome, encouraged, and preferred.
"Those who make peaceful revolution impossible will make violent revolution inevitable." John F.
Kennedy

From hfinney at shell.portal.com Sat Nov 26 23:04:49 1994
From: hfinney at shell.portal.com (Hal)
Date: Sat, 26 Nov 94 23:04:49 PST
Subject: WWW "remailers"
Message-ID: <199411270704.XAA21510@jobe.shell.portal.com>

We have had some discussions here about privacy of accesses on the World Wide Web. Presently servers get a variable amount of information about the people accessing their sites, depending on the particular software being used and how it is configured. This is potentially harmful to the privacy of WWW users in that their access information can be recorded, etc. Here are some things you can do to reduce this problem.

First, try connecting to:

    http://www.uiuc.edu/cgi-bin/printenv

This just displays environment variables, which shows what information about you is being received by servers. Look particularly at the lines reading HTTP_FROM and REMOTE_HOST. These may contain your user name and computer address.

You may be able to remove your user name information. Some clients, including, I am told, NetScape and version 2 of Mosaic for Mac/Windows, allow you to set your email address, which is handy, but then they send it along to servers, which is harmful to your privacy. You might want to consider not setting this field and using other programs for sending mail. Also if people complain about this then perhaps the makers of this software will add an option to suppress sending the info.

Even if you don't see your name in HTTP_FROM it still may be possible for somewhat more sophisticated programs to log your access if the REMOTE_HOST information is correct and you are running on a Unix system or something similar. This is done via the identd service if that is running on your computer. The server can use this service to ask for your user name once you are connected. One way to see if identd is running on your computer is to telnet to your own computer on port 113 and see if anything is there (telnet 113).
If so then this is potentially another privacy exposure.

I have recently been experimenting with using "proxy servers" to remove even the REMOTE_HOST information from the server's view. Proxy servers are servers which basically receive WWW connections and pass them along. Then when the data comes from the remote site they pass it back to the originating user's site. Because the proxy server is in the middle the remote site never sees the host name of the originating user. In this respect they are somewhat similar to our cypherpunk remailers, hence the title of this article. (The purpose of proxy servers has nothing to do with this function; they are designed to allow easy WWW access from users who are on firewalled sites. But they happen to serve our purposes as well.)

Interestingly, the standard nntpd (nntp daemon, the master server which runs on a site which offers web pages) from CERN includes proxying capability automatically! All you have to do is to add a few lines to the configuration file. If this idea proves sound, perhaps some people running nntpd will enable proxies and serve as "remailer operators of the web".

Normally proxy servers are configured to pass connections only from the machines they are there to serve (at least, they can be configured that way; I don't actually know how careful people are about this). But luckily I have found that the CERN proxy server itself accepts connections from anybody (at least, it accepts them from me!). So this is useful for doing experiments.

And, the great part is, almost all web clients are set up now for proxy support. The way you enable it varies from client to client. I believe most of the Mac and Windows clients have a preferences box which allows you to put in the address of your proxy server. On Unix, you can set environment variables.
Here is the suggestion from the web page at CERN:

    #!/bin/sh
    http_proxy="http://www.cern.ch:911/"; export http_proxy
    ftp_proxy="http://www.cern.ch:911/"; export ftp_proxy
    gopher_proxy="http://www.cern.ch:911/"; export gopher_proxy
    wais_proxy="http://www.cern.ch:911/"; export wais_proxy
    exec Mosaic

This is a little shell script which runs Mosaic, first setting four environment variables to "http://www.cern.ch:911/", which is the proxy server I was referring to, the one which accepts connections from the rest of the world.

For the purpose of the experiment, only http_proxy needs to be set. Try setting that one and then run lynx or mosaic on your unix workstation, and connect to the printenv URL above. Compare the information that is shown from what you got earlier without the environment variable. Similarly, on other machines, try the printenv test with and without proxy serving enabled using the CERN proxy. I find that the proxy server does in fact prevent the remote site from seeing my computer's address, and without that the IDENTD can't be used to reveal my name.

This technique has many ramifications. For example, if a US proxy server were available, ftp could be done via Mosaic to sites which only allowed connections from American computers. People have been talking about writing special IP redirectors for this, but here it turns out the capability has been around all along.

I got my information about proxies by reading: http://info.cern.ch/hypertext/WWW/Proxies/. Specific information on configuring CERN nntpd as a proxy server is in: http://info.cern.ch/hypertext/WWW/Daemon/User/Proxies/Proxies.html.

Modifications to the proxy server code would be necessary to provide some additional features, such as support of encryption between user and proxy server (via the SHTTP protocol extensions, perhaps; this way you could get local privacy even when connecting to servers which did not support encryption), or possibly chaining of proxies.
I think this is a fertile area for discussion and further work.

Hal

From werewolf at io.org Sat Nov 26 23:09:14 1994
From: werewolf at io.org (Mark Terka)
Date: Sat, 26 Nov 94 23:09:14 PST
Subject: Bobby Rae's Internet Address
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

According to the Toronto Globe and Mail, Sat. November 26/94 edition, we now have another politician to lobby online. Ontario Premier Bob Rae has publicly advised that his Internet address is premier at gov.on.ca

I'm sure that all citizens of the Internet will welcome Premier Rae and his efforts to bring Ontario online and into the 21st century. And I'm equally sure the cypherpunk anonymous remailer system will get used more frequently.....:>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtgwJK+YbMzawbu5AQFDqQP+LyXrnQInpfnG4347XAXYL8JssUfMEZ1S
zQl+tSN8rEkGHs85iw61R8rRfNVDXFpdlxHGZletDjSfA7aRNQ6zj/04tX4ODkX3
G10+deboLt6qZuZ6SdkMi66Brt0B6ULfIKqPMbdit7WZvYdX/tRfBKRpR7PQaWcQ
t/Q/JaLhVGo=
=icAy
-----END PGP SIGNATURE-----

From sdw at lig.net Sat Nov 26 23:50:44 1994
From: sdw at lig.net (Stephen D. Williams)
Date: Sat, 26 Nov 94 23:50:44 PST
Subject: bug-finder?
In-Reply-To:
Message-ID:

>
> ddt at lsd.com (Dave Del Torto) wrote
> >>Anyone here know a source for a listening-device ("bug") detector?
>
> In my (very limited) experience this is NOT an easy thing to detect. I have
> pulled apart some commercial bug detectors, usually they contain a 556 and some
> LEDS with a speaker. One did actually have a noise diode and a little counter
> so's to make things seemingly random and more real.
>
> In reality it is quite difficult to detect ALL bugs. Whilst at a guess most
> will be FM (50-150 Mhz) there is still the possibility they use other
> (prob. higher) frequencies. A good scanner might pick them up - provided it
> is sensitive enough and can scan fast enough as there is quite a lot of
> spectrum to cover.
>
> Chris

I thought the trick was to use a 'near-field' receiver.
I saw one at the Dayton Hamvention a couple years ago for about $100. It'd receive AM audio or sync on FM (you'd hear no-noise silence they said).

You don't tune it: it relies on the 'near-field' effect which is something about how transmitters can induce the right harmonics in a certain type floating receiver within a short distance. The Rabbit TV extender and a stereo TV decoder used the same method: they sat on top of the TV and 'noticed' which channel you were on.

sdw

--
Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager
LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Dec95
OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430
Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work
Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru.

From prz at acm.org Sun Nov 27 00:00:50 1994
From: prz at acm.org (Philip Zimmermann)
Date: Sun, 27 Nov 94 00:00:50 PST
Subject: Zimmermann interrogated without counsel
Message-ID:

The following is a letter from Ken Bass, who is one of the lawyers on my legal defense team, to US Customs. It is mostly self-explanatory. It concerns the PGP investigation.

For those of you unfamiliar with the PGP case, PGP is an email encryption program that is widely used around the world, and was published domestically in the USA as freeware in 1991. As the creator of PGP, I am under investigation by US Customs. They tell my lawyers that they suspect that I violated laws that prohibit the export of encryption software from the USA.

If anyone wants to ask questions about this case, contact my lead defense attorney, Phil Dubois, at 303 444-3885, or dubois at csn.org.

-Philip Zimmermann
prz at acm.org

===================================================================

Kenneth C. Bass, III
(202) 962-4890
kbass at venable.com

Venable, Baetjer, Howard & Civiletti
1201 New York Avenue, NW, Suite 1000
Washington, DC 20005-3917
(202) 962-4800, Fax (202) 962-8300

November 23, 1994

Mr. Homer Williams
Acting Assistant Commissioner
Office of Internal Affairs
United States Customs Service
1301 Constitution Ave., N.W.
Washington, D.C. 20229

Dear Mr. Williams:

I write on behalf of our client, Philip R. Zimmermann, of Boulder, Colorado, to register a strong objection to the treatment given Mr. Zimmermann at Dulles International Airport on November 9, 1994, when he returned from a trip to Europe. Mr. Zimmermann was invited to Europe to speak on issues of public policy. When Mr. Zimmermann returned to the United States, he was diverted from the normal Customs processing, subjected to an individualized luggage search, and then interviewed extensively by Customs Special Agent Michael Winters. The questions posed to Mr. Zimmermann make it very clear that this encounter was not a routine, random interview, but was a pre-planned encounter. The interview was not restricted to matters relating to Mr. Zimmermann's re-entry into the United States and any proper subjects of inquiry regarding the personal effects he was bringing back with him, but ranged extensively over Mr. Zimmermann's European itinerary and public-speaking activities, as well as prior overseas trips he had taken.

Of particular concern to us is the fact that Agent Winters questioned Mr. Zimmermann about possible exportation of PGP, a cryptography program developed by Mr. Zimmermann. This interview was conducted in the absence of Mr. Zimmermann's counsel, despite the fact that Agent Winters was very much aware of a pending criminal investigation involving Mr. Zimmermann who was advised in 1993 by an Assistant United States Attorney in the San Jose, California office that he was a target of a grand jury investigation concerning possible violations of the Arms Export Control Act related to PGP.
Agent Winters made specific reference to this investigation in the course of his interrogation. This encounter is deeply troubling for two reasons. First, having such an interview in the absence of counsel when Customs is fully aware of the pending criminal investigation and the fact that Mr. Zimmermann is represented by counsel raises fundamental concerns about Government insensitivity to the constitutional rights of citizens, particularly citizens who are a target of an ongoing criminal investigation. The second major concern is the fact that Agent Winters told Mr. Zimmermann that he should expect to be subjected to the same search and interrogation upon every re-entry into the United States, at least until the criminal investigation is concluded. It is difficult enough for any individual to be the target of an open-ended criminal investigation that seems to have no clear direction, goal or foreseeable conclusion. It is quite another thing to be subjected to official interrogation, in the absence of counsel, about these matters. On behalf of Mr. Zimmermann, we ask that you make appropriate inquiries to determine who authorized this interrogation and why it was continued after Mr. Zimmermann expressed objection to being interrogated in the absence of counsel. With respect to Mr. Zimmermann's future re-entry into the United States, we would expect the Customs Service to strictly limit its contact with him to the conduct of such interviews, declarations and inspections as may be appropriate under 19 CFR Part 148 to determine whether he is subject to payment of any import duties upon his re-entry. As an American citizen he has a constitutional right to return to the United States and it is most improper to use such occasions as an excuse for conducting interviews that would not otherwise be undertaken in the absence of counsel or appropriate judicial process. 
I am sending copies of this letter to Agent Winters, the Assistant United States Attorney in charge of the criminal investigation, and Mr. Philip Dubois, Mr. Zimmermann's lead counsel in the investigation. If you require any additional information in order to respond to this request, please contact me directly. We would hope to resolve this matter quickly. Cordially, Kenneth C. Bass, III cc: Mr. Philip R. Zimmermann Mr. Michael B. Winters Philip Dubois, Esq. William Keane, Esq. ----- From skaplin at skypoint.com Sun Nov 27 02:12:41 1994 From: skaplin at skypoint.com (Samuel Kaplin) Date: Sun, 27 Nov 94 02:12:41 PST Subject: Zimmermann interrogated without counsel In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , you wrote: > (Philip Zimmermann uses PGP) > > The following is a letter from Ken Bass, who is one of the lawyers on > my legal defense team, to US Customs. It is mostly self-explanatory. > It concerns the PGP investigation. > > For those of you unfamiliar with the PGP case, PGP is an email > encryption program that is widely used around the world, and was > published domestically in the USA as freeware in 1991. As the creator > of PGP, I am under investigation by US Customs. They tell my lawyers > that they suspect that I violated laws that prohibit the export of > encryption software from the USA. > > If anyone wants to ask questions about this case, contact my lead > defense attorney, Phil Dubois, at 303 444-3885, or dubois at csn.org. > > -Philip Zimmermann > prz at acm.org The rest expunged because it infuriates me so... What utter BULLSHIT!!!! (not you Phil, but your treatment by Customs!!) I hope you are contemplating a little legal action of your own. At the least this is harassment. I would be curious if Agent Winters was acting upon his own initiative or whether he was instructed to do this. I suspect the latter. Chin up, shoulders back, Phil...
Sam ============================================================================== skaplin at skypoint.com | "...vidi vici veni" - Overheard | outside a Roman brothel. PGP encrypted mail is accepted and | preferred. | Change is the only constant in the | Universe..."Four quarters, please." E-mail key at four11.com for PGP Key or | Finger skaplin at mirage.skypoint.com | Smile!! Big brother is watching. ============================================================================== From michael.shiplett at umich.edu Sun Nov 27 06:49:40 1994 From: michael.shiplett at umich.edu (michael shiplett) Date: Sun, 27 Nov 94 06:49:40 PST Subject: WWW "remailers" In-Reply-To: <199411270704.XAA21510@jobe.shell.portal.com> Message-ID: <199411271449.JAA11832@truelies.rs.itd.umich.edu> "hf" == Hal writes: hf> Interestingly, the standard nntpd (nntp daemon, the master server hf> which runs on a site which offers web pages) from CERN includes hf> proxying
capability automatically! All you have to do is to add a hf> few lines to the configuration file. If this idea proves sound, hf> perhaps some people running nntpd will enable proxies and serve as hf> "remailer operators of the web". Thanks for the overview of www proxies. One correction--nntp is the network news (USENET) transport protocol, http is the hypertext (www) transport protocol. Upon first reading, I was confused about how news admins could become ``remailer operators of the web''. If you really did mean to use ``nntp'', then I'm still confused. michael From jya at pipeline.com Sun Nov 27 07:44:41 1994 From: jya at pipeline.com (John Young) Date: Sun, 27 Nov 94 07:44:41 PST Subject: NYT on Satellite Radio Message-ID: <199411271543.KAA12294@pipe3.pipeline.com> Peter Passell writes longish article today on the company CD Radio and other ventures to sat-cast digital radio nationwide. One excerpt: "with digital technology, satellite broadcasters can stuff dozens of channels of CD-quality, interference-resistant programming into a narrow band of frequencies." Has there not been discussion here before about the use of this technology in lieu of hard-wire for the Net? For e-mail copy send blank message with subject: SAT_rad From hfinney at shell.portal.com Sun Nov 27 08:49:41 1994 From: hfinney at shell.portal.com (Hal) Date: Sun, 27 Nov 94 08:49:41 PST Subject: WWW "remailers" (corrected copy) In-Reply-To: <199411270704.XAA21510@jobe.shell.portal.com> Message-ID: <199411271649.IAA25353@jobe.shell.portal.com> This is a re-post of an earlier message where I accidentally wrote "nntp" in place of "http". I have added some more material, too. Please ignore the earlier message, and thanks to those who pointed out the mistake. We have had some discussions here about privacy of accesses on the World Wide Web.
Presently servers get a variable amount of information about the people accessing their sites, depending on the particular software being used and how it is configured. This is potentially harmful to the privacy of WWW users in that their access information can be recorded, etc. Far from being a hypothetical concern, I believe many companies are collecting this information and using it to build up possible future email mailing lists, etc. I spoke recently with someone who is designing enhanced server software for the web. Their system will keep all kinds of statistics about who accesses which pages on the server, correlating that with which people request information on the products being sold. We have also seen how even too-cool Wired magazine is demanding user names to allow access to their pages. (Remember: username cypherpunk, password cypherpunk.) Here are some things you can do to reduce this problem. First, to see how bad the problem is for you, try connecting to: http://www.uiuc.edu/cgi-bin/printenv This just displays environment variables, which shows what information about you is being received by servers. Look particularly at the lines reading HTTP_FROM and REMOTE_HOST. These may contain your user name and computer address. You may be able to remove your user name information. Some clients, including, I am told, NetScape and version 2 of Mosaic for Mac/Windows, allow you to set your email address, which is handy, but then they send it along to servers, which is harmful to your privacy. You might want to consider not setting this field and using other programs for sending mail. Also if people complain about this then perhaps the makers of this software will add an option to suppress sending the info. Even if you don't see your name in HTTP_FROM it still may be possible for somewhat more sophisticated programs to log your access if the REMOTE_HOST information is correct and you are running on a Unix system or something similar. 
This is done via the identd service if that is running on your computer. The server can use this service to ask for your user name once you are connected. One way to see if identd is running on your computer is to telnet to your own computer on port 113 and see if anything is there (telnet 113). If so then this is potentially another privacy exposure. I have recently been experimenting with using "proxy servers" to remove even the REMOTE_HOST information from the server's view. Proxy servers are servers which basically receive WWW connections and pass them along. Then when the data comes from the remote site they pass it back to the originating user's site. Because the proxy server is in the middle the remote site never sees the host name of the originating user. In this respect they are somewhat similar to our cypherpunk remailers, hence the title of this article. (The purpose of proxy servers has nothing to do with this function; they are designed to allow easy WWW access from users who are on firewalled sites. But they happen to serve our purposes as well.) Interestingly, the standard httpd (http daemon, the master server which runs on a site which offers web pages) from CERN includes proxying capability automatically! All you have to do is to add four lines to the configuration file. (See the URLs below for more info.) If this idea proves sound, perhaps some cypherpunks running httpd will enable proxies and serve as "remailer operators of the web". Normally proxy servers are configured to pass connections only from the machines they are there to serve (at least, they can be configured that way; I don't actually know how careful people are about this). But luckily I have found that the CERN proxy server itself accepts connections from anybody (at least, it accepts them from me!). So this is useful for doing experiments. And, the great part is, almost all web clients are set up now for proxy support. The way you enable it varies from client to client. 
I believe most of the Mac and Windows clients have a preferences box which allows you to put in the address of your proxy server. On Unix, you can set environment variables. Here is the suggestion from the web page at CERN:

    #!/bin/sh
    http_proxy="http://www.cern.ch:911/"; export http_proxy
    ftp_proxy="http://www.cern.ch:911/"; export ftp_proxy
    gopher_proxy="http://www.cern.ch:911/"; export gopher_proxy
    wais_proxy="http://www.cern.ch:911/"; export wais_proxy
    exec Mosaic

This is a little shell script which runs Mosaic, first setting four environment variables to "http://www.cern.ch:911/", which is the proxy server I was referring to, the one which accepts connections from the rest of the world. For the purpose of the experiment, only http_proxy needs to be set. Try setting that one and then run lynx or mosaic on your unix workstation, and connect to the printenv URL above. Compare the information that is shown from what you got earlier without the environment variable. Similarly, on other machines, try the printenv test with and without proxy serving enabled using the CERN proxy. I find that the proxy server does in fact prevent the remote site from seeing my computer's address, and without that the IDENTD can't be used to reveal my name. This technique has many ramifications. For example, if a US proxy server were available, ftp could be done via Mosaic to sites which only allowed connections from American computers. People have been talking about writing special IP redirectors for this, but here it turns out the capability has been around all along. Can anyone supply addresses of additional proxy servers to try? I had an idea about how to find them. Many web servers log accesses. By searching those access logs it might be possible to find proxy sites. The server is given information about whether a proxy is used, as well. This shows up in the HTTP_USER_AGENT environment variable on the printenv page.
Servers could look for references to proxies in that data and collect proxy addresses in that way. There is a nice irony in using server logging to collect data that would allow users to defeat much server logging. I got my information about proxies by reading: http://info.cern.ch/hypertext/WWW/Proxies/. Specific information on configuring CERN httpd as a proxy server is in: http://info.cern.ch/hypertext/WWW/Daemon/User/Proxies/Proxies.html. Modifications to the proxy server code would be necessary to provide some additional features, such as support of encryption between user and proxy server (via the SHTTP protocol extensions, perhaps; this way you could get local privacy even when connecting to servers which did not support encryption), or possibly chaining of proxies. I think this is a fertile area for discussion and further work. Hal From anonymous-remailer at shell.portal.com Sun Nov 27 10:01:28 1994 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 27 Nov 94 10:01:28 PST Subject: PRIVACY DIGEST Message-ID: <199411271801.KAA29616@jobe.shell.portal.com> Sat, 26 Nov 94 17:47:51 NetSurfer wrote: [ commenting on the Privacy Digest post by Gary Jeffers ] The prices they were listing were comparable to shareware. This looks to fall under the "if it seems too good (cheap?) to be true, it probably is" category, based on price alone. [ end ] The copied sheets put out by Williams in Costa Rica fall into that group. I have read many xeroxes from lots of sources in my time and some most useful information has even been given to me anonymously. The problem with the entire list of what Williams is selling (and I have some 90+ percent of his crap) is that his very homespun assessment of U.S.A. law and case law is inventive, to say the least. He seems to be influenced by some of the kooky writers in the tax revolt movement. Thus, it really matters little if he is a sting or not.
As a rule, I am always cautious when entering into a new relationship and that has kept me out of serious trouble so far. When going offshore, I always assume the worst until I have grounds for believing otherwise. And like Sandy Sandfort, I - too - have been to Costa Rica. Lots of small time villains from the States call that country their home, full- or part-time. Best to be careful about who you confide in. Getting back to NetSurfer's post: I agree that inexpensive information is often too cheap. The best way to learn the ropes are not books, reports nor newsletters and the reason for that seems to be that the best information never finds its way into print. In the world of private placements, few of the big players feel a need to spend their weekends putting out newsletters. Even if they do, they will never incriminate themselves. This is because most either live in the U.S.A. or do at least visit the U.S.A. often. In ten years, if PGP is still legal and if PGP and remailers become easier to use (embedded in wordprocessors) this may change - not the part about them going stateside often, of course, but the part about their willingness to speak up about how to use the tools of their trade. Meanwhile, I have found one source to be consistent, reliable and surprisingly alert throughout its several decades of publication. It is a little green newsletter called 'The Harry Schultz Letter', published by Harry D Schultz, a libertarian privacy-advocate / gold bug in Monaco. It runs around $300 a year, however, and so proves NetSurfer's point. No free samples either. For books, get yourself a free catalog with page after page of informative summaries of the books put out by a U.K. firm called Scope Int'l Ltd. They also publish a newsletter every other month or so, free for the asking, even if you never buy a book. Their newsletter deals with international cooperation agreements, offshore and privacy, second passports legally.
A useful part is a 3-page long section of small classified ads from all over the globe. Sorry, I have no e-mail address for these people, but be sure to ask them when you call (/fax/write), then post the address to the list. They are: Scope, Forestside House, Forestside, Rowlands Castle, Hampshire PO9 6EE, England, Tel: +44 705 631751, Fax: +44 705 631322. There is also the 'Money Laundering Alert' newsletter put out by a Florida lawyer, ostensibly so that banks can stay on top of what is happening on the legal scene all over the world, where regulations are tightening and so on. Most readers seem to be of the Spanish-speaking variety, however. Well, I guess they have banks in Spain, too... Dadum... For now, I prefer to post anonymously. I would be interested in getting a pseudonymous account of the kind described by 'Nobody' on Friday but would want a better place than mg5n to set it up. "Capt'n Bob" P.S. to Sandy Sandfort - Sorry that I can't quite place you, I am a latecomer to the list. But I seem to recall your name from somewhere in the real world. I have even seen your C.V. somewhere a couple of years ago (sent to Europe, I think). If memory serves you are a journalist with financial experience and have written for something in Florida and for the Tico Times, too? Quite an extensive list, mostly trade magazines/newsletters. You were with some interesting guys in the late 80's, but that is all I remember from the list. Sorry. No offense meant by the P.S. above, but I am getting older and my brain is rotting, also I never keep physical files of any kind. 
--bob-- From roy at cybrspc.mn.org Sun Nov 27 12:03:42 1994 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Sun, 27 Nov 94 12:03:42 PST Subject: Need program pointers In-Reply-To: <9411270229.AA26574@marlin.ssnet.com> Message-ID: <941126.231024.0c3.rusnews.w165w@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, storm at marlin.ssnet.com writes: > > Hey all!
> > I'm looking for some program recommendation and locations pointers. > Both for MS-dos. > > First, a good secure delete program. These I know exists, which are good? I've had good experience with Norton Wipefile. > Second, I don't know if this exists. I've never heard of one but it should! > I want a program to go through a DOS hard drive and zero out all the unused > sectors. It would also be nice if it zero'ed the tailing disk block after > the end of a file. Norton Wipedisk (in the same utils collection with Wipefile) will do this, including wiping the trailing bytes from unfilled clusters at the end of files. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP public key available by mail echo /get /pub/pubkey.asc | mail file-request at cybrspc.mn.org These are, of course, my opinions (and my machines) From s009amf at discover.wright.edu Sun Nov 27 13:11:17 1994 From: s009amf at discover.wright.edu (Aron Freed) Date: Sun, 27 Nov 94 13:11:17 PST Subject: A possible solution Message-ID: I was sitting down and thinking about the problem of responsibility of using non-escrowed public key cryptography. Well here is a possible answer. Law enforcement agents have several different methods of finding out about crimes that might happen. And this means they wouldn't be allowed to tap phone lines or use key-escrowed systems like Clipper. Then people who do use non-escrowed public key cryptography for illegal actions would have problems. If they are caught by other means such as tips from anonymous sources and are then caught doing something illegal and they are also using non-escrowed public key cryptography to commit these illegal acts, then the fines and jail time should be increased.
This reasoning is based on the fact that we need to be more responsible with technology. Therefore, the government would allow us to go on about our business using non-escrowed key systems, but if misused by the public there would be harsher punishments to the misusing individual. There are plenty of informants out there who can help the law enforcement agencies. We use public key crypt such as PGP. They won't be able to read it, but if there is misuse and the person is convicted of a crime and is using PGP or some other non-escrowed system to commit the crimes he was convicted of, it's more trouble for him. To me this is the best solution and it's the only thing I would allow. The government cannot be allowed to tap our phone lines the way they would like to using Clipper or SKE or some other type of system. We need to keep our rights but we need to still make it known that PGP is not meant for corruption and illegal use. It's meant for private conversation in its due time. I need feedback desperately on this idea. I am incorporating this idea into a two page paper called Dealing with Technology in the Future. I want this to be part of the solution. But I would like to know what others feel about this idea. Aaron 513-276-3817 voice s009amf at discover.wright.edu Big Government Sucks!!! From m5 at vail.tivoli.com Sun Nov 27 13:26:50 1994 From: m5 at vail.tivoli.com (Mike McNally) Date: Sun, 27 Nov 94 13:26:50 PST Subject: A possible solution In-Reply-To: Message-ID: <9411272126.AA05054@vail.tivoli.com> Aron Freed writes: > If they are caught by other means such as tips from anonymous > sources and are then caught doing something illegal and they are > also using non-escrowed public key cryptography to commit these > illegal acts, then the fines and jail time should be increased. This > reasoning is based on the fact that we need to be more responsible > with technology. So why pick specifically on cryptography?
Why not increase penalties for criminals who in their crimes are found to have used:

* computers;
* pagers;
* cellular phones;
* Casio watches with multiple alarms;
* Cars with power windows;
* Velcro-fastening tennis shoes;
* Gore-Tex jackets;
* Ibuprofen pain relievers;
* Fat-free ice cream;
  .
  .
  .

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally |
| TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: |
| (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" |

From entropy at IntNet.net Sun Nov 27 13:43:04 1994 From: entropy at IntNet.net (Jonathan Cooper) Date: Sun, 27 Nov 94 13:43:04 PST Subject: School Admins In-Reply-To: <199411170430.XAA57764@hopi.gate.net> Message-ID: > > suspend him.' The administration, at least at my school, does *NOT* know > > how to deal with computer networks. They threatened to suspend me for > > insubordination if I didn't grep people's mail spools for obscenity - > > call me a wimp, but I shut up and did it (deleting people I knew. :) ). > > Here's hoping you sent the grep victims anonymous mail with a PGP faq. Riiight. It's not practical to bring PGP in - these AIX boxes have disk drives but the C compiler has been removed. I don't have access to another AIX box to compile PGP on, either. crypt(1) is good enough. -jon ( --------[ Jonathan D. Cooper ]--------[ entropy at intnet.net ]-------- ) ( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 ) From sdw at lig.net Sun Nov 27 14:01:07 1994 From: sdw at lig.net (Stephen D. Williams) Date: Sun, 27 Nov 94 14:01:07 PST Subject: School Admins In-Reply-To: Message-ID: Where was this at? Maybe we can voice our opinion to someone. > > > > suspend him.' The administration, at least at my school, does *NOT* know > > > how to deal with computer networks. They threatened to suspend me for > > > insubordination if I didn't grep people's mail spools for obscenity - > > > call me a wimp, but I shut up and did it (deleting people I knew. :) ).
> > > > Here's hoping you sent the grep victims anonymous mail with a PGP faq. > > Riiight. It's not practical to bring PGP in - these AIX boxes have > disk drives but the C compiler has been removed. I don't have access to > another AIX box to compile PGP on, either. crypt(1) is good enough. > > -jon > ( --------[ Jonathan D. Cooper ]--------[ entropy at intnet.net ]-------- ) > ( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 ) > > -- Stephen D. Williams Local Internet Gateway Co.; SDW Systems 510 503-9227APager LIG dev./sales Internet: sdw at lig.net In Bay Area Aug94-Dec95 OO R&D Source Dist. By Horse: 2464 Rosina Dr., Miamisburg, OH 45342-6430 Internet Consulting ICBM: 39 38 34N 84 17 12W home, 37 58 41N 122 01 48W work Newbie Notice: I speak for LIGCo., CCI, myself, and no one else, regardless of where it is convenient to post from or thru. From entropy at IntNet.net Sun Nov 27 14:05:34 1994 From: entropy at IntNet.net (Jonathan Cooper) Date: Sun, 27 Nov 94 14:05:34 PST Subject: School Admins In-Reply-To: Message-ID: > Where was this at? Maybe we can voice our opinion to someone. Thanks, but no thanks. I would like to graduate this June and I intend to do so. This incident occurred last year and the offending admin is no longer with our school. -jon ( --------[ Jonathan D. Cooper ]--------[ entropy at intnet.net ]-------- ) ( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 ) From mab at crypto.com Sun Nov 27 15:42:13 1994 From: mab at crypto.com (Matt Blaze) Date: Sun, 27 Nov 94 15:42:13 PST Subject: School Admins In-Reply-To: Message-ID: <199411272344.SAA20359@crypto.com> > Thanks, but no thanks. I would like to graduate this June and I >intend to do so. This incident occurred last year and the offending >admin is no longer with our school. 
>

Hi,

One of the most surprising things that I discovered after dropping out of high school (in my senior year) is just how little my "permanent record" in school affected me after I was out. In particular, colleges are remarkably flexible about admitting people with interesting backgrounds who have demonstrated interests and skills in "non-standard" ways and who seem to know why they want an education. (In other words, schools look for reasons to admit people who may not have good grades but who've done interesting things and who show unusual interests. Sometimes all you have to do to show this is write a good essay or get a convincing letter of recommendation from someone who knows you well and has seen a side of you not reflected in your formal "record").

I'm mentioning this not to encourage you to drop out or to think that nothing you do matters, but rather because your posts remind me of me, 15 years ago. I believed, as you seem to, the message that my high school was sending: do things exactly the "right way" or you'll never get anywhere. In fact, I've discovered almost exactly the opposite to be true. The fact that you're doing unusual stuff like exploring computers and cryptography and the like suggests that you will have an easier time than you might think being successful in the much less structured life that you will be living after you finish high school.

Don't let anyone tell you that success in high school is the only route to success in real life. The best kinds of success in life come from finding ways to expand and exploit your own interests and intellect. High schools rarely teach you anything about how to do this.

-matt (who dropped out of HS, and now has all the credentials that he needs to do what he likes with his life)

From ianf at sydney.sgi.com Sun Nov 27 16:09:27 1994
From: ianf at sydney.sgi.com (Ian Farquhar)
Date: Sun, 27 Nov 94 16:09:27 PST
Subject: Cell Phones Security??
In-Reply-To:
Message-ID: <9411281101.ZM1069@wiley.sydney.sgi.com>

On Nov 24, 12:48am, Chris Wedgwood wrote:
>I guess in theory GSM is the most secure. Only in practice it's not. Many of the
>signals from GSM calls can and in some places (e.g. where I live in NZ) go via
>analogue repeaters so the call can still be heard of scanners....

*Sigh* Alas too often true.

Even so, I am not at all convinced of the security of A5/1. The version of the algorithm which was "leaked" to the network looked like an undergraduate's toy cipher, with (reportedly) 40 bits of key entropy at best. I have spoken to two people who are officially familiar with the cipher, one of whom led me to believe that the leaked version was genuine, and the other who said it was a very early design and bore little resemblance to the final released A5/1.

Four other observations don't lead me to have much confidence in it:

1. The reason for it remaining confidential has gone from it being too secure for the public to see, onto it being too insecure and thus needing a security by obscurity protection.

2. The cipher design process was quite contentious, and had the involvement of a lot of people who did not want the public to have decent security.

3. The cipher was originally a French design. Disregarding the well-known hostility of the French government to domestic cryptography, I read a rather interesting comment in "Tower of Secrets" (written by a former KGB cipher-expert) that he wouldn't defect to the French because their ciphers were an "open book" to the Soviets. Note that this was at the time that the KGB computer base could be counted on one hand, and they certainly were not in general use.

4. Although a lot of countries are not happy about it, it looks like A5/1 will be allowed to be imported into China.

A5/1 was described to be as a cipher suitable for "tactical security", where the tactical value of the information transmitted encoded with it was only usable for less than six weeks.
I really would like to ram this comment up Telecom's advertising department, which describes conversations over GSM phones as "unbreakable".

> If someone does really want to listen in on your calls though, they can even
> with it being encrypted. The encryption is believed to be a crippled version
> of A5 and many people claim to have made devices (usually by re-programming
> and hack GSM phones themselves) to decrypt the messages anyway....

A5/1 is the "strong" version, A5/2 (formerly A5/X) is the crippled version. According to the person I spoke to at Austel, base station equipment which implements A5/2 is just not available, and so everyone is installing A5/1.

All three carriers in Australia use A5/1. I confirmed this via Austel, not via the carriers themselves. Telecom and Optus did not get back to me with an answer, although the Optus reps gave a valiant attempt. The Vodafone people quite rudely told me that this information was "classified", and that I wasn't allowed to know.

I've heard rumors of a Xilinx-based GSM cracker, but I've never met or spoken to anyone who has actually seen one, or anything more solid than a rumor about the device.

Ian.

From karn at unix.ka9q.ampr.org Sun Nov 27 16:20:38 1994
From: karn at unix.ka9q.ampr.org (Phil Karn)
Date: Sun, 27 Nov 94 16:20:38 PST
Subject: Zimmermann interrogated without counsel
Message-ID: <199411280020.QAA09078@unix.ka9q.ampr.org>

The basic problem here is that Constitutional limits on police powers have long been at their weakest at the border or at "border equivalents" like international airports. More recently the protections have been loosened within the US near borders, which accounts for police-state practices like the INS checkpoint north of San Diego that I have to drive through on my way to LA. It's an open secret that it's as much for drugs being carried by Americans as it is for illegal aliens from Mexico.
Looks like all you have to do is to weaken a protection for some "worthwhile" and supposedly narrow reason and you can count on the feds to exploit it fully for any other purpose they can get away with.

As I understand it, you have no obligation to do or say anything to a Customs officer when entering the country other than to identify yourself, hand over your passport, and permit a search of your luggage. It's not even clear you have to answer their questions as to where you've been. Dunno what would happen if they searched your laptop and found encrypted material...

Phil

From an41389 at anon.penet.fi Sun Nov 27 16:27:21 1994
From: an41389 at anon.penet.fi (The Al Capone of the Info Highway)
Date: Sun, 27 Nov 94 16:27:21 PST
Subject: How to disable telnet to port 25
Message-ID: <9411272312.AA03124@anon.penet.fi>

Hey fellow punks:

A while back, there was a discussion about how to fake a from address by telneting into port 25 in a site. Many people discussed the pro's and con's, but I wanted to know if anybody knows of a way to stop people from getting in there to send the message in the first place.

Send any ideas or solutions to: an41389 at anon.penet.fi

Anonymously yours,
Wintermute

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help at anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin at anon.penet.fi.

From perry at imsi.com Sun Nov 27 16:47:42 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Sun, 27 Nov 94 16:47:42 PST
Subject: How to disable telnet to port 25
In-Reply-To: <9411272312.AA03124@anon.penet.fi>
Message-ID: <9411280047.AA10945@snark.imsi.com>

The Al Capone of the Info Highway says:
> A while back, there was a discussion about how to fake a from
> address by telneting into port 25 in a site.
> Many people discussed
> the pro's and cons, but I wanted to know if anybody knows of a way
> to stop people from getting in there to send the message in the
> first place.

Sure. Turn off mail to your site.

Beyond that, the store and forward nature of mail makes it impossible to stop this. The only real solution is to require digital signatures on all email.

Perry

From mab at crypto.com Sun Nov 27 16:53:28 1994
From: mab at crypto.com (Matt Blaze)
Date: Sun, 27 Nov 94 16:53:28 PST
Subject: Zimmermann interrogated without counsel
In-Reply-To: <199411280020.QAA09078@unix.ka9q.ampr.org>
Message-ID: <199411280054.TAA21721@crypto.com>

>
>As I understand it, you have no obligation to do or say anything to a
>Customs officer when entering the country other than to identify
>yourself, hand over your passport, and permit a search of your
>luggage. It's not even clear you have to answer their questions as to
>where you've been. Dunno what would happen if they searched your
>laptop and found encrypted material...

I'm going to be taking a business trip to Europe next month, and just to find out what the procedure is I decided to get a "temporary export authorization" for a so-called "exportable" AT&T telephone security device (model 3600-F). This is the "bump in a cord" voice encryptor. The "F" model is supposed to be approved for "fast track" export; it doesn't use Clipper or DES, but rather some exportable algorithm.

About two months ago I called our (AT&T's) export lawyer division. They said "ok, this will be easy". Well, sure enough the other day I got back my "license for the temporary export of unclassified defense articles". The form on which this is printed is apparently used for everything in the ITAR; it took me a while to realize that the part of the form where they want the "serial number of aircraft or vessel" is to be filled in only if I'm actually exporting a plane or ship and does not refer to the plane on which I'm flying out of the country.
(Where is the serial number on a 767, anyway?)

Anyway, the "fast track" procedure seems to be as follows. I have to leave from an international airport with a customs agent present. Before I leave I have to make up an invoice for the devices (even though I'm not selling them to anyone) that states that "These commodities are authorized by the US government for export only to Belgium and the United Kingdom [the countries I'm visiting]. They may not be resold, transshipped, or otherwise disposed of in any country, either in their original form or incorporated into other end-items without the prior written approval of the US Department of State."

At the airport, I have to fill out something called a "shippers export declaration" (SED) and copy the same wording onto it. Then I present my invoice, SED, and export license to a customs official at the airport before I leave (this will be fun - I leave from JFK, where Customs is in a different building from departing flights). The Customs officer then endorses my license to show what I'm taking out of the country.

On the way back in, I'm supposed to "declare" my item (even though it was manufactured in the US) and show them my license, SED, and invoice, and they're supposed to endorse the license to show that I have, in fact, returned the "defense article".

I'd hate to know what the "slow track" is like....

I'll post a report of what actually happens when I try to follow these procedures.

-matt

From CCGARY at MIZZOU1.missouri.edu Sun Nov 27 17:03:42 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Sun, 27 Nov 94 17:03:42 PST
Subject: Privacy Digest
Message-ID: <9411280103.AA16888@toad.com>

"Capt. Bob" writes:
>3. While not wanting to single out Williams (the "Privacy Digest people" as
>you call them) because I have nothing more than a hunch, I want to let the
>list know that there has been at least one US Government sting operated out
>of a Costa Rica front address.
>Also, another sting used the corporate name
>of Financial Engineering as Arnie (Offshore) mentioned about a month ago.

The return address on the brochure I copied from is:

Financial Engr. Consultants, Inc.
Box 959
Centro Colon Towers 1007
San Jose, Costa Rica

Well, I guess that we really can't give them much of an enthusiastic endorsement! - can we fellow privacy sneakers? You know, my original Privacy Digest post is beginning to look less & less like the informational coup that I had intended it to be.

Yours Truly,
Gary Jeffers

From s009amf at discover.wright.edu Sun Nov 27 17:35:29 1994
From: s009amf at discover.wright.edu (Aron Freed)
Date: Sun, 27 Nov 94 17:35:29 PST
Subject: A possible solution
In-Reply-To: <9411272126.AA05054@vail.tivoli.com>
Message-ID:

On Sun, 27 Nov 1994, Mike McNally wrote:

> So why pick specifically on cryptography? Why not increase penalties
> for criminals who in their crimes are found to have used:
>
> * computers;
> * pagers;
> * cellular phones;
> * Casio watches with multiple alarms;
> * Cars with power windows;
> * Velcro-fastening tennis shoes;
> * Gore-Tex jackets;
> * Ibuprofen pain relievers;
> * Fat-free ice cream;

Why don't we stick to the topic? Do you have an intelligent reply or are you going to shoot your mouth off? Or Maybe you can share something better with us, all knowing and wise one.

Aaron

From merriman at metronet.com Sun Nov 27 18:46:08 1994
From: merriman at metronet.com (David K. Merriman)
Date: Sun, 27 Nov 94 18:46:08 PST
Subject: Fast Track ITAR (was RE: Zimmerman...)
Message-ID: <199411280246.AA22450@metronet.com>

>I'm actually exporting a plane or ship and does not refer to the plane
>on which I'm flying out of the country. (Where is the serial number on a
>767, anyway?)

You could probably get by with the Nxxxxxx number on the aircraft (most commonly found on the fuselage in the vicinity of the tail section).

...
>
>I'd hate to know what the "slow track" is like....
Easy - imagine having the Post Office in charge of it :-)

...
>
>I'll post a report of what actually happens when I try to follow these
>procedures.

Should be "interesting" ("Oh, NO! Not another 'learning experience'!")

Dave Merriman
- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at feenix.metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome, encouraged, and preferred.
"Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy

From lmccarth at ducie.cs.umass.edu Sun Nov 27 18:54:41 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Sun, 27 Nov 94 18:54:41 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <199411280255.VAA13207@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

A(a)ron Freed writes:
> If they are caught by other means such as
> tips from anonymous sources and are then caught doing something illegal
> and they are also using non-escrowed public key cryptography to commit these
> illegal acts, then the fines and jail time should be increased. This
> reasoning is based on the fact that we need to be more responsible with
> technology. [...] We need to keep our rights but we need to still make it
> known that PGP is not meant for corruption and illegal use. [...] I need
> feedback desperately on this idea. [...] I would like to know what others
> feel about this idea.

Mike McNally writes:
# So why pick specifically on cryptography? Why not increase penalties
# for criminals who in their crimes are found to have used:
# * computers;
[...]
# * Fat-free ice cream;

A(a)ron Freed writes:
> Why don't we stick to the topic? Do you have an intelligent reply or are
> you going to shoot your mouth off?

Relax and chill out with some fat-free ice cream. You wanted to hear some opinions, and you just heard one. If you're already fairly attached to this idea, you probably should have made that clearer in soliciting critical comment.
I was tempted to reply to this earlier, but I felt Mike's retort did an ample job. Why, indeed, pick specifically on crypto ?

IMHO the choice of tools employed in the commission of the crime should only be relevant in determining the punishment if it substantially alters the nature of the crime. Robbing Ed's Superette with a gun in hand is substantially different from robbing it with a bouquet of flowers in hand. OTOH, robbing Ed while wearing track shoes counts the same as hitting his store while wearing fins. I don't get a break for being stupid enough to pull a robbery in diving gear, but I don't suffer more for having the sense to don appropriate skedaddling apparel.

Note that U.S. laws do *not* conform to any such standard, AFA I'm concerned. If I were nabbed driving down into CT carrying a kilo of uncut heroin, I'd be in much hotter water than if they pulled me over on the Mass Pike just outside Cambridge. In this instance it's a matter of jurisdiction: cross state lines and suddenly the feds have to deal with you.

Perhaps better paradigms are wire fraud and mail fraud. If I knock on your door and offer to protect all your data forever with a proprietary algorithm that's *much* faster than DES, that's one thing. If I send you a postcard or leave a message on your answering machine with the same offer, I'm suddenly liable for stiff fines from the feds. This seems rather absurd to me, but that's the law for ya.

At any rate, I'm not about to get behind any initiative that suggests _tougher_ penalties for use of non-escrowed crypto under any circumstance.

Especially for DCW, IANAL.

- -L.
Futplex McCarthy; PGP key by finger or server;
"Better watch what you say, or they'll be calling you a radical...a liberal" --Supertramp
"He took information in shopping bags out the front door" --a member of Congress, describing CIA/KGB mole Aldrich Ames

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLtlGUmf7YYibNzjpAQFZ2AP/U4hcBuF92enkquQl/77iD1SvcbFJX3E+
wRqmJiRP88aW6zwbrQYOqDmx232uSOcpVddzYD5VNJ3ZzXlTSY5Ciu5JBQByQSRC
a+CFmN72oISerDuhoqZymEDq8EFyQ5HrKzld1hCWYTgOycPIRN1/I4/LJVXlVdan
qhUlijs8jaI=
=QG2H
-----END PGP SIGNATURE-----

From rfb at lehman.com Sun Nov 27 18:54:42 1994
From: rfb at lehman.com (Rick Busdiecker)
Date: Sun, 27 Nov 94 18:54:42 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <9411280252.AA02560@cfdevx1.lehman.com>

    Date: Sun, 27 Nov 1994 20:33:32 -0500 (EST)
    From: Aron Freed

    Why don't we stick to the topic? Do you have an intelligent reply or are you going to shoot your mouth off? Or Maybe you can share something better with us, all knowing and wise one.

His reply was perfectly intelligent. Why don't you answer his question: Why pick on cryptography and not the other items in the list?

Why not simply require that government respect the right of individuals to engage in private conversation?

If someone commits a `crime' without using cryptography is there less harm to society than if they did use cryptography?

What is there about your proposal that might make anyone think that it wasn't completely ridiculous?

Rick

From jdwilson at gold.chem.hawaii.edu Sun Nov 27 18:56:16 1994
From: jdwilson at gold.chem.hawaii.edu (NetSurfer)
Date: Sun, 27 Nov 94 18:56:16 PST
Subject: School Admins
In-Reply-To:
Message-ID:

On Sun, 27 Nov 1994, Jonathan Cooper wrote:

> Riiight. It's not practical to bring PGP in - these AIX boxes have
> disk drives but the C compiler has been removed. I don't have access to
> another AIX box to compile PGP on, either. crypt(1) is good enough.
Perhaps someone out there could assist this gent by emailing him an AIX-compiled binary of PGP 2.6.2? (Or a p.d. C compiler?)

-NetSurfer

#include
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
== = = |James D. Wilson |V.PGP 2.7: 512/E12FCD 1994/03/17 >
" " o " |P. O. Box 15432 | finger for full PGP key >
" " / \ " |Honolulu, HI 96830 |====================================>
\" "/ G \" |Serendipitous Solutions| Also NetSurfer at sersol.com >
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From jrochkin at cs.oberlin.edu Sun Nov 27 19:01:53 1994
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Sun, 27 Nov 94 19:01:53 PST
Subject: A possible solution
Message-ID:

At 8:33 PM 11/27/94, Aron Freed wrote:
>On Sun, 27 Nov 1994, Mike McNally wrote:
>
>> So why pick specifically on cryptography? Why not increase penalties
>> for criminals who in their crimes are found to have used:
>>
>> * computers;
>> * pagers;
>> * cellular phones;
>> * Casio watches with multiple alarms;
>> * Cars with power windows;
>> * Velcro-fastening tennis shoes;
>> * Gore-Tex jackets;
>> * Ibuprofen pain relievers;
>> * Fat-free ice cream;
>
>Why don't we stick to the topic? Do you have an intelligent reply or are
>you going to shoot your mouth off? Or Maybe you can share something
>better with us, all knowing and wise one.

Something better? I guess most of us think that "something better" would be _not_ having increased penalties for criminals who use cryptography in their crimes. I'm certain that this was the "something better" Mike was suggesting.

What rationale is there to have increased penalties for using cryptography to commit a crime, any more than there should be increased penalties for using computers at all? (or do you think there should be?) What reason is there to have increased penalties for using modern technology over using older technology to commit a crime?
Using modern technology is somehow "worse" than using older technology? Should we have harsher penalties for someone that uses a getaway automobile after a bank robbery, instead of trying to get away on foot? That might be a better analogy to what's being proposed than Mike's sarcastic ones, if you really want a good analogy. Automobile technology surely makes it easier for a bank robber to escape from the crime scene and not be caught, just as cryptography surely makes it easier for someone selling drugs to close a deal without being caught. So if that somehow justifies harsher penalties for crimes committed with the help of cryptography, does it also justify harsher penalties for crimes committed with automobiles? Why not?

From lcrocker at netcom.com Sun Nov 27 19:46:46 1994
From: lcrocker at netcom.com (Lee Daniel Crocker)
Date: Sun, 27 Nov 94 19:46:46 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <199411280346.TAA11538@netcom14.netcom.com>

> > So why pick specifically on cryptography? Why not increase penalties
> > for criminals who in their crimes are found to have used:
> >
> > * computers;
> > * pagers;
> > * cellular phones;
> > * Casio watches with multiple alarms;
> > * Cars with power windows;
> > * Velcro-fastening tennis shoes;
> > * Gore-Tex jackets;
> > * Ibuprofen pain relievers;
> > * Fat-free ice cream;
>
> Why don't we stick to the topic? Do you have an intelligent reply or are
> you going to shoot your mouth off? Or Maybe you can share something
> better with us, all knowing and wise one.
>
> Aaron

His was the most intelligent reply I've seen. Why don't you answer the question instead of evading it? What is special about cryptography that makes its use in a crime a Bad Thing, whereas the use of, say, a toaster, is not?

Attempts to punish the tools instead of the crime make as much sense and are as unsuccessful as treating an infection-caused fever with aspirin instead of treating the infection itself.
--
Lee Daniel Crocker /o)\ "Vast amounts of unused information ultimately
lcrocker at netcom.com \(o/ become a kind of pollution."
Magic Edge: CROCK --Al Gore

From cactus at bb.hks.net Sun Nov 27 19:52:48 1994
From: cactus at bb.hks.net (L. Todd Masco)
Date: Sun, 27 Nov 94 19:52:48 PST
Subject: Brad Templeton's fears
In-Reply-To: <199411252242.AA16818@metronet.com>
Message-ID: <3bbkda$j0p@bb.hks.net>

>>I volunteer again to lend my name (and a little money) to any
>>'remailer-in-a-box' account. Wasn't Sameer saying something about setting
>>them up at c2.org?
>
>I, too, am still interested in signing up for a remailer-in-a-box. All I
>really need is to know how much it will cost, and (if the price is
>reasonable enough for my pockets) where to send the money.
>Hopefully, I'll get to at least pick the name for the remailer :-)

Hang in there; We're setting a service up on hks.net for individuals for $50/year that will include anon-remailing as a subset of the service. You'll be able to pick the name (assuming it's not in use) and the personal name.

I'll announce it here when everything is closer to fruition.

--
Todd Masco | "Roam home to a dome, Where Georgian and Gothic once stood
cactus at hks.net | Now chemical bonds alone guard our blond(e)s,
cactus at bb.com | And even the plumbing looks good." - B Fuller

From dfloyd at io.com Sun Nov 27 19:58:48 1994
From: dfloyd at io.com (dfloyd at io.com)
Date: Sun, 27 Nov 94 19:58:48 PST
Subject: How to disable telnet to port 25
In-Reply-To: <9411280047.AA10945@snark.imsi.com>
Message-ID: <199411280358.VAA16759@pentagon.io.com>

>
>
> The Al Capone of the Info Highway says:
> > A while back, there was a discussion about how to fake a from
> > address by telneting into port 25 in a site. Many people discussed
> > the pro's and cons, but I wanted to know if anybody knows of a way
> > to stop people from getting in there to send the message in the
> > first place.
>
> Sure. Turn off mail to your site.
>
> Beyond that, the store and forward nature of mail makes it impossible
> to stop this. The only real solution is to require digital signatures
> on all email.
>
> Perry
>

Identd is pathetic, but may help with finding who did it. (Also, a good look at the mail headers will help too.)

If the mail was a forgery on the local site, a check in the mail logs will do, as sendmail is not accessed when mailing from user at localhost to anotheruser at localhost.

Enough of the "FAA's... the info that everyone knows, or should.".

Other than using PGP or PEM, or writing a new RFC for mail, is there any other way to verify that a message is authentic that I missed?

From hayden at krypton.mankato.msus.edu Sun Nov 27 20:57:59 1994
From: hayden at krypton.mankato.msus.edu (Robert A. Hayden)
Date: Sun, 27 Nov 94 20:57:59 PST
Subject: How to disable telnet to port 25
In-Reply-To: <199411280358.VAA16759@pentagon.io.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 27 Nov 1994 dfloyd at io.com wrote:

> Other than using PGP or PEM, or writing a new RFC for mail, is there
> any other way to verify that a message is authentic that I missed?

I don't have an answer to your question, but you did bring up something I've been meaning to ask about for some time and I never really got around to it; Are there any short-term plans to press for an RFC utilizing digital signatures? With the exponential increase of mail users, as well as the influx of Compu$erv, AOL, Prodigy and other users, some methods for the transparent use of digital signatures needs to be worked out before it becomes too difficult to implement change because the commercial services have all the power. (or worse, before the government decides for us.)

Of course the question then becomes one of which standard to use. PGP may seem great, but if there are nothing but licensing problems and political backlash, maybe something else needs to be looked at.

Sorry, just a-babblin'.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtljEzokqlyVGmCFAQGP3QQAva4mpLJXa8GfxcvfkR5TUQLr7589JZtp
UmdJCVS5QtEIrZUvwm+3uS4Bv/rqP29axT/OtHCxIOyayWSadu0wuxfnJ+UKIiS0
SOlqsegrHfoFEKInXANzMGMKC0JxIoDWKp3CK/RpqxnQfp/VQos6PI31OijW5g+0
Dz+LXL4xR6o=
=9dbu
-----END PGP SIGNATURE-----

____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> I do not necessarily speak for the
\/ Finger for PGP Public Key <=> City of Mankato or anyone else
-=-=-=-=-=-=-=-
(GEEK CODE 2.1) GJ/CM d- H-- s-:++>s-:+ g+ p? au+ a- w++ v* C++(++++) UL++++$ P+>++ L++$ 3- E---- N+++ K+++ W M+ V-- -po+(---)>$ Y++ t+ 5+++ j R+++$ G- tv+ b+ D+ B--- e+>++(*) u** h* f r-->+++ !n y++**

From jpb at gate.net Sun Nov 27 21:33:29 1994
From: jpb at gate.net (jpb at gate.net)
Date: Sun, 27 Nov 94 21:33:29 PST
Subject: School Admins
In-Reply-To:
Message-ID: <199411280534.AAA54706@seminole.gate.net>

Re:
> > > suspend him.' The administration, at least at my school, does *NOT* know
> > > how to deal with computer networks. They threatened to suspend me for
> > > insubordination if I didn't grep people's mail spools for obscenity -
> > > call me a wimp, but I shut up and did it (deleting people I knew. :) ).
> >
> > Here's hoping you sent the grep victims anonymous mail with a PGP faq.
>
> Riiight. It's not practical to bring PGP in - these AIX boxes have
> disk drives but the C compiler has been removed. I don't have access to
> another AIX box to compile PGP on, either. crypt(1) is good enough.

Jon,

I guess you're right - if they're so clueless that they have to get you to run grep for them they're clueless enough to be stymied by crypt - all you have to do is go "Duh, its encrypted, I don't know how to uncrypt."

How long do you think it'll be before crypt disappears, though?

Are these machines connected to the net? If so, pointing them in the direction of the remailers might be a good thing.

Joe

P.S.
I realize it is a lot easier for me to make these suggestions than for you to implement them - I don't have to deal with the consequences.

From karn at unix.ka9q.ampr.org Sun Nov 27 22:07:09 1994
From: karn at unix.ka9q.ampr.org (Phil Karn)
Date: Sun, 27 Nov 94 22:07:09 PST
Subject: Zimmermann interrogated without counsel
In-Reply-To: <199411280054.TAA21721@crypto.com>
Message-ID: <199411280606.WAA09232@unix.ka9q.ampr.org>

There was supposed to be an exemption for temporary export of cryptography by US citizens for personal use overseas. At least it was announced last spring by Martha Harris at the State Dept.

There's some confusion about whether the exemption ever actually took effect; the current consensus appears to be that it has not. So I guess you still have to go through the formality.

Phil

From mab at crypto.com Sun Nov 27 22:09:25 1994
From: mab at crypto.com (Matt Blaze)
Date: Sun, 27 Nov 94 22:09:25 PST
Subject: Zimmermann interrogated without counsel
In-Reply-To: <199411280606.WAA09232@unix.ka9q.ampr.org>
Message-ID: <199411280610.BAA24922@crypto.com>

>There was supposed to be an exemption for temporary export of
>cryptography by US citizens for personal use overseas. At least it was
>announced last spring by Martha Harris at the State Dept.
>
>There's some confusion about whether the exemption ever actually took
>effect; the current consensus appears to be that it has not. So I
>guess you still have to go through the formality.
>
>Phil
>

According to our export guy (and also someone I spoke with at NIST) that exemption is not yet in effect.

-matt

From karn at unix.ka9q.ampr.org Sun Nov 27 22:11:19 1994
From: karn at unix.ka9q.ampr.org (Phil Karn)
Date: Sun, 27 Nov 94 22:11:19 PST
Subject: Cell Phones Security??
Message-ID: <199411280610.WAA09244@unix.ka9q.ampr.org>

In article <94Nov21.08.1184 at qualcomm.com>, you write:
|> As one who will be shopping for a cell phone in the next week, what should
|> I look for in terms of security?
|> What features are available in phones on
|> the market....if any?

Basically, there is *no* security whatsoever in cellular phones, at least with the current analog FM technology. If you want privacy, you'll have to provide it yourself on an end-to-end basis. Not only does this require the party on the other end to have a secure phone, but it greatly reduces reliability since most dialup modems don't perform very well over cellular radio paths.

Phil

From ianf at sydney.sgi.com Sun Nov 27 22:39:02 1994
From: ianf at sydney.sgi.com (Ian Farquhar)
Date: Sun, 27 Nov 94 22:39:02 PST
Subject: School Admins
In-Reply-To: <199411280534.AAA54706@seminole.gate.net>
Message-ID: <9411281732.ZM2476@wiley.sydney.sgi.com>

On Nov 28, 12:34am, jpb at gate.net wrote:
> How long do you think it'll be before crypt disappears, though?

What would be cute would be to roll-your-own enigma using a series of standard Unix filters. It would seem moderately straightforward to maintain rotor files which are fed into tr, while using cut's and simple appends to move the rotors.

I'd like to see them go chasing anyone by removing that set of standard Unix utilities.

Ian.

From alex at omaha.com Mon Nov 28 00:34:08 1994
From: alex at omaha.com (Alex Strasheim)
Date: Mon, 28 Nov 94 00:34:08 PST
Subject: Transparent Email (WAS disable telnet to port 25)
In-Reply-To: <199411280806.CAA00150@omaha.omaha.com>
Message-ID: <199411280834.CAA00176@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

> I don't have an answer to your question, but you did bring up something
> I've been meaning to ask about for some time and I never really got
> around to it; Are there any short-term plans to press for an RFC
> utilizing digital signatures?
> With the exponential increase of mail
> users, as well as the influx of Compu$erv, AOL, Prodigy and other users,
> some methods for the transparent use of digital signatures need to be
> worked out before it becomes too difficult to implement change because
> the commercial services have all the power. (or worse, before the
> government decides for us.)

Some still unformed thoughts on this subject:

The big problem with transparent encryption and signatures is key
distribution: if you've never sent a letter to me, your mailer will have
to get my key (invisibly) before the mail can be sent. The big problem
with key distribution is the web of trust: who gets to decide which keys
are good?

This is a subtle advantage that systems with centralized key generation
have over systems like PGP, which let users generate their own keys. If
big brother mints all the keys, then big brother can set up an
authoritative keyserver.

The best answer that I can come up with for this problem is to allow for
several webs of trust to function simultaneously. Perhaps we would have
a default web, which would have everyone's key in it. The idea behind
the default web is that it should be able to return a key as often as
possible, so we don't want to make it too difficult to submit keys for
this web.

But anyone else could devise his or her own web, and administer it
however he or she pleased. A request to a keyserver would include a list
of webs, in order of preference, that the user would be willing to deal
with. At the end of the list would be the default web, in case nothing
better was available.

A web could be defined by a single top-level public key and a set of
rules. Perhaps a text based program -- a sort of "meta-pgp" -- could
check chains of signatures to validate a key.

Suppose, for example, that I'm administering a web of trust. I set up
the web so that I can deputize notaries who can in turn sign user keys.
Let's further assume that all signatures are good for a year.
A keyserver would return a text file containing: (a) the user's key,
concatenated with a header specifying the date it was signed by the
notary, and (b) the notary's key, concatenated with a header specifying
the date it was signed by me.

We'd want "meta-pgp" to be able to handle complex rules which would give
it the flexibility to implement a wide variety of webs. Perhaps it could
use prolog-ish style induction to determine if a key was good.

Does this make sense? Is it something that was already proposed and
discarded?

==
Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1. public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtmV+hEpP7+baaPtAQH3kgP8DmycpNrZKQRpyK1rclxJnIY2bdT5m4iM
p7IQ7nI07PSMn+ldye2xG5jjms42CR0BVvk4hhdGzDJwcgdd3FHFC7xNHvhk+SOE
4EHqpyW+YdNSe3A7+sMZp30mgWEnvHOpnrU9UiMUIaC8gcLk3GlkXdxDG+SWGwv/
1yesnbaUxYM=
=p2UQ
-----END PGP SIGNATURE-----

From perry at imsi.com Mon Nov 28 02:23:43 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Mon, 28 Nov 94 02:23:43 PST
Subject: How to disable telnet to port 25
In-Reply-To:
Message-ID: <9411281023.AA11423@snark.imsi.com>

"Robert A. Hayden" says:
> I've been meaning to ask about for some time and I never really got
> around to it; Are there any short-term plans to press for an RFC
> utilizing digital signatures?

There is already an RFC on this (and indeed has been for some years);
it's called "PEM", or Privacy Enhanced Mail. Thus far it's been a
complete flop. It's thought that certain modifications being proposed
right now (MIME integration, "mail style" names instead of X.500
distinguished names, and the ability to use non-hierarchical signature
certificates) may change that.

Perry

From sandfort at crl.com Mon Nov 28 03:05:07 1994
From: sandfort at crl.com (Sandy Sandfort)
Date: Mon, 28 Nov 94 03:05:07 PST
Subject: CALLING "CAPT'N BOB"
Message-ID:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .

C'punks,

BANDWIDTH ALERT: If you are not "Capt'n Bob" this message is a
complete waste of your time.

"Capt'n Bob, I sent a message to your anonymous address; it bounced.
Please send me a better address by private e-mail.

Thanks,

S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From cwedgwood at cybernet.co.nz Mon Nov 28 04:26:09 1994
From: cwedgwood at cybernet.co.nz (Chris Wedgwood)
Date: Mon, 28 Nov 94 04:26:09 PST
Subject: Need program pointers
Message-ID:

storm at marlin.ssnet.com wrote:
_______________________________________________________________________

I presently use Xtree Gold. It has a DoD and 6 pass Wash Disk feature
for writing over unused areas of a disk/drive. So far I have been
unsuccessful at recovering any data after Wash Disk with Norton
Utilities or PC Tools. If there is a weakness in Wash Disk I'd like to
hear about it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Actually XtreeGold doesn't wipe disks very well. It simply creates a
file (in root) as big as there is free space on the disk. This is fine
provided the file has rubbish in it - but with XTG it's all blank....
wash your disks then do an undelete from root and you will find a
(usually large) file. Look at it - it's all blank....

Because the data is all blank (zeros) an anomaly search would produce
probably ALL of the data that was there originally.....

I have a program (written by me) that writes pseudo-random mess to the
disk for a specified number of times. I am also working on another
program which clears any data that remains in the last clusters of a
file (i.e. past the EOF point). DOS 7 will do this automatically I'm
told (haven't looked and the beta is too messy to bother with).

Chris

P.S. Sorry for extra spaces in the quoting... my comm program is
somewhat broken....
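
Added example (not Chris's program and not part of the original post): the two wipers his message describes, in Python, one filling free space with several passes of pseudo-random data instead of zeros and one overwriting a file out to the end of its last cluster so the slack past EOF is covered. The function names, the 4096-byte default cluster size and the premise that the filesystem overwrites blocks in place (which SSD wear-levelling, journaling and copy-on-write filesystems do not guarantee) are assumptions of this example.

```python
import errno
import os
import sys
import tempfile

CHUNK = 64 * 1024                      # bytes handed to each write() call
O_BINARY = getattr(os, "O_BINARY", 0)  # only defined (and needed) on DOS/Windows


def _write_random(fd, nbytes):
    """Write up to nbytes of os.urandom() output to fd; return the byte count.

    A full volume (ENOSPC) ends the write quietly: when wiping free space,
    running out of room is the expected way for a pass to finish.
    """
    written = 0
    while written < nbytes:
        block = os.urandom(min(CHUNK, nbytes - written))
        try:
            written += os.write(fd, block)
        except OSError as exc:
            if exc.errno == errno.ENOSPC:
                break
            raise
    return written


def wipe_file(path, passes=3, cluster_size=4096, remove=True):
    """Overwrite a file in place with random data, then optionally delete it.

    The overwrite length is rounded up to a whole number of clusters so the
    slack between EOF and the end of the last cluster is overwritten as well.
    Returns the number of bytes written per pass.
    """
    size = os.path.getsize(path)
    padded = -(-size // cluster_size) * cluster_size   # ceiling to cluster size
    fd = os.open(path, os.O_WRONLY | O_BINARY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            _write_random(fd, padded)
            os.fsync(fd)               # push this pass to the device before the next
    finally:
        os.close(fd)
    if remove:
        os.remove(path)
    return padded


def wipe_free_space(directory, passes=3, max_bytes=None):
    """Fill the free space of the volume holding `directory` with random data.

    Each pass writes one temporary file until the volume is full (or until
    max_bytes, a cap added here so the routine can be tried safely), syncs
    it, and deletes it. Returns the bytes written in each pass.
    """
    limit = sys.maxsize if max_bytes is None else max_bytes
    totals = []
    for _ in range(passes):
        fd, path = tempfile.mkstemp(prefix="wipe-", suffix=".tmp", dir=directory)
        try:
            totals.append(_write_random(fd, limit))
            os.fsync(fd)
        finally:
            os.close(fd)
            os.remove(path)
    return totals


if __name__ == "__main__":
    # Constructed demonstration inside a throwaway directory.
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "notes.txt")
    with open(victim, "wb") as fh:
        fh.write(b"constructed sample contents\n" * 100)
    print("bytes overwritten per pass:", wipe_file(victim, passes=3))
    print("free-space passes:", wipe_free_space(workdir, passes=2, max_bytes=1 << 20))
    os.rmdir(workdir)
```
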

From Brian.McMurry at f844.n102.z1.fidonet.org Mon Nov 28 05:19:18 1994
From: Brian.McMurry at f844.n102.z1.fidonet.org (Brian McMurry)
Date: Mon, 28 Nov 94 05:19:18 PST
Subject: Cell Phones Security - NOT!
Message-ID: <496.2ED9D208@mcws.fidonet.org>

On 24-Nov-94, Conrad Walton wrote:

>Well, as one who owns an AOR 1000 radio frequency scanner that can receive
>any and all cell phone conversations, I would have to say you have no
>security unless you use some kind of voice encryption. In order to make you
>can feel warm and safe, the manufacture or importation of scanners with
>cell phone capability was outlawed by congress earlier this year, which
>means that I can still listen to your call with my existing scanner while
>you feel protected.

Your local budget espionage shop (Radio Shack) still has a selection of
scanners that pick up cellular and cordless telephones. A friend picked one
up to listen to normal police/fire calls, but hasn't been able to lay a hand
on it since his wife is always listening to the 'soap opera' phone calls.
Often times she'll tape them. People are unknowingly giving away voice
mailboxes, credit cards, and account information all the time (DTMF).

--- CNet XFIDO 2.63
 * Origin: *AACHEN* 818-972-9440 Burbank, CA FIDONET (1:102/844)

--
: Brian McMurry - via mcws.fidonet.org - Public Access (213)256-8371
: ARPA/INTERNET: Brian.McMurry at f844.n102.z1.fidonet.org
: UUCP: ...!bengal!mcws!844!Brian.McMurry
: Compu$erve: >internet:Brian.McMurry at f844.n102.z1.fidonet.org

From m5 at vail.tivoli.com Mon Nov 28 05:28:15 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Mon, 28 Nov 94 05:28:15 PST
Subject: A possible solution
In-Reply-To: <9411272126.AA05054@vail.tivoli.com>
Message-ID: <9411281328.AA07328@vail.tivoli.com>

Aron Freed writes:
 > > So why pick specifically on cryptography?
 >
 > Why don't we stick to the topic?

!!

 > Do you have an intelligent reply or are you going to shoot your
 > mouth off?

!!!!!

Ok, look Aaron.
You post a long note asking for comments and you get
some. Seems to me you need to decide whether you really want feedback
or instead you just want people to pat you on the back and say "wow,
what a great idea Aaron." If it's the latter, you'd better stick to
showing your little ideas to Mom.

 > Or Maybe you can share something better with us, all knowing and
 > wise one.

My reply was completely serious, and I'd hope that someone pursuing an
education would understand it. If you didn't (and so it appears),
then let me state my point again more simply: your idea is flawed in
that it arbitrarily treats cryptography as a technology that uniquely
demands a degree of "responsible use" so great that "irresponsible
use" must be specifically punished. I think you should ponder why
that's justified instead of just making bald assertions.

I also think you should consider what a precedent such a policy would
set. Once it's accepted that irresponsible use of cryptography
deserves extra punishment, then why exactly should any technology
(yes, even including velcro!) not be similarly considered? What would
such a legal structure imply?

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally                         |
| TAKE TWA TO CAIRO.          ||| Tivoli Systems, Austin, TX:          |
| (actual fortune cookie)     ||| "Like A Little Bit of Semi-Heaven"   |

From rfb at lehman.com Mon Nov 28 06:11:42 1994
From: rfb at lehman.com (Rick Busdiecker)
Date: Mon, 28 Nov 94 06:11:42 PST
Subject: phone security
Message-ID: <9411281410.AA03562@cfdevx1.lehman.com>

We have a neighbor who likes to use a scanner to listen in on portable
phones, baby monitors, etc.. While I've never used portable phones,
I've gotten into a number of discussions with other neighbors about
appropriate ways to deal with the situation -- most people don't
appreciate my suggestion that they simply stop broadcasting their
private conversations (!)

Anyway, in a conversation on Saturday I said that without encryption,
you basically have no privacy with a portable phone.
Several people said that ``900 MHz'' portables are safe from scanners.
Does someone know more about this situation? What would be required to
eavesdrop on one of these phones?

Also, my understanding of the legal situation is that listening in on
cellular phones is considered wiretap (at least assuming that intent
can be demonstrated), but that most other broadcasting phones are not
protected, i. e. my nosy neighbor's actions are merely slimy, not
criminal. Is my understanding accurate?

Rick

From lmccarth at ducie.cs.umass.edu Mon Nov 28 06:15:53 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Mon, 28 Nov 94 06:15:53 PST
Subject: Cell Phones Security - NOT!
In-Reply-To: <496.2ED9D208@mcws.fidonet.org>
Message-ID: <199411281416.JAA14683@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Brian McMurry writes:
> scanners that pick up cellular and cordless telephones. A friend picked one
> up to listen to normal police/fire calls, but hasn't been able to lay a hand
> on it since his wife is always listening to the 'soap opera' phone calls.
> Often times she'll tape them.
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Gee, with friends like that, who needs the government ?

- -L. McCarthy

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLtnmEGf7YYibNzjpAQFMzwP+PluWPWAoZ+yCwFLNZeWO4D72bcVdzuv3
ZOyBgplL+xDZz0pw4rckCDh0UYBdgY+NYwgRloY4ZSp5wR07BPpLbyuXEz4c5tOj
HM1bzPqt6VDKLSxDC6YxywpjkQCE4jJwab7NkvGG0O2TJx/IJUyvL0M+AVqQzCMl
Vn+6v8v6yUA=
=8Yas
-----END PGP SIGNATURE-----

From cdodhner at PrimeNet.Com Mon Nov 28 06:46:42 1994
From: cdodhner at PrimeNet.Com (Christian Odhner)
Date: Mon, 28 Nov 94 06:46:42 PST
Subject: Cash
In-Reply-To: <9411190018.AA08899@anchor.ho.att.com>
Message-ID:

On Fri, 18 Nov 1994 wcs at anchor.ho.att.com wrote:

> Hasn't really provided it for quite a while, as long as there's an
> infrastructure to track serial numbers (you've presumably noticed that
> each bill a unique serial number, except for counterfeits and maybe
> printing glitches.)

And every bill that passes through my hands (of course not the ones I
handle at work, I'm talking personal here...) gets the serial #
overwritten in heavy black marker.

Happy Hunting, -Chris.

______________________________________________________________________________
Christian Douglas Odhner     | "The NSA can have my secret key when they pry
cdodhner at primenet.com     | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger | NEVER have the password it's encrypted with!"
cypherpunks WOw dCD Traskcom Team Stupid
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
------------------------------------------------------------------------------

From nowhere at bsu-cs.bsu.edu Mon Nov 28 07:01:07 1994
From: nowhere at bsu-cs.bsu.edu (Anonymous)
Date: Mon, 28 Nov 94 07:01:07 PST
Subject: No Subject
Message-ID: <199411281500.KAA16037@bsu-cs.bsu.edu>

Realizing this is somewhat off-topic, has anyone heard of the
'internet liberation front'?

- spooge

From perry at imsi.com Mon Nov 28 07:03:58 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Mon, 28 Nov 94 07:03:58 PST
Subject: No Subject
In-Reply-To: <199411281500.KAA16037@bsu-cs.bsu.edu>
Message-ID: <9411281503.AA11841@snark.imsi.com>

Anonymous says:
> Realizing this is somewhat off-topic, has anyone heard of the
> 'internet liberation front'?

How do you liberate something that's already free?

From cdodhner at PrimeNet.Com Mon Nov 28 07:12:20 1994
From: cdodhner at PrimeNet.Com (Christian Odhner)
Date: Mon, 28 Nov 94 07:12:20 PST
Subject: usenet-to-mail,ftp-to-mail,xxxx-to-mail
In-Reply-To:
Message-ID:

On Sat, 19 Nov 1994, Jonathan Rochkind wrote:

> "Robert A. Hayden" wrote:
> >More importantly, are there are usenet-to-mail gateways?
> [good stuph left out here..]
>
> Would there be any benefit to doing this at all over the present system?
> Why would someone submit a message to the remailer "bramble" via newsgroup
> instead of just mailing it?
> Unless you find an anonymous way to post to
> the newsgroup in the first place, your security seems to be seriously
> compromised. Even if everything is encrypted, you've made traffic analysis
> a huge amount easier. And if you are finding a way to post to a newsgroup
> anonymously in the first place, odds are you have some other entry point to
> the remailer bramble, so why make a stop on the newsgroup opening yourself
> up to traffic analysis?

For a long time I've wanted to set up a remailer that instead of just
re-mailing the input mail would telnet to port 25 on a specified machine
and spoof the headers exactly like you tell it to, or that would anon-ftp
upload the "mail" message to a specified site, or that would continually
check a local (or remote) ftp directory for filenames that match a
certain wildcard, processing them as inbound mail... I can think of a
couple of situations under which having a mailer pick up off a newsgroup
would be very useful... send a pgp encrypted, nested message through a
chain of four remailers... one is a standard-ish remailer which peels off
the first layer of encryption and posts your message to a certain
newsgroup. The second one, whose address remains a mystery, spoofs or
remails the message it found in the newsgroup to a different newsgroup,
where it is again picked up and decrypted by the third remailer, which
uploads it to an ftp site watched by the fourth, again anonymous
remailer, who picks it up and remails it to the recipient. It may all be
an exercise in futility, I'm not an expert on that kinda thing, but it
sure /seems/ more secure to me...

Happy Hunting, -Chris.

______________________________________________________________________________
Christian Douglas Odhner     | "The NSA can have my secret key when they pry
cdodhner at primenet.com     | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger | NEVER have the password it's encrypted with!"
cypherpunks WOw dCD Traskcom Team Stupid
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
------------------------------------------------------------------------------

From khijol!erc Mon Nov 28 07:41:47 1994
From: khijol!erc (Ed Carp [Sysadmin])
Date: Mon, 28 Nov 94 07:41:47 PST
Subject: usenet-to-mail,ftp-to-mail,xxxx-to-mail
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> For a long time I've wanted to set up a remailer that instead of just
> re-mailing the input mail would telnet to port 25 on a specified machine
> and spoof the headers exactly like you tell it to, or that would anon-ftp
> upload the "mail" message to a specified site, or that would continually
> check a local (or remote) ftp directory for filenames that match a
> certain wildcard, processing them as inbound mail... I can think of a
> couple of situations under which having a mailer pick up off a newsgroup
> would be very useful... send a pgp encrypted, nested message through a
> chain of four remailers... one is a standard-ish remailer which peels off
> the first layer of encryption and posts your message to a certain
> newsgroup. The second one, whose address remains a mystery, spoofs or
> remails the message it found in the newsgroup to a different newsgroup,
> where it is again picked up and decrypted by the third remailer, which
> uploads it to an ftp site watched by the fourth, again anonymous
> remailer, who picks it up and remails it to the recipient. It may all be
> an exercise in futility, I'm not an expert on that kinda thing, but it
> sure /seems/ more secure to me...

Here's a script that you might want to use as a base:

(echo helo;echo mail from:\<`logname`@`hostname`.`domainname`\>;echo rcpt to:\<$1\>;echo data
echo X-Info-1: This message was sent using fastmail 0.1 - contact ecarp at netcom.com
echo X-Info-2: for more information. Copyright 1994 by Ed Carp.
cat
echo .;echo quit)|telnet `echo $1|cut -f2 -d@` 25

- --
Ed Carp, N7EKG                      Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP 2.5 public key   an88744 at anon.penet.fi
** PGP encrypted email preferred! **
"What's the use of distant travel if only to discover - you're homeless in
your heart." --Basia, "Yearning"

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLtn5dCS9AwzY9LDxAQELNwP/TeP9GvonQOsDPiKb7dJKtG1Uj3puVEpu
fXwGYl0g+q+ZfdeBUwE0NfkZMK7L453/3oNevB2JbLFzypF+bAgZJeDlFHZgLs1B
Dq8SgMAyvtQztlSEZ6tKIWNiIVSmfNFHbyS4/QsLitkRJywWRN8UJE1/3KUNQ3hy
2vFmIjRLbxA=
=zA4H
-----END PGP SIGNATURE-----

From corbet at stout.atd.ucar.edu Mon Nov 28 08:56:13 1994
From: corbet at stout.atd.ucar.edu (Jonathan Corbet)
Date: Mon, 28 Nov 94 08:56:13 PST
Subject: Zimmerman interrogated
Message-ID: <199411281655.JAA26066@atd.atd.ucar.EDU>

The sad thing is that what happened to Phil in customs is far from
exceptional. A lot of us who went to Nicaragua in the early- to
mid-eighties found this out... Thereafter, every time I came back into
the country from somewhere I would get pulled out, searched, my money
counted, and so on. I got to where I would routinely schedule at least
three hours for my domestic connection. After five years of "good
behavior" this stopped as abruptly as it began.

There are cases of people who had their journals confiscated; these then
later turned up in places like FBI files, which is highly illegal.

jon

From corbet at stout.atd.ucar.edu Mon Nov 28 08:57:49 1994
From: corbet at stout.atd.ucar.edu (Jonathan Corbet)
Date: Mon, 28 Nov 94 08:57:49 PST
Subject: E$ in the Economist
Message-ID: <199411281656.JAA26111@atd.atd.ucar.EDU>

This week's issue of the Economist has an interesting article on
electronic money. They talk somewhat about Chaum, tax collection
problems, and so on. Some discussion about how encryption standards are
lacking on the Internet, but they don't go into why. A worthwhile read
anyway.

jon

From norm at netcom.com Mon Nov 28 09:07:31 1994
From: norm at netcom.com (Norman Hardy)
Date: Mon, 28 Nov 94 09:07:31 PST
Subject: Transparent Email (WAS disable telnet to port 25)
Message-ID:

At 1:34 AM 11/28/94, Alex Strasheim wrote:
....
>The big problem with transparent encryption and signatures is key
>distribution: if you've never sent a letter to me, your mailer will have
>to get my key (invisibly) before the mail can be sent. The big problem
>with key distribution is the web of trust: who gets to decide which keys
>are good?
....
If I have never sent you mail, consider how I got your e-mail address?
You could have sent your public key to me along with your e-mail address.
If your public key is too big you could include a phoneticized secure hash of
your public key and I could check big brother (the CA). I suspect that initial
bits of a public key serve pretty well as a secure hash. Perhaps all email
addresses should be accompanied by such a hash. The more initial bits
the harder to find a fake public key with suitable mathematical properties
and initial bits that agree with your real public key.

If an email address and its associated PK are sent thru unauthenticated
channels a man in the middle can substitute the PK. In the same situation,
however, the man in the middle can substitute the email address!
....

From asgaard at sos.sll.se Mon Nov 28 09:58:23 1994
From: asgaard at sos.sll.se (Mats Bergstrom)
Date: Mon, 28 Nov 94 09:58:23 PST
Subject: Need program pointers
In-Reply-To:
Message-ID:

> I have a program (written by me) that writes pseudo-random mess to
> the disk for a specified number of times. I am also working on another

A simple easy-to-get file over-writer (around 5 times if I remember
correctly) for DOS is tbdel.com, part of the TBAV (ThunderByte Anti
Virus) SW package.

Mats

From dat at ebt.com Mon Nov 28 10:00:27 1994
From: dat at ebt.com (David Taffs)
Date: Mon, 28 Nov 94 10:00:27 PST
Subject: School Admins
In-Reply-To: <9411281732.ZM2476@wiley.sydney.sgi.com>
Message-ID: <9411281801.AA05231@veronica.EBT.COM>

   From: "Ian Farquhar" :

   On Nov 28, 12:34am, jpb at gate.net wrote:
   > How long do you think it'll be before crypt disappears, though?

   What would be cute would be to roll-your-own enigma using a series of
   standard Unix filters. It would seem moderately straightforward to
   maintain rotor files which are fed into tr, while using cut's and
   simple appends to move the rotors.

   I'd like to see them go chasing anyone by removing that set of standard
   Unix utilities.

   Ian.

Whotsa madder wid good ole Rot13 to foil the grepmeister?

Dat otter work jes fine...

--
(david taffs)

From turner at telecheck.com Mon Nov 28 10:09:47 1994
From: turner at telecheck.com (Joe Turner)
Date: Mon, 28 Nov 94 10:09:47 PST
Subject: School Admins
In-Reply-To:
Message-ID: <9411281810.AA09436@TeleCheck.com>

>
>
> On Sun, 27 Nov 1994, Jonathan Cooper wrote:
>
> > Riiight. It's not practical to bring PGP in - these AIX boxes have
> > disk drives but the C compiler has been removed. I don't have access to
> > another AIX box to compile PGP on, either. crypt(1) is good enough.
>
> Perhaps someone out there could assist this gent by emailing him an
> AIX-compiled binary of PGP 2.6.2? (Or a p.d. C compiler?)
>

John,

What kind of AIX box? I have an IBM RT/PC running an old version of AIX
at home, and might have access to a RISC/6000 if I need it. Tell me what
kind of machine you are running and I will dump the executables
somewhere you can get it.

... if you want it.

--
Joe N.
Turner Telecheck International turner at telecheck.com
5251 Westheimer, PO BOX 4659, Houston, TX 77210-4659
compu$erv: 73301,1654 (800) 888-4922 * (713) 439-6597

From jamiel at sybase.com Mon Nov 28 10:15:08 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Mon, 28 Nov 94 10:15:08 PST
Subject: Interfacing PGP with Pine (Script pointer)
Message-ID:

At 7:47 AM 11/25/94, Michael Handler wrote:
> For a well written script to interface PGP with Pine:
>
> finger slutsky at lipschitz.sfasu.edu | pgp -f > mkpgp.txt.uu
>
> If you don't have finger access, mail me privately, and I'll send
>the file to you.

If you don't mind, could I have a copy? finger is disabled here...

thanks,

-j

From jamiel at sybase.com Mon Nov 28 10:36:35 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Mon, 28 Nov 94 10:36:35 PST
Subject: I promise never... (Was: Re: Interfacing PGP with)
Message-ID:

to send mail before having my coffee and checking the cc:line
again. Honest this time.

-j

--
On the internet, no one knows you're a deity.
___________________________________________________________________
Jamie Lawrence Soon --------->

From turner at telecheck.com Mon Nov 28 10:40:56 1994
From: turner at telecheck.com (Joe Turner)
Date: Mon, 28 Nov 94 10:40:56 PST
Subject: PGP for VMS
In-Reply-To: <94112220190218@nzdairy.co.nz>
Message-ID: <9411281841.AA09575@TeleCheck.com>

>
> Can anyone tell me where I can get a copy of
> PGP for vms? AXP or VAX.
>
> T
>

I have never gotten PGP to compile on either AXP or
VAX. I briefly glanced at the assembly language
routines, but did little else since I had access
to PCs and Alphas running OSF.

Has anyone gotten this to compile?

--
Joe N.
Turner Telecheck International turner at telecheck.com
5251 Westheimer, PO BOX 4659, Houston, TX 77210-4659
compu$erv: 73301,1654 (800) 888-4922 * (713) 439-6597

From alex at omaha.com Mon Nov 28 11:01:09 1994
From: alex at omaha.com (Alex Strasheim)
Date: Mon, 28 Nov 94 11:01:09 PST
Subject: Transparent Email (WAS disable telnet to port 25)
In-Reply-To:
Message-ID: <199411281901.NAA00468@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

I think that the main problem with this is that it would require email
addresses to be transmitted electronically. My email address is
alex at omaha.com, and one of the nice things about it is that I can tell
someone what it is, and they'll remember it. I'd hate to have to append
a fingerprint to the address when I gave it out.

The big problem with secure mail in the real world is that most people
probably aren't willing to sacrifice much in the way of convenience in
order to get security. We really need a Eudora-style program which
would look and act like Eudora does now, with encryption and signatures
going on in the background. A scheme which would make addresses more
complicated probably won't fly.

The general approach that I was proposing was to create a lowest common
denominator web of trust, but to allow anyone to create, maintain, and
use their own webs, using whatever criteria they deem appropriate. This
is, in my understanding at least, the best way to guard against the man
in the middle problem: keys would have to be signed by someone we trust
in order to be accepted. The idea is to put a lot of flexibility in the
hands of users, making a very high level of security possible, without
imposing the responsibilities this involves on people who don't want or
need it.

In order to do this, we'd need a general system for describing and
manipulating webs. Ideally, a web could be defined with a single top
level public key and a rule set.
The keyserver would return a text file which contained a chain of
signatures in a text file, and a general program, which I'm calling
meta-pgp, would be able to extract and verify the user's public key
using the web's top level public key and the rule set.

The point of meta-pgp is to give people enough flexibility in
administering their webs that they wouldn't feel constrained by the
system. It would work by allowing chains of signatures, and allowing
supplemental information to be affixed to each key in the chain before
it was signed.

Suppose, to take a simple example, I administer a web. I decide that
I'll deputize people to sign user keys. Each signature will be good for
a year.

First of all, I'd have to sign the deputy's keys. I'd meet with the
deputies, and they'd give me their public keys in text format. I'd
prepend two fields of header information, a DEPUTY token, and a DATE
11/28/94 token to the deputy's key, and then sign it with my public key.
Then I'd return it to the deputy.

The deputy would do something similar for the user when he signed the
user's public key: he'd affix USER and DATE tokens, sign the result and
give it back to the user. He'd also prepend his own public key, signed
by my top level public key. The user would submit this to the keyserver
database.

That way when someone wants to send mail to the user, they'd query the
database. The sender would send the keyserver the email address of the
recipient, along with a list of acceptable webs, in order of preference.
If the sender was willing to accept my web, the keyserver would return
that chain, and the sender's meta-pgp would validate the key, based on
the top level key for the web and the rule set.

The point of meta-pgp would be to allow people to use whatever kinds of
webs they want, at the same time preserving the ability of generalized
programs to verify keys.
The default web could be based on something
simple, with comparatively low security, allowing people to send in
their keys via email and requiring them to respond to an encrypted reply
from the web administrator. This wouldn't be impossible to spoof,
obviously, but it would allow a lot of people to put their keys into
circulation. Those of us who would be dissatisfied with such an insecure
setup could make other arrangements.

[I'm sorry to describe the same proposal twice, but I wrote the last one
in the middle of the night, and I was a little bleary... I'm not sure
how well I described it.]

> If I have never sent you mail, consider how I got your e-mail address?
> You could have sent your public key to me along with your e-mail address.
> If your public key is too big you could include a phoneticized secure hash of
> your public key and I could check big brother (the CA). I suspect that initial
> bits of a public key serve pretty well as a secure hash. Perhaps all email
> addresses should be accompanied by such a hash. The more initial bits
> the harder to find a fake public key with suitable mathematical properties
> and initial bits that agree with your real public key.
>
> If an email address and its associated PK are sent thru unauthenticated
> channels a man in the middle can substitute the PK. In the same situation,
> however, the man in the middle can substitute the email address!

==
Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1.
public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtoo3xEpP7+baaPtAQEkSwP/SlwhZ9TGnB0hpGMZ5L/WRjyKe7OTEAlj
yzYRGCPdEarvWkY9NtNDB1tqLJjomARJEZGD8jACSo25z8lgTXguVm98BxkzBErz
TlWhRuSBY/UzfBDLG7PMP5VlR6yosNrToErwbl7ZSAveZuC9+usjCXB8WGhvK+Qg
/zKGskP06iI=
=lEaX
-----END PGP SIGNATURE-----

From RGRIFFITH at sfasu.edu Mon Nov 28 11:03:34 1994
From: RGRIFFITH at sfasu.edu (RGRIFFITH at sfasu.edu)
Date: Mon, 28 Nov 94 11:03:34 PST
Subject:
Message-ID: <01HK0I5JUYCY000UIE@TITAN.SFASU.EDU>

>
>Realizing this is somewhat off-topic, has anyone heard of the
>'internet liberation front'?
>
>- spooge
>
>

According to today's WSJ it's the name used by hackers who broke into
Pipeline Services, an Internet access provider in NY. Their intrusion
was detected and stopped before major damage was done. They posted a
message that "warned corporate America against commercializing the
Internet into a 'cesspool of greed'."

From pfinerty at seattleu.edu Mon Nov 28 11:49:37 1994
From: pfinerty at seattleu.edu (Patrick J. Finerty Jr.)
Date: Mon, 28 Nov 94 11:49:37 PST
Subject: PGP for VMS
In-Reply-To: <9411281841.AA09575@TeleCheck.com>
Message-ID:

i have successfully compiled pgp2.6.2, pgp2.5, pgp2.6.1 etc on a VAX.
there are some modifications that usually need to be made when building
rsaref (modifications to the rsabuild.com file i believe) that simply
comment out a couple lines that are not required to build pgp but that
are required to build the whole rsaref library. i think the important
lines to remove or comment out with a '!' are

$ call compile md2c
$ call compile md5c

please write if you need more assistance than this.

-pat finerty

I cannot fathom people who seem to insist on taking their doses of
reality rectally. 5150

pfinerty at bach.seattleu.edu     finerty at msscc.med.utah.edu
finger any acct. for pgp key     pfinerty at nyx10.cs.du.edu

On Mon, 28 Nov 1994, Joe Turner wrote:

> >
> > Can anyone tell me where I can get a copy of
> > PGP for vms? AXP or VAX.
> >
> > T
> >
> I have never gotten PGP to compile on either AXP or
> VAX. I briefly glanced at the assembly language
> routines, but did little else since I had access
> to PCs and Alphas running OSF.

From eric at remailer.net Mon Nov 28 13:53:29 1994
From: eric at remailer.net (Eric Hughes)
Date: Mon, 28 Nov 94 13:53:29 PST
Subject: Transparent Email
In-Reply-To: <199411280834.CAA00176@omaha.omaha.com>
Message-ID: <199411282252.OAA01960@largo.remailer.net>

   The big problem with key distribution is the web of trust: who gets to
   decide which keys are good?

This whole area of key distribution has generated much confusion. A perfect world is described, and then everyone is assumed to participate in achieving this world. This approach of generality, however, is notably more complicated than a world where responsibility for security is partitioned, where each user does not have to worry about all the possible systemic security issues.

Proposition: You don't need to be responsible for making sure that the other person is being spoofed; that's their responsibility.

A common situation where this proposition makes a significantly simpler system is exactly in the case described, where you and your email correspondents wish to exchange keys. Suppose, in addition, that you two met online and that your only channels of communication are electronic. The goal here is to create persistence of identity; identification with a physical body is not needed.

In the PGP case you start with your own key, which you trust, then look for a chain of signatures to the destination. This chain can be rather cumbersome to produce. It's overkill, as well, since all you really needed to know is that the key was not being translated on your own end. The PGP trust chain largely accomplishes that, true, but not as simply as possible.

Alternatively, you save the first piece of email that you receive from your correspondent; it has a digital signature on it.
Now _by whatever means_, you obtain a public key by which to verify that signatures on email you receive are the same. You yourself need to ensure that you aren't getting spoofed; you can do this by, say, having your correspondent send mail to two different locations, or by using a second channel to obtain the key by, or by using a PGP trust chain, if one is available.

The original model for public key communications seems to have been one channel with an interposer. The real world is much more complicated than that. One can obtain good protection, at least as good as a trust chain, by crossing organizational boundaries. The argument that trust chains are better because they are cryptographic carries no weight; the decision at each link to make a signature is of social, not cryptographic, character.

In particular, the design of PGP that ties key management inextricably to encryption is bad and will contribute to an inflexibility that will eventually sink PGP if it is not corrected.

   Perhaps we would have
   a default web, which would have everyone's key in it.

This is a really bad idea. Some "public" keys should not be made public, but rather revealed only to the correspondent. Forward secrecy is the reason. If the public key has never been in the possession of an opponent, and assuming the results of the public key operation yield little or no information about the modulus, then when the keys are changed and destroyed, no amount of factoring can find the private key because the public key isn't around to factor.

Eric

From s009amf at discover.wright.edu Mon Nov 28 14:32:53 1994
From: s009amf at discover.wright.edu (Aron Freed)
Date: Mon, 28 Nov 94 14:32:53 PST
Subject: A possible solution
In-Reply-To: <9411280252.AA02560@cfdevx1.lehman.com>
Message-ID:

On Sun, 27 Nov 1994, Rick Busdiecker wrote:

> His reply was perfectly intelligent. Why don't you answer his
> question: Why pick on cryptography and not the other items in the
> list?
> Why not simply require that government respect the right of
> individuals to engage in private conversation? If someone commits a
> `crime' without using cryptography is there less harm to society than
> if they did use cryptography?

The use of cryptography makes it virtually impossible to know anything. If everyone used PGP to communicate. I mean everybody in the whole entire world. There would be no possible way to ever know what is going on. Okay. We could do that, but guess what. You might as well get your self your own arsenal of weapons because if you can't trust the govt. you're going to be only trusting yourself. IF that's what ya want, do it. But I want to live in a world where I can at least step outside and breathe in the fresh air..

> What is there about your proposal that might make anyone think that it
> wasn't completely ridiculous?
>
> Rick
>

From s009amf at discover.wright.edu Mon Nov 28 14:37:13 1994
From: s009amf at discover.wright.edu (Aron Freed)
Date: Mon, 28 Nov 94 14:37:13 PST
Subject: A possible solution
In-Reply-To:
Message-ID:

Ok. You all have basically defeated the stiffer fines issue.

The one issue remaining is do we want to live a life of anarchy. Do we want to live in total isolation? Do we want to be completely paranoid and be always looking over our shoulder? You tell me how we solve that problem. I for one do not want to touch "1984" territory, but I don't want to live in an anarchy either.

Aaron

From alex at omaha.com Mon Nov 28 15:30:02 1994
From: alex at omaha.com (Alex Strasheim)
Date: Mon, 28 Nov 94 15:30:02 PST
Subject: Transparent Email
In-Reply-To: <199411282226.QAA00093@omaha.omaha.com>
Message-ID: <199411282330.RAA00186@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

Ok, I should start off by saying I'm not sure I followed everything Eric said in his post, so this might not be a great answer to him.

My proposal isn't for an all inclusive, everything to all people, security system.
It certainly wouldn't preclude people from using other, stand alone systems, from using multiple sets of keys, or whatever else they wanted to do.

My posts were predicated on the assumption that transparent encryption and signatures are worthwhile and necessary. By "transparent encryption and signatures", I mean email systems that work and look pretty much like the programs we're using now -- elm and eudora, for example -- but which do crypto work automatically, behind the scenes.

I think we ought to be moving in that direction, for two reasons. The first is that most people -- including most of us -- aren't willing to do much work in order to sign and encrypt our email traffic. If there's any penalty at all in terms of convenience, most people probably won't use a secure system.

The second reason is that I believe it's only a matter of time until someone else institutes a transparent, reasonably secure email system. What would happen if Microsoft instituted a secure email system for their online customers, but took control over keys away from users?

I think that the result would be that everyone would embrace the new system, because it would be a gigantic improvement over the status quo. We would compare the new system to an idealized vision, in which everyone has total control over their keys, who they trust, and in which law enforcement officials can't retrieve secret keys at will from some central repository. But everyone else would compare the new system to what we have now: an email system which is vulnerable to forging, and which isn't secure enough to transmit credit card numbers.

I think that if we can't field an alternative, usable system, something that's practical and easy to use, we're going to lose by default.

I'm not under any delusion that what I've proposed is some kind of magic answer. I'm not a heavy hitter, in a technical sense, like Eric, Hal, Tim, and many of the others here are. But at the same time, I think there's some need for compromise.
We need a transparent system that can embrace people who aren't willing to put a lot of effort into security, but at the same time is able to accommodate people who want to take more trouble for the sake of their privacy.

> This whole area of key distribution has generated much confusion. A
> perfect world is described, and then everyone is assumed to
> participate in achieving this world. This approach of generality,
> however, is notably more complicated than a world where responsibility
> for security is partitioned, where each user does not have to worry
> about all the possible systemic security issues.

I understand this criticism. But if we abandon generality, I don't think we can achieve transparency. And as I said before, I think a transparent system is going to come out on top.

It's true that what I proposed is complicated, but a lot of the net is pretty complicated when you take off the lid. I think it could still be made usable.

> Proposition: You don't need to be responsible for making sure that the
> other person is being spoofed; that's their responsibility.
>
> A common situation where this proposition makes a significantly
> simpler system is exactly in the case described, where you and your
> email correspondents wish to exchange keys. Suppose, in addition,
> that you two met online and that your only channels of communication
> are electronic. The goal here is to create persistence of identity;
> identification with a physical body is not needed.

Actually, I wasn't trying to identify keys with physical bodies, but rather with email addresses. But the whole point of the system is that there is no need for the two correspondents to worry about exchanging keys: it all happens automatically. People who are doing unusual things, like creating nyms, would of course be free to take unusual actions.

> In the PGP case you start with your own key, which you trust, then
> look for a chain of signatures to the destination.
> This chain can be
> rather cumbersome to produce. It's overkill, as well, since all you
> really needed to know is that the key was not being translated on your
> own end. The PGP trust chain largely accomplishes that, true, but not
> as simply as possible.

I'm not sure I follow the last part of this.

> Alternatively, you save the first piece of email that you receive from
> your correspondent; it has a digital signature on it. Now _by
> whatever means_, you obtain a public key by which to verify that
> signatures on email you receive are the same. You yourself need to
> ensure that you aren't getting spoofed; you can do this by, say,
> having your correspondent send mail to two different locations, or by
> using a second channel to obtain the key by, or by using a PGP trust
> chain, if one is available.

Again, I go back to my goal (which wasn't stated clearly enough in my original posts, to be sure) of transparency, and of trying to get the bulk of day to day email encrypted.

> The original model for public key communications seems to have been
> one channel with an interposer. The real world is much more
> complicated than that. One can obtain good protection, at least as
> good as a trust chain, by crossing organizational boundaries. The
> argument that trust chains are better because they are cryptographic
> carries no weight; the decision at each link to make a signature is of
> social, not cryptographic, character.

I agree with this 100%. This is part of what I was trying to accommodate. On the low end, we have a default web of trust, which is sort of crummy because it's not terribly difficult to spoof. Cryptographically, it's very sound, but socially, it's quite weak.

But my goal was to meet this criticism by making the system open to other webs, and to place as few restrictions as possible on people who want to create and use alternative webs.
Those alternative webs could tie email addresses and keys to physical persons, or to nyms, or to anything else they wanted. They could be as rigid or as lax as they pleased. And we as users could decide which webs we were willing to trust.

> In particular, the design of PGP that ties key management inextricably
> to encryption is bad and will contribute to an inflexibility that will
> eventually sink PGP if it is not corrected.

Could you elaborate on this?

> Perhaps we would have
> a default web, which would have everyone's key in it.
>
> This is a really bad idea. Some "public" keys should not be made
> public, but rather revealed only to the correspondent. Forward
> secrecy is the reason. If the public key has never been in the
> possession of an opponent, and assuming the results of the public key
> operation yield little or no information about the modulus, then when
> the keys are changed and destroyed, no amount of factoring can find
> the private key because the public key isn't around to factor.

You could still do this. I did not phrase this well, and I can see where your concern comes from. I have a few nyms, and I don't publish all of my public keys. I didn't mean to imply that all public keys ought to be on the default web. I meant that you ought to be able to get *a* public key for an arbitrary address from the default web.

I have used a couple of nyms over the past couple of years, and I haven't published those public keys or tried to associate them with my email addresses. That would be, as you pointed out, a bad idea.

But at the same time, I have a public key for my address here, alex at omaha.com, that I want to publish as widely as possible. Right now, it's available via finger at astrashe at nyx.cs.du.edu. The system I proposed is just an elaborate (probably too elaborate) substitution for getting the key via finger, with the intention of making transparent secure mail possible.
Basically, it comes down to this: in a transparent system, if you want to mail me, somehow your mailer will have to get a copy of my key without your doing anything about it. More importantly, your mailer will have to decide if it should trust the key it retrieves without asking you. Otherwise, it wouldn't be transparent.

The problem is: how do we let the machine make this decision on its own, without imposing a single web of trust on users? That's what I'm trying to get at.

> Eric
>

Thanks for the thoughtful response, I appreciate it.

== Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1. public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtpn7xEpP7+baaPtAQHoIgP/SmOcR2a8PXEwHdF5ROfTmQ2GVxg0ZhlY
LYvUKFB+phV7RZAjlP3OCpEjchxTpzaiJFgM4+wtKulrD0ZdGfyF6iGM+K8OTAql
lWMfJ25/AvfTlqfBlZ0TAX4hkEWF5r3D65TpncgR7VOF8XErmFPPEvVCvZhx6Rd/
koZmgdTIoXg=
=vJqj
-----END PGP SIGNATURE-----

From mccoy at io.com Mon Nov 28 15:42:42 1994
From: mccoy at io.com (Jim McCoy)
Date: Mon, 28 Nov 94 15:42:42 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <199411282342.RAA19093@pentagon.io.com>

> From: Aron Freed
> On Sun, 27 Nov 1994, Rick Busdiecker wrote:
> > [...] If someone commits a
> > `crime' without using cryptography is there less harm to society than
> > if they did use cryptography?
>
> The use of cryptography makes it virtually impossible to know anything.

Bullshit. Advances in technology are making many things easier to do. In addition to making it harder to tap into an arbitrary data communication that is encrypted it has made actually monitoring a specific individual much easier. Bugs are getting much better and much more sophisticated. It is almost at the point where Joe Citizen-Unit can walk into a "Spy Shop (tm)" and pick out a set of gear that will allow him to monitor his friends, enemies, and lovers without fear of detection. Bugs, and cameras are getting smaller, better, and cheaper.
The ability of the state to monitor those it suspects of breaking laws is in no danger, and anyone who tells you that encryption is a legitimate threat to law enforcement is either ignorant or a liar.

What it does prevent is "fishing expeditions"; it prevents someone from just going out and listening in on thousands of conversations in the hopes of catching a criminal or two. It places the burden of proof upon the prosecutors when it comes to gathering evidence, an American value that is older than our current government.

> [...] You might as well get your
> self your own arsenal of weapons because if you can't trust the govt.
> you're going to be only trusting yourself. IF that's what ya want, do it.
> But I want to live in a world where I can at least step outside and
> breathe in the fresh air..

At least you can at the moment. Who knows what may happen. One interesting thing about governments is that they do not last as long as societies do and struggle to their last gasp to prevent their own decay (societies in the cultural-identity/shared-values/common location sense of the word.) In 1917 a wacky Austrian corporal was just another cog in the great machine of the germanic society, in less than twenty years he molded a state that is closer to Orwell's vision than just about any we have ever seen. Twenty years ago an American president could subvert chunks of the national security apparatus in the interests of maintaining his hold on power (and he is remarkable for being the only one that has been caught, IMHO...)

I trust the people I work with and live with far more than I do any government agency. The U.S. federal government, for example, has become so isolated from the reality of its own citizens that if you trust it as much as you seem to then one day it is quite possible that you will wake up to a very rude surprise.

Please stand in line over there with the rest of the sheep...
jim

From m5 at vail.tivoli.com Mon Nov 28 15:49:04 1994
From: m5 at vail.tivoli.com (Mike McNally)
Date: Mon, 28 Nov 94 15:49:04 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <9411282348.AA02164@vail.tivoli.com>

Aron Freed writes:
> The one issue remaining is do we want to live a life of anarchy. Do we
> want to live in total isolation? Do we want to be completely paranoid and
> be always looking over our shoulder?

Are you trying to say that the current ability of law enforcement to access telephone conversations and e-mail is the only thing protecting you from a life of paranoid terror?

Have you investigated the cypherwonks list?

| GOOD TIME FOR MOVIE - GOING ||| Mike McNally |
| TAKE TWA TO CAIRO. ||| Tivoli Systems, Austin, TX: |
| (actual fortune cookie) ||| "Like A Little Bit of Semi-Heaven" |

From jrochkin at cs.oberlin.edu Mon Nov 28 15:52:30 1994
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Mon, 28 Nov 94 15:52:30 PST
Subject: A possible solution
Message-ID:

At 5:35 PM 11/28/94, Aron Freed wrote:
>Ok. You all have basically defeated the stiffer fines issue.
>
>The one issue remaining is do we want to live a life of anarchy.

That depends on what you mean by "anarchy." I'm sure there are a few anarchists on the list, but they probably don't mean the same thing as you do by "anarchy".

> Do we
>want to live in total isolation? Do we want to be completely paranoid and
>be always looking over our shoulder?

Many of us already are. Except the kind of rules you are describing would increase our paranoia, not lessen it. The people we're already looking over our shoulder for are the people who would be enforcing the rules you are proposing.

>You tell me how we solve that
>problem.

I still don't understand what "that problem" is. How does the existence of cryptography (which is of course what started this discussion.
fittingly, since we're on cypherpunks here) make anyone live in total isolation, or be completely paranoid, or be always looking over his shoulder? I don't understand how strong cryptography does any of those things. What exactly is this "problem" that you see, and how is it related to cryptography?

>I for one do not want to touch "1984" territory, but I don't
>want to live in an anarchy either.

About half the people I talk to think we're already "touching" _1984_ territory, and about the other half think we're already living in an "anarchy", so apparently it's in the eye of the beholder. They mean "anarchy" in a negative sense of course, the same as you. I wouldn't mind living in an anarchy if it's the kind Mikhail Bakunin or Emma Goldman or Alexander Berkman or Petr Kropotkin advocated. You might pick up a book by any of those authors at your local public library, you might be surprised.

From alex at omaha.com Mon Nov 28 16:18:36 1994
From: alex at omaha.com (Alex Strasheim)
Date: Mon, 28 Nov 94 16:18:36 PST
Subject: A possible solution
In-Reply-To: <199411290012.SAA00297@omaha.omaha.com>
Message-ID: <199411290019.SAA00317@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

> The use of cryptography makes it virtually impossible to know anything.
> If everyone used PGP to communicate. I mean everybody in the whole
> entire world. There would be no possible way to ever know what is going
> on.

What about signatures? You know (or at least you could) that I wrote this note, thanks to PGP. Crypto doesn't just hide things, it can establish indelible trails as well.

In this particular instance, PGP has added to what you know, because the signature has added information to the post.

Crypto isn't just about secrecy: it gives us a set of tools that allow us to have a great deal of control over how much of a trace our actions will leave, and who is able to see that trace.

== Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1.
public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtpzdxEpP7+baaPtAQEL2gP/afzRoPmDWYKWdOl7u4O4qDgB8QiQjzla
RrKShPfmXK0U06eU5Wran1VYKYOaGkoRhQbZQXQ8T33sbFNHWKYPcDcYpXT6kkqu
dT/AHcp/wuCYp0oeb65qYhuiemus0cFPWzfPujOkwKnm8r57lz9S8YVeSMHQzWrv
glLORANPoO0=
=r1q5
-----END PGP SIGNATURE-----

From jgrubs at voxbox.norden1.com Mon Nov 28 17:04:33 1994
From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT)
Date: Mon, 28 Nov 94 17:04:33 PST
Subject: Forwarded message from comp.internet.nethappenings
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Path: voxbox!hypnos!malgudi.oar.net!caen!zip.eecs.umich.edu!newsxfer.itd.umich.edu!gatech!howland.reston.ans.net!usc!news.cerf.net!noc.cerf.net!news-mail-gateway
From: sackman at plains.nodak.edu (Gleason Sackman)
Newsgroups: comp.internet.net-happenings
Subject: WWW> Digitale Burgerbeweging Nederland DB.NL (fwd)
Message-ID:
Date: 28 Nov 1994 06:57:26 -0800
Sender: daemon at CERF.NET
Distribution: world
Organization: CERFnet
Lines: 34
Approved: usenet at noc.cerf.net
NNTP-Posting-Host: noc.cerf.net

- ---------- Forwarded message ----------
SENDER: mwharing at cs.vu.nl (Haring MWA)
Subject: ORG> Announce: Digitale Burgerbeweging Nederland DB.NL
Date: Wed, 23 Nov 1994 19:38:20 GMT

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Digitale Burgerbeweging Nederland
..sticking up for the interests of digital citizens...

On Saturday 15 October the Dutch db.nl (digitale burgerbeweging nederland) organization was founded in Amsterdam. Some of our items are:

o digital democracy, citizens' rights such as freedom of speech, protection of privacy and involvement in policy making.
o socially valuable applications of information and communication technology
o an accessible and user friendly digital public network

The organization was founded in reaction to government plans to ban cryptography, and regulation which would forbid public libraries to lend electronic information.
For more information you can check out our web-pages.

WWW: http://www.xs4all.nl/~db.nl
fax: +31 20 6239761
phone: +31 20 6200174
e-mail: db.nl at xs4all.nl
snail-mail: P.O. Box 18624 1001 WD Amsterdam

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLto+5t74r4kaz3mVAQHM9AP+KVFGtjrTPAC3ep8xbbxUM3+woy9i+43l
9ZZTNXVXHjUoymlvpCpooJnP/qp4+KKIuZIjqz7clhCJpU/hH3K8Yd1ROTyVyT50
ou8CUXod4j0vYq2O1HL7nZnkV6PVqGDcDtlfE1nOVtWyYjuoy3nk1+QST3mXNny3
LgL/wDP3ezo=
=s1H2
-----END PGP SIGNATURE-----

... "The greatest dangers to liberty lurk in the insidious encroachment of men of zeal, well meaning but without understanding." - Justice Louis Brandeis

--
jgrubs at voxbox.norden1.com (James C. Grubs, W8GRT)
Voxbox Enterprises, 6817 Maplewood Ave., Sylvania, Ohio 43560-1956
Tel.: 419/882-2697

From nobody at jpunix.com Mon Nov 28 17:08:09 1994
From: nobody at jpunix.com (Anonymous)
Date: Mon, 28 Nov 94 17:08:09 PST
Subject: Cash
Message-ID: <199411290107.TAA17362@jpunix.com>

>On Fri, 18 Nov 1994 wcs at anchor.ho.att.com wrote:
>
>> Hasn't really provided it for quite a while, as long as there's an
>> infrastructure to track serial numbers (you've presumably noticed that
>> each bill a unique serial number, except for counterfeits and maybe
>> printing glitches.)
>
>And every bill that passes through my hands (of course not the ones I
>handle at work, I'm talking personal here...) gets the serial #
>overwritten in heavy black marker.
>
>Happy Hunting, -Chris.

I went to a GSA auction and picked up 3 very nice U.S. Gubment surplus paper shredders. They shred into very fine particulate that makes great fire starting material for the fireplace. I run everything with my name, address, etc., thru it so that *none* of my trash is identifiable. How's that for paranoid :>

From eb at comsec.com Mon Nov 28 17:13:37 1994
From: eb at comsec.com (Eric Blossom)
Date: Mon, 28 Nov 94 17:13:37 PST
Subject: MIME meme continues...
New internet drafts
Message-ID: <199411290021.QAA04991@comsec.com>

[ Perry, hit "delete" now... ]

Here are a couple of more internet drafts relevant to secure email.

ftp://ds.internic.net/internet-drafts/

Title : Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted
Author(s) : J. Galvin, S. Murphy, S. Crocker, N. Freed
Filename : draft-ietf-pem-sigenc-02.txt
Pages : 10
Date : 11/23/1994

This document defines two new content types for specifying the application of security services to MIME message bodies. MIME, an acronym for "Multipurpose Internet Mail Extensions", defines the format of the contents of Internet mail messages and provides for multi-part textual and non-textual message bodies. The new content types are subtypes of multipart: signed and encrypted. Each will contain two body parts: one for the protected data and one for the control information necessary to remove the protection. The type and contents of the control information body parts are determined by the value of the protocol parameter of the enclosing multipart/signed or multipart/encrypted content type, which is required to be present.

Title : PEM Security Services and MIME
Author(s) : S. Crocker, N. Freed, J. Galvin, S. Murphy
Filename : draft-ietf-pem-mime-07.txt
Pages : 34
Date : 11/23/1994

This document specifies how the services of MIME and PEM can be used in a complementary fashion. MIME, an acronym for "Multipurpose Internet Mail Extensions", defines the format of the contents of Internet mail messages and provides for multi-part textual and non-textual message bodies. PEM, an acronym for "Privacy Enhanced Mail", provides message authentication/integrity and message encryption services for Internet mail messages.

From merriman at metronet.com Mon Nov 28 18:42:04 1994
From: merriman at metronet.com (David K.
Merriman)
Date: Mon, 28 Nov 94 18:42:04 PST
Subject: Cash
Message-ID: <199411290242.AA13364@metronet.com>

>>On Fri, 18 Nov 1994 wcs at anchor.ho.att.com wrote:
>>
>>> Hasn't really provided it for quite a while, as long as there's an
>>> infrastructure to track serial numbers (you've presumably noticed that
>>> each bill a unique serial number, except for counterfeits and maybe
>>> printing glitches.)
>>
>>And every bill that passes through my hands (of course not the ones I
>>handle at work, I'm talking personal here...) gets the serial #
>>overwritten in heavy black marker.
>>
>>Happy Hunting, -Chris.
>
>I went to a GSA auction and picked up 3 very nice U.S. Gubment surplus
>paper shredders. They shred into very fine particulate that makes great
>fire starting material for the fireplace.
>I run everything with my name, address, etc., thru it so that *none* of
>my trash is identifiable.
>How's that for paranoid :>
>

How much would you want for one of them, assuming there's one for sale?

Dave "Getting more paranoid by the minute, sometimes" Merriman

- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at feenix.metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome, encouraged, and preferred.
"Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy

From tcmay at netcom.com Mon Nov 28 18:48:35 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Mon, 28 Nov 94 18:48:35 PST
Subject: A possible solution
In-Reply-To:
Message-ID: <199411290245.SAA14361@netcom6.netcom.com>

Jonathan Rochkind wrote:

> At 5:35 PM 11/28/94, Aron Freed wrote:
> >Ok. You all have basically defeated the stiffer fines issue.
> >
> >The one issue remaining is do we want to live a life of anarchy.
>
> That depends on what you mean by "anarchy." I'm sure there are a few
> anarchists on the list, but they probably don't mean the same thing as you
> do by "anarchy".
Indeed, different things are meant by the overloaded term "anarchy." Three fairly different meanings are in common use:

1. Anarchy(1) -- Chaos, lawlessness, people killing each other at will, law of the jungle, mother rapers, father rapers, and other "anarchic" things. This is the "popular" notion of anarchy, associated with bomb-throwers, nihilism, terrorism, and disorder. (Never mind that most terrorists work for political causes, and that most nihilists are too deeply into their coffee house discussions to do anything.)

2. Anarchy(2) -- "Whoever denies authority and fights against it is an anarchist." (S. Faure) Social change through communal self-ordering, etc. (I'm not an expert in Anarchy(2), and I for sure don't have the rhetoric down!) Often associated with left-leaning views. Also linked to "anarcho-syndicalism." George Woodcock's "Anarchism" is a good introduction.

3. Anarchy(3) -- Anarcho-capitalism. (Not to be confused with the arachno-capitalism of the Web, or the narco-capitalism of the CIA.) The free-market, libertarian approach of people choosing who they will trade labor, goods, or money with. David Friedman's "The Machinery of Freedom" is a good place to look.

Most anarchy(3) supporters would argue that anarchy(2) implies anarchy(3), that some people will have more wealth than others for "normal" reasons (greater talent, harder working, willingness to be bond trader instead of crystal healer, etc.). I lack the will to make the arguments here. Robert Nozick's "Anarchy, the State, and Utopia" is a thoughtful argument in favor of Anarchy(2) leading inevitably to Anarchy(3).

Anarchy(1)--people killing each other at will--is of course what America and many other countries have as the default. Conclusions are left for another time.

The links to crypto are very clear:

strong crypto ---> anarchy(3)

Which is what I call "crypto anarchy." Lots of discussion of this in my Cyphernomicon FAQ.
--Tim May

--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From xpat at vm1.spcs.umn.edu Mon Nov 28 18:57:36 1994
From: xpat at vm1.spcs.umn.edu (xpat at vm1.spcs.umn.edu)
Date: Mon, 28 Nov 94 18:57:36 PST
Subject: Secure EDI over Internet
Message-ID: <9411290257.AA14372@toad.com>

Summarized from PC Week, Nov 28th, page 44:

-begin-

Premenos Corp now testing product to foster Electronic Data Interchange transactions over the Internet. Technology licensed from RSA Data Security Inc provide the security features, encryption, authentication, and guaranteed message delivery.

Carl Redfield, VP of manufacturing for Cisco Systems Inc, was quoted as saying, "Security is the most important factor to us, as it is now, anyone could intercept messages off the Internet." Cisco is involved in testing the new product.

The Premenos suite will be available first quarter 95. Pricing not set.

These phone numbers were given for more info:

Premenos (800) 426-3836
Cisco (800) 553-6387

-end-

regards,
-pd-

From wcs at anchor.ho.att.com Mon Nov 28 19:12:13 1994
From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Mon, 28 Nov 94 19:12:13 PST
Subject: How to disable telnet to port 25
Message-ID: <9411282038.AA00652@anchor.ho.att.com>

> The Al Capone of the Info Highway says:
> > A while back, there was a discussion about how to fake a from
> > address by telneting into port 25 in a site.
Many people discussed > > the pro's and cons, but I wanted to know if anybody knows of a way > > to stop people from getting in there to send the message in the > > first place. > Sure. Turn off mail to your site. You don't have to go quite that far (almost, but not quite :-) You can do things like only accept your incoming mail via uucp, which has a whole different set of holes and limitations, but which is supported by a number of the major network suppliers. If you're on dialup access anyway, uucp is fine. If you've got a real IP feed, uucp-over-tcp has slightly more authentication than smtp, and can turn off anonymous access, but that basically means you're transferring your trust to your MX forwarder's security system, which presumably still speaks port 25. Bill From ecf at tenet.edu Mon Nov 28 19:24:33 1994 From: ecf at tenet.edu (Ferguson) Date: Mon, 28 Nov 94 19:24:33 PST Subject: School Admins Message-ID: (My apologies for losing the article to which this is relevant) This is in regards to compiling PGP, and distributing it to those of us who are on restricted systems. My provider, the state government does not allow me (or anyone else) to use cc. The platform is DEC Alpha OSF/1, and if anyone has access to a compiler and would be willing to put the binaries for PGP(preferably 2.6.2, but I'll take what I can get :) and/or gcc up for ftp somewhere, I would be very grateful. Brad From jya at pipeline.com Mon Nov 28 19:37:41 1994 From: jya at pipeline.com (John Young) Date: Mon, 28 Nov 94 19:37:41 PST Subject: UN_nab (Re: an96489) Message-ID: <199411290337.WAA04033@pipe2.pipeline.com> Responding to msg by an96489 at anon.penet.fi () on Tue, 29 Nov 1:8 AM >Due to the double-blind, any mail >replies to this message will be anonymized, and an >anonymous id will be allocated automatically. You have >been warned. Dear an96489, Penet.fi warning jams lob of UN_nab. Kiss twice wid nice nym-id. 
From ianf at sydney.sgi.com Mon Nov 28 19:57:52 1994 From: ianf at sydney.sgi.com (Ian Farquhar) Date: Mon, 28 Nov 94 19:57:52 PST Subject: Need program pointers In-Reply-To: Message-ID: <9411291442.ZM4252@wiley.sydney.sgi.com> On Nov 28, 6:51pm, Mats Bergstrom wrote: > A simple easy-to-get file over-writer (around 5 times if I > remember correctly) for DOS is tbdel.com, part of the TBAV > (ThunderByte Anti Virus) SW package. What worries me about most of these PC "DoD" file erasers is that I am reliably informed that on at least one occasion, 11 generations of data have been recovered from a generic SCSI hard disk. It was a very unusual circumstance (suspicion of data leakage from a very high security site), but I find it difficult to take 5-pass programs very seriously. Ian. From jcorgan at netcom.com Mon Nov 28 20:10:54 1994 From: jcorgan at netcom.com (Johnathan Corgan) Date: Mon, 28 Nov 94 20:10:54 PST Subject: We really _aren't_ paranoid :) Message-ID: Just in case anyone didn't catch this in the newsgroups: From: dcd at se.houston.geoquest.slb.com (Dan Day) Newsgroups: talk.politics.crypto,alt.privacy,alt.security.pgp Subject: Re: Mandatory Key Escrow: Goodnight! Date: 28 Nov 1994 19:02:31 GMT Organization: GeoQuest System, Inc. Houston Lines: 29 Message-ID: <3bd9g7$1fc at sndsu1.sinet.slb.com> In article <3b655b$rne at eis.calstate.edu> jomcgow at eis.calstate.edu (John S. McGow an) writes: > >It is frightening how the power to regulate "interstate commerce" has >been used as a justification for the constitutional authority of the >federal government to intercede in so many things. The good news is a few justices still seem to have their heads on straight: Item from AP: It seems that in urging the Supreme Court to reinstate a federal-level ban on firearms within 1000 feet of schools (the 1990 Gun-Free School Zones Act), the Clinton administration argues that the national economy is adversely affected by gun-related violence at schools. 
Therefore, the reasoning continues, Congress was authorized to institute the ban under (you guessed it) the Interstate Commerce clause of the Constitution.

Said Solicitor General Drew S Day III, "This is not about just regulating guns. Congress is concerned with this impact on the national economy."

Asked Justice Ruth Bader Ginsburg, "Is there any violent crime that doesn't affect interstate commerce under your rationale?"

Ginsburg later asked Days to cite an example of a law which Congress would NOT have the authority to enact under the Interstate Commerce Clause.

Interjected Justice Scalia, "Don't give away anything here. They might want to do it."

--
-----------------------------------------------------------------------
Johnathan Corgan "Violence is the last refuge of the incompetent"
jcorgan at netcom.com -Isaac Asimov
PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or send email to: pgp-public-keys at pgp.ai.mit.edu Subj: GET jcorgan
-----------------------------------------------------------------------

From msanders at ataxia.res.wpi.edu Mon Nov 28 20:17:52 1994
From: msanders at ataxia.res.wpi.edu (Michael K. Sanders)
Date: Mon, 28 Nov 94 20:17:52 PST
Subject: School Admins
In-Reply-To:
Message-ID: <199411290424.XAA14077@ataxia.res.wpi.edu>

Once upon a time, Ferguson might have said:
>
>My provider, the state government does not allow me (or anyone
>else) to use cc. The platform is DEC Alpha OSF/1, and if anyone has
>access to a compiler and would be willing to put the binaries for
>PGP(preferably 2.6.2, but I'll take what I can get :) and/or gcc up for
>ftp somewhere, I would be very grateful.

PGP 2.6.2 compiled quite painlessly for OSF, so until someone wants to move it, you can find it at:

ftp://ataxia.res.wpi.edu/pub/pgp2.6.2-dec-alpha-osf-bin.tar.gz

Included is the pgp binary, and all the doc/config files (I hope). Let me know if I left something out. Enjoy! *8-)

Mike

--
Michael K.
Sanders -- msanders at ataxia.res.wpi.edu
ataxia: NetBSD/Amiga 1.0 - Creating Chaos out of Anarchy for a Better Tomorrow
Ataxia Home Page

From CCGARY at MIZZOU1.missouri.edu Mon Nov 28 20:29:35 1994
From: CCGARY at MIZZOU1.missouri.edu (Gary Jeffers)
Date: Mon, 28 Nov 94 20:29:35 PST
Subject: Privacy Digest - the future
Message-ID: <9411290429.AA15396@toad.com>

THE FOLLOWING IS FOR INFORMATIONAL VALUE ONLY & DOES NOT ADVOCATE THE BREAKING OF ANY LAWS.

Dear Cypherpunks,

Well, I think enough damage control has been done with my original Privacy Digest post. Now to pick through the ashes & see if I can come up with anything of value.

The ideas & services presented in the Privacy Digest advertisement are still very good. I think that bright segments of the upper classes commonly do have access to these services. The trick would be to bring these services to the class masses. I think that it would have been hard to do this in the times before the great amount of electronic privacy software & infrastructure that have been built up. Now that we have the tech. investment, I think that International financial transactions could be privately done for the people.

What we need mostly are lawyers & financial experts that are willing to deal with the middle classes & who are aware of & want to deal with Cypherpunk technology. That would probably mean two or more people. One would be the international law/money expert. The other would be the communications expert.

Do we have a shortage of lawyers who want to live & work in tax haven vacation spots & get rich? If our Cypherpunk lawyers are afraid of wrecking their reputations with States, then maybe they could get "little" lawyers to do the front work for them. We seem to be up to our asses here in the U.S. with lawyers & I hear they are starting to have a hard time making careers. However, there is a huge market for lawyers financial experts that is unoccupied in the masses money privacy area.
As to the Cypherpunk tech.s, I think that for a good salary, they could be convinced to go to a vacation spot & do what they really want to do anyway. They would, of course, own a portion of the Corporation so that a successful venture would mean a secure future.

It really needs one model experiment to open it up. After that, other groups could model themselves on the first & we would wind up with a giant private economy. - a true free market!

I would suggest that the team just start out with a couple of services. I would suggest check & money order cashing & funds transmitting service & possibly an e$ clearinghouse. Once these activities were successful, then other services could be added on.

When this business starts making good money, then they could afford to pay Cypherpunk programmers for their work. They could also afford to pay remailers for stable services. This would, of course, snowball. More money means better privacy software & better privacy software means a safer & more committed private money business & thus more money for more & better privacy software & privacy infrastructure.

So far, Cypherpunks & associates have been like "all dressed up & no place to go". That is, we have a lot of good software & systems & hardly anyone making good use of it. An offshore, money privacy business for the general public that wanted Cypherpunk tech. would have use for most of it & a demand for more of it.

It is my view, that what is most needed now, is a model offshore private money services company which uses Cypherpunk tech. & actually makes money. With that as a nucleus, the TRULY private economy would skyrocket & the Cypherpunk dream would be realized.
Yours Truly, Gary Jeffers From eric at remailer.net Mon Nov 28 20:55:57 1994 From: eric at remailer.net (Eric Hughes) Date: Mon, 28 Nov 94 20:55:57 PST Subject: Transparent Email In-Reply-To: <199411282330.RAA00186@omaha.omaha.com> Message-ID: <199411290554.VAA02536@largo.remailer.net> Ok, I should start off by saying I'm not sure I followed everything Eric said in his post, so this might not be a great answer to him. Well, I didn't address everything in your post, either. Does that make us even? My posts were predicated on the assumption that transparent encryption and signatures are worthwhile and necessary. Well, yes, I certainly agree. My point about key distribution, partly, that you don't need to solve it before you get a basic system. Separation of key distribution and encryption allows you to implement the encryption seamlessly and do the key management by hand. Since use of keys is more frequent than distribution, you can make a big win by getting the encryption working right first. I think we ought to be moving in that direction, for two reasons. The first is that most people -- including most of us -- aren't willing to do much work in order to sign and encrypt our email traffic. I am still considering the "sign-or-delay" proposal for the toad.com server, that is, sign your articles to the list or they'll be delayed and eventually rejected. > This approach of generality, > however, is notably more complicated than a world where responsibility > for security is partitioned, where each user does not have to worry > about all the possible systemic security issues. I understand this criticism. But if we abandon generality, I don't think we can achieve transparency. The generality I was referring to was non-locality, where decisions taken remotely by other persons must be considered by the user. The analogy in programming languages is scoping, i.e. global vs. local variables. 
But the whole point of the system is that there is no need for the two correspondents to worry about exchanging keys: it all happens automatically.

I think this is exactly the wrong approach if you want rapid deployment. Case in point--PEM. The PEM folks had basic encryption down pretty quickly and then spent years (like two or three times as many) figuring out key distribution. And the key distribution mechanism they came up with has political problems and very few people use it. Had PEM released an initial RFC with just encryption etc. in it when they were done with it, we'd all be using PEM today. We aren't.

PGP is used more than PEM because its key distribution system allowed you to use uncertified keys. PGP isn't used much because it integrates so poorly with other software. PGP insists upon doing every goddamn thing it knows how to do whenever you invoke it. I tell PGP to process a message, not to decrypt it.

How to do encryption and decryption is mechanism. How I decide what keys I trust is policy. Separation of mechanism and policy is a good thing. (Good defaults for policy also help.)

A package which has this right--swIPe. The initial swipe code works, and all it does is encryption. Right now you have to do key management manually. That's OK, because that can be another subsystem.

On the low end, we have a default web of trust, which is sort of crummy because it's not terribly difficult to spoof. But my goal was to meet this criticism by making the system open to other webs, and to place as few restrictions as possible on people who want to create and use alternative webs.

My point is that you don't need webs at all. They have their uses, to be sure, but they aren't the last word in key distribution that they're often made out to be. Bilateral distribution of keys for electronic-only communication can work out just fine, providing enough different communications channels are available.
There was a post I made last year about the email provider signing keys which is relevant here. (If someone could repost it, ...)

I didn't mean to imply that all public keys ought to be on the default web. I meant that you ought to be able to get *a* public key for an arbitrary address from the default web.

The publication of a key, however, reveals the _existence_ of that arbitrary address. On the other hand, if that address sends a message, then the public key should be available to those who see it. For Usenet participation, for example, a default key repository is useful and does not affect forward secrecy, which has already been compromised by posting a public message with signature.

Basically, it comes down to this: in a transparent system, if you want to mail me, somehow your mailer will have to get a copy of my key without your doing anything about it.

That's a good final goal, but I really think it ought not to be included in the first subgoal. There are substantial problems with achieving both transparent key access from a single mailer and assurance against that mailer being spoofed. All such solutions seem to require global, non-partitionable information, making the problem difficult, not insurmountable. If, though, the mailer runs on trusted hardware and has multiple links to the outside world, automated solutions seem possible.

The problem is: how do we let the machine make this decision on its own, without imposing a single web of trust on users?

In my ideal view, keys should be certified by the communications providers. Since the comm providers are necessarily involved with interposition attacks (it's their equipment, after all), participation by them seems desirable and, in some sense, minimal.

Let us again restrict the problem to mappings between email addresses and keys. This restriction, as noted, covers a huge percentage of real interaction.
The provider of email services has agreed to send messages that are addressed to X to X's mailbox, without alteration. If you get the provider to sign X's key and transmit it to the world, then X, via another channel, can get a copy of that signed key and verify that the provider is not interposing.

Likewise, the internet provider agrees to deliver mail addressed to users at site Y to Y's mail daemon. Y has the same interest in spoofing vis-a-vis the internet provider as X does vis-a-vis Y. The argument is recursive, and bottoms out at the other end of the communication link.

Clearly, an exhaustive analysis of internet protocols in terms of these explicit promises and obligations would be enormous. It would also be a firm foundation for secure communications. Nevertheless, its benefits might be approximated by creating provider keys and site-signing keys.

Eric

From khijol!erc Mon Nov 28 22:08:53 1994
From: khijol!erc (Ed Carp [Sysadmin])
Date: Mon, 28 Nov 94 22:08:53 PST
Subject: Need program pointers
In-Reply-To: <9411291442.ZM4252@wiley.sydney.sgi.com>
Message-ID:

> On Nov 28, 6:51pm, Mats Bergstrom wrote:
> > A simple easy-to-get file over-writer (around 5 times if I
> > remember correctly) for DOS is tbdel.com, part of the TBAV
> > (ThunderByte Anti Virus) SW package.
>
> What worries me about most of these PC "DoD" file erasers is that
> I am reliably informed that on at least one occasion, 11 generations
> of data have been recovered from a generic SCSI hard disk. It was
> a very unusual circumstance (suspicion of data leakage from a very
> high security site), but I find it difficult to take 5-pass programs
> very seriously.

The NSA has done the same thing with a tunneling electron microscope. That was a published report, too...

--
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi
** PGP encrypted email preferred!
**
"What's the use of distant travel if only to discover - you're homeless in your heart." --Basia, "Yearning"

From shamrock at netcom.com Mon Nov 28 22:29:02 1994
From: shamrock at netcom.com (Lucky Green)
Date: Mon, 28 Nov 94 22:29:02 PST
Subject: Transparent Email
Message-ID: <199411290628.WAA22841@netcom13.netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

Eric wrote:
>I am still considering the "sign-or-delay" proposal for the toad.com
>server, that is, sign your articles to the list or they'll be delayed
>and eventually rejected.

Do it. Either it will work or it will kill the list. If it works, great. If it kills the list, we would have failed in our mission anyway.

- --Lucky

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui

iQCVAgUBLtrCYASQkem38rwFAQHTFgP/VrP8GACjMT4amw7Ws1+VP0HftgZUtCGW
+xP59b4FDVUuZH/KH0Q0t9eGYyHBqYlhkr3M4eU/149+Q6Jz7u/juOXx5W638UKB
Ujz4Mf4MnBHaEU5/famKmFTD/n+dGS2Gzds121SLnW3rmVU2rPcPYBRkvYAQQZ+f
Q//TPjhoj5Y=
=3+9F
-----END PGP SIGNATURE-----

From werewolf at io.org Mon Nov 28 22:50:50 1994
From: werewolf at io.org (Mark Terka)
Date: Mon, 28 Nov 94 22:50:50 PST
Subject: Transparent Email
In-Reply-To: <199411290628.WAA22841@netcom13.netcom.com>
Message-ID:

On Mon, 28 Nov 1994, Lucky Green wrote:

> Eric wrote:
> >I am still considering the "sign-or-delay" proposal for the toad.com
> >server, that is, sign your articles to the list or they'll be delayed
> >and eventually rejected.
>
> Do it. Either it will work or it will kill the list. If it works, great. If
> it kills the list, we would have failed in our mission anyway.

I second the motion.
--------------------------------------------------------------------------
Mark Terka     | werewolf at io.org             | public key (werewolf) by
Toronto,Canada | dg507 at cleveland.freenet.edu | public key server or request
---------------------------------------------------------------------------

From lcottrell at popmail.ucsd.edu Mon Nov 28 23:21:29 1994
From: lcottrell at popmail.ucsd.edu (Lance Cottrell)
Date: Mon, 28 Nov 94 23:21:29 PST
Subject: To: Pr0duct Cypher Re. PGPTools and Mixmaster
Message-ID: <199411290721.XAA03730@ucsd.edu>

-----BEGIN PGP SIGNED MESSAGE-----

I am using PGPTools to handle all the crypto functions in the second generation remailer that I have written. All the copies of PGPTools that I have found seem to be set up to compile on SUN workstations only. Mixmaster is both a remailer and a front end, and therefore must run on many different platforms. I have been able to compile PGPTools on Linux and FreeBSD, but PGPTools produces invalid RSA blocks.

If you (or anyone else reading this) have ported PGPTools to other platforms could you send me the source and makefile, or point me to them. If not, could you help me do it, the source code is a tangle, and it will take me a long time to do on my own (I am a brute force programmer, not a C wizard).

Many thanks
Lance Cottrell

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLtrWYVVkk3dax7hlAQElaQP9EZawmQ/sBXg4h7aUsrFAOK/W62m4Ie+r
oS61kT7Lu6YqoC4lElwYomaU5ofyDaGDVdlph9J1a9rurqCXxYtLfAAuQFEAznSl
2LEEupWm36vM5TYr0GGXaq2Q1LN04Bsc7TI1Q7kkqa97U0ixvi8HfoRjchvqXW4F
i4R0RK0xP48=
=fYrB
-----END PGP SIGNATURE-----

--
Lance Cottrell http://nately.ucsd.edu/~loki/
Home of the remailer chaining script "chain".
PGP 2.6 key available by finger or server.
"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche

From tcmay at netcom.com Mon Nov 28 23:37:46 1994
From: tcmay at netcom.com (Timothy C.
May)
Date: Mon, 28 Nov 94 23:37:46 PST
Subject: "You aren't following the _rules_!"
In-Reply-To: <199411290628.WAA22841@netcom13.netcom.com>
Message-ID: <199411290736.XAA17767@netcom6.netcom.com>

Lucky Green wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Eric wrote:
> >I am still considering the "sign-or-delay" proposal for the toad.com
> >server, that is, sign your articles to the list or they'll be delayed
> >and eventually rejected.
>
> Do it. Either it will work or it will kill the list. If it works, great. If
> it kills the list, we would have failed in our mission anyway.
>

Yes, do it! Do it now! Do it tonight!

I spend too much time reading this list as it is, so this new requirement will actually mean *less* time spent in e-mail, as I'd have to leave the list. Go for it!

You see, I'm reading with elm (on-line) or Eudora (off-line). And not always both. It depends on what I'm doing.

(Standard request: Please don't send me advice on how _you_ are happy with Slackware Linux v.3.845 running pine 3.4 on your Pinto-um box. Or how you run PGP on your campus machines. Etc. I'm happy that you're happy, which ought to be enough.)

I have little means of solving the Netcom-Macintosh-elm-Eudora issues, and I don't see others solving them especially cleanly or usably, so I expect that the "sign your messages or else" dictum would have a predictable result, for me.

And isn't it up to the _readers_ to decide if they don't want to read my messages because they think I'm not being diligent enough, or because my messages appear to be forged?

Isn't end-user choice the core of the Cypherpunk ethos?

"You can't be an anarchist....your messages aren't formatted according to the rules."

Can we get back to reality?

--Tim May

--
..........................................................................
Timothy C.
May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From skaplin at skypoint.com Mon Nov 28 23:41:21 1994 From: skaplin at skypoint.com (Samuel Kaplin) Date: Mon, 28 Nov 94 23:41:21 PST Subject: A possible solution In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , you wrote: > The use of cryptography makes it virtually impossible to know anything. > If everyone used to PGP to communicate. I mean everybody in the whole > entire world. There would be no possible way to ever know what is going > on. No, just the things that other people and institutions have NO BUSINESS KNOWING. I value my privacy. I do not take it for granted. If everyone in the world used PGP or some other form of strong crypto to protect confidential information it might start to rebuild our right to privacy which is being chipped away daily. We do have the right and responsibility to privacy. Our right is to privacy, our responsibility is to protect it. > OKay. WE could do that, but guess what. You might as well get your > self your own arsenal of weapons because if you can't trust the govt. > you're going to be only trusting yourself. You show just how naive you are. The government has long since stopped representing its citizens. Its sole interest is to perpetuate itself. This happened when politicians replaced statesmen. The needs of the citizens are no longer the needs of government. Citizens are just here to pay the bills and go along with the ride. We have no one to blame but ourselves, we keep electing the same idiots year after year and never hold them accountable. 
We believe what they say, not what they do. > But I want to live in a world where I can at least step outside and > breathe in the fresh air.. So do I but, if you trust the government, this will vanish too. I prefer to breathe the fresh air and ensure that my children will be able to do the same. ============================================================================== The fewer clear facts you have in support of an opinion, the stronger your emotional attachment to that opinion. - Anonymous ============================================================================== skaplin at skypoint.com | "...vidi vici veni" - Overheard | outside a Roman brothel. PGP encrypted mail is accepted and | preferred. | Change is the only constant in the | Universe..."Four quarters, please." E-mail key at four11.com for PGP Key or | Finger skaplin at mirage.skypoint.com | Smile!! Big brother is watching. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtrZ/QpnimeWAf3FAQHPYwP+JyTXMBMoB2Jz6z92oFSSIE9rDBPRuDsD P5tI+Qykw52I05wjZG9T6+yPUEFC1UKlThALWb6aXkCctjwewqFRcs59gJF1Dznn gVy1HjNqUm0IVzuFtYOAi0phDWoHUEnfgArEZ9sFNruk7fSvQ5n6OCI31G5qYXS7 Wv7hSJRBI0Y= =2gkN -----END PGP SIGNATURE----- From norm at netcom.com Mon Nov 28 23:54:48 1994 From: norm at netcom.com (Norman Hardy) Date: Mon, 28 Nov 94 23:54:48 PST Subject: How to not have to trust CAs Message-ID: I have been reading RFC1422 which describes the hierarchy of authorities (CA = Certificate Authorities) proposed for distributing public keys for PEM and such. One must trust the CA which is a leaf of this hierarchy. If higher elements of the hierarchy are corrupted there is also danger but perhaps it is less. One interesting thing that I learned is that RFC1422 specifically allows for "personas" as in pseudonyms. Their treatment of CRLs (Certificate Revocation List) is most of the complexity and hard to understand and implement. 
It is a hard problem.

Here is a different scheme that involves such a hierarchy but does not require one to trust anyone in the hierarchy except concerning denial of service. The scheme allows one to check the hierarchy. I ignore the revocation problem in this note.

The idea stems from an idea that came from Belcore I think. The Belcore idea posits a tree of nodes where each node holds the secure hash of each of its children. The secure hash of the root node is published in the Sunday New York Times and a few other places. There are weekly editions of the tree. If I may want to prove to you in the future that some certain piece of data exists this week, then I arrange to put a secure hash of that data in some leaf of next week's edition of the tree. If I should ever need to present proof, I display the contents of each of the nodes between my leaf and the root. (I got that list a few days after I submitted my secure hash.) You can compute the hashes of each node and observe that they each occur in the superior node. You compare the secure hash of the root node with what is in the Times. The only plausible explanation is that someone had the data at the date of publication.

My CA scheme is a variation of the above. A certificate is a (name -- public key) pair. The names are stored in a tree in alphabetical order. Each node in the tree holds a pair (first name in child node, secure hash of child node) for each of its children. (This is much like a B-tree.) The tree is available thru an untrusted CA. When you request the public key from the CA corresponding to some name, all nodes from the leaf with that name, thru the root are returned. You verify the secure hashes as in the Belcore scheme. You also verify that name stuff in the intermediate nodes is correct. The latter is to prevent the CA from showing one public key to some requesters and another key to others.
My secure mail agent queries the data base upon each new edition to ensure that my own public key is reported correctly. (Besides being published in the Times, the hash of the top node is transmitted once per minute in video blank time on NBC.) Since the data base can't tell different requesters different things, the agent can be sure that all requesters will be informed of my correct key.

I would prefer to change my public key at most once per month and then only with a month's notice. This gives me time to verify that the CA is telling the truth about my PK and warn correspondents otherwise. This avoids the attack of the CA publishing a bogus public key to which it knows the private key in order to decipher mail intended for me. In all, changing public keys may be more dangerous than not!

This system still has several flaws. There is a single point of failure. Failure is not immediately catastrophic as old keys can continue in use. If you mistrust the CA you must inform your correspondents quickly, (via a signed message).

If there are several such hierarchies then each user with a public key must subscribe to each lest one of the hierarchies lie about his public key.

I think that revocation is better solved (easier code and smaller data) by Blum filters but that is another story. The policy revocation problems are still difficult.

From wendigo at mars.lib.iup.edu Tue Nov 29 00:00:29 1994
From: wendigo at mars.lib.iup.edu (CyberDrunk)
Date: Tue, 29 Nov 94 00:00:29 PST
Subject: PGP & Elm
Message-ID: <199411290328.DAA32292@mars.lib.iup.edu>

I've been a lurker here on this list, but I am currently trying to get PGP working with elm in a way that will be convenient for users who use PGP and won't mess with the ones who don't.

To make this short, I haven't been able to find much documentation. Can anyone point me in the right direction?
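The directory scheme from Norman Hardy's "How to not have to trust CAs" message above, worked through in Python as an added example; it is not part of any message in this archive. SHA-256, the JSON node encoding, the fan-out of 3 and the sample names with `PK-` placeholder keys are assumptions made here, and revocation is left out as in the message.

```python
import hashlib
import json

FANOUT = 3  # children per node (assumed; small so the sample tree has three levels)


def node_hash(node):
    # "Secure hash" of a node; SHA-256 over canonical JSON is this example's choice.
    blob = json.dumps(node, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def leaves_from(certs):
    # Leaves hold [name, public key] pairs in alphabetical order.
    names = sorted(certs)
    return [[[n, certs[n]] for n in names[i:i + FANOUT]]
            for i in range(0, len(names), FANOUT)]


def build_edition(leaves):
    """Return (root_hash, store) for one edition; store maps hash -> node."""
    assert leaves, "an edition needs at least one certificate"
    level, store = [{"leaf": True, "entries": e} for e in leaves], {}
    while True:
        store.update((node_hash(n), n) for n in level)
        if len(level) == 1:
            return node_hash(level[0]), store
        # Interior node: [first name in child node, secure hash of child node].
        level = [{"leaf": False,
                  "entries": [[c["entries"][0][0], node_hash(c)]
                              for c in level[i:i + FANOUT]]}
                 for i in range(0, len(level), FANOUT)]


def route(node, name):
    # Index of the one child whose name range can contain `name`.
    hits = [i for i, e in enumerate(node["entries"]) if e[0] <= name]
    return hits[-1] if hits else 0


def lookup(root_hash, store, name):
    """The untrusted CA's answer: all nodes from the root down to the leaf."""
    path = [store[root_hash]]
    while not path[-1]["leaf"]:
        node = path[-1]
        path.append(store[node["entries"][route(node, name)][1]])
    return path


def verify(name, path, published_root):
    """Requester's check: return the public key, or None if the name is absent."""
    expected, lo, hi = published_root, None, None
    for node in path:
        if node_hash(node) != expected:
            raise ValueError("node does not match the hash held by its parent")
        names = [e[0] for e in node["entries"]]
        if not names or names != sorted(set(names)):
            raise ValueError("names are not in strict alphabetical order")
        if (lo is not None and names[0] != lo) or (hi is not None and names[-1] >= hi):
            raise ValueError("names fall outside the range the parent assigned")
        if node["leaf"]:
            return dict(node["entries"]).get(name)
        i = route(node, name)  # the requester, not the CA, picks the child
        expected, lo = node["entries"][i][1], names[i]
        hi = names[i + 1] if i + 1 < len(names) else hi
    raise ValueError("path stops before reaching a leaf")


def outcome(name, path, root):
    try:
        return verify(name, path, root)
    except ValueError as exc:
        return "rejected: %s" % exc


def demo():
    # Constructed sample directory: names and placeholder key strings.
    certs = {n: "PK-" + n for n in ("alice", "bob", "carol", "dave", "erin",
                                    "frank", "grace", "heidi", "ivan", "judy")}
    root, store = build_edition(leaves_from(certs))
    honest_path = lookup(root, store, "erin")
    out = {"honest": verify("erin", honest_path, root)}
    # Attack 1: the CA swaps the key inside the leaf it returns.
    forged = json.loads(json.dumps(honest_path))
    forged[-1]["entries"][1][1] = "PK-mallory"
    out["forged_leaf"] = outcome("erin", forged, root)
    # Attack 2: the CA publishes an edition with a second "erin" in the last leaf.
    rogue = leaves_from(certs)
    rogue[-1] = [["erin", "PK-mallory"]] + rogue[-1]
    root2, store2 = build_edition(rogue)
    # Everyone is routed to the same leaf, so erin's own agent sees the bogus key.
    out["rogue_edition"] = outcome("erin", lookup(root2, store2, "erin"), root2)
    # Showing erin alone her genuine leaf under that same root is rejected.
    out["split_view"] = outcome("erin", [store2[root2]] + honest_path[1:], root2)
    return out


if __name__ == "__main__":
    print(demo())
```

Against a single published root hash, a swapped key and a per-requester view are both rejected, while a bogus key planted in the published edition is served to every requester, the key's owner included, which is what lets the owner's mail agent notice it.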
wendigo at mars.lib.iup.edu From alex at omaha.com Tue Nov 29 00:02:54 1994 From: alex at omaha.com (Alex Strasheim) Date: Tue, 29 Nov 94 00:02:54 PST Subject: Transparent Email In-Reply-To: <199411290714.BAA00246@omaha.omaha.com> Message-ID: <199411290803.CAA00300@omaha.omaha.com> -----BEGIN PGP SIGNED MESSAGE----- I think it's a bad idea to require signatures on the list, or even to penalize people who don't use them. People aren't signing their posts because it's too much of a hassle to do it from a dial up, netcom style, account, not because they're insufficiently committed to the cause. It seems to me that such a rule would stifle discussion and encourage people to store their keys on insecure accounts. The real solution is to try to build tools which will make it so easy to use crypto that there's simply no reason not to do it. And towards that end: I think Eric's point about separating key distribution from encryption finally sunk in. It's encouraging for me, because I think we're very close to being able to implement good transparent systems, at least if we put key distribution on the back shelf. I haven't totally thought it through, but it seems to me that it's almost a matter of assembling a few existing tools into a coherent system. I've just installed Raph Levien's premail as /usr/lib/sendmail on my system, and I'm happy to report that it's running well, despite the fact that my machine is a very puny linux box. This means that I can keep a list of addresses that ought to be encrypted in my ~/.premailrc file, and outgoing email to those destinations will be automatically encrypted and signed, no matter what mail software I happen to be using. This leaves the problem of passphrases for outgoing signatures and automatically decrypting incoming mail, but I think that cfs will let me kludge something together which will get around this. 
(My situation is a little unusual, because I'm running linux on a pc which is connected to the net via a static slip account. I don't think this would work well in other situations.)

If, after I power on my machine, I mount an encrypted directory with cfs, and then connect my slip, I think I can get away with keeping my key unprotected with a passphrase as long as the keyring is stored in the encrypted directory. What's more, if my mail spool is stored in the encrypted directory as well, a filter which automatically decrypts incoming mail and deposits the plaintext in the spool would be feasible. A good filter would probably stick something in the text to let you know that it had come with a good signature.

It would be sort of ugly, but I think it would work. I'm sort of new to cfs, though, and I'm sure how it would deal with multiple users (root, my main account, my cp account which receives cypherpunk list traffic, etc.).

But if it worked, I'd have a machine which:

o talked to the rest of the email universe without difficulty, and which uses standard unix software

o would automatically use crypto when sending mail to a list of email addresses, and which could automatically handle incoming crypto

o would be reasonably secure when it was powered off

== Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1. public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtrgPREpP7+baaPtAQHTlQP/RYcJi9u5iU0AY4SV1MqNGxAuQDfYwL2G
LcJC5sxYreFGkpwwpA87fRcLi7PreAtS6vFg5tsMXiUXaNS15v1mCDfxr54AwO7C
P3yyHWUTGg1I8CRbDUYlZqksrF3Bqzxy0pDRQGzPEFwP7k8ER72XXeVtIVc8K/zM
CBW+smDOY/w=
=43eM
-----END PGP SIGNATURE-----

From shamrock at netcom.com Tue Nov 29 00:58:36 1994
From: shamrock at netcom.com (Lucky Green)
Date: Tue, 29 Nov 94 00:58:36 PST
Subject: "You aren't following the _rules_!"
Message-ID: <199411290857.AAA06729@netcom20.netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

Tim wrote:

>I have little means of solving the Netcom-Macintosh-elm-Eudora issues,
>and I don't see others solving them especially cleanly or usably, so I
>expect that the "sign your messages or else" dictum would have a
>predictable result, for me.

I don't want to restart the "If the output won't work on a stack of Hollister cards the system sucks" thread, but Tim is here, as he is most of the time, right. After two years, we still have not made it much simpler to integrate PGP/whatever into a mixed OS environment.

>And isn't it up to the _readers_ to decide if they don't want to read
>my messages because they think I'm not being diligent enough, or
>because my messages appear to be forged?

Few readers on this list would think that Tim is not diligent enough. A forged message would not be able to fool us for long. The problem is that there is no simple way to integrate PGP with the many newsreaders, mailers, etc., that are being used on the net. This is unlikely to change until there is a new, acceptable, RFC for mail that implements digital signatures and encryption (if desired) without user intervention.

>Isn't end-user choice the core of the Cypherpunk ethos?

Yes, choice is what Cypherpunks are (I hope) about. Choice through crypto. Unless crypto spreads we will face ever reduced choice. Crypto will not spread unless there is a demand.

Most people, including one of (the?) leading thinker(s) of the group on the net that most supports cryptography believe that the added security and privacy that cryptography provides are not worth typing a few commands or clicking a few buttons. I myself rarely, if ever, sign my post. If WE don't even use crypto ourselves, who do you think else uses it and who do you think will therefore care if the government chooses to outlaw it?

We don't have a motivation to use crypto.
We all realize that there is really no need to encrypt/sign the vast majority of the stuff we are sending. There may be the occasional message that we will encrypt and we are well aware that we encrypt that message for the very reasons that the powers-that-be want to see encryption outlawed.

There are no better tools for integration of crypto today, because there has been no need. The few times you actually need crypto you can punch the commands "by hand". I do not mean to belittle the work that has been done, but unless the encryption is built into the mailer and using a remailer means clicking the "use X remailer(s)" button, and the mailer better know which ones are working and do the PGP envelopes, it won't happen.

Hell, I have been on this list for two years and today I decided against posting that updater everyone was begging for to USENET because I didn't want to spend the 15 minutes it would take me to look up the address of a mail-to-usenet gateway, find out which remailers are working, binhex the thing, and paste it into the remailer interface. Yes, I know the 3 or 4 URL's it would take to do all that. Suppose the world will have to wait until that computer maker's FTP site is up again. /dev/null>

We are stuck: No need -> no development of tools -> no spreading of crypto beyond the "hard core" -> no public resistance when crypto becomes illegal.

So how can we prevent crypto from becoming illegal? Just follow the above chain backwards. Create a need. Create mailing lists that require signed messages. Create ftpsites that require signed uploads or whatever. Require the use of crypto. Not to partake in some involuntary interaction with the government (that will happen without our help), but for some voluntary interactions between people on the net. Sending mail to cypherpunks is such a voluntary interaction. Requiring it here just might result in better tools in the long run. Just an idea, if it sounds like garbage, forget about it.
- -Lucky, who wouldn't think of signing this post and only does it to show that requiring it for posting just might get people to do it.

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui

iQCVAgUBLtrswASQkem38rwFAQFZ0AQAixcrK7wNFJzisuA3v8FefURUt05NYj23
AyJw9TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l
PLzcOYXfCWp2/KlfY4cQs4nlUEDvheiTmgXE+2VRle00WHwL+ctm/Tx1i/mxD3BS
7Zo79IIOQyg=
=ZSOT
-----END PGP SIGNATURE-----

From jcorgan at netcom.com Tue Nov 29 01:20:02 1994
From: jcorgan at netcom.com (Johnathan Corgan)
Date: Tue, 29 Nov 94 01:20:02 PST
Subject: CID spoofing
Message-ID:

Whatever happened to the thread on CID header spoofing? I know it isn't exactly germane to this list, but the original poster's return address doesn't appear to work.

-----------------------------------------------------------------------
Johnathan Corgan       "Violence is the last refuge of the incompetent"
jcorgan at netcom.com                        -Isaac Asimov
PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or send email to: pgp-public-keys at pgp.ai.mit.edu Subj: GET jcorgan
-----------------------------------------------------------------------

From adam.philipp at ties.org Tue Nov 29 01:55:58 1994
From: adam.philipp at ties.org (Adam Philipp)
Date: Tue, 29 Nov 94 01:55:58 PST
Subject: Transparent Email
Message-ID:

>I think it's a bad idea to require signatures on the list, or even to
>penalize people who don't use them. People aren't signing their posts
>because it's too much of a hassle to do it from a dial up, netcom style,
>account, not because they're insufficiently committed to the cause.
>
>The real solution is to try to build tools which will make it so easy to
>use crypto that there's simply no reason not to do it.

I wholeheartedly agree! Thank you Alex for pointing out the real issue.
ObPlug: (I am currently writing a handbook on what intellectual property law can be used for when developing crypto systems, either to make a profit or to keep them free from commercial entanglement.)

Tomorrow (San Diego Cypherpunks meet at Hops) I was planning on asking Phil Karn what Qualcomm was planning with Eudora as far as any PGP hooks, or if we need to get off our rear-ends and design a mail application that will implement PGP for all the SLIP users on Windoze & MacN'trash systems. Sure there are those of us who can use LINUX and various scripts to bring PGP into our mailers, but a well built app that would get PGP to the lay people who want their privacy is needed.

So, Cypherpunks write code.

o Get off our collective asses and write something for: SLIP / PPP in windoze, mac, ( & warp?)
o Make it free, widely available, and either stand alone, or compatible with Eudora.
o Collectively demand that Qualcomm do something or else...
o See if there are any software companies willing to take up the challenge.
o Meanwhile, see what works for people... Create a contest for who has the best system for ELM, PINE, EUDORA, etc...
o What about windoze scripting? PCTools for windoze scripting? Other scripts?

I am willing to help, but I'm in the middle of Law school finals so any help will be delayed...

Adam

--
PGP Key available on the keyservers. Encrypted E-mail welcome.
SUB ROSA: Confidential, secret, not for publication. -Black's Law Dictionary
GJ/CS d H S:+ g? p? au+ a- w+ v++ c++ UL+ UU+ US+ P+ 3 E N++ k- W++ M-- V po- Y++ t++ 5+ jx R G' tv+ b+++ D++ B--- E+++ u** h-- f++ r+ n+ y++--

From jcorgan at netcom.com Tue Nov 29 02:16:59 1994
From: jcorgan at netcom.com (Johnathan Corgan)
Date: Tue, 29 Nov 94 02:16:59 PST
Subject: SecureDevice/X-Windows
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Okay, so I'm signing my messages now.
At least your proposed sign-or-delay rule has had its intended effect on one user here :)

My question is: What is the group's opinion on the use of SecureDevice to store sensitive data as an encrypted volume under DOS on a PC? (I am assuming here that enough people know what I'm referring to not to explain.)

I've moved all my email, sensitive data files, and PGP keyrings over to this new volume. Given all that I've read on the IDEA encryption method, I feel comfortable that the data is essentially secure from everything but a brute force attack on the key, or carelessness on my part. I'm sure that the magnetic fingerprint of the original data files still remains scattered over the rest of the hard disk, but I'm not as worried about this (yet--the more I read this list, more paranoid I seem to get :)

Someone posted about using CFS under Linux to store his PGP secret keyring, without a keyring pass phrase. The idea here was that when the system was powered off, CFS provided sufficient security to protect the secret keyring. This would allow the user to automate the use of PGP with scripts to send and receive encrypted mail, without the need to deal with piping in or otherwise supplying a pass phrase. Would anyone consider this foolish?

I can take the same argument here with SecureDevice--I only 'login' to the drive with my passphrase when I am using it, and when the machine is off, the encrypted volume protects the secret keyring by default. The weakness here is that should I step away from my machine and carelessly forget to 'logout' of the secured drive, my secret key is wide open for someone to steal.

On an entirely different note: I use MS-Windows on the PC platform for my internet access due to the variety and relative availability of Windows Sockets based software. Call me a traitor to the cause, all Microsoft bashing aside, but I really do prefer the GUI interface to mail, FTP, telnet, and WWW than the Unix command line oriented tools to do the same.
I also have Linux installed on a different machine, and am slowly learning all the neat and wonderful things one can do with it. I haven't quite gotten X Windows configured properly, but I wonder if all the same internet access tools I mentioned exist as X apps. This would allow me to get all the benefits of Unix, while retaining the ease-of-use benefits of a GUI environment. Forgive me if these are naive questions--I'm a lowly DOS/Windows user just now starting to see the light of Unix :)

Another question: How feasible would it be to build a system under Linux/X Windows to automate PGP encryption and signatures in a transparent way, using an X windows mail reader? People have done this with Pine/Elm, so I assume the same techniques would work under X. Gosh, really showing my ignorance here :)

- -----------------------------------------------------------------------
Johnathan Corgan       "Violence is the last refuge of the incompetent"
jcorgan at netcom.com                        -Isaac Asimov
PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or send email to: pgp-public-keys at pgp.ai.mit.edu Subj: GET jcorgan
- -----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLtr+6E1Diok8GKihAQFGLgP/e2BN0W+QOpRwnj7JmIVUgl0cQaNeXpTS
tvSmarhiSSQy6+6uC7XdOHWlJJ8qavbwr8LguMTcFIU8LFSp0jCiQcUj5Jxt9oSV
evpeZXucwXsT/kh3m97MRiwqOxkjFED1h7zjKbJrHxdI/TkGPUXUmP815Am6eVqB
qwY9W3lqeSs=
=n+Df
-----END PGP SIGNATURE-----

From cdodhner at PrimeNet.Com Tue Nov 29 02:51:05 1994
From: cdodhner at PrimeNet.Com (Christian Odhner)
Date: Tue, 29 Nov 94 02:51:05 PST
Subject: Cash
In-Reply-To: <199411290107.TAA17362@jpunix.com>
Message-ID:

On Mon, 28 Nov 1994, Anonymous wrote:

> I went to a GSA auction and picked up 3 very nice U.S. Gubment surplus
> paper shredders. They shred into very fine particulate that makes great
> fire starting material for the fireplace.
> I run everything with my name, address, etc., thru it so that *none* of
> my trash is identifiable.
> How's that for paranoid :>

I personally feel that anybody who bothers to go 'trashing' at my house already knows my name, S.I.N., address (obviously), phone number, and the status of my bank account. Anything more sensitive than the above does indeed get destroyed before disposal, and on days that I am feeling particularly paranoid, I add some 'interesting' fiction to my trash before I take it out...

Happy Hunting, -Chris.

______________________________________________________________________________
Christian Douglas Odhner     | "The NSA can have my secret key when they pry
cdodhner at primenet.com     | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger | NEVER have the password it's encrypted with!"
cypherpunks WOw dCD Traskcom Team Stupid
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
------------------------------------------------------------------------------

From tcmay at netcom.com Tue Nov 29 03:03:12 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Tue, 29 Nov 94 03:03:12 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411290857.AAA06729@netcom20.netcom.com>
Message-ID: <199411291101.DAA12770@netcom14.netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

I have to apologize for the length of this piece. It's almost 3 in the morning, and I've spent far too much time writing it. It's just that my "rant buttons" are pushed by an argument I'll call the "crypto isn't being used by enough people, so we'll have to make our own lives harder to set an example" argument. Some would call it the Self Flagellation Argument.

There's a larger issue, of why crypto is not being used in the way some of us think it _should_ be being used. Why no digital cash? Why no common use of digital signatures in the business world? Why isn't everybody (or anybody?) time-stamping their lab notebooks and song lyrics?
Why, why, why?

I've developed some views on this. Some have come from watching my nanotechnology friends exhorting the world to develop nanotech, some have come from my 20 years in high tech, watching the "gotta succeed" technologies get bypassed (remember holographic memories? Integrated Injection Logic? laser pantography? aptical foddering? artificial intelligence?).

And on the "self-flagellation" front, I participated in well-intentioned experiments on other mailing lists, in which it was hoped that certain desired evolutionary outcomes be "facilitated" by list rules and regulations....how they failed is another topic.

And of course I've devoted several hours a day to this list for more than two years. A lot of stuff to draw some conclusions from.

So, here it is. Not a polished essay, but as polished as it's likely to ever get.

Lucky Green wrote:

> I don't want to restart the "If the output wont work on a stack of
> Hollister cards the system sucks" thread, but Tim is here, as he is most of
> the time, right. After two years, we still have not made it much simpler to
> integrate PGP/whatever into a mixed OS environment.

The issue that keeps coming up is a familiar one to economists: is the success of a product determined by the "push" of customer demands for such products or by the "pull" of available technology? Did customers demand the microprocessor or did companies like Intel demonstrate a technology and thus pull customers in?

(The possible subject of much debate. Examples on both sides. An exercise: which model does the Web/Mosaic combination fit?)

As it relates here, there seem to be two main camps:

1. The Pushers. Those who believe that encryption and related technologies (digital cash being the most obvious) will "succeed" (become popular, profitable, etc.) when there is *customer demand* for it. Some purpose, some economic gain, or some recreational benefit.

2. The Pullers.
Those who believe that these technologies will succeed because they are so compelling as to pull customers in.

Orthogonal to these are the camps regarding how to *proselytize* crypto:

A. The Preachers. Spread the word, educate the masses. Make crypto necessary to access information. (Whether for the Pushers or the Pullers, the Preachers believe that the key to the success of crypto lies in _convincing_ others to use it.)

B. The Pragmatists. Whether pushed or pulled, crypto will happen when it happens. When the time is right--technologically, economically, and socially, perhaps--crypto will find its uses.

(I could, as is my wont, write more on each of these. But I'll resist the urge.)

The graphically-oriented may imagine this as a map. With ranges of beliefs. Various of you fall into various places on this map. Some argue that lawyers should relocate to the Caribbean tax havens to "service" Cypherpunk needs (no insult intended to the proposer of this scheme, but this is a classic "2A"--the Preacher-Puller. Also known as the "If you build it, they will come" view.). Others argue that Cypherpunks should "practice what they preach" at all times (not surprisingly, a trait of the Preacher).

Well, I think you can see where I'm headed. I happen to believe that strong crypto, of the sort I am interested in (though not necessarily using/advocating/proselytizing for), will become common at some time in the next decade or so:

- when markets have arisen which can make use of, for example, digital cash. (This could be next year, with NetCash or VisaBits...it's always hard to predict exact markets.)

- when the current protocol problems which make all of this crypto stuff so _complicated_ to use ("To spend a DigiDime, first create a client on a 4.3BSD-compliant server....").

- when other interesting technical problems well known to us--such as issues about double spending, revocation, etc.--are better solved.
(Yes, I am saying that we are probably a couple of years too early...the Crypto conferences are still generating new results. Perhaps someone will pull it off, but it is by no means obvious that all the pieces are ready to go.)

- and of course when everyone is just a little bit better net-connected, when e-mail is more robust, when agent technology is more mature, etc.

So, I guess this makes me a "Pragmatist." No point in preaching.

(And before a smart aleck claims that my presence on the list, and my posts, and my FAQ, etc., makes me a "Preacher," think about it. One can be interested in an area, want to see it become a reality, without being a Preacher. The microprocessor happened for a variety of reasons...proselytizing was not one of the main reasons.)

As to Pusher or Puller, I'm in both camps. Certain market needs--in areas like online commerce, Web publishing, even money laundering--will push the existing technology "from the bottom up." Thus, brain-damaged "electronic purse" schemes will be broken, will need to be fixed, and so folks like Chaum and Brands will license their results, consult, etc. This is how most products evolve, kind of haphazardly (in the sense that previous history exerts a strong influence...the reptilian brain in us, etc.).

At the same time, the purer technologies--such as DC-Nets and other abstract ideas--will pull from the top.

(It can be argued that the two are really the same, displaced in time. Thus, yesterday's exotic technology that "pulled" is today's "pusher" tool. Digital signatures, for example.)

I'm all for exploring, for folks going off and doing their thing, and for trying to commercialize ideas.

(The joke that the only people who've made money on crypto are the book publishers is not far from the truth. RSA Data has, despite its obvious situation, never paid a dime to its early investors (so says Alan Alcorn, inventor of "Pong" and an early investor in RSADSI). Zimmermann sure hasn't.
I assume Cylink, Crypto AG, and some of the others have some profits, or at least not continuing losses, but none of them are powerhouses.)

The Glorious Crypto Revolution may happen. In fact, I'll bet on it. But the precise form is unknown.

And it won't happen because a bunch of people decided to "prove the technology" by sending DigiFranques to each other in a toy market. (The HEx market on Extropians showed the failure of this...as have some experiments here.)

And it won't happen because we all sign our messages, any more than wearing secret decoder rings ushers in a new political regime.

(I'm much more interested in ensuring that signing of messages, or encryption of them, cannot practicably be outlawed than I am in "spreading the word." If having lots of folks using crypto makes a ban less likely or less enforceable, then of course I hope more people use crypto. But this is not the same as saying we should all be "setting an example" and thereby _cause_ this widespread use. Or so it seems to me.)

> We are stuck: No need -> no development of tools -> no spreading of crypto
> beyond the "hard core" -> no public resistance when crypto becomes illegal.

Push and Pull, Preachers and Pragmatism. Find the "Killer App" that people want, and there you are. Web/Mosaic is the current killer app.

(And ironic that so many people preached the wonders of hypertext and Xanadu...including several people on this list (and I agreed with them, by the way)...but nothing of significance happened until the WWW and browsers ignited the phenomenal explosion of the past two years.)

And if you can't just "think up" the killer app, find an area of deep interest and focus on that _for the pleasure of it_ (and for the profit of it). Somebody who, as an example, can apply agent technology to crypto, may find himself in the thick of things in 1998.

I guess I'm reacting to the pervasive mood of "We've got to *do* something!!" that keeps coming up.
I'm skeptical, because of the push/pull points, and because a bunch of scattered, part-time workers who rarely meet, who are all going in different directions, etc., is not exactly a team likely to build a new product.

(In nearly every case I can think of where a significant technology or product was developed, some kind of focus was needed. Usually geographic, and usually economic ("Finish this or you're fired," to put it bluntly).

(Some may cite the PGP 2.x effort as a good example of Net collaboration. I wasn't in on it, but in talking to some of those who've worked on it, my impression is that the focus was still there. Provided by Phil, and by the _existence_ of PGP 1.0, an exemplar that could then be added to, worked on, etc. Remailers are a kind of equivalent.)

In any case, the notion that a bunch of us--students, dabblers, activists, engineers, etc.--can somehow create a finished product, or a company, as some folks periodically try to argue for ("Let's do a company!"), is not too likely. (I was going to say "is crazy," but some may think I'm already being insulting enough. Believe me, my intent is not to insult any of us.)

Crypto is happening. In bits and pieces. As is to be expected.

But then, I'm a pragmatist.

--Tim May

-----BEGIN PGP SIGNATURE-----
Version: 2.7

f99TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l49
y0CVAgUBLtrswASQkem38rwFAQFZ0AQAixcrK7wNFJzisuA3v8FefURUt05NYj23
2lJw9TVoyWuo4gdDiao1/3dC43ZIgVSvTTGXKZ8cy5a4YcFyMLMEKumNfyn7FM/l
PMzcOYXfCseehoweasilytheserequiredsigscouldbespoofed?3858H3w2NlC
3Zo79IIOQyg=
=ZSOT
-----END PGP SIGNATURE-----

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From frissell at panix.com Tue Nov 29 03:24:25 1994
From: frissell at panix.com (Duncan Frissell)
Date: Tue, 29 Nov 94 03:24:25 PST
Subject: Zimmermann interrogated without counsel
Message-ID: <199411291124.AB07764@panix.com>

At 12:57 AM 11/27/94 -0700, Philip Zimmermann wrote:
>
>The following is a letter from Ken Bass, who is one of the lawyers on
>my legal defense team, to US Customs. It is mostly self-explanatory.
>It concerns the PGP investigation.

Time to start travelling via Canada.

DCF

From jkreznar at ininx.com Tue Nov 29 03:34:22 1994
From: jkreznar at ininx.com (John E. Kreznar)
Date: Tue, 29 Nov 94 03:34:22 PST
Subject: Sign-or-delay
In-Reply-To: <199411290554.VAA02536@largo.remailer.net>
Message-ID: <9411291010.AA10566@ininx>

-----BEGIN PGP SIGNED MESSAGE-----

Eric Hughes writes

> I am still considering the "sign-or-delay" proposal for the toad.com
> server, that is, sign your articles to the list or they'll be delayed
> and eventually rejected.

That's as good an idea now as it was last time you brought it up. It could even be the touch that rescues individual freedom from the jaws of politics. Please do it!

John E. Kreznar     | Relations among people to be by
jkreznar at ininx.com | mutual consent, or not at all.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLtr2YMDhz44ugybJAQE1DwQAuE2WKXO+82TZEv8yy9Jf/GtXCYGYM4QE
7sRUqFa8KDUpfUTKFHn9GctPdJxj9+Kgd+wSjLw9lTM44skO9iRCvrEqZqG6Q3HQ
hWim4Uk8sQmeybKOL1Ce2FYIoazhOwu+rcgQVIuyk18YU8tH4NVJG8Mv1tzJNh5v
VkCVVLzOUdI=
=nVWv
-----END PGP SIGNATURE-----

From khijol!erc at cygnus.com Tue Nov 29 03:51:54 1994
From: khijol!erc at cygnus.com (Ed Carp [Sysadmin])
Date: Tue, 29 Nov 94 03:51:54 PST
Subject: Transparent Email
In-Reply-To: <199411290803.CAA00300@omaha.omaha.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> I think it's a bad idea to require signatures on the list, or even to
> penalize people who don't use them. People aren't signing their posts
> because it's too much of a hassle to do it from a dial up, netcom style,
> account, not because they're insufficiently committed to the cause.

Is it just me, or does this come up every few months?

> The real solution is to try to build tools which will make it so easy to
> use crypto that there's simply no reason not to do it.

They are already there - in elm and pine, as well as many others.

> This leaves the problem of passphrases for outgoing signatures and
> automatically decrypting incoming mail, but I think that cfs will let me
> kludge something together which will get around this.

No need to kludge anything. Take a good look at the PGP docs - they will let you do exactly what you want.

> (My situation is a little unusual, because I'm running linux on a pc which
> is connected to the net via a static slip account. I don't think this
> would work well in other situations.)

I'm running Linux here, and have run it both as static/dynamic SLIP, and hung (well!) off a T1 line.
> o talked to the rest of the email universe without difficulty, and
> which uses standard unix software
>
> o would automatically use crypto when sending mail to a list
> of email addresses, and which could automatically handle
> incoming crypto
>
> o would be reasonably secure when it was powered off

This last one is really the only advantage to running cfs, IMO.

Here's the set of scripts I use here. Others use more sophisticated ones, but I'm not into shell programming ;} pgpview will decrypt to the screen, vie will edit then encrypt, vis will edit then sign. They are intended to be used from within elm.

#! /bin/sh
#
# Created by shar, version 0.5 - 04/10/91
#
# This is a shell archive, meaning:
# 1. Remove everything above the #! /bin/sh line.
# 2. Save the resulting text in a file.
# 3. Execute the file with /bin/sh to create:
#
# length name
# ------ -------------------------------------
#     28 pgpview
#    379 vie
#    199 vis
#
#
# Archive number 1
# This archive created Tue Nov 29 05:04:46 1994
#

echo "shar: extracting pgpview - (28 characters)"
if test -f 'pgpview' ; then
   echo shar: will not over-write existing file pgpview
else
sed 's/^X//' << \SHAR_EOF > 'pgpview'
Xpgp +batchmode -m | less -c
SHAR_EOF
if test 28 -ne "`wc -c < 'pgpview'`" ; then
   echo "shar: ***** error transmitting file pgpview (should have been 28 characters, but was "`wc -c < 'pgpview'`" characters) *****"
fi
fi

touch 0823232194 pgpview
chmod 0755 pgpview

echo "shar: extracting vie - (379 characters)"
if test -f 'vie' ; then
   echo shar: will not over-write existing file vie
else
sed 's/^X//' << \SHAR_EOF > 'vie'
X#
X# vie - like vi, but sign & encrypt with pgp
X#
Xsed -e 's/^> //g' $1 > $1.clr
X# why doesn't pgp $1 $1.clr work? It should produce $1.clr...
Xpgp +force $1.clr $1
Xsed -e 's/^/> /g' $1.clr > $1
X/bin/rm -f $1.clr
Xif [ "$EDITOR" == "" ] ; then
X pico $1
Xelse
X $EDITOR $1
Xfi
Xclear
XL=`logname`
Xif [ "$L" = "erc" ] ; then
X L=ecarp
Xfi
Xpgp -seta +clearsig=on -u $L $1
Xmv $1.asc $1
SHAR_EOF
if test 379 -ne "`wc -c < 'vie'`" ; then
   echo "shar: ***** error transmitting file vie (should have been 379 characters, but was "`wc -c < 'vie'`" characters) *****"
fi
fi

touch 0904203294 vie
chmod 0755 vie

echo "shar: extracting vis - (199 characters)"
if test -f 'vis' ; then
   echo shar: will not over-write existing file vis
else
sed 's/^X//' << \SHAR_EOF > 'vis'
X#
X# vie - like vi, but sign with pgp
X#
Xif [ "$EDITOR" == "" ] ; then
X pico $1
Xelse
X $EDITOR $1
Xfi
Xclear
XL=`logname`
Xif [ "$L" = "erc" ] ; then
X L=ecarp
Xfi
Xpgp -sta +clearsig=on -u $L $1
Xmv $1.asc $1
SHAR_EOF
if test 199 -ne "`wc -c < 'vis'`" ; then
   echo "shar: ***** error transmitting file vis (should have been 199 characters, but was "`wc -c < 'vis'`" characters) *****"
fi
fi

touch 0801202294 vis
chmod 0755 vis
echo End of all shell archives
exit 0

- --
Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com
Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi
** PGP encrypted email preferred! **
"What's the use of distant travel if only to discover - you're homeless in your heart." --Basia, "Yearning"

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBLtsLMiS9AwzY9LDxAQHTWgP/VAxadrlIIhH/QwqDUX1KtfnPd6UBh5kL
rouCpajJj4BfFGk486gHOekVZcwTe19NDzUHXE78UDSIWytf1zuAZvf5b9bFgVkV
lXxyaRJK4xIcYHUFTptumpCDRvAQi9ixMwI07K3rs4gzQNd4fgOqMZj7g08wOot9
64BnvLL/J10=
=7WFV
-----END PGP SIGNATURE-----

From skaplin at skypoint.com Tue Nov 29 04:44:04 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Tue, 29 Nov 94 04:44:04 PST
Subject: "You aren't following the _rules_!"
In-Reply-To: <199411290857.AAA06729@netcom20.netcom.com>
Message-ID: <3ymskKjqR8A3073yn@skypoint.com>

-----BEGIN PGP SIGNED MESSAGE-----

Deletia...
> Most people, including one of (the?) leading thinker(s) of the group on the
> net that most supports cryptography believe that the added security and
> privacy that cryptography provides are not worth typing a few commands or
> clicking a few buttons. I myself rarely, if ever, sign my post. If WE don't
> even use crypto ourselves, who do you think else uses it and who do you
> think will therefore care if the government chooses to outlaw it?

I've noticed this and always thought it quite strange.

> We don't have a motivation to use crypto. We all realize that there is
> really no need to encrypt/sign the vast majority of the stuff we are
> sending. There may be the occasional message that we will encrypt and we
> are well aware that we encrypt that message for the very reasons that the
> powers-that-be want to see encryption outlawed.

Yes there is...I recently got my fanny pulled out of the fire because I sign ALL of my messages. Someone spoofed me on one of my accounts. I never got the full details, but I screamed VERY loudly to the powers "WAS THE MESSAGE SIGNED WITH MY DIGITAL SIGNATURE." The answer was "NO." My reply was "It couldn't be me, because my software automatically signs all of my posts...If I were you I would look at your logs to see who hacked the message." I never heard another word. Granted this wasn't a really big deal, but it does illustrate the power of digital signatures. It got them to at least look at their logs, which probably wouldn't have happened otherwise. (Even though that SHOULD have been the first place they looked.)

More deletions...

> There are no better tools for integration of crypto today, because there
> has been no need. The few times you actually need crypto you can punch the
> commands "by hand".

I'm basically a lazy S.O.B. when I first got my shell account I made sure that my provider had uqwk installed because:

a.
I wanted to use AUTOPGP to sign all of my messages automatically because I had been burned several times before on forgeries. As more people get burned, the demand for digital signatures will go up. This was my initial motivation for installing PGP. The encryption angle came later. We might learn something from AUTOPGP. Instead of focusing on making every reader compatible with encryption, why not focus on making a semi-universal pre-processor and post-processor for them. Hit the lowest common denominator. Another interesting concept would be for providers to make signatures mandatory. While you wouldn't be forced to sign your messages, you would be responsible for any message bearing your name if your software wasn't set up for signing. Deletion... > We are stuck: No need -> no development of tools -> no spreading of crypto > beyond the "hard core" -> no public resitance when crypto becomes illegal. > > > So how can we prevent crypto from becomming illegal? Just follow the above > chain backwards. Create a need. Create mailing lists that require signed > messages. Create ftpsites that require signed uploads or whatever. Require > the use of crypto. Not to partake in some involuntary interaction with the > government (that will happen without out help), but for some voluntary > interactions between people on the net. Sending mail to cypherpunks is such > a voluntary interaction. Requiring it here just might result in better > tools in the long run. Just an idea, if it sounds like garbage, forget > about it. I agree with you Lucky, we have to create a demand. We also have to make it easy enough for people to implement. There is definitely a stigma attached to encryption though. Some of you may remember my post a while back about looking for a place to set up a mailing list, this will demonstrate some of the forces involved. A while back I came up with an idea, "Why not set up a public mailing list to distribute PGP Keys." 
After mulling it over for a while I decided to do it. I also came up with the idea of subscribing alt.key-dist to it and also subscribing a keyserver to it. One stop shopping...post your key to the list and it makes it to all interested parties. A universal venue for distributing PGP keys. No system administrator involvement needed, instead of having to rely on them carrying alt.key-dist, which isn't on a lot of systems. I went to several providers about setting up the list. (BTW - Thank You L. McCarthy for your efforts!!!) Everything was great until they found out what the list was for. After that "Sorry, we can't do it." or they wanted to charge an exorbitant price for the list.

The moral: A lot of system administrators do not want encrypted messages, because they fear that they are responsible for the content. While they won't kill encrypted messages they won't help propagate the technology either.

BTW - I'm still LISTLESS. (I couldn't resist the pun)

Sam (Who ALWAYS signs his messages)

==============================================================================
One was never married, and that's his hell; another is, and that's his plague.
                         - Robert Burton, 1651
==============================================================================
skaplin at skypoint.com                   | "...vidi vici veni" - Overheard
                                          | outside a Roman brothel.
PGP encrypted mail is accepted and        |
preferred.                                |
                                          | Change is the only constant in the
                                          | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or   |
Finger skaplin at mirage.skypoint.com     | Smile!! Big brother is watching.
==============================================================================

From emw at ima.com Tue Nov 29 05:37:46 1994
From: emw at ima.com (Ed Wilkinson)
Date: Tue, 29 Nov 94 05:37:46 PST
Subject: popularising digsigs
In-Reply-To: <3ymskKjqR8A3073yn@skypoint.com>
Message-ID: <9411301332.AA02657@ima.com>

Well, knowing the US, things will probably hobble along much the same, until there's a lawsuit. e.g. X sues Y because a post on the net 'apparently' from Y libelled X. Now *that* would get people to start using digsigs!

Ed
--
Ed Wilkinson   emw at ima.com   IMA Ltd   Internet Email Gateways

From eric at remailer.net Tue Nov 29 06:50:14 1994
From: eric at remailer.net (Eric Hughes)
Date: Tue, 29 Nov 94 06:50:14 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411291101.DAA12770@netcom14.netcom.com>
Message-ID: <199411291549.HAA03235@largo.remailer.net>

   From: tcmay at netcom.com (Timothy C. May)

   It's just that my "rant buttons" are pushed by an argument I'll call the "crypto isn't being used by enough people, so we'll have to make our own lives harder to set an example" argument.

Let me review the exact proposal.

First, a recognizer is set up at toad.com to distinguish between digitally signed and unsigned messages. Second, some action on the message would be taken, which would gradually increase in effect over time.

The first action would be to add a header to the end of the mail identifying it as unsigned. A later action would be to delay the mail at the server for some amount of time. A final action would be to delete or bounce messages that weren't signed.

I note that Tim is not objecting to the nature of these effects, but rather their existence, especially since he is not addressing the timing of any ramped up vigor at the server. Just to set the record straight, refusing messages would be at the very least over a year away, and certainly wouldn't be taken until crypto mail readers were widely available. For purposes of discussion then, I leave out message deletion and only address the server actions of notification and delay.

One underlying premise of Tim's argument is that the presence of these actions at the server makes his life harder. In what way? The server will not require a digital signature. Unsigned messages will still be sent to the list. There need be no change in the way that one sends and receives mail. I refuse the argument that toad.com server actions make anybody's life harder.

I'm not saying that these server actions would have no effect, far from it. The effects are all in the social realm and have far more to do with peer pressure and social position than with technology. Can it be said that being marked as a non-signer makes one's life harder? I think not, perhaps others feel otherwise.

I do, however, agree with the other two premises of Tim's hypothetical. I do think that crypto isn't being used by enough people. I realize that the exact meaning of 'enough' is subjective, so let me rephrase. I do think that crypto is being used by fewer people than I want. I also believe that setting an example is a good thing, because it signals an achievable task to those who are considering doing it.

When I first proposed server actions last year, it was with the full realization that I wouldn't be signing my own posts and would thereby be subject to the delay (the first-proposed action). This post isn't signed either.

Eric

From werewolf at io.org Tue Nov 29 06:57:46 1994
From: werewolf at io.org (Mark Terka)
Date: Tue, 29 Nov 94 06:57:46 PST
Subject: "You aren't following the _rules_!"
In-Reply-To: <3ymskKjqR8A3073yn@skypoint.com>
Message-ID: <8jpskOwscUSQ075yn@io.org>

-----BEGIN PGP SIGNED MESSAGE-----

In article <3ymskKjqR8A3073yn at skypoint.com>, skaplin at skypoint.com (Samuel Kaplin) wrote:

>I'm basically a lazy S.O.B. when I first got my shell account I made sure
>that my provider had uqwk installed because:
>
>        a. I wanted to use AUTOPGP to sign all of my messages
>        automatically because I had been burned several times before on
>        forgeries.

That's just it....I can't speak for Tim's setup but in DOS you have a couple of mailreaders (YARN and PGPBLU) that make signing and encryption of messages a snap, assuming you can run some sort of SOUP/QWK routine to pull your mail. Then, sign OR encrypt whatever you need offline and u/l it back into the system. Hell, I even use YARN to push encrypted & chained messages through the remailer system, and it works like a charm.

Since I can't see anyone maintaining their secret keys online (unless they consider the sysadmins ULTRA trustworthy), offline processing of messages is the path to follow. Simple, VERY quick and easy to implement with a couple of keystrokes.

Offline mail processing fits the criteria needed to nudge digital signatures and encryption overall into the mainstream, due to its speed and ease of use (ie not having to leave the mailreader program to use PGP). Keeping the use of signing/encrypting to one step is what makes it work.

From eric at remailer.net Tue Nov 29 07:10:01 1994
From: eric at remailer.net (Eric Hughes)
Date: Tue, 29 Nov 94 07:10:01 PST
Subject: Transparent Email
In-Reply-To: <199411290803.CAA00300@omaha.omaha.com>
Message-ID: <199411291608.IAA03269@largo.remailer.net>

   From: Alex Strasheim

   re: signature checking at the toad.com server

   It seems to me that such a rule would stifle discussion and encourage people to store their keys on insecure accounts.

Good! That means they'll have generated a key.

One of the problems with cryptography generally is a prevailing attitude that crypto isn't worth using unless it provides security as complete as it can offer. I reject this attitude. Partial security is better than no security. Protection against some threats is better than no protection. Storing a key on a public machine is OK, just fine, hunky-dory, just so long as it doesn't induce false beliefs about a lack of protection from sysadmins and other roots.

   The real solution is to try to build tools which will make it so easy to use crypto that there's simply no reason not to do it.

Sure. No argument. I will disagree, however, with a conclusion that insists that these tools have to be the first to be built. Partial progress is desirable.

Or to put it in the words of the old homily: Don't let the best become the enemy of the good.

Eric

From nobody at nately.UCSD.EDU Tue Nov 29 07:47:16 1994
From: nobody at nately.UCSD.EDU (Anonymous)
Date: Tue, 29 Nov 94 07:47:16 PST
Subject: INTERFACING PGP WITH
Message-ID: <9411291550.AA12332@nately.UCSD.EDU>

|> If you don't have finger access, mail me privately, and I'll send
|>the file to you.

JA|If you don't mind, could I have a copy? finger is disabled here...

If you can't use finger from your site, send mail to mg5n+finger at andrew.cmu.edu and put the address you want to finger in the message. He's the greatest, eh...

From rfb+ at cs.cmu.edu Tue Nov 29 08:40:07 1994
From: rfb+ at cs.cmu.edu (Rick Busdiecker)
Date: Tue, 29 Nov 94 08:40:07 PST
Subject: PGP Enhanced Messaging (PEM)
Message-ID: <3bflf1$f97@casaba.srv.cs.cmu.edu>

-----BEGIN PGP SIGNED MESSAGE-----

I've made my PGP Enhanced Messaging (PEM) available via anonymous FTP on H.GP.CS.CMU.EDU in /usr/rfb/pem/. This is free software available under the terms of the GNU Public License.

I'm enclosing some information from the +Read.Me+ file for the distribution archive (ftp://h.gp.cs.cmu.edu/usr/rfb/pem/) as well as the one for the software itself.

Changes since the most recent distributed version include:

 - New keybindings that meet RMS specifications.

 - Some fine tuning related to generating and verifying `header signatures' for messages that include lines starting with either "From " or ">From ".

If you pick this up, please send mail to me to let me know.

                        Rick

======================================================================

This is a distribution archive for PGP Enhanced Messaging (PEM). The files contained here are:

    +Read.Me+          This file
    pem.tar.gz         compressed (with gzip) archive
    pem.tar.gz.asc     PGP signed and armored compressed archive
    pem.tar.gz.sig     detached signature for pem.tar.gz
    rfb at cmu.edu     my public key block

Notes:

 - There is no uuencoded file. pem.tar.gz.asc can be mailed safely.

 - If you're concerned about tampering at this archive site, you should fetch my public key block from elsewhere. The public key server at pgp-public-keys at pgp.mit.edu is a good place to get it.

======================================================================

PGP Enhanced Messaging (PEM) should not be confused with the Privacy Enhanced Mail standard (PEM). Information on integrating PEM into your GNU Emacs environment is included at the end of this file.

The idea behind PEM is to provide a set of Emacs Lisp functions to augment common mailers and newsreaders with PGP related operations.

PEM is implemented in layers. There are customization variables defined at each level. They are described later in this document.

At the highest level, each supported messaging package has a file that implements the functions that are specific to that package. Currently there are:

    pem-mhe.el     For use with mh-e.el, an Emacs interface to the MH mailer.
    pem-gnus.el    For use with the GNUS newsreader.

Appropriate hook functions are defined which add standard function bindings to the various modal key maps. Typically, the following bindings will be in place in any message related buffer:

    C-c C-d    Decrypt next PGP block in current message
    C-c C-e    Encrypt current message
    C-c C-i    Insert a public key into a message
    C-c C-n    sign aNd encrypt current message
    C-c C-s    Sign current message
    C-c C-v    Verify next PGP signed block in current message
    C-c C-x    Extract next public key from message

[ Note: This is a change from previous versions where, for example, C-c d and C-c D would be defined. RMS says to do bindings this way and leave those other bindings for users ]

Where possible, in buffers which are for composing messages, the standard mechanism for committing (sending or posting) a message will be augmented to support signing and/or encrypting.

In buffers which are not for composing messages, the upper case versions are also defined without the C-c prefix, e. g. "D" will decrypt the current message. A notable exception to this is the GNUS *Summary* buffer which has the following default bindings:

    D    gnus-summary-mark-as-read-backward
    N    gnus-summary-next-article
    V    gnus-version
    X    gnus-summary-delete-marked-with

Note that in some contexts, some of these bindings don't make sense. They are still bound, however, the function to which they are bound signals an error indicating the operation is inappropriate.
For example, it does not make sense to insert your public key into the body of a news article that you are reading.

However, some `obvious' restrictions are relaxed when dealing with mail. When you attempt to encrypt a mail message which you are reading, it may be `self encrypted', that is, the message body will be encrypted such that only you can decrypt it.

Each of the package specific files are built on functions defined in pem.el. It contains generic message operations and deals with issues like parsing headers and addresses, and identifying PGP armored regions.

At the core is npgp.el -- New pgp.el -- so named as to avoid conflicts with the pgp.el, maintained by Gray Watson and Jack Repenning, which is available through various elisp archives. This runs PGP asynchronously and is able to deal with the erratic prompting that PGP sometimes does. For example, the first time that you use an untrusted key, PGP will prompt asking if you're sure that you want to use it. npgp.el passes the question on to you, using standard Emacs prompting to get the answer from you.

PEM also uses passwd.el by Jamie Zawinski to read passphrases.

From rfb at CMU.EDU Tue Nov 29 08:43:28 1994
From: rfb at CMU.EDU (Rick Busdiecker)
Date: Tue, 29 Nov 94 08:43:28 PST
Subject: PGP Enhanced Messaging (PEM)
Message-ID: <9411291643.AA26270@toad.com>

-----BEGIN PGP SIGNED MESSAGE-----

I've made my PGP Enhanced Messaging (PEM) available via anonymous FTP on H.GP.CS.CMU.EDU in /usr/rfb/pem/. This is free software available under the terms of the GNU Public License.

I'm enclosing some information from the +Read.Me+ file for the distribution archive (ftp://h.gp.cs.cmu.edu/usr/rfb/pem/) as well as the one for the software itself.

Changes since the most recent distributed version include:

 - New keybindings that meet RMS specifications.

 - Some fine tuning related to generating and verifying `header signatures' for messages that include lines starting with either "From " or ">From ".

If you pick this up, please send mail to me to let me know.

                        Rick

======================================================================

This is a distribution archive for PGP Enhanced Messaging (PEM). The files contained here are:

    +Read.Me+          This file
    pem.tar.gz         compressed (with gzip) archive
    pem.tar.gz.asc     PGP signed and armored compressed archive
    pem.tar.gz.sig     detached signature for pem.tar.gz
    rfb at cmu.edu     my public key block

Notes:

 - There is no uuencoded file. pem.tar.gz.asc can be mailed safely.

 - If you're concerned about tampering at this archive site, you should fetch my public key block from elsewhere. The public key server at pgp-public-keys at pgp.mit.edu is a good place to get it.

======================================================================

PGP Enhanced Messaging (PEM) should not be confused with the Privacy Enhanced Mail standard (PEM). Information on integrating PEM into your GNU Emacs environment is included at the end of this file.

The idea behind PEM is to provide a set of Emacs Lisp functions to augment common mailers and newsreaders with PGP related operations.

PEM is implemented in layers. There are customization variables defined at each level. They are described later in this document.

At the highest level, each supported messaging package has a file that implements the functions that are specific to that package. Currently there are:

    pem-mhe.el     For use with mh-e.el, an Emacs interface to the MH mailer.
    pem-gnus.el    For use with the GNUS newsreader.

Appropriate hook functions are defined which add standard function bindings to the various modal key maps.
Typically, the following bindings will be in place in any message related buffer:

    C-c C-d    Decrypt next PGP block in current message
    C-c C-e    Encrypt current message
    C-c C-i    Insert a public key into a message
    C-c C-n    sign aNd encrypt current message
    C-c C-s    Sign current message
    C-c C-v    Verify next PGP signed block in current message
    C-c C-x    Extract next public key from message

[ Note: This is a change from previous versions where, for example, C-c d and C-c D would be defined. RMS says to do bindings this way and leave those other bindings for users ]

Where possible, in buffers which are for composing messages, the standard mechanism for committing (sending or posting) a message will be augmented to support signing and/or encrypting.

In buffers which are not for composing messages, the upper case versions are also defined without the C-c prefix, e. g. "D" will decrypt the current message. A notable exception to this is the GNUS *Summary* buffer which has the following default bindings:

    D    gnus-summary-mark-as-read-backward
    N    gnus-summary-next-article
    V    gnus-version
    X    gnus-summary-delete-marked-with

Note that in some contexts, some of these bindings don't make sense. They are still bound, however, the function to which they are bound signals an error indicating the operation is inappropriate. For example, it does not make sense to insert your public key into the body of a news article that you are reading.

However, some `obvious' restrictions are relaxed when dealing with mail. When you attempt to encrypt a mail message which you are reading, it may be `self encrypted', that is, the message body will be encrypted such that only you can decrypt it.

Each of the package specific files are built on functions defined in pem.el. It contains generic message operations and deals with issues like parsing headers and addresses, and identifying PGP armored regions.

At the core is npgp.el -- New pgp.el -- so named as to avoid conflicts with the pgp.el, maintained by Gray Watson and Jack Repenning, which is available through various elisp archives. This runs PGP asynchronously and is able to deal with the erratic prompting that PGP sometimes does. For example, the first time that you use an untrusted key, PGP will prompt asking if you're sure that you want to use it. npgp.el passes the question on to you, using standard Emacs prompting to get the answer from you.

PEM also uses passwd.el by Jamie Zawinski to read passphrases.

From adam at bwh.harvard.edu Tue
Nov 29 09:27:41 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Tue, 29 Nov 94 09:27:41 PST
Subject: PGP Enhanced Messaging (PEM)
In-Reply-To: <9411291643.AA26270@toad.com>
Message-ID: <199411291727.MAA00226@walker.bwh.harvard.edu>

You wrote:

| PGP Enhanced Messaging (PEM) should not be confused with the Privacy
| Enhanced Mail standard (PEM). Information on integrating PEM into
| your GNU Emacs environment is included at the end of this file.

There is enough FUD in the crypto business already. Why enhance it by using another name, already in use, that refers to a similar*, but competing set of standards?

Adam

* By similar, I mean that both PEM's are cryptographic solutions for privacy & authentication, rather than one being a routing protocol, the other a security package.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From jamesd at netcom.com Tue Nov 29 09:39:05 1994
From: jamesd at netcom.com (James A. Donald)
Date: Tue, 29 Nov 94 09:39:05 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411291549.HAA03235@largo.remailer.net>
Message-ID: <199411291737.JAA14520@netcom7.netcom.com>

Right now there is no market for crypto on the net because the net is not yet real life.

You cannot make money on the net, net reputations do not count in jobs, academic or otherwise.

When real life moves onto the net, there will be plenty of demand for crypto.

And as I said before, first you need a user interface that even the chairman of the board can use.

First we get that user interface up for other things, then for crypto. Do crypto first, no one will buy it.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we        James A. Donald
are. True law derives from this right, not from
the arbitrary power of the omnipotent state.            jamesd at acm.org

From hfinney at shell.portal.com Tue Nov 29 10:15:07 1994
From: hfinney at shell.portal.com (Hal)
Date: Tue, 29 Nov 94 10:15:07 PST
Subject: Transparent Email
In-Reply-To: <199411290803.CAA00300@omaha.omaha.com>
Message-ID: <199411291633.IAA05260@jobe.shell.portal.com>

-----BEGIN PGP SIGNED MESSAGE-----

Alex Strasheim writes:

>I think it's a bad idea to require signatures on the list, or even to
>penalize people who don't use them. People aren't signing their posts
>because it's too much of a hassle to do it from a dial up, netcom style,
>account, not because they're insufficiently committed to the cause.

>It seems to me that such a rule would stifle discussion and encourage
>people to store their keys on insecure accounts.

Just create a special key for your netcom account. Use no pass phrase; using one would give a misleading sense of security IMO. Just pass your mail through "pgp -saft" or equivalent and you've got it. It is easy to do this from most editors.

From rfb at lehman.com Tue Nov 29 10:21:21 1994
From: rfb at lehman.com (Rick Busdiecker)
Date: Tue, 29 Nov 94 10:21:21 PST
Subject: popularising digsigs
In-Reply-To: <9411301332.AA02657@ima.com>
Message-ID: <9411291817.AA02631@cfdevx1.lehman.com>

   From: Ed Wilkinson
   Date: Tue, 29 Nov 94 21:32:16 HKT

   Well, knowing the US, things will probably hobble along much the same, until there's a lawsuit. e.g. X sues Y because a post on the net 'apparently' from Y libelled X. Now *that* would get people to start using digsigs!

Hmmm. So, let's see. Since I'm someone who (almost) always signs my outgoing mail/posts, if I make a libelous statement to a newsgroup and `forget' to sign it, then I'm safer from litigation than people who never sign?

Personally, I hope that when the first libel suit of this form actually makes it to trial, the defense makes a point of showing just how easy it is to spoof mail and postings, i. e. just how difficult the burden of proof is.

On the other hand, I'm scared by the prospect that the first trial where it's an issue is a tax or drug forfeiture case where the burden of proof is on the defendant.

                        Rick

From tcmay at netcom.com Tue Nov 29 10:24:11 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Tue, 29 Nov 94 10:24:11 PST
Subject: popularising digsigs
In-Reply-To: <9411301332.AA02657@ima.com>
Message-ID: <199411291822.KAA10153@netcom8.netcom.com>

Ed Wilkinson wrote:
>
> Well, knowing the US, things will probably hobble along much the same,
> until there's a lawsuit. e.g. X sues Y because a post on the net
> 'apparently' from Y libelled X. Now *that* would get people to start using
> digsigs!
>

Quite so. By analogy, the *safe* industry (vaults, not the modern thing) evolved by _insurers_ charging higher rates for weaker safes. This directly, in the present, incentivized a merchant to invest in a better safe. He didn't need to be _persuaded_ by the 1894 "Safepunks" mailing list that better safes were a good thing.

In other words, we're at an early, immature stage of crypto. Yes, really.

I agree that some well-publicized events could accelerate the use of crypto, could galvanize improvements in user interface, etc.:

- a lawsuit such as Ed Wilkinson mentioned (a nit: from my understanding of burden of proof, the burden would lie on X to prove that Y libelled him, not on Y to prove that he didn't write the material).

- evidence of massive corporate espionage could accelerate a conversion to an "encrypt everything" mode.

- a patent dispute that gets settled because of time-stamping of lab notebooks...this would make "Electronic Lab Books" de rigueur. (Budding entrepreneurs may want to keep this in mind.)

-- and so on.

Crypto is mostly about economics, as we often say (esp.
Eric H.). Costs of encryption, decryption, breaking of ciphers, deployment of digital cash, etc.

Right now there are few _good economic reasons_ to use digital cash in lieu of real cash or Visa-type payments. Maybe this'll change (I think it will, someday), but for now...

All of these things are related.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com    | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From zoo at armadillo.com Tue Nov 29 10:27:49 1994
From: zoo at armadillo.com (david d `zoo' zuhn)
Date: Tue, 29 Nov 94 10:27:49 PST
Subject: The Market for Crypto--A Curmudgeon's View
Message-ID: <199411291828.MAA27828@monad.armadillo.com>

-----BEGIN PGP SIGNED MESSAGE-----

// You cannot make money on the net, net reputations
// do not count in jobs, academic or otherwise.

I disagree here -- I've gotten a couple of jobs where my net reputation preceded me and was the primary motivator for my getting an interview. I was also told at one of them to continue posting as I did because they felt that their reputation was enhanced by mine.

And "cannot make money on the net"? How do you see this? Much as I hate the metaphor, I don't make money on the local highways either, but they're a part of real life. I use them to do other things to make money. Neither are an integral part of the work that I do, but both make it possible for me to do the work in a fashion that I can handle (I refuse to live in my office ever again).

Just because the reputations aren't digital yet, nor is the cash, doesn't mean that the Net isn't real life.
It's as real as nearby I-94. And a lot more interesting and complex.

--
 - david d `zoo' zuhn -| armadillo zoo software -- St. Paul, Minnesota
 -- zoo at armadillo.com --| unix generalist (and occasional specialist)
 ------------------------+ send e-mail for more information
   pgp key upon request +----------------------------------------------------

From rfb at lehman.com Tue Nov 29 10:41:39 1994
From: rfb at lehman.com (Rick Busdiecker)
Date: Tue, 29 Nov 94 10:41:39 PST
Subject: PGP Enhanced Messaging (PEM)
In-Reply-To: <199411291727.MAA00226@walker.bwh.harvard.edu>
Message-ID: <9411291839.AA03025@cfdevx1.lehman.com>

   From: Adam Shostack
   Date: Tue, 29 Nov 94 12:27:13 EST

   Why enhance it by using another name, already in use, that refers to a similar*, but competing set of standards?

Well, at least in part because I think that some things about the Privacy Enhanced Mail standard suck big time.

Do I think that I'll actually cause it to be changed simply by stealing the acronym? Of course not. Do I get any pleasure from the idea that this could potentially muck up the works a bit? Sure.

                        Rick

From jya at pipeline.com Tue Nov 29 10:52:21 1994
From: jya at pipeline.com (John Young)
Date: Tue, 29 Nov 94 10:52:21 PST
Subject: Transparent Email
Message-ID: <199411291851.NAA13999@pipe2.pipeline.com>

Responding to msg by eric at remailer.net (Eric Hughes) on Mon, 28 Nov 9:54 PM

>I am still considering the "sign-or-delay" proposal for
>the toad.com
>server, that is, sign your articles to the list or
>they'll be delayed
>and eventually rejected.

Does not everyone get a complete header like the one below from Eric's post with incoming mail? This is presented automagically by The Pipeline's system.
I had assumed that because every mail received here has such a header that everyone else could also see who sent my mail, signed or not. That is why I have not signed my posts. BTW, Pipeline does not allow anonymously-sent direct mail -- as a take it or leave it policy. So we cannot manipulate headers to forge from this Windows-driven end. John Young (redundantly, I thought) >From owner-cypherpunks at toad.com Tue Nov 29 00:01 EST >1994 > Received: from relay2.UU.NET (relay2.UU.NET >[192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP >id AAA09928 for ; Tue, 29 Nov 1994 >00:01:20 -0500 >Received: from toad.com by relay2.UU.NET with SMTP > id QQxsbj13332; Mon, 28 Nov 1994 23:59:02 -0500 >Received: by toad.com id AA15623; Mon, 28 Nov 94 >20:55:57 PST >Received: from largo.remailer.net ([204.94.187.1]) by >toad.com id AA15611; Mon, 28 Nov 94 20:55:29 PST >Received: (from eric at localhost) by largo.remailer.net >(8.6.8/8.6.6) id VAA02536; Mon, 28 Nov 1994 21:54:14 >-0800 >Date: Mon, 28 Nov 1994 21:54:14 -0800 >Message-Id: <199411290554.VAA02536 at largo.remailer.net> >To: cypherpunks at toad.com >In-Reply-To: <199411282330.RAA00186 at omaha.omaha.com> >(message from Alex Strasheim on Mon, 28 Nov 1994 >17:30:22 -0600 (CST)) >Subject: Re: Transparent Email >From: eric at remailer.net (Eric Hughes) >Sender: owner-cypherpunks at toad.com >Precedence: bulk >Content-Type: text >Content-Length: 6504 From jrochkin at cs.oberlin.edu Tue Nov 29 10:52:48 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Tue, 29 Nov 94 10:52:48 PST Subject: "You aren't following the _rules_!" Message-ID: At 3:58 AM 11/29/94, Lucky Green wrote: >I do not mean to belittle the work that has been done, but unless the >encryption is built into the mailer and using a remailer means clicking the >"use X remailer(s)" button, and the mailer better know which ones are >working and do the PGP envelopes, it won't happen. Have you used premail? It pretty much does all of that. 
People still aren't using premail, either because they can't figure out how to install it (doubtful, it's not hard to install), or because they don't have a need for it that's great enough to justify the (minimal) time necessary to ftp it and install it, or wait the (sometimes more painful) time necessary for the computer to encrypt and/or sign your outgoing messages.

Which was admittedly your main point; until there is a _need_ for crypto, it's not going to be used. Because premail makes it incredibly easy to use PGP on a unix box. And, for that matter, the Eudora/PGP applescripts make it incredibly easy to use PGP on a mac. And there are some people working on an applescript that will automate using remailers on a mac too. But ease of use apparently isn't enough; no matter how easy it gets to use, it's still going to have some cost to the user over not using it. Even if the cost is only having to wait the 1.5 seconds it takes your machine to decrypt/encrypt a message. Unless there's a use for it, people won't be willing to spend that 1.5 seconds per message.

From alex at omaha.com Tue Nov 29 11:00:06 1994
From: alex at omaha.com (Alex Strasheim)
Date: Tue, 29 Nov 94 11:00:06 PST
Subject: Transparent Email
In-Reply-To:
Message-ID: <199411291900.NAA00304@omaha.omaha.com>

-----BEGIN PGP SIGNED MESSAGE-----

> They are already there - in elm and pine, as well as many others.

Yes, I know this. I have hacked up a couple of primitive scripts I use to sign my outgoing mail from elm, for example.

There is, I think, a big advantage to using premail as a /usr/lib/sendmail, though, namely that it provides a general solution. In one fell swoop, I get elm, pine, /bin/mail, etc. Email sent from trn or tin is encrypted, (but posts are still unsigned, unfortunately.)
The thing that I'm shooting for is a unix workstation which works and acts pretty much exactly like most other workstations, at least as far as email goes, except that there's a file (in this case ~/.premailrc) with a list of people with whom encrypted and signed email ought to be exchanged, transparently. As far as I'm concerned, as a user, I won't even be able to tell the difference between corresponding with people on the list and off the list. It will look pretty much the same to me. It's not a revolutionary improvement by any means, but I think it is an evolutionary step forward. And because it is pretty much a matter of kludging together a bunch of available pieces, it might be a good prelude to pop clients which would be more useful to the public at large, but a lot harder to implement. > > This leaves the problem of passphrases for outgoing signatures and > > automatically decrypting incoming mail, but I think that cfs will let me > > kludge something together which will get around this. > > No need to kludge anything. Take a good look at the PGP docs - they will > let you do exactly what you want. I know, but I'm a little squeamish about leaving my keys unprotected. Also, I'm not very fond of the idea that encrypted email would be decrypted when it got here and left in plaintext on the mail spool. > > (My situation is a little unusual, because I'm running linux on a pc which > > is connected to the net via a static slip account. I don't think this > > would work well in other situations.) > > I'm running Linux here, and have run it both as static/dynamic SLIP, and hung > (well!) off a T1 line. The main problem comes from using cfs vs. having mail come in all the time. A constant flow of mail necessitates having cfs dirs mounted all the time, which sort of defeats the point of using cfs in the first place. Of course a queue would fix this, and might tidy up some other loose ends about multiple email addresses as well. 
> > o would be reasonably secure when it was powered off
>
> This last one is really the only advantage to running cfs, IMO.

I agree with you about it being the only advantage, but I think it's a big enough one to justify bringing cfs into the picture. Otherwise it wouldn't be practical to use this setup in an office or school environment, because anyone could boot your machine with a floppy and steal your key.

> Here's the set of scripts I use here. Others use more sophisticated ones, but
> I'm not into shell programming ;}

Thanks... yours is a lot more sophisticated than mine, though:

#!/bin/sh
# Edit the message, then optionally clearsign it in place with PGP.
/usr/bin/vi "$@"
clear
printf "Sign file? (y/N) "
read ans
case $ans in
  y|Y)
    # Replace the original only if pgp succeeded.
    pgp -fast < "$1" > "$1.asc" && mv "$1.asc" "$1"
    ;;
esac

== Alex Strasheim | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1. public key

From samman at CS.YALE.EDU Tue Nov 29 11:03:53 1994
From: samman at CS.YALE.EDU (Ben)
Date: Tue, 29 Nov 94 11:03:53 PST
Subject: We really _aren't_ paranoid :)
In-Reply-To:
Message-ID:

On Mon, 28 Nov 1994, Johnathan Corgan wrote:

[snip]
> Ginsburg later asked Days to cite an example of a law which Congress
> would NOT have the authority to enact under the Interstate Commerce
> Clause. Interjected Justice Scalia, "Don't give away anything here.
> They might want to do it."

I'm not sure I follow. Is Scalia saying, "Don't give away anything here. They[Congress?] might want to do it."?

Thanks
Ben.
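The recognizer behind the "sign-or-delay" proposal discussed in this thread, sketched as an added example (not code from the list, from toad.com or from any poster): it classifies a message body by PGP clearsign framing and armor checksum only, then maps the result to the tag, delay and bounce stages. The X-Signature-Status header name, the 24-hour delay and the sample message are assumptions constructed for illustration.

```python
import base64
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """Armor checksum used by PGP/OpenPGP (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def classify(body: str) -> str:
    """Return 'signed', 'malformed' or 'unsigned' from the framing alone.

    Nothing here checks the signature against a key: 'signed' only means the
    clearsign framing and the armor checksum are intact.
    """
    lines = [line.rstrip() for line in body.splitlines()]
    if BEGIN_MSG not in lines:
        return "unsigned"
    start = lines.index(BEGIN_MSG)
    try:
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        return "malformed"
    # Optional "Key: value" armor headers, then a mandatory blank line.
    pos = start + 1
    while pos < sig and lines[pos]:
        if not re.match(r"[A-Za-z]+:", lines[pos]):
            return "malformed"
        pos += 1
    if pos >= sig:
        return "malformed"
    # Signed text is dash-escaped: a line starting with "-" must start "- ".
    text = lines[pos + 1:sig]
    if any(l.startswith("-") and not l.startswith("- ") for l in text):
        return "malformed"
    # Signature block: headers, blank line, base64 data, "=" + CRC-24.
    block = lines[sig + 1:end]
    if "" not in block:
        return "malformed"
    data = [l for l in block[block.index("") + 1:] if l]
    if len(data) < 2 or not data[-1].startswith("="):
        return "malformed"
    try:
        packet = base64.b64decode("".join(data[:-1]), validate=True)
        check = base64.b64decode(data[-1][1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if len(check) != 3 or int.from_bytes(check, "big") != crc24(packet):
        return "malformed"
    return "signed"


def list_action(body: str, phase: int, delay_hours: int = 24):
    """Staged server handling: phase 1 tags, phase 2 delays, phase 3 bounces."""
    status = classify(body)
    if status == "signed":
        return ("deliver", None)
    if phase >= 3:
        return ("bounce", status)
    if phase == 2:
        return ("delay", delay_hours)
    # Hypothetical header name; the thread only says "a header".
    return ("tag", "X-Signature-Status: " + status)


def make_sample(text: str, packet: bytes) -> str:
    """Build a CONSTRUCTED test message; packet is filler, not a signature."""
    escaped = ["- " + l if l.startswith("-") else l for l in text.split("\n")]
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(
        [BEGIN_MSG, ""] + escaped
        + [BEGIN_SIG, "Version: 2.6.2", "", base64.b64encode(packet).decode(),
           "=" + check, END_SIG, ""]
    )


if __name__ == "__main__":
    sample = make_sample("I agree.\n-derek", bytes(range(40)))
    for name, body in [("framed", sample), ("plain", "I agree.\n")]:
        for phase in (1, 2, 3):
            print(name, phase, list_action(body, phase))
```

A result of 'signed' says nothing about who wrote the message; tying a post to a key needs real verification against a keyring, as in the auto-verify idea raised later in this thread.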
From jcorgan at netcom.com Tue Nov 29 11:12:31 1994
From: jcorgan at netcom.com (Johnathan Corgan)
Date: Tue, 29 Nov 94 11:12:31 PST
Subject: We really _aren't_ paranoid :)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

>> Ginsburg later asked Days to cite an example of a law which Congress
>> would NOT have the authority to enact under the Interstate Commerce
>> Clause. Interjected Justice Scalia Don't give away anything here.
>> They might want to do it.
>
>I'm not sure I follow. Is Scalia saying Don't give away anything here.
>They[Congress?] might want to do it. ?

That's what it sounds like to me.

=======================================================================
Johnathan Corgan "Violence is the last refuge of the incompetent"
jcorgan at netcom.com -Isaac Asimov
PGP Public Key: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or send email to: pgp-public-keys at pgp.ai.mit.edu Subj: GET jcorgan
=======================================================================

From jamiel at sybase.com Tue Nov 29 11:29:49 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Tue, 29 Nov 94 11:29:49 PST
Subject: Crypto and Ease of Use (Was: Re: "You aren't following)
Message-ID:

>At 3:58 AM 11/29/94, Lucky Green wrote:
>Have you used premail? It pretty much does all of that.
>People still aren't using premail, either because they can't figure out how
>to install it (doubtful, it's not hard to install), or because they don't
>have a need for it that's great enough to justify the (minimal) time
>necessary to ftp it and install it, or wait the (sometimes more painful)
>time necessary for the computer to encrypt and/or sign your outgoing
>messages.
I think there is still a difference between having functionality available for some effort (ftping, installing, reading the instructions) and having a menu item in Eudora. The difference is the same one that makes Macintoshes more popular than Unix boxes for the people out there who just want to get something done ("The Rest Of Us"). Full integration into mainstream products is necessary before Your Average Joe out there will bother to use the various tools available. This may be somewhere in between Tim's pusher/puller distinctions - crypto-related technologies are compelling, but not enough to draw people in without ease of use.

"If you build it, they will come (but only if it is pretty)."

-j
--
On the internet, no one knows you're a deity.
___________________________________________________________________
Jamie Lawrence
Soon --------->

From jya at pipeline.com Tue Nov 29 11:30:41 1994
From: jya at pipeline.com (John Young)
Date: Tue, 29 Nov 94 11:30:41 PST
Subject: Transparent Email
Message-ID: <199411291929.OAA05687@pipe3.pipeline.com>

Knumbskull Alert!

On the transparent e-mail topic, I send the presumably anonymous mail headers below received here by way of The Pipeline provider.

Would some kind soul verify that the headers do not disclose the true ID or true address or true path or other true info that would identify the prayerfully anonymous sender?

Every piece of mail coming here has such headers. Does everyone else get the same?

FWIW, the mail system automagically lists the sender and the subject in a neat chart, and hides the header if commanded to do so, or reveals it to the prying mind.

Thanks.

John Young (signing until forbidden)

PS: It's true that Pipeline was cracked last Saturday and the system shut down for a while "due to a security breach".
The story in the WSJ about the "Internet Liberation Front" explained more than we clueless subscribers were allowed to know -- as the story said, corporations don't want us babes to know about our vulnerabilities, we might demand better service. ------------------- Jpunix Header: >From owner-cypherpunks at toad.com Mon Nov 28 20:14 EST 1994 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP id UAA22639 for ; Mon, 28 Nov 1994 20:14:45 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxsau18498; Mon, 28 Nov 1994 20:13:25 -0500 Received: by toad.com id AA12541; Mon, 28 Nov 94 17:08:09 PST Received: from jpunix.com by toad.com id AA12535; Mon, 28 Nov 94 17:07:57 PST Received: (from remailer at localhost) by jpunix.com (8.6.9/8.6.6) id TAA17362 for cypherpunks at toad.com; Mon, 28 Nov 1994 19:07:46 -0600 Date: Mon, 28 Nov 1994 19:07:46 -0600 Message-Id: <199411290107.TAA17362 at jpunix.com> To: cypherpunks at toad.com Subject: RE: Cash From: nobody at jpunix.com (Anonymous) Comments: This message did not originate from the above address. It was automatically remailed by an anonymous mail service. Please report inappropriate use to NOTE: Mail to nobody is sent to /dev/null Finger remailer at jpunix.com for remailer help. Finger kserver at jpunix.com for PGP keyserver help. 
Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: text Content-Length: 801 ------------------- Chaos.bsu Header (spooge): >From owner-cypherpunks at toad.com Mon Nov 28 10:09 EST 1994 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP id KAA26339 for ; Mon, 28 Nov 1994 10:09:55 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxrzg29356; Mon, 28 Nov 1994 10:03:33 -0500 Received: by toad.com id AA25960; Mon, 28 Nov 94 07:01:07 PST Received: from bsu-cs.bsu.edu by toad.com id AA25954; Mon, 28 Nov 94 07:01:03 PST Received: (from nowhere at localhost) by bsu-cs.bsu.edu (8.6.9/8.6.6) id KAA16037 for cypherpunks at toad.com; Mon, 28 Nov 1994 10:00:55 -0500 Date: Mon, 28 Nov 1994 10:00:55 -0500 Message-Id: <199411281500.KAA16037 at bsu-cs.bsu.edu> From: Anonymous To: cypherpunks at toad.com X-Remailed-By: Anonymous X-Ttl: 2 X-Notice: This message was forwarded by a software- automated anonymous remailing service. Comment: The contents of this message are neither condoned by nor approved by Ball State University. 
Please report problems or complaints to nowhere at chaos.bsu.edu Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: text Content-Length: 105 ------------------- Anon.penet.fi Header (Al Capone) >From owner-cypherpunks at toad.com Sun Nov 27 19:49 EST 1994 Received: from news.pipeline.com (news [198.80.32.5]) by pipeline.com (8.6.9/8.6.9) with ESMTP id TAA05980 for ; Sun, 27 Nov 1994 19:49:52 -0500 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by news.pipeline.com (8.6.9/8.6.9) with ESMTP id TAA14755 for ; Sun, 27 Nov 1994 19:30:25 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxrwz27537; Sun, 27 Nov 1994 19:29:53 -0500 Received: by toad.com id AA16432; Sun, 27 Nov 94 16:27:21 PST Received: from anon.penet.fi by toad.com id AA16426; Sun, 27 Nov 94 16:27:16 PST Received: by anon.penet.fi (5.67/1.35) id AA03124; Mon, 28 Nov 94 01:12:06 +0200 Message-Id: <9411272312.AA03124 at anon.penet.fi> To: cypherpunks at toad.com From: an41389 at anon.penet.fi (The Al Capone of the Info Highway) X-Anonymously-To: cypherpunks at toad.com Organization: Anonymous contact service Reply-To: an41389 at anon.penet.fi Date: Sun, 27 Nov 1994 23:12:05 UTC Subject: How to disable telnet to port 25 Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: text Content-Length: 764 ------------------- Nately Header: >From owner-cypherpunks at toad.com Sat Nov 26 22:50 EST 1994 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP id WAA12434 for ; Sat, 26 Nov 1994 22:50:31 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxrtv11771; Sat, 26 Nov 1994 22:50:04 -0500 Received: by toad.com id AA02097; Sat, 26 Nov 94 19:47:48 PST Received: from ucsd.edu by toad.com id AA02091; Sat, 26 Nov 94 19:47:45 PST Received: from nately.UCSD.EDU by ucsd.edu; id TAA19011 sendmail 8.6.9/UCSD-2.2-sun via SMTP Sat, 26 Nov 1994 19:47:41 -0800 for Received: by nately.UCSD.EDU (4.1/UCSDGENERIC.4) id 
AA12222 to cypherpunks at toad.com; Sat, 26 Nov 94 19:50:40 PST Date: Sat, 26 Nov 94 19:50:40 PST Message-Id: <9411270350.AA12222 at nately.UCSD.EDU> To: cypherpunks at toad.com Subject: Need program pointers From: nobody at nately.UCSD.EDU (Anonymous) Comments: This message did not originate from the above address. It was automatically remailed by an anonymous mail service. Please report inappropriate use to Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: text Content-Length: 978 From: IN%"storm at marlin.ssnet.com" 26-NOV-1994 21:38:47.14 To: IN%"cypherpunks at toad.com" CC: IN%"storm at marlin.ssnet.com" Subj: Need program pointers ------------------- Au.informix Header (Critias): >From owner-cypherpunks at toad.com Sat Nov 26 17:58 EST 1994 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP id RAA29778 for ; Sat, 26 Nov 1994 17:58:07 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxrtb28834; Sat, 26 Nov 1994 17:56:43 -0500 Received: by toad.com id AA28479; Sat, 26 Nov 94 14:52:50 PST Received: from gateway.informix.com by toad.com id AA28473; Sat, 26 Nov 94 14:52:39 PST Received: from informix.com (infmx.informix.com) by gateway.informix.com (4.1/SMI-4.1) id AA20299; Sat, 26 Nov 94 14:52:34 PST Received: from carbon.informix.com by informix.com (4.1/SMI-4.1) id AA06617; Sat, 26 Nov 94 14:52:33 PST Received: by carbon.informix.com (4.1/SMI-4.1) id AA00381; Sat, 26 Nov 94 14:53:23 PST Date: Sat, 26 Nov 94 14:53:23 PST From: Critias_the_conspirator at au.informix.com Message-Id: <9411262253.AA00381 at carbon.informix.com> Subject: Privacy Digest Apparently-To: cypherpunks at toad.com Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: text Content-Length: 2111 ------------------- Access Header (Uni): >From owner-cypherpunks at toad.com Sat Nov 26 15:40 EST 1994 Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pipeline.com (8.6.9/8.6.9) with ESMTP id 
PAA21937 for ; Sat, 26 Nov 1994 15:40:51 -0500 Received: from toad.com by relay2.UU.NET with SMTP id QQxrss22905; Sat, 26 Nov 1994 15:40:01 -0500 Received: by toad.com id AA24978; Sat, 26 Nov 94 12:17:51 PST Received: from access3.digex.net by toad.com id AA24972; Sat, 26 Nov 94 12:17:40 PST Received: by access3.digex.net id AA16948 (5.67b8/IDA-1.5 for cypherpunks at toad.com); Sat, 26 Nov 1994 15:17:29 -0500 Date: Sat, 26 Nov 1994 15:17:29 -0500 (EST) From: Black Unicorn To: Gary Jeffers Cc: cypherpunks at toad.com Subject: Re: Privacy Digest - Blk Unicorn , Frissell, Sandfort In-Reply-To: <9411261934.AA23910 at toad.com> Message-Id: Mime-Version: 1.0 Sender: owner-cypherpunks at toad.com Precedence: bulk Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Length: 1332 From merriman at metronet.com Tue Nov 29 11:50:09 1994 From: merriman at metronet.com (David K. Merriman) Date: Tue, 29 Nov 94 11:50:09 PST Subject: "You aren't following the _rules_!" Message-ID: <199411291950.AA02745@metronet.com> -----BEGIN PGP SIGNED MESSAGE----- Jonathan Rochkind replied: >At 3:58 AM 11/29/94 Lucky Green wrote: >>I do not mean to belittle the work that has been done but unless the >>encryption is built into the mailer and using a remailer means clicking the >>"use X remailer(s)" button and the mailer better know which ones are >>working and do the PGP envelopes it won't happen. > >Have you used premail? It pretty much does all of that. >People still aren't using premail either because they can't figure out how >to install it (doubtful it's not hard to install) or because they don't >have a need for it that's great enough to justify the (minimal) time >neccesary to ftp it and install it or wait the (sometimes more painful) >time neccesary for the computer to encrypt and/or sign your outgoing >messages. This brings up a point that I - among others - have to flog every now and then: the *x-centric nature of most of the net. 
I have no doubt that premail works wonders - but I don't know of any version of it that would run on my MS-DOS box a Mac an Amiga etc. I use PC Eudora for email and have pinged on QualComm every so often to ask when the commercial version will allow/support external encryption programs. As some may have noticed over the weekend I also started trying to use the PGP Tools package to try and write a PGP.DLL. For various reasons (mostly me :-) it's going to be more difficult and take longer than I thought - but I am *not* going to give up on it. Until/unless there exists fairly easy-to-implement means of including crypto for applications programmers on a variety of platforms other than *x boxes progress in the click-a-button-to-encrypt area is going to be bloody slow. > >Because premail makes it incredibly easy to use PGP on a unix box. And for >that matter the Eudora/PGP applescritps make it incredibly easy to use PGP >on a mac. And there are some people working on an applescript that will >automate using remailers on a mac too. But ease of use appearantly isn't >enough; no matter how easy it gets to use it's still going to have some >cost to the user over not using it. Even if the cost is only having to wait >the 1.5 seconds it takes your machine to decrypt/encrypt a message. Unless >there's a use for it people won't be willing to spend that 1.5 seconds per >message. This kinda supports my previous observations: the necessity of adding external scripts and such to the Mac version of Eudora slows down the program's operation more than necessary. If there were a Mac resource (of whatever kind - I'm not Mac-fluent) that the nice folks over at QualComm could use to build crypto into the program to start with then they wouldn't have the excuse of "we can't because there's nothing to do it with at the source level". My ha-penny's worth.... 
Dave Merriman

- - - - - - - - - - - - - - - - - - - - - - - - - -
Finger merriman at feenix.metronet.com for PGP public key and fingerprint.
PGP encrypted Email welcome, encouraged, and preferred.
"Those who make peaceful revolution impossible will make violent revolution inevitable." John F. Kennedy

From pfarrell at netcom.com Tue Nov 29 11:51:33 1994
From: pfarrell at netcom.com (Pat Farrell)
Date: Tue, 29 Nov 94 11:51:33 PST
Subject: Anarchists break rules, details at 11, was: The Market for Crypto--A Curmudgeon's View
Message-ID: <53177.pfarrell@netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

eric at remailer.net (Eric Hughes) writes:
> One underlying premise of Tim's argument is that the presence of these
> actions at the server makes his life harder.
> In what way? The server will not require a digital signature.
> Unsigned messages will still be sent to the list. There need be no
> change in the way that one sends and receives mail.
> I refuse the argument that toad.com server actions make anybody's life
> harder.

A few days delay, which is what I think we are talking about, will clearly make following threads more difficult. And add to noise on the list, as the content of an early-non-signed message may be repeated and signed by someone else later on.

After netcom's recent mail mis-delivery problems, I know all too well how hard it is to participate in discussions that are delivered in random-appearing order. A few hours delay will be indistinguishable to the netcom subscribers.

My experience with rules and PPLs on other lists has not impressed me. YMMV.

Whatcha trying to do, eric, lead the anarchists?
Pat

Pat Farrell Grad Student pfarrell at cs.gmu.edu
Department of Computer Science George Mason University, Fairfax, VA
Public key available via finger #include

From tcmay at netcom.com Tue Nov 29 12:26:43 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Tue, 29 Nov 94 12:26:43 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411291549.HAA03235@largo.remailer.net>
Message-ID: <199411292023.MAA00141@netcom19.netcom.com>

Eric Hughes wrote:

> Let me review the exact proposal. First, a recognizer is set up at
> toad.com to distinguish between digitally signed and unsigned
> messages. Second, some action on the message would be taken, which
> would gradually increase in effect over time. The first action would
> be to add a header to the end of the mail identifying it as unsigned.
> A later action would be to delay the mail at the server for some
> amount of time. A final action would be to delete or bounce messages
> that weren't signed.

As "all crypto is economics," the question is "why?" Why delay/bounce messages that don't fit someone's idea of proper usage?

Not to trivialize this proposal by frivolously insulting it, but consider a mailing list that decided to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever. How would people react who lacked these capabilities, or preferred to use alternatives (like simple unadorned text), or who merely object to an enforced standard?

If there's a good reason, fine. Or if the "owner" chooses to set arbitrary policies, fine. "My house, my rules" and all that. I don't want to open the pointless debate about who "owns" the list.
I'm relatively happy with the way things are: John Gilmore owns the toad machine and lets us use the CPU, etc., Hugh Daniel performs various maintenance actions on toad, and Eric Hughes is the de facto chief operator of the list. But that Eric--or John or Hugh or anyone else--has some notions of what people _ought_ to be using does not seem to be enough to effectively bar those who helped form the Cypherpunks group (many of us) just because they choose to communicate in one particular way.

If some flavor of PGP is mandated, I expect I'll unsubscribe (as I can't stand reading but not posting...lurkers obviously feel otherwise).

Absent a compelling reason, a market reason, why bother with someone's notion of ideological reasons? If people feel my unsigned messages are ideologically incorrect, they can not read my stuff.

> I note that Tim is not objecting to the nature of these effects, but
> rather their existence, especially since he is not addressing the
> timing of any ramped up vigor at the server. Just to set the record
> straight, refusing messages would be at the very least over a year away,
> and certainly wouldn't be taken until crypto mail readers were widely
> available. For purposes of discussion then, I leave out message
> deletion and only address the server actions of notification and
> delay.

I didn't address the timing because it's not the main issue. I agree that a year-long delay would lessen the effects, but it's still unwise to let ideology interfere with communication.

(For example, if I ran the list, instead of Eric, perhaps I'd insist that all posts be paid for in digital cash...or bought, or whatever. Lots of folks would be justifiably concerned that my ideology was getting in the way of letting folks communicate as they see fit.)

(Like I've said, anyone who doesn't want to read unsigned posts is perfectly free to filter out unsigned messages.)
> One underlying premise of Tim's argument is that the presence of these
> actions at the server makes his life harder.
>
> In what way? The server will not require a digital signature.
> Unsigned messages will still be sent to the list. There need be no
> change in the way that one sends and receives mail.

What about the *bounce* plan? If my posts get bounced, that'd qualify as making my life harder. Or so it seems to me.

> I refuse the argument that toad.com server actions make anybody's life
> harder.

I can imagine many such actions that would make many people's lives harder. A requirement to post in TeX, a stipulation that all posts use a certain format, academic rules for footnoting, etc. All of these sorts of "rules" can and do make lives harder.

(I'm grappling with specific format requirements for a paper to be published in a French publication. Such format requirements have their advantages, and I don't dispute the right of the French publishers to impose them, but they undisputably make the lives of authors harder.)

> I'm not saying that these server actions would have no effect, far
> from it. The effects are all in the social realm and have far more to
> do with peer pressure and social position than with technology. Can
> it be said that being marked as a non-signer makes one's life harder?
> I think not, perhaps others feel otherwise.

Again, I thought the proposal was to ultimately reject non-signed articles? That's a bit more than merely "being marked as a non-signer."

Speaking of this, it's already pretty clear who signs and who doesn't. What could be clearer than "----BEGIN PGP SIGNED MESSAGE---"? Why is anything further needed?

If the proposal is to stamp a scarlet letter on non-signers, it seems overly harsh, somewhat petty, kind of insulting, and not needed. Cypherpunks can clearly see who signs, who doesn't, and can decide what they wish to do with messages.

I don't wish to sound angry, as I'm not, really.
This is a fascinating issue unto itself, worthy of discussion. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From jya at pipeline.com Tue Nov 29 12:43:44 1994 From: jya at pipeline.com (John Young) Date: Tue, 29 Nov 94 12:43:44 PST Subject: Dr Dobb's Info Way Message-ID: <199411292043.PAA10922@pipe3.pipeline.com> Dr. Dobb's has a special Winter issue on the "Information Highway" which includes a good long article on the economics of the system, past, present and future, and another fine piece on e-mail security by Bruce Schneier. That's Winter 1994, Volume 19, Issue 14. From tjbryce at unix.amherst.edu Tue Nov 29 13:03:55 1994 From: tjbryce at unix.amherst.edu (Tom Bryce) Date: Tue, 29 Nov 94 13:03:55 PST Subject: whats all this nonsense Message-ID: <199411292103.AA07490@amhux3.amherst.edu> I just signed onto this list. What the hell is all this nonsense that I hear about mandating PGP signed messages? I thought the whole grassroots crypto thing was about protecting privacy rights and individual liberty and all that. So what if someone wants to post a message to cypherpunks AND DOES NOT WANT ANYONE TO BE ABLE TO PROVE THEY WROTE THE MESSAGE. Whether because they fear legal prosecution, or some other social consequence down the line, or whatever. It's everyone's personal choice whether they want their name nailed down unmistakably to given messages of personal/political/WHATEVER nature. 
It seems heinously against the spirit of this list to mandate that people append an unforgeable digital signature to everything they feel like saying to the list so that anyone, anywhere can prove that they said a particular thing at a partic time.

If you have a problem with what someone said and want to verify its authenticity, why not just send them an email and ask them to sign the message personally?

Tom

From adam at bwh.harvard.edu Tue Nov 29 13:20:22 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Tue, 29 Nov 94 13:20:22 PST
Subject: Stego paper
Message-ID: <199411292121.QAA00540@arthur.bwh.harvard.edu>

There is a paper on steganography "Minimum Protocols for the Insertion of Messages into Random or Pseudorandom Data" posted to sci.crypt.research.

From: klockstone at cix.compulink.co.uk (Keith Lockstone)
Message-ID: <3benes$pbh at net.auckland.ac.nz>

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From acspring at knoware.nl Tue Nov 29 13:27:42 1994
From: acspring at knoware.nl (Andrew Spring)
Date: Tue, 29 Nov 94 13:27:42 PST
Subject: Mac Encryption Components?
Message-ID: <9411292229.AA26503@indy.knoware.nl>

Does anybody know if there is an encryption component registered with Apple? I was planning to write one, but I wanted to know if there was already a standard/spec I could code to.

I e-mailed REGISTRY at AppleLink a coupla weeks ago, but they seem to be focussed just on registering new components; not fielding queries about what's already registered.

--
Man! Woman! Child! All! are up against the WALL of SCIENCE!
PGP Key print:4C 17 EC 47 A1 6D AF 67 F3 B4 26 24 FE B2 0F 5E

From warlord at MIT.EDU Tue Nov 29 13:49:22 1994
From: warlord at MIT.EDU (Derek Atkins)
Date: Tue, 29 Nov 94 13:49:22 PST
Subject: whats all this nonsense
In-Reply-To: <199411292103.AA07490@amhux3.amherst.edu>
Message-ID: <9411292149.AA06891@toxicwaste.media.mit.edu>

-----BEGIN PGP SIGNED MESSAGE-----

I think the point is that people should take some time to think about what they say. By forcing them to sign their message, it will take an extra few seconds so they will consider what they are saying.

As for privacy, who's to say that I can't generate a random PGP key with a random UserID and use that to sign the message. I don't think the idea was to keep a "who can send to this list" keyring on toad.com (Eric: correct me if my interpretation is incorrect).

- -derek

From JLICQUIA at mhc.uiuc.edu Tue Nov 29 13:58:59 1994
From: JLICQUIA at mhc.uiuc.edu (JEFF LICQUIA (CEI))
Date: Tue, 29 Nov 94 13:58:59 PST
Subject: The Market for Crypto--A Curmudgeon's View
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

> From: eric at remailer.net (Eric Hughes)
> Let me review the exact proposal. First, a recognizer is set up at
> toad.com to distinguish between digitally signed and unsigned
> messages. Second, some action on the message would be taken, which
> would gradually increase in effect over time. The first action would
> be to add a header to the end of the mail identifying it as unsigned.
> A later action would be to delay the mail at the server for some
> amount of time. A final action would be to delete or bounce messages
> that weren't signed.

Perhaps something a little more useful would be a little more palatable.
I have a feeling that something like the above would sound gratuitous to many on the list. A better way would possibly be to have some value-added service offered by the list server which involves encryption or digital signatures. Here are a few ideas:

1. What if all messages on the list were themselves signed by "Cypherpunks List "? (yeah, I'm reaching here; let my brain warm up...)

2. Encrypted submission to the list. This could be useful if used in tandem with remailers, perhaps...

3. Offer anonymization locally. Messages posted this way could appear as "cypherpunks-reader at somewhere" or something like that. When combined with remailers and encryption (like #2 above), this could mix things up with respect to anonymous mail. As another (possible) option, the remailers could be set to recognize cypherpunks at toad.com and send in such a way as to use this local anonymizing.

4. Auto-verify signed messages. Put a header at the top of signed messages such as:

[Signature verified. ID: Joe Blow ]
[Bad signature! ID: Joe Blow ]

for tested signatures. This would either require a key registry (where you register your public key with the list server) or an interface to the key servers. This would of course imply quite a few changes to the list server code, as well as possibly non-trivial resources to do the processing, but hey, social imperatives don't have to answer to reality, now, do they? (At least they never seem to when the government is concerned. :-) Two variants: Strip the signatures after verifying them, and/or marking unsigned posts in a similar way.

5. Allow the option to encrypt list messages before sending. If we used #4 above, this could encrypt with the public keys; otherwise, it could use conventional encryption. This could be a great boon to readers whose sysadmins might take a dim view of them reading such an antisocial list.
:-) Corollary: allow the option of sending the list, encrypted, through the remailers as well without requiring a pseudonymous remailer.

I'm sure I could think of more lamebrained ideas given enough time and motivation. :-)

> I do, however, agree with the other two premises of Tim's
> hypothetical. I do think that crypto isn't being used by enough
> people. I realize that the exact meaning of 'enough' is subjective,
> so let me rephrase. I do think that crypto is being used by fewer
> people than I want. I also believe that setting an example is a good
> thing, because it signals an achievable task to those who are
> considering doing it.

I would agree, though I would suggest that holding out carrots (neat features you can take advantage of if you encrypt) would work better than punishments (your posts won't get through as fast if you don't sign your posts). Does that make me a Puller?

> When I first proposed server actions last year, it was with the full
> realization that I wouldn't be signing my own posts and would thereby
> be subject to the delay (the first-proposed action). This post isn't
> signed either.

This post is. :-) I'm a believer that it serves as effective spoof insurance. But, then again, I've got a direct Ethernet link to the net on my Windows box at work and Linux at home, so it's easy for me.

Also, I wasn't even a lurker at that time, so my suggestions may be old hat. If so, please bonk lightly!
From sandfort at crl.com Tue Nov 29 14:08:38 1994
From: sandfort at crl.com (Sandy Sandfort)
Date: Tue, 29 Nov 94 14:08:38 PST
Subject: The Market for Crypto--A Curmudgeon's View
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SANDY SANDFORT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

Did anyone but me notice that Eric Hughes and Tim May have reached a consensus in the on-going debate about signed posts? Tim says, "your house, your rules" and acknowledges that Eric is the de facto boss of the list. Tim expresses no real objection to Eric's first step except in a "slippery slope" sort of way.

Personally, I'm against mandatory digital signatures as a prerequisite for posting to Cypherpunks. On the other hand, I like the idea of having the list software automatically verify digital signatures. This is a valuable service I'm usually too lazy to perform for myself.

Here's my suggestion. Eric should unilaterally impose his first step, i.e., all unsigned messages and messages with spoofed signatures will henceforth be flagged as such. Let's see what effect, if any, that has on the way people post their messages. After the protocol has been in effect for some time, we can re-open the topic for further discussion.
S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From jrochkin at cs.oberlin.edu Tue Nov 29 14:28:19 1994
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Tue, 29 Nov 94 14:28:19 PST
Subject: whats all this nonsense
Message-ID:

>I just signed onto this list. What the hell is all this nonsense that I hear
>about mandating PGP signed messages?
>
>I thought the whole grassroots crypto thing was about protecting privacy
>rights and individual liberty and all that. So what if someone wants to
>post a message to cypherpunks AND DOES NOT WANT ANYONE TO BE ABLE TO
>PROVE THEY WROTE THE MESSAGE. Whether because they fear legal prosecution,
>or some other social consequence down the line, or whatever

Of course we all agree with you there, but as someone else mentioned, users would be perfectly free to sign with a _pseudonymous_ key. My key wouldn't have to be in the name of "Jonathan Rochkind," it could be "Dirk the Destroyer", or whatever else I wanted it to be.

I'm not sure if Eric is suggesting that everyone submit their public key to the list or not. If he is, then things would be made a bit difficult, as you would have to make your one-time-only anonymous key, send it to toad.com, wait for it to be recognized, and _then_ send your message to the list. Assuming that not only do I not want your messages traceable to Jonathan Rochkind, but I also don't want them traceable to _each other_, then I'd have to make a new key before sending each message, and go through that whole rigamarole each time.
I'm not sure how often people actually _would_ desire to do such a thing (generally, it's important to most people to build up a good reputation, pseudonymous or otherwise), but....

I agree you have a good point that it's important the list be set up so it's possible to contribute to it anonymously/pseudonymously. And that _some_ implementations of what Eric is suggesting might make that either impossible or just a pain in the ass (and we probably don't want to do either). There are probably other implementations that wouldn't have this problem. Although I would still oppose them, pretty much on the grounds Tim May has been ranting about. (and I do mean ranting in the best way. :) ). People should pretty much be able to do what they want, and I don't see any compelling reason to force people to sign their messages whether they like it or not.

From turner at telecheck.com Tue Nov 29 14:56:29 1994
From: turner at telecheck.com (Joe Turner)
Date: Tue, 29 Nov 94 14:56:29 PST
Subject: Jeff @ViaCrypt
Message-ID: <9411292250.AA06552@TeleCheck.com>

Please excuse the bandwidth. Earlier today I had a conversation with Jeff who claimed to be from ViaCrypt. I was in a hurry to attend a lunch/meeting and forgot to get his internet address. Could someone point me in the right direction?

--
Joe N. Turner             Telecheck International
turner at telecheck.com   5251 Westheimer, PO BOX 4659, Houston, TX 77210-4659
compu$erv: 73301,1654     (800) 888-4922 * (713) 439-6597

From skaplin at skypoint.com Tue Nov 29 15:20:49 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Tue, 29 Nov 94 15:20:49 PST
Subject: whats all this nonsense
In-Reply-To: <199411292103.AA07490@amhux3.amherst.edu>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199411292103.AA07490 at amhux3.amherst.edu>, you wrote:
>
> I just signed onto this list. What the hell is all this nonsense that I hear
> about mandating PGP signed messages?
>
> I thought the whole grassroots crypto thing was about protecting privacy
> rights and individual liberty and all that. So what if someone wants to
> post a message to cypherpunks AND DOES NOT WANT ANYONE TO BE ABLE TO
> PROVE THEY WROTE THE MESSAGE. Whether because they fear legal prosecution,
> or some other social consequence down the line, or whatever. It's everyone's
> personal choice whether they want their name nailed down unmistakably to
> given messages of personal/political/WHATEVER nature. It seems heinously
> against the spirit of this list to mandate that people append an unforgeable
> digital signature to everything they feel like saying to the list so that
> anyone, anywhere can prove that they said a particular thing at a particular
> time. If you have a problem with what someone said and want to verify its
> authenticity, why not just send them an email and ask them to sign
> the message personally?
>
> Tom

If I had something to post that I did not want to be held accountable for, I would post it via a remailer. If I post something in my own name I want people to know that it came from me. A digital signature facilitates this.

==============================================================================
Ireland has the honor of being the only country which never persecuted the Jews -- because we never let any in. --James Joyce--
==============================================================================
skaplin at skypoint.com                  | "...vidi vici veni" - Overheard
                                        | outside a Roman brothel.
PGP encrypted mail is accepted and      |
preferred.                              | Change is the only constant in the
                                        | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or |
Finger skaplin at mirage.skypoint.com   | Smile!! Big brother is watching.
==============================================================================

From storm at marlin.ssnet.com Tue Nov 29 15:21:36 1994
From: storm at marlin.ssnet.com (Don Melvin)
Date: Tue, 29 Nov 94 15:21:36 PST
Subject: "You aren't following the _rules_!"
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

There have been some good points made here about leading by example. And about a little more protection from fraudulent posts. Though I would not want to see sigs made mandatory for list postings, we should be making more use of digisigs, if for no other reason than to get them in front of more people.

That's the reason I put in the line about fingering for my PGP key. Not that I expect people to start sending me cryptomail, but to spread the word a bit to those who aren't on this list. And it's worked... I've gotten several questions about what it means and why I use it.
So, in that light, I'll also start signing my email and posts. I'll admit, though, I also use an off-line reader, so it's simple for me. But the reason I'm off-line is the responses I got from this list when I asked about key management.

And I'm NOT saying everyone should. That's a personal decision and depends on many things, work environment, system speed, personal preference. I'm just saying I will.

That's my $200.00 worth. (Why yes, I do government contracting. How could you tell?)

- - --
America - a country so rich and so strong we can reward the lazy and punish the productive and still survive (so far)
Don Melvin storm at ssnet.com finger for PGP key.

From werewolf at io.org Tue Nov 29 15:34:20 1994
From: werewolf at io.org (Mark Terka)
Date: Tue, 29 Nov 94 15:34:20 PST
Subject: CFV on Signing Posts To List?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

It seems like we have a pretty good thread on the for/against arguments re: digitally signing articles posted to the list. Perhaps we should allow it to run its course over the next 48 hrs, and then Eric could circulate a form like the following Friday morning (ie Dec 2):

- ---------------------------------------------------------------------------
Question: Do you agree that all articles posted to the list should be digitally signed and that the keeper of the list should take steps to implement such?

Yes ___ No ___
- ----------------------------------------------------------------------------

I realize we are not exactly in a democracy here (ie Eric maintains the list) but then again the participation of the subscribers would be a lot more enthusiastic if the perception of "majority rules" was met.
As someone mentioned earlier, this discussion seems to pop up every so often and ramble on for a certain amount of time with nothing being resolved. Maybe a "Call for the Vote" would change that.

We all would seem to hold the net and its functions to a high degree of importance. Settling of this issue (as opposed to the thread meandering for the next month or so) would indicate that something concrete in favour of crypto could be implemented (or discarded....after suitable discussion) by its main proponents.

From p.v.mcmahon.rea0803 at oasis.icl.co.uk Tue Nov 29 15:42:37 1994
From: p.v.mcmahon.rea0803 at oasis.icl.co.uk (p.v.mcmahon.rea0803 at oasis.icl.co.uk)
Date: Tue, 29 Nov 94 15:42:37 PST
Subject: (re-tx) RE: Transparent Email (WAS disable telnet to port 25)
Message-ID: <9411292035.AA01114@getafix.oasis.icl.co.uk>

I sent this yesterday, but it apparently didn't get through.

--

> > I don't have an answer to your question, but you did bring up something
> > I've been meaning to ask about for some time and I never really got
> > around to it; Are there any short-term plans to press for an RFC
> > utilizing digital signatures? With the exponential increase of mail

Existing standards track RFCs support PEM-based security of RFC-822 email (RFC 1421, RFC 1422, RFC 1423, and RFC 1424). Recent work on security of MIME has allowed for an alternative content protection and certification mechanism (i.e. PGP). See Internet Drafts draft-ietf-pem-sigenc-02.txt and draft-ietf-pem-mime-07.txt which respectively define the framework and the PEM-specific parts.

> The best answer that I can come up with for this problem is to allow for
> several webs of trust to function simultaneously.
Perhaps we would have

The intent of the MIME extensions is to enable either PGP or PEM to be used, although the standard for the former is I believe still pending. I am not aware of efforts to integrate the two certification mechanisms.

> A web could be defined by a single top-level public key and a set of

This is the function for the IPRA (as discussed in RFC 1422).

> rules. Perhaps a text based program -- a sort of "meta-pgp" -- could
> check chains of signatures to validate a key.

This is what a PEM-conformant user agent does.

> Suppose, for example, that I'm administering a web of trust. I set up
> the web so that I can deputize notaries who can in turn sign user keys.

The PEM WG used to call these organisational notaries, but they have been dropped from the standards. They are also referred to in related work as Local Registration Agents or Authorities - and are necessary for large organisations' use of certification services.

> Let's further assume that all signatures are good for a year. A keyserver
> would return a text file containing: (a) the user's key, concatenated with a
> notary's key, concatenated with a header specifying the date it was signed
> by me.

This sounds similar to the certification message in RFC 1424. There isn't a requirement for certificate retrieval as certificates are sent with the message or handled using (as yet unspecified) directory facilities - probably an extended DNS in the Internet environment.

- pvm

From lmccarth at ducie.cs.umass.edu Tue Nov 29 16:07:15 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Tue, 29 Nov 94 16:07:15 PST
Subject: Mac Encryption Components?
In-Reply-To: <9411292229.AA26503@indy.knoware.nl>
Message-ID: <199411300007.TAA19266@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Unverified writes:
> Does anybody know if there is an encryption component registered with
> Apple? I was planning to write one, but I wanted to know if there was
> already a standard/spec I could code to.
You might try to make contact with Romana Machado. According to her home page (http://www.mps.ohio-state.edu/cgi-bin/hpp?romanaHQ.html):

Software engineer, author, cryptoanarchist, model, "hot-blooded capitalist", I have been featured in Wired and Boing Boing for Stego, a crypto tool for the Macintosh, and for being a Very Extropian Person. I work in the Newton group at Apple Computer.

- - From a linked page (http://www.nitv.net/homes/mech/Romana/stego.html):

Stego was favorably reviewed by Sandy Sandfort in the March 1994 issue of Wired and the March 1994 issue of Boing Boing.

...so perhaps Sandy can correct me if this is a bum steer. I ran across her home page near the end of a long WWW safari which passed through some utterly non-crypto-related links.

- -L. Futplex McCarthy; PGP key by finger or server
"Don't say my head was empty, when I had things to hide...." --Men at Work

From greg at ideath.goldenbear.com Tue Nov 29 16:20:36 1994
From: greg at ideath.goldenbear.com (Greg Broiles)
Date: Tue, 29 Nov 94 16:20:36 PST
Subject: signing messages
Message-ID: <199411300019.AA21138@ideath.goldenbear.com>

-----BEGIN PGP SIGNED MESSAGE-----

Seems like one way to encourage the use of digital signatures is to start forging messages from people who don't ordinarily sign their messages. Necessity is the mother of invention, and all of that. I finally started signing my messages on a regular basis as a result of Detweiler forging a message which purported to be from me. On the other hand, I think Tim has been the most frequent target of Detweiler's forgeries, and I don't detect much of a creep towards signing messages on his part.
Eric, would you mind clarifying the purpose of the "sign-or-delay" rule? Last time this came up I assumed that it was to encourage folks who had 95% of the tools/initiative to start using crypto techniques on a day-to-day basis to get off their asses and do so; but other people seem to have different ideas about the purpose(s) of such a practice.

I think it might be interesting to try the "sign-or-delay" rule on a part-time basis - perhaps weekends only, or never on weekends, or only during December, or whatever. To me, it seems useful as sort of a "Great American Smoke-Out Day" for crypto; to get folks to go just one day where they use crypto in a practical, applied way, to prove that they can do it. What they do after that is their own business.

From hayden at krypton.mankato.msus.edu Tue Nov 29 16:23:39 1994
From: hayden at krypton.mankato.msus.edu (Robert A. Hayden)
Date: Tue, 29 Nov 94 16:23:39 PST
Subject: CFV on Signing Posts To List?
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Since there wasn't anything stated about where to send your vote, I'll vote here :-)

No.

It might be a good idea for people to sign their posts, and to even encourage it, but to require it would be more of a hindrance in the long run because sometimes people don't have access to their keys, or might just plain forget.

All, IMHO, of course :-)

____ Robert A.
Hayden <=> hayden at krypton.mankato.msus.edu
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> I do not necessarily speak for the
\/ Finger for PGP Public Key <=> City of Mankato or anyone else
-=-=-=-=-=-=-=-
(GEEK CODE 2.1) GJ/CM d- H-- s-:++>s-:+ g+ p? au+ a- w++ v* C++(++++) UL++++$ P+>++ L++$ 3- E---- N+++ K+++ W M+ V-- -po+(---)>$ Y++ t+ 5+++ j R+++$ G- tv+ b+ D+ B--- e+>++(*) u** h* f r-->+++ !n y++**

From blancw at microsoft.com Tue Nov 29 16:24:21 1994
From: blancw at microsoft.com (Blanc Weber)
Date: Tue, 29 Nov 94 16:24:21 PST
Subject: CFV on Signing Posts To List?
Message-ID: <9411300024.AA04528@netmail2.microsoft.com>

I disagree that a cypherpunk should be expected to agree to commit everyone towards arriving at a consensus over whether anyone who posts to the list should sign their messages, or that the list owner should be expected to submit to their conclusions simply because that is what they agreed among themselves he ought do. It's a matter of (anarchist) principle.

Blanc

From tjbryce at unix.amherst.edu Tue Nov 29 16:28:41 1994
From: tjbryce at unix.amherst.edu (Tom Bryce)
Date: Tue, 29 Nov 94 16:28:41 PST
Subject: Mandatory message signing
Message-ID: <199411300028.AA26712@amhux3.amherst.edu>

>It's usually a good idea to read for at least a month before leaping
>into the discussion, so as not to overreact.

I guess so. :)

> > I thought the whole grassroots crypto thing was about protecting privacy
> > rights and individual liberty and all that. So what if someone wants to
> > post a message to cypherpunks AND DOES NOT WANT ANYONE TO BE ABLE TO
> > PROVE THEY WROTE THE MESSAGE.
>
>Mechanisms for this already exist. For example, register a PGP key to
>a pseudonym, such as "Dr. Death".
>An advantage of doing this is that even though no one really knows who
>"Dr. Death" is, you can sign messages certifying that yes, the person
>they know as "Dr. Death" wrote this message. Without this
>certification, anyone can claim to be "Dr.
Death" at any given moment.

Hmmm. But even with a pseudonym like that, people can still claim you were Dr. Death, and Dr. Death will have posted enough stuff about enough things so the Dr. and you can be linked fairly certainly, isn't this right?

There's a reason why one should prefer the telephone over mail for many matters. That is, no one can record your call (legally) and prove that you said a certain thing at a certain time, while they can keep your letter and prove you wrote a certain thing. Honestly, the chance of someone posting a fraudulent message under someone else's email address to the cypherpunks list is pretty slim, but that possibility (or the chance that they left their computer on and someone sent something, etc.) leaves you plausible deniability if you ever want it.

If one has to sign all their posts with their pgp key, or conversely with a pseudonym generated for the purpose, to me, that's beginning a dangerous practice of using the technology to invade peoples' privacy instead of expand their privacy possibilities. People who want a pseudonym identity and who want their messages to be verified against a PGP signature can easily choose to do so, presently, and if you wanted to, you could append a notice to the end of an unsigned message:

NOTE: The preceding message was not accompanied by a digital signature, and its authenticity may be suspect.

But I guess I just don't see why people should have to sign their messages under some given key to contribute to the group. Unless you generated and registered a new key for every message you wanted to post, there would still be unforgeable evidence linking you or your pseudonym to a series of posts. And if there was a series of posts from your pseudonym, that increases the chances it could be linked to you. And besides that, you might want to post free and clear and sign your name to it, and forget the hiding behind a pseudonym stuff. Just you don't want to sign the message digitally.
This seems like a perfectly valid choice that users should have the privacy rights and freedom to make.

Tom

From raph at netcom.com Tue Nov 29 16:34:38 1994
From: raph at netcom.com (Raph Levien)
Date: Tue, 29 Nov 94 16:34:38 PST
Subject: Premail and transparent email
Message-ID: <199411300033.QAA23322@netcom15.netcom.com>

It's quite gratifying to see that people are actually using premail and like it.

I see premail as a prototype for _real_ transparent email encryption. A lot of people are intimidated by the need to get premail off the ftp site, unzip/untar it, and set all the configuration variables to get it running right. This "intimidation factor," of course, only applies to *x people. Everybody else is completely out of luck.

I think the same problems hold with most of the scripts that are out there. Every time I've gotten something to play with, I've had to diddle with pathnames, or the makefile, or whatever.

The real solution, I think, is to get all the needed components for transparent email encryption into the standard releases of the tools. I'm currently working on exactly this project. In rough outline, PGP will run as a "server" process. Mailers would connect to the server, and pass all incoming and outgoing mail through it. One advantage is that clients would contain _no_ crypto content, so there would be no problems with exportability. The server would contain much of the functionality of premail. I showed an early prototype at the last cpunks meeting. Initially, I am doing all the work in *x, just because that's what I have tools for, but ultimately it should work for Windows and Mac as well.

My intent is to get large numbers of people to use PGP to encrypt all of their email, including casual stuff. This won't happen until encryption and decryption are _totally_ transparent.

-- Raph Levien -- raph at netcom.com

From msanders at ataxia.res.wpi.edu Tue Nov 29 16:36:18 1994
From: msanders at ataxia.res.wpi.edu (Michael K.
Sanders)
Date: Tue, 29 Nov 94 16:36:18 PST
Subject: premail 0.30
Message-ID: <199411300049.TAA16964@ataxia.res.wpi.edu>

I've got premail v0.30 installed here as /usr/lib/sendmail. I added the $config{"sendmail"}="real_sendmail" option, but this means that ~/.premailrc is not used. But that users can't specify their own options... Specifically, it looks as if doing it this way I can't automatically PGP sign my mail without adding it to the global script, but that would mean _all_ mail out of this site would be signed with my id. Any suggestions how to go about this? It makes it so convenient to have it replace sendmail, but I'd like to sign my mail as well.

--
Michael K. Sanders -- msanders at ataxia.res.wpi.edu
ataxia: NetBSD/Amiga 1.0 - Creating Chaos out of Anarchy for a Better Tomorrow
Ataxia Home Page

From jonathon at doe174g.sbi.com Tue Nov 29 16:44:54 1994
From: jonathon at doe174g.sbi.com (Jonathon Fletcher)
Date: Tue, 29 Nov 94 16:44:54 PST
Subject: The Market for Crypto--A Curmudgeon's View (fwd)
Message-ID:

On Tue, 29 Nov 1994, Sandy Sandfort wrote:

[ ... stuff r'moved ... ]

>
> Personally, I'm against mandatory digital signatures as a
> prerequisite for posting to Cypherpunks. On the other hand, I
> like the idea of having the list software automatically verify
> digital signatures. This is a valuable service I'm usually too
> lazy to perform for myself.
>
> Here's my suggestion. Eric should unilaterally impose his first
> step, i.e., all unsigned messages and messages with spoofed
> signatures will henceforth be flagged as such. Let's see what
> effect, if any, that has on the way people post their messages.
> After the protocol has been in effect for some time, we can
> re-open the topic for further discussion.
>

This is a good idea - certainly a nice way to emphasize (sp) signing posts. Having majordomo verify signatures automatically and add message content if either (as sandy suggests) signature is missing or bad.
One question would be whether majordomo should add content upon verification of a signature, or upon failure to verify a signature (missing or bad). Depends on which would have most 'positive' appearance, and (more importantly) would generate least extra volume in the long term. Personally I think that flagging the messages with bad or missing signatures is a better idea - as more people sign articles on the list there will be less flagging volume sent out by md. Nice idea Sandy. ... only snag is that md has to be modified again. Has Eric the time and desire to fit this in. I can't help with the perl - still not grokked it properly. -Jon -- Jonathon Fletcher j.fletcher at stirling.ac.uk " .. all opinions expressed or implied are my own and not necessarily those of my employer or any other party ... " From perry at jpunix.com Tue Nov 29 17:10:00 1994 From: perry at jpunix.com (John A. Perry) Date: Tue, 29 Nov 94 17:10:00 PST Subject: premail 0.30 In-Reply-To: <199411300049.TAA16964@ataxia.res.wpi.edu> Message-ID: <199411300109.TAA11788@jpunix.com> -----BEGIN PGP SIGNED MESSAGE----- In a previous message, Michael K. Sanders said: > I've got premail v0.30 installed here as /usr/lib/sendmail. I added > the $config{"sendmail"}="real_sendmail" option, but this means that > ~/.premailrc is not used. But that users can't specify their own > options... Specifically, it looks as if doing it this way I can't > automatically PGP sign my mail without adding it to the global script, > but that would mean _all_ mail out of this site would be signed with > my id. Any suggestions how to go about this? It makes it so convenient > to have it replace sendmail, but I'd like to sign my mail as well. That's interesting that it works that way on your system. I have premail installed here as /usr/lib/sendmail and I still have a ~/.premailrc that premail reads. 
I have aliases installed in my own ~/.premailrc that allows my messages to be automatically encrypted to the recipients in tha alias list. Are you SURE yours doesn't operate this way also? - -- John A. Perry - KG5RG - perry at jpunix.com WWW - http://jpunix.com PGP 2.62 key for perry at jpunix.com is on the keyservers. PGP-encrypted e-mail welcome! Finger kserver at jpunix.com for PGP keyserver help. Finger remailer at jpunix.com for remailer help. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtvQtlOTpEThrthvAQF+PAQAryzMUnw5DoZBBatYvxvvYEKVNBzWN7Nb u+ews2bXi+j9yqHYK6Sz9c8yJIo0q6h7LzvrCKCNO8G7nbVELvYLc6SOqsHM/Yh9 tUhTO96OFEJTxSVxbcjGUVSmdVDVWIrvSf1/S3cXmW50k1cdbKSruzA4X68P3i20 RrXL6fWUep0= =mkm8 -----END PGP SIGNATURE----- From tjb at acpub.duke.edu Tue Nov 29 17:50:20 1994 From: tjb at acpub.duke.edu (Thomas J. Bryce) Date: Tue, 29 Nov 94 17:50:20 PST Subject: where to get secure edit a0.3.3 for macintosh Message-ID: <199411300150.UAA16805@carr2.acpub.duke.edu> -----BEGIN PGP SIGNED MESSAGE----- I've received a number of inquiries about where to obtain secure edit a0.3.3 for the macintosh. Please finger me at tjbryce at amherst.edu if you want information on this. Thank you Tom tjb at acpub.duke.edu -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBLtuTJk8YjrUhOUC5AQEoAAP/W+kl5cOkuohw5QtafawUFA5kKSrhhv/o rE8mzGVsntNJ52NcCS7ImONTKxH+rHmcrbhYi8A0rVAaf0byYDSZ50PHCqoM4WPc ccNQ4zMO75N38uZ8/pLO9w3nYw5Y386737IND8QOjHmLc/jUQlJqdFuGzxtYq2r1 RzQgKu9xjS4= =m0X4 -----END PGP SIGNATURE----- From lmccarth at ducie.cs.umass.edu Tue Nov 29 18:59:25 1994 From: lmccarth at ducie.cs.umass.edu (L. McCarthy) Date: Tue, 29 Nov 94 18:59:25 PST Subject: Mandatory message signing In-Reply-To: <199411300028.AA26712@amhux3.amherst.edu> Message-ID: <199411300259.VAA19579@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Tom Bryce writes: [BTW, welcome to the list] > Hmmm. But even with a psuedonym like that, people can still claim you were > Dr. Death, and Dr. 
Death will have posted enough stuff about enough > things so the Dr. and you can be linked fairly certainly, isn't this right? There is a distinct danger that one can be identified, with a fairly high degree of confidence, by the characteristics of one's writing style. If one holds particularly unusual views, the content of expression may belie one's pseudonymous identity. Altering one's writing style is a nontrivial problem for AI researchers, but a human can do a decent job of it. About all one can do about one's distinguishing _opinions_ is to refrain entirely from posting under one's own name. If you think safe sex with animals (safe bestiality doesn't have the same ring to it ;) should be taught in public schools, and you've posted to that effect, you're simply stuck with the fact that hardly anyone will believe that someone else could be behind a pseudonym which shares that opinion. Basically, if you choose to identify yourself implicitly, that's your problem. > There's a reason why one should prefer the telephone over mail for many > matters. That is, no one can record your call (legally) and prove that you > said a certain thing at a certain time, Hold the phone ! As I understand the law, only one party to a telephone call has to be aware of the recording for it to be perfectly legal. Someone not party to the call can't do it, but any one of the people talking can do it. > while they can keep your letter > and prove you wrote a certain thing. Honestly, the chance of someone > posting a fraudulent message under someone else's email address to the > cypherpunks list is pretty slim, It's happened. Allow me to weigh in on the heart of this signing requirement debate. I don't see a need at present to require dig sigs in messages to the list. I'm nobody's anarchist, but like Blanc I am uncomfortable with the idea of imposing a restriction like this on the rest of the list on principle. 
Meanwhile, the suggestion that the list software be adapted to verify signatures on incoming messages qualifies the entire discussion as profitable, IMHO. On the theme of transparency and standardization, I think the important thing is to develop a generally applicable patch to Majordomo to handle authentication like this. Ideally, some people would get together with Brent Chapman and incorporate authentication of signed messages in a future release of Majordomo. I'd love to volunteer for a project like this but I don't believe I can spare the time. - -L. Futplex McCarthy; PGP key by finger or server "Don't say my head was empty, when I had things to hide...." --Men at Work -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLtvqe2f7YYibNzjpAQFTsQP/eAd+nmCT+aYJ+gioyLFOz9Vsyw3THwlL UIi+57XrL+SwT+7AHga/upWy1vdos8bEKrV2XWIbaCpda5QoE/34VjfIhkYE5OZB Yq6a1uZ51wAEOV4ynwa9p65VzMMspqb4tSl7KoqiqpjBtaoCGPHsxQp2EhnOk5YM 7S+e+lmgSWA= =ltql -----END PGP SIGNATURE----- From alex at omaha.com Tue Nov 29 19:21:09 1994 From: alex at omaha.com (Alex Strasheim) Date: Tue, 29 Nov 94 19:21:09 PST Subject: premail 0.30 Message-ID: <199411300322.VAA01173@omaha.omaha.com> -----BEGIN PGP SIGNED MESSAGE----- I've also installed premail as /usr/lib/sendmail, and it works fine. I haven't had any problems with it reading my ~/.premailrc file. I was a little queasy about installing it as sendmail, but I'm very glad I did. It hasn't caused any problems at all, adds a lot of functionality, and doesn't seem to extract too high of a penalty in terms of overhead. I'm not sure how sendmail forks for incoming mail, but my impression is that the additional instance of sendmail is created without calling premail. If that's true, then premail installed as sendmail doesn't add any overhead at all for incoming mail. This was a big concern for me, because I don't have very much memory or processor power, but so far everything's been working great. 
==
Alex Strasheim  | finger astrashe at nyx.cs.du.edu
alex at omaha.com | for my PGP 2.6.1. public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtvvxREpP7+baaPtAQFq5wQAzT295CbJIQXJU8chI4Cwm9rHGa4mbqNV
+geDhS02z/ttYjMIoXRh1066YmnSEB3/3uqQPL4K1w8SP3z7uYfQwDwKwbmRdoPa
p03ksQ8PEK/9dbRc05azjz4PFpMTqk4HDhyQnM3xRo34DPNbnfl4HUSMbccvdCEw
vS4Vip00zX0=
=+du+
-----END PGP SIGNATURE-----

From perry at jpunix.com Tue Nov 29 19:24:54 1994
From: perry at jpunix.com (John A. Perry)
Date: Tue, 29 Nov 94 19:24:54 PST
Subject: Elm and premail (long)
Message-ID: <199411300324.VAA14320@jpunix.com>

-----BEGIN PGP SIGNED MESSAGE-----

I have just finished integrating premail 0.30 with Elm on jpunix.com. Since there have been some questions about how to do this type of thing, I thought I'd give a blow-by-blow description of what I did and the pros, cons and alternatives to what I did.

1) I installed premail as a wedge to the sendmail daemon. In other words, per Raph Levien's instructions in his README file, I renamed sendmail to something else and then renamed premail to sendmail and have it pointing to the renamed sendmail. I realize this requires system admin privs and is a big step to take, but I have been testing premail working as the sendmail program with great success and at this point I have no qualms about premail/sendmail being one and the same.

2) I created the ~/.premailrc file in my home directory per Raph's README file. There is an option at the bottom to create aliases and that is what I did at first. Then, I discovered that the alias database created by Elm is compatible with premail!!

3) I edited ~/.elm/aliases.text to make changes similar to the following:

The alias

raph = Levin; Raph = raph at kiwi.cs.berkeley.edu

to

raph = Levin; Raph = raph at kiwi.cs.berkeley.edu^key=raph at cs.berkeley.edu

Elm doesn't seem to mind this new alias structure and premail parses it just fine!
I could have added a ^chain=3 also, but I decided that I may not want to email Raph through a set of remailers every time. I decided I would add the extra header during message creation. More on this later.

What this does is that from now on, whenever I send email to Raph, it will automatically be encrypted with his public key with no further intervention on my part! When I want to chain the message through some remailers, I just take the H)eaders option from the Elm pre-send menu and add a header line:

Chain: 3

This causes the message to be chained through three random remailers before it gets to Raph.

I also added two additional Perl scripts to Elm to help in the creation of encrypted messages for people NOT in my alias file, signing messages, and reading PGP encrypted messages that are not MIME compliant. These scripts are mailpgp and morepgp. These Perl scripts were published with version 2.3 of PGP but work fine with 2.4 and up.

In Elm, I went to the options menu and replaced the default editor with mailpgp as well as the visual editor. I also replaced the default builtin+ display parameter with morepgp. These two Perl scripts are listed at the end of this message. The mailpgp script will allow you to encrypt and sign messages right before they are sent. The morepgp script will decrypt/verify incoming messages on the fly. The really nice benefit of these scripts is that you can reply to cleartext version of PGP encrypted messages.

With the combination of these Perl scripts, Elm (or Pine for that matter) can be turned into an encrypted mail handler with a minimum of fuss.

morepgp:

#!/usr/local/bin/perl
# -*- Perl -*-

# written by jason steiner, jsteiner at anwsun.phya.utoledo.edu, Jan 1993
#
# if you use or make improvements to this program i would appreciate
# copies of your modifications & your PGP public key.
#
# Modified by Greg Spencer, greg at graphics.cornell.edu, May 1994
# Mostly just cleaned up things and added stuff like automatic
# addition and detection (and ignoring) of keys to be added to keyring,
# and signal catching, as well as environment variable control of
# most site-specific stuff.
#
# Must set the following environment variable:
#
# PGPCOMMAND set to the pgp decryption command
#
# PAGER set to the desired pager command
#
# NOTE that this program NEVER writes sensitive data to a disk file.
# it will only slurp it into memory, so if you have a HUGE file, you might
# have problems.

# setup some variables
($pgpcommand = $ENV{'PGPCOMMAND'}) || ($pgpcommand = "/usr/local/bin/pgp");

# just used for tmpfile names...
($logname = $ENV{'LOGNAME'}) || ($logname = "nobody");

# ($pager = $ENV{'PAGER'}) || ($pager="/usr/local/bin/less -i -n -s -S -c -M");
($pager = $ENV{'PAGER'}) || ($pager="/usr/bin/more -c");

$|=1;
$topgp = 0;
$tokey = 0;
$pgpused = 0;

($tmpdir = $ENV{'TMPDIR'}) || ($tmpdir = "/tmp");

#temporary file name
$tmpfile = "${tmpdir}/.pgp1.$logname.$$";
$tmpfile2 = "${tmpdir}/.pgp2.$logname.$$";

# trap signals so we do not leave
# garbage around
sub catcher {
    local ($sig) = @_;
    print "Caught a SIG$sig -- exiting\n";
    close (TMPFILE);
    close (OUTPUT);
    close (PAGER);
    unlink ($tmpfile);
    unlink ($tmpfile2);
    exit (1);   # stop once the temporary files are gone
}

$SIG{'INT'} = 'catcher';
$SIG{'QUIT'} = 'catcher';
$SIG{'HUP'} = 'catcher';
$SIG{'KILL'} = 'catcher';

# make sure nobody can read stuff
umask 077;

# prepare a data area
@tmpdata = ();
@newkeys = ();

while (<>) {
    if (!$topgp && m/^-----BEGIN PGP .*-----/ && !m/^-----BEGIN PGP PUBLIC KEY BLOCK-----/) {
        $topgp = 1;
        $pgpused = 1;
        unlink ($tmpfile);
        open (TMPFILE, ">$tmpfile") || (unlink ($tmpfile) && die "Cannot open $tmpfile for output.\n");
    }
    if (!$topgp) {
        push(@tmpdata, $_);
    }
    if ((!$tokey) && (m/^-----BEGIN PGP PUBLIC KEY BLOCK-----/)) {
        $contains_keys = 1;
        $tokey = 1;
    }
    if ($tokey) {
        push (@newkeys, $_);
        if (m/^-----END PGP PUBLIC KEY BLOCK-----/) {
            $tokey = 0;
        }
    }
    if ($topgp) {
        print TMPFILE $_; # OK to write this to a file -- it is encrypted!
        if (m/^-----END PGP .*-----/ && !m/^-----END PGP PUBLIC KEY BLOCK-----/) {
            $topgp = 0;
            close TMPFILE;
            open (CLEAR, "$pgpcommand -f < $tmpfile |") || (unlink($tmpfile) && die "Cannot open pipe to PGP.\n");
            $blocktype = $_;
            $blocktype =~s/^-----END (PGP .*)-----/$1/;
            $blocktype =~s/PGP MESSAGE/DECRYPTED MESSAGE/;
            $blocktype =~s/PGP SIGNATURE/SIGNED MESSAGE/;
            chop ($blocktype);
            push (@tmpdata, "-----BEGIN $blocktype-----\n");
            # read the decrypted/verified text back from PGP
            while (<CLEAR>) {
                push (@tmpdata, $_);
                if ((!$tokey) && (m/^-----BEGIN PGP PUBLIC KEY BLOCK-----/)) {
                    $contains_keys = 1;
                    $tokey = 1;
                }
                if ($tokey) {
                    push (@newkeys, $_);
                    if (m/^-----END PGP PUBLIC KEY BLOCK-----/) {
                        $tokey = 0;
                    }
                }
            }
            close CLEAR;
            print STDERR "\n";
            unlink ($tmpfile);
            push (@tmpdata, "-----END $blocktype-----\n");
        }
    }
}

select (STDIN); $|=1;
select (STDERR); $|=1;
select (STDOUT); $|=1;

# This handles things if we found keys that need
# adding to our keyring
# note that we are only writing the KEYS to the file.
if ($contains_keys) {
    print STDERR "PGP Keys found, attempting to add...\n";
    open (TMPFILE2, ">$tmpfile2");
    foreach $_ (@newkeys) {
        print TMPFILE2;
    }
    close (TMPFILE2);
    # strange things happen if we do not
    # read/write directly from /dev/tty (perl bug??)
    system ("$pgpcommand -ka $tmpfile2 >/dev/tty </dev/tty 2>&1");
    unlink ($tmpfile2); # get rid of it asap
    $pgpused = 1;
}

# copy the contents of @tmpdata to the pager we want to use.
open (PAGER, "|$pager") || (unlink ($tmpfile) && die "Cannot open pipe to $pager.\n");

# do "press any key to continue"
# only if we had some output from PGP
# (like a verified signature)
# again with the /dev/tty thing (weird!)
if ($pgpused) {
    $q='';
    open (TTY, "$rplyfile") || die "Cannot open $rplyfile for output.\n";

while (<INPUT>) {
    # make sure to allow printing of key blocks
    if (!$topgp && (!m/^$prefix-----BEGIN PGP .*-----/ || m/^$prefix-----BEGIN PGP PUBLIC KEY BLOCK-----/)) {
        if (m/^$prefix*$/) {
            if ($paragraphs) {
                if ($blankcompress) {
                    if ($blanks == 0) {
                        print OUTPUT "\n";
                        $blanks = 1;
                    }
                } else {
                    print OUTPUT "\n";
                }
            } else {
                print OUTPUT;
            }
        } elsif (m/^[ \t\r]*$/) {
            if ($blankcompress) {
                if ($blanks == 0) {
                    print OUTPUT "\n";
                    $blanks = 1;
                }
            } else {
                print OUTPUT;
            }
        } else {
            print OUTPUT;
            if ($. == 1 && !m/^$prefix/) {
                print OUTPUT "\n";
                $blanks = 1;
            } else {
                $blanks = 0;
            }
        }
    }
    # make sure to skip key blocks because we already did 'em in morepgp
    if (!$topgp && m/^$prefix-----BEGIN PGP .*-----/ && !m/^$prefix-----BEGIN PGP PUBLIC KEY BLOCK-----/ ) {
        $topgp = 1;
        unlink ($pgpfile);
        open (PGPFILE, ">$pgpfile") || die "Cannot open $pgpfile for output.\n";
    }
    if ($topgp) {
        $_ =~ s/^$prefix//;
        print PGPFILE $_;
        # make sure to skip key blocks because we already did 'em in morepgp
        if (m/^-----END PGP .*-----/ && !m/^-----END PGP PUBLIC KEY BLOCK-----/) {
            $blocktype = $_;
            $blocktype =~ s/^-----END (PGP .*)-----/$1/;
            $blocktype =~ s/PGP MESSAGE/DECRYPTED MESSAGE/;
            $blocktype =~ s/PGP SIGNATURE/SIGNED MESSAGE/;
            chop ($blocktype);
            $topgp = 0;
            close (PGPFILE);
            system ("$pgpcommand $pgpfile -o $clrfile > /dev/tty 2>&1");
            open (CLEAR, "<$clrfile") || die "Cannot open $clrfile for input.\n";
            print OUTPUT "$prefix-----BEGIN $blocktype-----\n> \n";
            $blanks = 0;
            # quote the cleartext into the reply
            while (<CLEAR>) {
                if (m/^[ \t\r]*$/) {
                    if ($paragraphs) {
                        if ($blankcompress) {
                            if ($blanks == 0) {
                                print OUTPUT "\n";
                                $blanks = 1;
                            }
                        } else {
                            print OUTPUT "\n";
                        }
                    } else {
                        print OUTPUT "$prefix\n";
                    }
                } else {
                    print OUTPUT "$prefix";
                    print OUTPUT;
                    $blanks = 0;
                }
            }
            close (CLEAR);
            unlink ($clrfile);
            unlink ($pgpfile);
            print OUTPUT "$prefix-----END $blocktype-----\n\n";
        }
    }
}
close OUTPUT;
close INPUT;
unlink ($name);
rename ("$rplyfile", "$name");

system ($visual, @ARGV);

while (!$q) {
    print "\nSign this message? [Y]: ";
    $q = <STDIN>;
    $q =~ s/[ \t\n]//g;
    $q = substr ($q, 0, 1);
    if (($q eq 'Y') || ($q eq 'y') || ($q eq '')) {
        push (@opts, '-st', '+clearsig=on');
        $q = "y";
    } elsif (($q ne 'N') && ($q ne 'n')) {
        $q = '';
    }
}

# note that it is the default to NOT encrypt,
# simply because not everyone has PGP (unfortunately :-)
$q='';
while (!$q) {
    print "Encrypt this message? [N]: ";
    $q = <STDIN>;
    $q =~ s/[ \t\n]//g;
    $q = substr ($q, 0, 1);
    if (($q eq 'Y') || ($q eq 'y')) {
        push (@opts, '-e');
        $q = "y";
    } elsif (($q eq 'N') || ($q eq 'n') || ($q eq '')) {
        $q = "n";
    } else {
        $q = '';
    }
}

if (@opts) {
    if ($q eq 'y') {
        print "Enter receipients, each on a separate line, terminate with EOF or a single `.':\n";
        {
            print "> ";
            if ($_ = <STDIN>) {
                chop;
                last if ("$_" eq '.');
                push (@receipients, "$_");
                redo;
            }
            last;
        }
    }
    system ($pgpcommand, '-a', @opts, "$name", @receipients);
    if ($? == 0) {
        unlink ($name);
        rename ("$ascfile", "$name");
    }
}

- --
John A. Perry - KG5RG - perry at jpunix.com
WWW - http://jpunix.com
PGP 2.62 key for perry at jpunix.com is on the keyservers.
PGP-encrypted e-mail welcome!
Finger kserver at jpunix.com for PGP keyserver help.
Finger remailer at jpunix.com for remailer help.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtvwZ1OTpEThrthvAQFwlAP+MxX6olbMempfh6UYdTDGruTngH+WgRsa
BacTB86oNIjlllDfZB55KJyuUs5dpP+gRRDW4BZTK6zyNuzy3tv5iErQnvDiV/Tn
PjSKmJJFs7HnC88aC830eQ+ojGaXzZCE2IbaTm/a7R6SU9nLc/KnJYY5pMHjdVx+
uN0xwmRrBYw=
=SUyb
-----END PGP SIGNATURE-----

From ianf at sydney.sgi.com Tue Nov 29 19:46:06 1994
From: ianf at sydney.sgi.com (Ian Farquhar)
Date: Tue, 29 Nov 94 19:46:06 PST
Subject: Security Services
Message-ID: <9411301438.ZM9135@wiley.sydney.sgi.com>

>From The Australian, Tue 29th November:

Secret Service Files Lost in Blaze, by Cameron Steward (Foreign Affairs Writer)

"Hundreds of top-secret documents relevant to the Federal Government's inquiry into the Australian Secret Intelligence Service were destroyed by a fire that swept through the ASIS headquarters in Canberra at the weekend."

"The fire has erased highly sensitive ASIS files and archives that detailed the activities and operations of the troubled spy agency over the past decade."

"The blaze is a big blow to the Government's inquiry into accountability and management of ASIS because it destroyed many of the records needed to adequately assess the organisation's performance."

"But despite the suspicious timing of the accident, the Government does not believe it was arson and says that the blaze appears to have been sparked by an electrical fault."

"'I can confirm that the fire broke out at 2am on Saturday morning on the fourth floor of the Department of Foreign Affairs and Trade Building,' a DFAT spokeswoman said."

"'The damage appears to have been fairly extensive and is believed to have been caused by an electrical fault.'"

"Sources yesterday said the area damaged by the blaze was far greater than was originally revealed by the authorities, with the initial damage estimate of about $200,000 ballooning to at least $1 million."

"The fourth floor of the DFAT building has housed ASIS for years."

"One intelligence source said last night that it was 'highly coincidental' for ASIS to experience such a fire in the midst of a Government inquiry into its operations."

"It was rumored yesterday that the fire also destroyed thousands of files that the service was alleged to have kept on Australian citizens."

"Two former ASIS officers alleged in March that the organisation illegally held files on thousands of Australian citizens, despite the fact that it is not part of its role involving gaining foreign intelligence."

"The former agents also claimed ASIS has bribed politicians in Malaysia and had helped British Intelligence obtain confidential information that harmed Australia's interests."

(Small note here which was not in the article: the ASIS jargon for MI6 is 'head office'. Many of the officers were trained by MI6.)

"The allegations by the former officers prompted the Government to conduct an inquiry into the control and accountability of the organisation."

"The inquiry, headed by former NSW Supreme Court judge Mr Gordon Samuels, is also examining the 'protection of ASIS intelligence sources and methods' as well as the 'resolution of grievances and complaints relating to ASIS'."

"The inquiry has been in progress for several months. It is still taking evidence and is due to report to the Government early in the New Year."

This article was transcribed without permission from the paper, for the purposes of research and study as defined in the "fair use" provisions of the Copyright act.

-------

Yet another depressing but compelling reminder that our privacy has as many enemies within the Government as without.

BTW, this was the same TLA which I mentioned some weeks ago in connection with the bungled raid on the Sheraton Wentworth Hotel.

Ian.
#include From rogaski at phobos.lib.iup.edu Tue Nov 29 19:46:22 1994 From: rogaski at phobos.lib.iup.edu (Mark Rogaski) Date: Tue, 29 Nov 94 19:46:22 PST Subject: Mandatory sigs Message-ID: <199411300345.WAA18315@phobos.lib.iup.edu> -----BEGIN PGP SIGNED MESSAGE----- I would have to agree w/ not REQUIRING digsigs, but flagging posts w/out them. I guess that's my write in. doc -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBLtv1T3sYwuXlZ+UZAQGXvgL/c21Yws0KUdzea12xExOszs1ZUuVUOKJX O7QtKbX96mZsh6lDUH+QS4uoNetqYdwwmbvW9PWcCkyksbzmjJpQOWzXwaDTw87S duLvkPNd+obUHUrawzUU+d0TNl/kXQIr =5DO0 -----END PGP SIGNATURE----- From jrochkin at cs.oberlin.edu Tue Nov 29 19:51:08 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Tue, 29 Nov 94 19:51:08 PST Subject: Mandatory message signing Message-ID: At 9:59 PM 11/29/94, L. McCarthy wrote: >Hold the phone ! As I understand the law, only one party to a telephone >call has to be aware of the recording for it to be perfectly legal. Someone >not party to the call can't do it, but any one of the people talking can do >it. I believe it varies from state to state, but this is indeed the norm. >handle authentication like this. Ideally, some people would get together >with Brent Chapman and incorporate authentication of signed messages in a >future release of Majordomo. I'd love to volunteer for a project like this >but I don't believe I can spare the time. Why stop at authenticating signed messages? I'd like to see some mailing list software that would send mail out to you encrypted if you want (sure, the list is probably public, but you might not want people knowing you subscribe. If list traffic was encrypted, and you routed it through Ghio's remailer-alias doohickey, the fact that you subscribe could be kept completely hidden), and would require authentication on a message to change your address, or to change your public key (which would also be possible). 
And would have config parameters such that the list operator could make it only accept signed submissions, or even only accept submissions encrypted to the list. [not that I'm advocating this on the cypherpunks list, but it might be good on other lists, especially private ones]. And ideally, I'd even like the list to be able to mail to you through the remailer-net, by prepending your encrypted address block, and sending to a remailer. Although the existence of Ghio's aforementioned doohickey (what is that service being called?) makes that somewhat superfluous.

I was planning on writing such a beast myself, and might still get around to it eventually. The problem is that I'm unlikely to write something from scratch as robust as the current list server software (I'm not interested in writing good list software, just in implementing the crypto), and I'm not really skilled enough to understand the majordomo code enough to modify it. But I might try, one of these days.

From cactus at bb.hks.net Tue Nov 29 20:07:14 1994
From: cactus at bb.hks.net (L. Todd Masco)
Date: Tue, 29 Nov 94 20:07:14 PST
Subject: Mandatory sig workaround
Message-ID: <3bgtvf$edn@bb.hks.net>

So what's the big deal? Eric sets the list to slow down unsigned posts and somebody else sets up a remailer that generates a key for each post, signs it, and forwards it. Similar workarounds abound for every twist and turn in the policy until the policy is dead or the rules are too restrictive (IE, only "human-approved" key signatures are accepted).

A fun game, certainly (I'll play!), but hardly a productive way to spend time. It always happens that when hacker A tries to enforce an arbitrary rule on other hackers, hacker B will find an automatic workaround.

--
Todd Masco        | "Roam home to a dome, Where Georgian and Gothic once stood
cactus at hks.net | Now chemical bonds alone guard our blond(e)s,
cactus at bb.com  | And even the plumbing looks good."
- B Fuller

From msanders at ataxia.res.wpi.edu Tue Nov 29 20:15:11 1994
From: msanders at ataxia.res.wpi.edu (Michael K. Sanders)
Date: Tue, 29 Nov 94 20:15:11 PST
Subject: premail 0.30
In-Reply-To: <199411300109.TAA11788@jpunix.com>
Message-ID: <199411300428.XAA17910@ataxia.res.wpi.edu>

> That's interesting that it works that way on your system. I have premail
> installed here as /usr/lib/sendmail and I still have a ~/.premailrc that
> premail reads. I have aliases installed in my own ~/.premailrc that allows
> my messages to be automatically encrypted to the recipients in the alias
> list. Are you SURE yours doesn't operate this way also?

I did some testing, and sure enough, it reads the aliases in my ~/.premailrc just fine. BUT, it does not automatically sign my messages as I thought it should. I've double-checked and both $config{"signuser"} and $config{"signpass"} are set correctly. Oh well, I'll just have to try out your scripts for elm. :)

> - --
> John A. Perry - KG5RG - perry at jpunix.com

-- Michael K. Sanders -- msanders at ataxia.res.wpi.edu
ataxia: NetBSD/Amiga 1.0 - Creating Chaos out of Anarchy for a Better Tomorrow
Ataxia Home Page

From john1941 at itlabs.umn.edu Tue Nov 29 20:19:42 1994
From: john1941 at itlabs.umn.edu (It's Me! It's Me!)
Date: Tue, 29 Nov 94 20:19:42 PST
Subject: "You aren't following the _rules_!"
In-Reply-To:
Message-ID: <199411300419.WAA16803@moby.itlabs.umn.edu>

>
> Have you used premail? It pretty much does all of that.
> People still aren't using premail, either because they can't figure out how
> to install it (doubtful, it's not hard to install), or because they don't
> have a need for it that's great enough to justify the (minimal) time
> necessary to ftp it and install it, or wait the (sometimes more painful)
> time necessary for the computer to encrypt and/or sign your outgoing
> messages.
>

Well, personally this is the first time I've even _heard_ of premail..
(thank you for mentioning it) ;) so, that's why _I'm_ not using it.. but more info would be appreciated.. a pointer to an ftp site, perhaps? Thanks, from another one just lurking in the background... Evan From sleas at d.umn.edu Tue Nov 29 20:52:42 1994 From: sleas at d.umn.edu (shawn leas) Date: Tue, 29 Nov 94 20:52:42 PST Subject: PGP Enhanced Messaging (PEM) Message-ID: <199411300450.WAA17038@ub.d.umn.edu> -----BEGIN PGP SIGNED MESSAGE----- Where can I get this software? Looks kinda cool. BTW... I like the idea of spurring on some pgp usage. It's a good idea. I would not object to having to sign messages. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtwEkqZRyOzqm29xAQEoKgQAywzBTW92lYiDEFQPVfmWxHg3hYnKDN70 c3gRSNjqO6VcJguXhVBHHjA3/ZBpWybys9deML/2FONUwrm50+MKotifo+7wpKnk E6LIrnuzuJdmlMTACR6Qx3FXVpnuQmuDz2jRybxDST+Iob5jItwt2SsZkSuFscDN vdxQHa26VAs= =BmiN -----END PGP SIGNATURE----- From wcs at anchor.ho.att.com Tue Nov 29 20:54:36 1994 From: wcs at anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204) Date: Tue, 29 Nov 94 20:54:36 PST Subject: Sign-or-delay Message-ID: <9411300425.AA21554@anchor.ho.att.com> -----BEGIN PGP SIGNED MESSAGE----- Eric Hughes writes > I am still considering the "sign-or-delay" proposal for the toad.com > server, that is, sign your articles to the list or they'll be delayed > and eventually rejected. Well, it's easy to require people to include PGP signatures. However, for some people, it's difficult to do signatures in a secure and also convenient fashion across a mix of mailers; Tim's netcom+Mac example, or anyone using an insecure system. My laptop where I get my work-related mail really can't handle the volume of mail I get from cypherpunks; I'm using it as a terminal to talk to a netblazer to telnet to a Sun where I still have an account several gateways away, on which I haven't been root for over a year... 
Sure, I forward some of the interesting mail to the not-very-diskful laptop, and could wait for it to arrive and PGP-sign my replies, which will delay my articles anyway. On the other hand, if I sign them here, half of AT&T could probably grab the passphrase with a sniffer, so it's not something I'd trust my real keys to. Similarly, I wouldn't put real keys on netcom or other mass service provider. On the other hand, how carefully were you planning to make your system check signatures - does toad.com have the spare cycles to validate them all, or are you really going for syntax only?

Thanks; Bill

-----BEGIN PGP SIGNATURE-----
Version: 3.2beta

AjtHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTurexZ
ITsBoGustHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgfoo
ReAlLyTrUsTmetHiSiSnOtAsIgNaaTureLouisFreehWasHeretHiSiSnOtAsIgN
tAsIgNaaT
-----END PGP SIGNATURE-----

From tcmay at netcom.com Tue Nov 29 22:25:05 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Tue, 29 Nov 94 22:25:05 PST
Subject: signing messages
In-Reply-To: <199411300019.AA21138@ideath.goldenbear.com>
Message-ID: <199411300623.WAA03988@netcom11.netcom.com>

(I haven't been getting list mail all day...just a few messages getting through Netcom's mail bouncer, so....)

Greg Broiles wrote:

> Seems like one way to encourage the use of digital signatures is to
> start forging messages from people who don't ordinarily sign their
> messages. Necessity is the mother of invention, and all of that.
>
> I finally started signing my messages on a regular basis as a result
> of Detweiler forging a message which purported to be from me. On the
> other hand, I think Tim has been the most frequent target of
> Detweiler's forgeries, and I don't detect much of a creep towards
> signing messages on his part.

Several points, and I'll try not to repeat points I made in my long essay of early this morning:

1. Only one person has reported to me that they were unable to verify my PGP sig (Lance Cottrell reported this...if others did, maybe their messages haven't gotten through to me). From this I conclude that few people check PGP sigs. (The "PGP 2.7" and the ASCII message in the sig might've provided some clues.)

2. This does not make such sigs useless of course, as the main value is in "critical" situations. (Legal cases, forgeries, diplomacy, contracts, etc.)

3. Again, crypto is about economics. In the military, crypto is a big part of operations (maybe 5% of staff on ships is connected with crypto, communications, etc.). But the military has real needs, and can afford (via our tax dollars) to have such efforts. Most of us are not dealing with such critical uses.

4. Speaking for myself, I have not generated or transmitted a file I felt *needed* to be signed, encrypted, etc. This is not to say such situations don't exist for others, won't someday exist for me, etc. Just things as they now stand. (When contracts are handled electronically, when payments are made electronically, etc., then such uses will be more apparent. But I am fairly open about my politics--indeed, I fly the flag of crypto anarchy in visible places--and have few files I transmit that I need to encrypt. Your mileage may vary.)

5. The Detweiler thing was amusing. No such thing as bad publicity (unless it's the Pinto-um RISK chip). Detweiler's forgeries had no legal effect on me, no lasting effect. Also, those who were "taken in" by his forgeries would hardly be in a position to verify my sig (to know who I was, to look up my PK on a keyserver, to jump through the hoops needed, and to ensure that the "Tim May" they checked was not in fact a phony keyserver entry...the several "BlackNet" public keys, only one of which I generated, are instructive).

I don't discourage anyone from using crypto, from signing messages, from routinely encrypting, etc. I just reject arguments that crypto is "essential," today, when in fact it clearly isn't. Crying wolf and all that.

In 2-4 years, a lot of the current incompatibilities and lack of usability will have been worked out. About the time I expect to actually _need_ to use more crypto.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From eric at remailer.net Tue Nov 29 22:36:06 1994
From: eric at remailer.net (Eric Hughes)
Date: Tue, 29 Nov 94 22:36:06 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411292023.MAA00141@netcom19.netcom.com>
Message-ID: <199411300734.XAA10429@largo.remailer.net>

Let me be REAL clear about this.

The immediate proposal is to mark and possibly delay unsigned messages to the list. The proposal does NOT include bouncing messages or preventing use. These options are acknowledged as possibilities for the future. They are not on the table right now. I, unlike the gov't, will warn you of your impending doom.

   From: tcmay at netcom.com (Timothy C. May)

   Not to trivialize this proposal by frivolously insulting it, but consider a mailing list that decided to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever.

I don't think you are frivolously insulting it, but I do think you are ignoring the basic distinction I made about the difference between measures which prevent use and measures which do not. The use of the syntax "delay/bounce" denies exactly this distinction.

   [...]
   to delay/bounce any messages that were not written in TeX, or in Acrobat, or whatever. How would people react who lacked these capabilities, or preferred to use alternatives (like simple unadorned text), or who merely object to an enforced standard?

I have two answers, one for delay, the other for bounce.

1. For delay or other non-preclusive measures, those who do not use the valorized feature can still use the list. They get signalled in some fashion that use of the valorized feature is desired.

I consider this primarily a communication mechanism. I wish to communicate to everyone on the list that using digital signatures is something that I want everyone to do. In particular, that means that you, the current reader of this message, are one of the people I want to use digital signatures.

Rhetoric is not as effective as a policy embedded in software that people interact with. Doing is more effective than hearing.

2. For bouncing or other preclusive measures, those who do not use the valorized feature can't participate in the discussion. This would in many situations be counterproductive, but in others, say, an experimental group discussing design in Acrobat, absolutely vital.

As this is not germane to the actual proposal, I leave off here.

   But that Eric [...] has some notions of what people _ought_ to be using does not seem to be enough to effectively bar those who helped form the Cypherpunks group (many of us) just because they choose to communicate in one particular way.

I want you, Tim May, to use digital signatures. There, that's explicit and verbal.

I do understand if your software doesn't cooperate. I've been there. I'm not (to repeat) talking about a proposal to eliminate you from the list.

Does a mark or a delay constitute an "effective bar" from participation on this list? I think not, although I'm entertaining arguments.

   If some flavor of PGP is mandated, I expect I'll unsubscribe (as I can't stand reading but not posting...lurkers obviously feel otherwise).

Whoa! We went from an effective bar to an actual prevention there. That's not what I'm talking about.

And I'm not tied to PGP by any means. You want to make a digital signature with some other piece of software? Fine. I'll add it right in.

   Absent a compelling reason, a market reason, why bother with someone's notion of ideological reasons?

I'm not a libertarian (neither big L nor small l), and I don't find an identity between compelling reasons and market reasons, as apposition implies.

The implementation of function at the server is a communication between me, Eric Hughes, the implementor of that nasty shit, and you, the participant in the cypherpunks list, that I want you to use digital signatures. Now, because of my position as de facto list maintainer, I can do this and you can't. I've got the bully pulpit, and while I've not used it much, I am beginning to want to spend some of it on urging crypto deployment and usage.

Not all is lost for erstwhile communicators. One could write a filter to look for unsigned posts and pipe them off through a suitably hacked 'vacation' filter which would send them a missive (but not too often) encouraging the use of cryptography and which would include pointers to software. This kind of communication is similar in form but not in scope to what I've proposed for the list. In fact, if someone were to bundle this kit up, I suspect it might receive fairly wide use.

   [...] perhaps I'd insist that all posts be paid for in digital cash...or bought, or whatever.

Your hypothetical includes an insistence. Mine does not.

   Again, I thought the proposal was to ultimately reject non-signed articles?

There's a very explicit disclaimer to the contrary in the original. To paraphrase, it acknowledged the possibility of rejection but removed it from immediate consideration.

   Speaking of this, it's already pretty clear who signs and who doesn't. What could be clearer than "----BEGIN PGP SIGNED MESSAGE---"?

What about random headers with things like:

X-Signature: none
X-Warning: Cryptography Non-User
X-Heckle: Yo! Too _good_ to use crypto?
X-Lazy: Jeez, Eric's even got a Unix box at home and _still_ isn't signing?
X-Bozo: God, Tim's been on this list for over two years and he still doesn't sign his posts?
X-Traitor-To-The-Cause:
X-Cryptography-Impaired-And-Proud:

[For the satire impaired, note the use of the phrase "satire impaired" at the beginning of this sentence.]

   If the proposal is to stamp a scarlet letter on non-signers, it seems overly harsh, somewhat petty, kind of insulting, and not needed.

A scarlet letter is a reasonably apt analogy, except the intent is not to create outcasts.

Harsh? I still fail to see that. Petty? What trivial matter is being blown out of proportion? Insulting? I'm sure some people can take it that way. Not needed? Perhaps not, but I may _want_ it.

Eric

From werewolf at io.org Tue Nov 29 22:44:19 1994
From: werewolf at io.org (Mark Terka)
Date: Tue, 29 Nov 94 22:44:19 PST
Subject: Fighting Censorship at Canadian Universities
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

Used to be that Universities were bastions of free thought and discussion. Guess not nowadays, if this E-Mail to me earlier today is any indication:

- --------------------------------------------------------------------------
- From kyleh at cs.mun.ca Wed Nov 30 01:01:19 1994
Date: Wed, 30 Nov 1994 00:47:41 -0330
From: Kyle Douglas Hearfield
Subject: interested in PGP
To: werewolf at io.org

Mark,

I am a Student at Memorial University of Newfoundland, and I have recently been censored and had my postings to newsgroups aborted. I received a message from our system administrator that the messages (of a political nature) were not appropriate. I was wondering if I could use PGP to get past them?
I have read some about PGP, but I am still kind of in the dark as to how it works and what it can do. Any info you could provide me would be much appreciated. Thanks in advance, - -------------------------------------------------------------------------- Maybe he was posting some stuff that contravened university policy...shrug. But with the recent events at McGill University in Montreal, I'm prepared to give him the benefit of the doubt. The first step was to provide him with the instructions to the the xs4all remailer. If he figures that is what he needs (more importantly....if he isn't scared off!) then I'll give him the list of the other remailers and mail him a copy of PGP. Who knows? Maybe all he needs is anon.penet.fi :> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtwbn6+YbMzawbu5AQHFUwP8CbzooBrhWKVHRaRIBn55ha3mYWIO62lZ 6D09DJvc9YAnwxbSVcE1X8MjNuR9XbRRrJfQMI8lnSWt8pr13FsI8cjHQqjzS9yk HXMYSKy7mdnerHaZSTK0RZdFrRHST6a5qVdNw4ffZsjO4WM/02nN/u9n5ywgsu4C dbCQlp9EMPQ= =mnSN -----END PGP SIGNATURE----- From eric at remailer.net Tue Nov 29 22:46:46 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 22:46:46 PST Subject: whats all this nonsense In-Reply-To: Message-ID: <199411300745.XAA10458@largo.remailer.net> From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) I'm not sure if Eric is suggesting that everyone submit their public key to the list or not. No, I'm not, because I consider that problem not yet satisfactorily solved. Eric From eric at remailer.net Tue Nov 29 22:48:06 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 22:48:06 PST Subject: Anarchists break rules, details at 11, was: The Market for Crypto--A Curmudgeon's View In-Reply-To: <53177.pfarrell@netcom.com> Message-ID: <199411300747.XAA10467@largo.remailer.net> From: "Pat Farrell" A few days delay, which is what I think we are talking about, will clearly make following threads more difficult. I wasn't thinking about days. 
As far as specifics, I was thinking about two or four hours to start with. And add to noise on the list, as the content of an early-non-signed message may be repeated and signed by someone else later on. It may add noise at the beginning, certainly. It may give rise to some pause before sending off an unsigned message on a triviality, as well. Whatcha trying to do, eric, lead that anarchists? Herd cats. Merely because it can be difficult does not mean it's never worthwhile. Eric From eric at remailer.net Tue Nov 29 23:02:35 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 23:02:35 PST Subject: signing messages In-Reply-To: <199411300019.AA21138@ideath.goldenbear.com> Message-ID: <199411300801.AAA10505@largo.remailer.net> From: Greg Broiles Seems like one way to encourage the use of digital signatures is to start forging messages from people who don't ordinarily sign their messages. Necessity is the mother of invention, and all of that. How about a vacation-like program that automatically finds .sig blocks, stores them in a database and appends them at random to other posts? Eric, would you mind clarifying the purpose of the "sign-or-delay" rule? Last time this came up I assumed that it was to encourage folks who had 95% of the tools/initiative to start using crypto techniques on a day-to-day basis to get off their asses and do so; but other people seem to have different ideas about the purpose(s) of such a practice. Some of the reasons I've explained just recently. You are correct in the reason you state, also. Providing an incentive for those who are mostly there already will push many to act. I think that is a good thing. One benefit I did not anticipate is an outcome of the large number of people actually having gone through the process of setting up their own signing mechanisms. 
There are many more people now who have hands-on experience setting these crypto mechanisms for themselves and who consequently have a much better understanding of the implementation issues involved. For some problems action is ten times more effective than theorizing. I think it might be interesting to try the "sign-or-delay" rule on a part-time basis - perhaps weekends only, or never on weekends, or only during December, or whatever. This is a good suggestion. It makes the transition even more gradual. Eric From eric at remailer.net Tue Nov 29 23:07:24 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 23:07:24 PST Subject: Mandatory sig workaround In-Reply-To: <3bgtvf$edn@bb.hks.net> Message-ID: <199411300806.AAA10511@largo.remailer.net> Eric sets the list to slow down unsigned posts and somebody else sets up a remailer that generates a key for each post, signs it, and forwards it. It always happens that when hacker A tries to enforce an arbitrary rule on other hackers, hacker B will find an automatic workaround. Fine. I still win. My purpose is to communicate that I want list users to use encryption. If you feel the need to use someone else's service, then you have at least been exposed to the fact that signatures are desired at toad.com. Some people may find a way around it. OK. I still get the initial sign-on message that new users see. Most people get the message. That's what I want. Eric From eric at remailer.net Tue Nov 29 23:10:39 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 23:10:39 PST Subject: Sign-or-delay In-Reply-To: <9411300425.AA21554@anchor.ho.att.com> Message-ID: <199411300809.AAA10521@largo.remailer.net> From: wcs at anchor.ho.att.com (bill.stewart at pleasantonca.ncr.com +1-510-484-6204) Well, it's easy to require people to include PGP signatures. And, as I've said, that's not what I'm talking about. 
On the other hand, how carefully were you planning to make your system check signatures - does toad.com have the spare cycles to validate them all, or are you really going for syntax only? Well, I was going to do syntax only, because the real benefit is in changing local software architecture to make automatic any operation on outgoing mail. If that operation is encryption, so much the better, but the larger strategic goal is to alter architecture. Eric From eric at remailer.net Tue Nov 29 23:19:13 1994 From: eric at remailer.net (Eric Hughes) Date: Tue, 29 Nov 94 23:19:13 PST Subject: Transparent Email In-Reply-To: <199411291851.NAA13999@pipe2.pipeline.com> Message-ID: <199411300818.AAA10539@largo.remailer.net> Does not everyone get a complete header like the one below from Eric's post with incoming mail? Everyone gets it, but the better readers don't show it to the user. Many people don't even know about those hidden headers, perhaps most. I had assumed that because every mail received here has such a header that everyone else could also see who sent my mail, signed or not. That is why I have not signed my posts. The Received: fields can be forged. You can even forge your own with the cypherpunks remailers and ##. BTW, Pipeline does not allow anonymously-sent direct mail -- as a take it or leave it policy. So we cannot manipulate headers to forge from this Windows-driven end. That's what the :: syntax was invented for, for folks who can't manipulate headers in their systems. The original purpose was for Fidonet, and Tom Jennings, who couldn't use the remailers at the time. What :: does is glue in the headers you want _at the receiving end_. If your service passes message bodies with no harm, these soon-to-be header fields will pass just fine. 
Eric

From eric at remailer.net Tue Nov 29 23:24:33 1994
From: eric at remailer.net (Eric Hughes)
Date: Tue, 29 Nov 94 23:24:33 PST
Subject: Transparent Email
In-Reply-To: <199411291900.NAA00304@omaha.omaha.com>
Message-ID: <199411300823.AAA10545@largo.remailer.net>

   From: Alex Strasheim

   I know, but I'm a little squeamish about leaving my keys unprotected.

Then make up separate insecure keys for transmission to the host. Add an attribution which says to disbelieve any signature made with this key.

   Also, I'm not very fond of the idea that encrypted email would be decrypted when it got here and left in plaintext on the mail spool.

Some protection is better than no protection. Protection in transit is still protection, even if it is not universal.

   Otherwise it wouldn't be practical to use this setup in an office or school environment, because anyone could boot your machine with a floppy and steal your key.

That's a different threat than interception of mail, remember. A partial solution is better than none.

One of PGP's many problems is that its policies for key use are quite restricted. There's no way, for example, to make a receive-only key.

Eric

From owner-cypherpunks Tue Nov 29 23:24:34 1994
Return-Path:
Received: by toad.com id AA18942; Tue, 29 Nov 94 23:24:34 PST
Received: from netcom13.netcom.com by toad.com id AA18930; Tue, 29 Nov 94 23:24:28 PST
Received: by netcom13.netcom.com (8.6.9/Netcom) id XAA12077; Tue, 29 Nov 1994 23:23:12 -0800
From: tcmay at netcom.com (Timothy C. May)
Message-Id: <199411300723.XAA12077 at netcom13.netcom.com>
Subject: Re: "You aren't following the _rules_!"
To: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Tue, 29 Nov 1994 23:23:12 -0800 (PST)
Cc: cypherpunks at toad.com
In-Reply-To: from "Jonathan Rochkind" at Nov 29, 94 01:56:30 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1991
Sender: owner-cypherpunks at toad.com
Precedence: bulk

(My list mail for today is now arriving in huge batches, courtesy of Netcom's mail machine finally becoming unclogged...)

Jonathan Rochkind wrote:

> Which was admittedly your main point; until there is a _need_ for crypto,
> it's not going to be used.

> Because premail makes it incredibly easy to use PGP on a unix box. And, for
> that matter, the Eudora/PGP applescripts make it incredibly easy to use PGP
> on a mac. And there are some people working on an applescript that will

Not if you read mail on-line, while also reading News.

> automate using remailers on a mac too. But ease of use apparently isn't
> enough; no matter how easy it gets to use, it's still going to have some
> cost to the user over not using it. Even if the cost is only having to wait
> the 1.5 seconds it takes your machine to decrypt/encrypt a message. Unless
> there's a use for it, people won't be willing to spend that 1.5 seconds per
> message.

I strongly doubt that _anyone_ is not using crypto because of something so trivial as a .5 or 1.5 or even 4.5 second delay.

No, the issues are that handling encrypted messages is, for too many of us, _much_ more than a 1.5 seconds per message delay. Several of us have outlined the steps.

Are we just lazy? No, in some cases we're at home, pretty much relegated to dial-ups like Netcom. In other cases, on VAXes, or terminals, or AVIIONs. Whatever. Again, described repeatedly.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From lcottrell at popmail.ucsd.edu Tue Nov 29 23:58:57 1994
From: lcottrell at popmail.ucsd.edu (Lance Cottrell)
Date: Tue, 29 Nov 94 23:58:57 PST
Subject: Is Pr0duct Cypher still around?
Message-ID:

Having posted that massive spam asking Pr0duct Cypher for some information, it occurs to me to ask if he has been heard from lately. Has anyone seen anything from him lately?

--------------------------------------------------
Lance Cottrell who does not speak for CASS/UCSD
loki at nately.ucsd.edu
PGP 2.6 key available by finger or server. Encrypted mail welcome.
Home page http://nately.ucsd.edu/~loki/
Home of "chain" the remailer chaining script.
For anon remailer info, mail remailer at nately.ucsd.edu Subject: remailer-help

"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
--Nietzsche

From skaplin at skypoint.com Wed Nov 30 00:13:54 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Wed, 30 Nov 94 00:13:54 PST
Subject: We are ALL guests (except Eric)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

With the recent furor over the possibility of mandatory key signing on this list, I think we all are forgetting something. We are all guests here. Eric is our host. I've seen proposals for voting on the issue, I've seen posts saying "I'm not going to do it, wah wah wah." This list is analogous to Eric's home. We are his guests. If a host asks his guests to do something he or she has two choices, do it or leave.
If someone walked into my house and I asked them to do something and they said: "Lets vote on it," they would be out the door quicker than a 'toon on a banana peel. Eric has been a gentleman about this. He is not asking those who do not wish to comply to leave. This is Eric's house and I think we need to play by his rules while we are here. One caveat for Eric though, hosts with stringent rules are usually very lonely. ============================================================================== A government is the only know vessel that leaks from the top. --James Reston-- ============================================================================== skaplin at skypoint.com | "...vidi vici veni" - Overheard | outside a Roman brothel. PGP encrypted mail is accepted and | preferred. | Change is the only constant in the | Universe..."Four quarters, please." E-mail key at four11.com for PGP Key or | Finger skaplin at mirage.skypoint.com | Smile!! Big brother is watching. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtwymApnimeWAf3FAQGOkQQAgK6OrqyifMk3aICiLdtjHWILxUyAyTWx HyEXgfNdo3VXKALOCpON3sbtgiYlopFU9PyqQY4JGhievAfElEFOgUzfcOcNutKR vLeT73zsvYl0zJPk6TkKhBwLymykHcBq5VtM8qLFustkEOynlVNHanBZlCQEj1sC HKYfjJbX65E= =5hb+ -----END PGP SIGNATURE----- From cdodhner at PrimeNet.Com Wed Nov 30 01:24:03 1994 From: cdodhner at PrimeNet.Com (Christian Odhner) Date: Wed, 30 Nov 94 01:24:03 PST Subject: The Market for Crypto--A Curmudgeon's View In-Reply-To: Message-ID: On Tue, 29 Nov 1994, Sandy Sandfort wrote: > Here's my suggestion. Eric should unilaterally impose his first > step, i.e., all unsigned messages and messages with spoofed > signatures will henceforth be flagged as such. 
Let's see what

Not to point out the obvious or anything, but 99% of the people on this list are intelligent enough to tell if a post is signed or not, and a spoofed sig can be one of two things: a) the actual sender trying to 'give a good impression' or 'see if anyone checks', or b) a third party trying for whatever reason to mislead people into thinking he/she is really somebody else that we know/trust.

Situation 'a'? I don't give a damn, let them do what they want. Situation 'b'? Well the person they are spoofing is likely to yell loudly that they didn't write the post in question, and also there have been many times in the past where a signed message goes by and a few hours later several people have posted 'did anyone else get a bad sig check on XXXXX ?' messages...

Why should we splatter the list with 'flagged' messages so that the small percentage of us who don't (ever) check sigs will have some way of knowing that something was signed? As my father used to say, "The lord helps those who help themselves. Let us go now and do likewise." This seems a little too much like a bit of net.welfare approaching.

Added to that, it would be easy enough to hack toad, or somewhere just 'upstream' of toad, and edit out the 'bad sig' flags from selected messages, unless toad.com signed all outgoing messages after flagging them, which considering the list volume would slow that machine down to a crawl.

All in all, I think it's too much trouble (for the list admins mostly, but also for those who wouldn't sign their posts but now feel compelled to do so) for a false sense of security.

Happy Hunting, -Chris.
______________________________________________________________________________
Christian Douglas Odhner     | "The NSA can have my secret key when they pry
cdodhner at primenet.com      | it from my cold, dead, hands... But they shall
pgp 2.3 public key by finger | NEVER have the password it's encrypted with!"
cypherpunks WOw dCD Traskcom Team Stupid
Key fingerprint = 58 62 A2 84 FD 4F 56 38 82 69 6F 08 E4 F1 79 11
------------------------------------------------------------------------------

From tcmay at netcom.com Wed Nov 30 01:46:27 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Wed, 30 Nov 94 01:46:27 PST
Subject: We are ALL guests (except Eric)
In-Reply-To:
Message-ID: <199411300945.BAA21574@netcom11.netcom.com>

Samuel Kaplin wrote:

> With the recent furor over the possibility of mandatory key signing on
> this list, I think we all are forgetting something. We are all guests here.
> Eric is our host. I've seen proposals for voting on the issue, I've seen
> posts saying "I'm not going to do it, wah wah wah." This list is analogous
> to Eric's home. We are his guests. If a host asks his guests to do

I think this analysis is misleading. I leave it to readers to analyze the history of the list, the role of the early members, and the contributing contributions of the hundred or so active posters to decide if this analysis is correct.

As to characterizing the posts here as "I'm not going to do it, wah wah wah," this is too insulting to comment on.

> comply to leave. This is Eric's house and I think we need to play by his
> rules while we are here.

Funny, I don't recall Eric ever claiming it was "his house" to do with as he wishes. Seems to me that the list is an emergent entity, presently being centrally distributed off a machine owned by John Gilmore (is the list then his house?), being maintained by Hugh Daniel (his house?), and generally managed to the extent management is needed by Eric Hughes (his house?). But a lot of others have contributed.

No, we are not making "demands," nor are we calling for "a democratic vote." I happen to think Eric is quite wrong in thinking that "behavior modification" is needed, or practical. The list has done very well for the past 26 months without rigid rules, and has never even had a person kicked off the list (who didn't ask to be removed, back in the pre-Majordomo manual processing days). To begin behavior modification now, with many of us unwilling to convert to systems which would make conformance practical, seems unwise.

In any case, that's a separate issue. Suddenly declaring the list to be the personal property of Eric to do with as he pleases--a claim I have not heard from Eric--is another category of issue.

I frankly don't know if it makes sense to say anyone "owns" the list. (We went through this several times on the Extropians list; the Extropians mostly solved this situation by having the list the formal property of their Board of Directors. And yet debates naturally continued.)

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From gnu Wed Nov 30 03:09:49 1994
From: gnu (gnu)
Date: Wed, 30 Nov 94 03:09:49 PST
Subject: The Market for Crypto--In Real Life
In-Reply-To: <199411291918.LAA07191@comsec.com>
Message-ID: <9411301109.AA21847@toad.com>

Tim May ranted:

> In any case, the notion that a bunch of us--students, dabblers,
> activists, engineers, etc.--can somehow create a finished product, or
> a company, as some folks periodically try to argue for ("Let's do a
> company!"), is not too likely.

As Heinlein said, babies aren't too likely either.
I'm immediately looking for a contractor to work on documentation for Cygnus Network Security, the Kerberos software. Our goal is to create a finished product. A bunch of us dabblers already created the company and got it to make money. If you're interested, send me mail at gnu at cygnus.com and show me why you'd be good at it and how soon you're available. The writer who started the job ended up unable to finish it for personal reasons. It'll help a lot to be in Boston or SF Bay Area since our Kerberos engineers who can explain what to write are there. I'm also "likely to" eventually need another crypto programmer, contract or full time. For this we don't have a burning need yet, but talk to me if you might come available, and stay in touch. General programming wizardry on some platform is the basic requirement. Not mastery, not skill, not a degree. Wizardry -- exceptional skill. Interest and expertise in crypto technology, markets, and politics are desirable. Interest and expertise in the guts of compiler tools is also desirable, since that's our other main business, and people swap back and forth at times. Yes, it's a job posting. I just couldn't resist this followup to Tim. And I suspect some of you might actually care to read job postings for crypto jobs here; I would. John -- John Gilmore gnu at toad.com -- gnu at cygnus.com -- gnu at eff.org Can we talk in private? Chairman, Crypto Committee Not if the FBI and NSA have their way. Electronic Frontier Foundation Board Let's sell free crypto software. Product Manager, Cygnus Network Security From lmccarth at ducie.cs.umass.edu Wed Nov 30 05:56:21 1994 From: lmccarth at ducie.cs.umass.edu (L. 
McCarthy) Date: Wed, 30 Nov 94 05:56:21 PST Subject: net.welfare approaching In-Reply-To: Message-ID: <199411301356.IAA20630@ducie.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Christian Douglas Odhner writes: > Why should we splater the list with 'flagged' messages It's entirely unclear to me how adding a line or two to the header of each list message could possibly be construed as splattering anything. At least, I didn't see any mention of the scheme involving mailing of form letter advisories to the list for each invalid dig sig, accompanied by an increase in DEFCON. > so that the small percentage of us who don't (ever) check sigs ~~~~~~~~~~~~~~~~ What's your evidence for this ? I'm inclined to doubt this, but I can't see any empirical point to which anyone could point. > will have some way of knowing that > something was signed? As my father used to say, "The lord helps those > who help themselves. Let us go now and do likewise." (I would have been out the door within the first few words. YMMV. ;) > This seems a little too much like a bit of net.welfare approaching. Oh, puhleeeze ! I sincerely hope that was sarcastic, but I don't believe it was. Automated checking of digital signatures by mailing list management software constitutes a form of *welfare* in your book ??? Why should we be so pampered with an automated mailing list, anyway ? If we were really K00L, we'd have to pursue the list traffic actively on the net, ideally with a homemade packet sniffer. If you can't design and build your car from scratch, you shouldn't be allowed to drive it. Oh, you must have stress-tested the parts yourself, too. > Added to that, it would > be easy enough to hack toad, or somewhere just 'upstream' of toad, and > edit out the 'bad sig' flags from selected messages, Feel free to be an 3L33T HAK'R D00D, but I'll cheerfully middle-digit you if you try to tell me I have to code everything in assembly language. 
> All in all, I think it's too much trouble (for the list admins mostly, Eric, the list admin, seems to be by far the most enthusiastic campaigner for this plan to date. [...] > for a false sense of security. Are you saying you know a convenient way to forge, say, PGP signatures ? If not, I don't understand your claim here. Personal anecdote time: I've been trying to promote the use of dig sigs at my site. I happen to be in charge of sending a broadcast message each Monday morning to announce the dept.'s official weekly coffee rendezvous. I pretty much have carte blanche w.r.t. the content of the messages, which means I have to restrain myself mightily from ramming my foot down my own throat. Anyway, when I started PGP-signing all my mail a few weeks ago, I naturally began to sign these broadcast messages. Sure enough, I've received more feedback and curious queries about the signatures than anything else I've ever written. The short point of this overlong narrative is that leading by example can have a significant effect, and shouldn't be dismissed lightly as a means of raising crypto awareness. Reiterating, I eagerly support the notion of automatic dig sig validation by the list software. Right now, I'd mostly like to see an end to this torrent of meta-mail on the list about delaying unsigned messages. Perhaps we could delay all messages *about* delaying unsigned messages ;} - -L. Futplex McCarthy; PGP key by finger or server "Don't say my head was empty, when I had things to hide...." --Men at Work -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLtyEdmf7YYibNzjpAQEo6wQA3GCqJ+iy9TDajUvTjW5NG0qbZnHNI0fb wAJwjE/QNhsplbJjUq98X+/RWCCiuMggSqAWvjoDjqqrQuzHls0am19hybd+JX5u 2xiodRwK1yChRujaARbSkW5gR4piltbqtPtJ5Pzh17s+ySNGOi9/G077jISpLHHW oYeXmVXNjaI= =oFg6 -----END PGP SIGNATURE----- From dmandl at bear.com Wed Nov 30 06:17:34 1994 From: dmandl at bear.com (dmandl at bear.com) Date: Wed, 30 Nov 94 06:17:34 PST Subject: PGP hook for Eudora? 
Message-ID: <9411301417.AA20931@yeti.bsnet>

> Jonathan Rochkind wrote:
>
> > Because premail makes it incredibly easy to use PGP on a unix box. And, for
> > that matter, the Eudora/PGP applescripts make it incredibly easy to use PGP
> > on a mac. And there are some people working on an applescript that will

I keep hearing about PGP hooks for (Mac) Eudora, but a casual search of at least five advertised ftp sites has turned up nothing. Can someone post an address where this stuff can definitely be found?

Thanks.

   --Dave.

From snyderra at dunx1.ocs.drexel.edu Wed Nov 30 06:39:54 1994
From: snyderra at dunx1.ocs.drexel.edu (Bob Snyder)
Date: Wed, 30 Nov 94 06:39:54 PST
Subject: Mandatory sig workaround
In-Reply-To: <199411300806.AAA10511@largo.remailer.net>
Message-ID: <199411301438.JAA19795@dunx1.ocs.drexel.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Eric Hughes scribbles:
> Fine. I still win. My purpose is to communicate that I want list
> users to use encryption. If you feel the need to use someone else's
> service, then you have at least been exposed to the fact that
> signatures are desired at toad.com.
> Some people may find a way around it. OK. I still get the initial
> sign-on message that new users see. Most people get the message.
> That's what I want.

As a personal policy I don't sign usenet news or mailing list postings, unless special circumstances arise, I sign most personal email where the text will be longer than the signature, or I know the other person is a proponent of PGP, and I encrypt messages to people I know can receive them without too much pain.

I don't sign/encrypt to mailing list, as many people get disgruntled by it, and can cause problems of its own.

I suspect that most people on the list have worked with PGP at some point, simply because of the nature of the list. I don't see a problem with signing/encrypting to Cypherpunks for 90% of the people that contribute.
How about just an annoyance responder that sends a piece of mail to people who post without signing/encrypting, telling them they should be encrypting, that it's the preferred method of doing things, and to do so in the future if possible?

As a side note, if you want people to sign their notes, why aren't you doing so now? I apologize if this has already been asked and I missed it, and it's not intended as a flame, but it would seem that signing your own messages would be a good way of starting things toward the direction you want to go.

Bob

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLtyNZuS0CjsjWS0VAQFa+QQAqxXi8zCdKSQZKPBY2TdAxkj5qtGrA3Os
berJslmnPdnpdc1xfpoWBnnT57d/z6EyExh1rDRxlXmENbB3uxl/X+ycq3XooiJo
0d0OeSiuHlKZLjEHN5en2b/6Lzv2uyxCRsJyfwJ8c+AIKsOiupRqBo8/jPnJ5zhf
QYXDnVeZ5Gw=
=Fdp+
-----END PGP SIGNATURE-----

From dmandl at bear.com Wed Nov 30 06:58:30 1994
From: dmandl at bear.com (dmandl at bear.com)
Date: Wed, 30 Nov 94 06:58:30 PST
Subject: The pain of encrypting email
Message-ID: <9411301445.AA21875@yeti.bsnet>

> Jonathan Rochkind wrote:
>
> > Because premail makes it incredibly easy to use PGP on a unix box.

"Incredibly easy" is an exaggeration, since the docs themselves say that you need root privileges to install premail properly. The alternative is using premail in stand-alone mode, i.e., entering your mail line-by-line a la the generic mail program!

Now, I think premail is beautiful, but the bottom line is that at this point it's not something I can actually use, like most email-encrypting tools I hear about, alas.

   --Dave.

From eric at remailer.net Wed Nov 30 07:04:43 1994
From: eric at remailer.net (Eric Hughes)
Date: Wed, 30 Nov 94 07:04:43 PST
Subject: net.welfare approaching
In-Reply-To: <199411301356.IAA20630@ducie.cs.umass.edu>
Message-ID: <199411301603.IAA11130@largo.remailer.net>

   From: "L. McCarthy"

   Personal anecdote time: I've been trying to promote the use of dig sigs at my site. [...]
   The short point of this overlong narrative is that leading by example can have a significant effect, and shouldn't be dismissed lightly as a means of raising crypto awareness.

This is exactly the kind of communication I want to promote. Communication by allowing others to observe your actions can be far more powerful than abstract arguments in favor of that action.

Eric

From adam at bwh.harvard.edu Wed Nov 30 07:11:45 1994
From: adam at bwh.harvard.edu (Adam Shostack)
Date: Wed, 30 Nov 94 07:11:45 PST
Subject: PGP hook for Eudora?
In-Reply-To: <9411301417.AA20931@yeti.bsnet>
Message-ID: <199411301459.JAA05488@bwh.harvard.edu>

| I keep hearing about PGP hooks for (Mac) Eudora, but a casual search
| of at least five advertised ftp sites has turned up nothing. Can
| someone post an address where this stuff can definitely be found?

They can definitely be found at duke.bwh.harvard.edu:/pub/adam/mcip
They require an Apple Events aware PGP (2.3 v1.1 or Viacrypt). Also in that site is the macpgp kit, which is an interface to do crypto stuff on the clipboard.

There is no copy of PGP stored there, for 2.3v1.1, goblin.dsi.unimi.it:/pub/security/crypt/PGP. For Viacrypt, contact viacrypt at acm.org

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From rishab at dxm.ernet.in Wed Nov 30 07:49:09 1994
From: rishab at dxm.ernet.in (rishab at dxm.ernet.in)
Date: Wed, 30 Nov 94 07:49:09 PST
Subject: Economist's Dash for E-cash
Message-ID:

I've been away for a couple of days so I don't know if this has come up already, but...

The Economist has proven yet again my firm belief that it's the most wired magazine around. In a special report on e-cash in the latest issue, it presents a lucid description of the pros and cons of different digicash, including Chaum.
It then goes on to discuss in detail how e-cash could work, how it would be backed by real money and therefore not earn interest, how governments might get worried by the development of implicit currency markets beyond their control, how eventually e-cash might become an independent currency with no 'real' value, hinting at my outline of 'cooking-pot' markets in Electric Dreams #37.

ObHeeHee: an article on the anti-DWEM backlash against Shakespeare quotes Gary Taylor, editor of the Oxford Shakespeare, as saying that "Shakespeare helped murder" Nicole Simpson. Why? The play Othello "makes a wife-murderer not only tragic but also, perversely, heroic."

-----------------------------------------------------------------------------
Rishab Aiyer Ghosh             "Clean the air! clean the sky! wash the wind!
rishab at dxm.ernet.in          take stone from stone and wash them..."
rishab at arbornet.org
Voice/Fax/Data +91 11 6853410
Voicemail +91 11 3760335       H 34C Saket, New Delhi 110017, INDIA

From jrochkin at cs.oberlin.edu Wed Nov 30 08:03:09 1994
From: jrochkin at cs.oberlin.edu (Jonathan Rochkind)
Date: Wed, 30 Nov 94 08:03:09 PST
Subject: PGP hook for Eudora?
Message-ID:

At 9:17 AM 11/30/94, dmandl at bear.com wrote:
>I keep hearing about PGP hooks for (Mac) Eudora, but a casual search
>of at least five advertised ftp sites has turned up nothing. Can
>someone post an address where this stuff can definitely be found?

There is a bunch of applescript PGP stuff, in various states of done-ness, at ftp://ftp.netcom.com/pub/xenon. I'm not quite sure what the status of this stuff is, or if it's actually final release software, or just betas and such, because xenon seems to have disappeared for an indefinite period of time and isn't answering email. You want the MacPGPKit Installer, and the Eudora/PGP scripts (I'm not sure about the exact name for the Eudora scripts).
In my own experience, the Eudora scripts work really well and are quite stable, but the more general purpose MacPGPKit has some problems and isn't so stable.

From kinney at bogart.Colorado.EDU Wed Nov 30 08:56:40 1994
From: kinney at bogart.Colorado.EDU (W. Kinney)
Date: Wed, 30 Nov 94 08:56:40 PST
Subject: net.welfare approaching
In-Reply-To: <199411301603.IAA11130@largo.remailer.net>
Message-ID: <9411301656.AA20967@bogart.Colorado.EDU>

Eric Hughes writes:
> Communication by allowing others to observe your actions can be far
> more powerful than abstract arguments in favor of that action.

Or compulsion.

   -- Will

From shamrock at netcom.com Wed Nov 30 09:59:13 1994
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 30 Nov 94 09:59:13 PST
Subject: The Market for Crypto--A Curmudgeon's View
Message-ID: <199411301759.JAA05474@netcom10.netcom.com>

Sandy wrote:
>
>Here's my suggestion. Eric should unilaterally impose his first
>step, i.e., all unsigned messages and messages with spoofed
>signatures will henceforth be flagged as such. Let's see what
>effect, if any, that has on the way people post their messages.
>After the protocol has been in effect for some time, we can
>re-open the topic for further discussion.

It seems we have pretty much reached a consensus. Eric should implement a way to flag unsigned posts. [Loved the various headers in Eric's post. They were real funny.] After this is implemented let's see how it works and see what else should be done.

However, I agree that this is Eric's list and Eric's rules. If he decides that it would be a Good Thing to incentivise us Cypherpunks to use more crypto when posting to the list, he is free to do so with or without anyone's consent.

-- Lucky Green
   PGP encrypted mail preferred.
"The very atmosphere of firearms anywhere and everywhere restrains evil interference - they deserve a place of honor with all that's good."
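One way to implement the flagging step debated in the messages above (a header line added by the list software for unsigned or badly framed posts). This is an added example, not code from any poster or from the list software at toad.com; the header name `X-Sig-Status`, the verdict strings and the sample messages are assumptions. It checks only the clear-signature framing and the armor CRC-24, because verifying the signature itself needs PGP and the poster's public key.

```python
import base64

FLAG = "X-Sig-Status"  # hypothetical header name; the thread does not name one
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 that PGP ASCII armor carries on its final '=XXXX' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_signature(raw: bytes) -> str:
    """Armor arbitrary bytes as a signature block (used for the constructed sample)."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN_SIG, "Version: 2.6.1", "", *rows, "=" + check, END_SIG])


def split_envelope(body: str):
    """Return (outside, signed, armor) line lists, or None if the framing is incomplete."""
    lines = body.splitlines()
    try:
        first = lines.index(BEGIN_MSG)
        start = lines.index(BEGIN_SIG, first)
        end = lines.index(END_SIG, start)
    except ValueError:
        return None
    return lines[:first] + lines[end + 1:], lines[first + 1:start], lines[start + 1:end]


def after_blank(lines):
    """Drop armor or cleartext headers: everything up to the first empty line."""
    return lines[lines.index("") + 1:] if "" in lines else lines


def signed_text(body: str) -> str:
    """Text the signature covers, with the '- ' dash-escaping removed."""
    parts = split_envelope(body)
    if parts is None:
        return ""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in after_blank(parts[1]))


def classify(body: str) -> str:
    """Structural verdict only; it does not verify the signature itself."""
    if BEGIN_MSG not in body.splitlines():
        return "unsigned"
    parts = split_envelope(body)
    if parts is None:
        return "signed-malformed"
    outside, _, armor = parts
    armor = after_blank(armor)
    data = "".join(l for l in armor if not l.startswith("="))
    check = [l[1:] for l in armor if l.startswith("=")]
    try:
        raw = base64.b64decode(data, validate=True)
        want = int.from_bytes(base64.b64decode(check[0], validate=True), "big")
    except (IndexError, ValueError):
        return "signed-malformed"
    if not raw or len(check) != 1 or crc24(raw) != want:
        return "signed-malformed"
    # Anything outside the envelope is not covered by the signature.
    return "signed-partial" if any(l.strip() for l in outside) else "signed-wellformed"


def flag_message(message: str) -> str:
    """Remove any sender-supplied FLAG header, then append the list's own verdict."""
    # The header is advisory: nothing authenticates it downstream of the list host.
    head, _, body = message.partition("\n\n")
    kept, dropping = [], False
    for line in head.split("\n"):
        if line[:1] not in (" ", "\t"):      # a new header, not a folded continuation
            dropping = line.lower().startswith(FLAG.lower() + ":")
        if not dropping:
            kept.append(line)
    kept.append(f"{FLAG}: {classify(body)}")
    return "\n".join(kept) + "\n\n" + body


# Constructed samples: addresses, text and "signature" bytes are made up.
SAMPLE_SIG = armor_signature(bytes(range(40)))
SAMPLE_SIGNED = "\n".join([
    "From: poster at example.org", "Subject: constructed sample", "",
    BEGIN_MSG, "", "Signed text of the post.", "- -- dash-escaped line", SAMPLE_SIG])
SAMPLE_FORGED = "\n".join([
    "From: poster at example.org", FLAG + ": signed-wellformed",
    "Subject: constructed sample", "", "No signature here."])

if __name__ == "__main__":
    for sample in (SAMPLE_SIGNED, SAMPLE_FORGED):
        print(flag_message(sample).partition("\n\n")[0], end="\n\n")
```
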
From mpj at netcom.com Wed Nov 30 10:07:07 1994
From: mpj at netcom.com (Michael Paul Johnson)
Date: Wed, 30 Nov 94 10:07:07 PST
Subject: Where to get the latest PGP (Pretty Good Privacy) FAQ
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

===============================BEGIN SIGNED TEXT=============================

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP)

(Last modified: 30 November 1994 by Mike Johnson)

WHAT IS THE LATEST VERSION?

|-----------------+---------------------+---------------------------------|
| Platform(s)     | Latest Version      | Distribution File Names         |
|-----------------+---------------------+---------------------------------|
| DOS, Unix,      | Viacrypt PGP 2.7    | disk sets                       |
| Mac, Windows,   |                     |                                 |
| or WinCIM/CSNav |                     |                                 |
|-----------------+---------------------+---------------------------------|
| DOS, Unix,      | MIT PGP 2.6.2       | pgp262.zip (DOS + docs)         |
| others          |                     | pgp262s.zip (source)            |
|                 |                     | pg262s.zip source on CompuServe |
|                 |                     | pgp262.tar.gz (source)          |
|                 |                     | pgp262.gz (same as above on DOS)|
|                 |                     | pgp262.tar.Z (source)           |
|                 |                     | pgp262dc.zip (documentation)    |
|                 |                     | pg262d.zip (docs on CompuServe) |
|-----------------+---------------------+---------------------------------|
| Macintosh       | MIT PGP 2.6         | MacPGP2.6.sea.hqx (binary+docs) |
|                 |                     | macpgp26.hqx (same as above)    |
|                 |                     | MacPGP2.6.src.sea.hqx (source)  |
|                 |                     | macpgp26.src (same as above)    |
|                 |                     | MacPGP2.6-68000.sea.hqx (binary)|
|                 |                     | mcpgp268.hqx (same as above)    |
|-----------------+---------------------+---------------------------------|
| Mac Applescript | MacPGP 2.6ui v 1.2  | MacPGP-2.6ui-v1.2.sit.hqx       |
|                 |                     | MacPGP2.6ui_V1.2_sources.cpt.hqx|
|                 |                     | MacPGP2.6uiV1.2en.cpt.hqx       |
|                 |                     | MacPGP2.6uiV1.2src.cpt.hqx      |
|                 |                     | MacPGP2.6uiV1.2.68000.hqx       |
|-----------------+---------------------+---------------------------------|
| Amiga           | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha              |
|                 |                     | pgp262-a14-020.lha              |
|                 |                     | pgp262-a14-src.lha              |
|-----------------+---------------------+---------------------------------|
| Atari           | Atari PGP 2.6ui     | pgp26uib.lzh (binary, docs)     |
|                 |                     | pgp26uis.lzh                    |
|-----------------+---------------------+---------------------------------|
| Archimedes      | Archimedes 2.3a     | ArcPGP23a                       |
|-----------------+---------------------+---------------------------------|
| Non-USA version | PGP 2.6.i from      | pgp26i.zip                      |
| to avoid RSAREF | Stale Schumacher    | pgp26is.zip                     |
| license.        |                     | pgp26is.tar.gz                  |
|_________________|_____________________|_________________________________|

WHERE CAN I GET THE PGP VERSION DIRECTLY FROM PHILIP ZIMMERMANN?

This is the MIT version. For several good reasons, Phil is releasing the main line freeware PGP through MIT, at net-dist.mit.edu. See a list of sites that also carry this version, below, or use this WWW URL: http://web.mit.edu/network/pgp-form.html

WHAT IS PGP 2.6.i?

Stale Schumacher released an international version of PGP built the "right way." By "right way," I mean that it uses the latest MIT code, but uses a different rsaglue.c to use the mpilib instead of RSAREF for RSA calculations, thus including all the latest bug fixes and features in the main freeware PGP code line, but frees non-USA persons from the limitations of the RSAREF license. This release has been as strongly endorsed by Philip Zimmermann as he can do without incriminating himself. Naturally, by not using the RSAREF code for RSA calculations, this version is not legal for use in the USA (other than limited research, etc.), but is fine anywhere else (like Canada) where RSA patents don't hold.

Note that the latest version of Stale Schumacher's PGP is 2.6.i; 2.6i (without the second .) was a beta test version that has been superseded.

WHAT IS PGP 2.6ui?

The "unofficial international" versions are really just PGP 2.3a, modified just enough to make it compatible with MIT PGP 2.6, but do not include all of the fixes in MIT PGP 2.6 and MIT PGP 2.6.1.
They have a "ui" somewhere in their file names. I recommend the use of the "ui" versions only if you are using a platform for which there is no Viacrypt or MIT PGP that works properly. For a version that doesn't use RSAREF, PGP 2.6.i from Stale Schumacher is a better choice, because it is more up-to-date.

WHERE CAN I GET VIACRYPT PGP?

If you are a commercial user of PGP in the USA or Canada, contact Viacrypt in Phoenix, Arizona, USA. The commercial version of PGP is fully licensed to use the patented RSA and IDEA encryption algorithms in commercial applications, and may be used in corporate and government environments in the USA and Canada. It is fully compatible with, functionally the same as, and just as strong as the freeware version of PGP. Due to limitations on ViaCrypt's RSA distribution license, ViaCrypt only distributes executable code and documentation for it, but they are working on making PGP available for a variety of platforms. Call or write to them for the latest information. The latest version number for Viacrypt PGP is 2.7.

Here is a brief summary of Viacrypt's currently-available products:

1. ViaCrypt PGP for MS-DOS. Prices start at $99.98

2. ViaCrypt PGP for UNIX. Includes executables for the following platforms:

     SunOS 4.1.x (SPARC)
     IBM RS/6000 AIX
     HP 9000 Series 700/800 UX
     SCO 386/486 UNIX
     SGI IRIX
     AViiON DG-UX(88/OPEN)

   Prices start at $149.98

   Executables for the following additional platforms are available upon request for an additional $30.00 charge.

     BSD 386
     Ultrix MIPS DECstation 4.x

3. ViaCrypt PGP for WinCIM/CSNav. A special package for users of CompuServe. Prices start at $119.98

Please contact ViaCrypt for quantity discount pricing.

Orders may be placed by calling 800-536-2664 during the hours of 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards.

If you have further questions, please feel free to contact:

Paul E. Uhlhorn
Director of Marketing, ViaCrypt Products
Mail:       9033 N. 24th Avenue
            Suite 7
            Phoenix AZ 85021-2847
Phone:      (602) 944-0773
Fax:        (602) 943-2601
Internet:   viacrypt at acm.org
Compuserve: 70304.41

WHERE CAN I GET THE FREEWARE PGP?

These listings are subject to change without notice. If you find that PGP has been removed from any of these sites, please let me know so that I can update this list. Likewise, if you find PGP on a good site elsewhere (especially on any BBS that allows first time callers to access PGP for free), please let me know so that I can update this list. Because this list changes frequently, I have not attempted to keep it complete, but there should be enough pointers to let you easily find PGP.

There are several ways to get the freeware PGP: ftp, WWW, BBS, CompuServe, email ftp server, and sneakernet (ask a friend for a copy). Just don't ask Philip Zimmermann directly for a copy.

FTP SITES IN NORTH AMERICA

There are some weird hoops to jump through, thanks to the U. S. Department of State and the ITAR, at many of these sites.

Telnet to net-dist.mit.edu, log in as getpgp, answer the questions, then ftp to net-dist.mit.edu and change to the hidden directory named in the telnet session to get your own copy.

MIT-PGP is for U. S. and Canadian use only, but MIT is only distributing it within the USA (due to some archaic export control laws).

1. Read ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt and agree to it.
2. Read ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt and agree to it.
3. Telnet to net-dist.mit.edu and log in as getpgp.
4. Answer the questions and write down the directory name listed.
5. QUICKLY end the telnet session with ^C and ftp to the indicated directory on net-dist.mit.edu (something like /pub/PGP/dist/U.S.-only-????) and get the distribution files (see the above chart for names).

If the hidden directory name is invalid, start over at step 3, above.
You can also get PGP from:

ftp.csn.net/mpj
    ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/
    See ftp://ftp.csn.net/mpj/README.MPJ for the ???????
    See ftp://ftp.csn.net/mpj/help for more help on negotiating this site's export control methods (open to USA and Canada).

ftp.netcom.com/pub/mp/mpj
    ftp://ftp.netcom.com/mp/mpj/I_will_not_export/crypto_???????/pgp/
    See ftp://ftp.netcom.com/pub/mp/mpj/README.MPJ for the ???????
    See ftp://ftp.netcom.com/pub/mp/mpj/help for more help on negotiating this site's export control methods.

TO GET THESE FILES BY EMAIL, send mail to ftp-request at netcom.com containing the word HELP in the body of the message for instructions. You will have to work quickly to get README.MPJ then the files before the ??????? part of the path name changes again (several times a day).

ftp.eff.org
    Follow the instructions found in README.Dist that you get from one of:
    ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist
    gopher.eff.org, 1/Net_info/Tools/Crypto
    gopher://gopher.eff.org/11/Net_info/Tools/Crypto
    http://www.eff.org/pub/Net_info/Tools/Crypto/

ftp.csua.berkeley.edu (for U. S. or Canadian users)
    /pub/cypherpunks/pgp/

ftp.wimsey.bc.ca
    /pub/crypto/software/dist/US_or_Canada_only_XXXXXXX/PGP (U. S. and Canadian users only)
    See /pub/crypto/software/README for the characters for XXXXXXXX
    This site has all public releases of the freeware PGP.

WORLD WIDE WEB ACCESS

http://web.mit.edu/network/pgp-form.html
http://www.ifi.uio.no/~staalesc/PGPVersions.html
http://www.mantis.co.uk/pgp/pgp.html
http://rschp2.anu.edu.au:8080/crypt.html
http://www.eff.org/pub/Net_info/Tools/Crypto/
http://community.net/community/all/home/solano/sbaldwin

COMPUSERVE

The NCSA Forum sysops have a library (Library 12: Export Controlled) that is available only to people who send them a message asserting that they are within the U. S. A. This library contains PGP. I have also seen PGP in some other places on Compuserve.
Try searching for PGP262.ZIP in the IBMFF forum for up-to-date information on PGP in selected other areas. The last time I tried a search like this, PGP was found in the PC World Online forum (GO PWOFORUM) new uploads area, along with several PGP shells and accessories. I've also heard that EUROFORUM carries PGP, but have not confirmed this.

Compuserve file names are even more limited than DOS (6.3 instead of the already lame 8.3), so the file names to look for are PGP262.ZIP, PG262S.ZIP (source code), PGP262.GZ (Unix source code) and PG262D.ZIP (documentation only).

BULLETIN BOARD SYSTEMS

Colorado Catacombs BBS
    Mike Johnson, sysop
    Mac and DOS versions of PGP, PGP shells, and some other crypto stuff.
    Also the home of some good Bible search files and some shareware written by Mike Johnson, including ATBASH, DLOCK, CRYPTA, CRYPTE, CRYPTMPJ, MCP, MDIR, DELETE, PROVERB, SPLIT, ONEPAD, QUICRYPT, etc.
    v.FAST/v.32bis/v.42bis, speeds up to 28,800 bps
    8 data bits, 1 stop, no parity, as fast as your modem will go.
    Use ANSI terminal emulation, or if you can't, try VT-100.
    Free access to PGP. If busy or no answer, try again later.
    Log in with your own name, or if someone else already used that, try a variation on your name or pseudonym. You can request access to crypto software on line, and if you qualify legally under the ITAR, you can download on the first call.
    For free access: log in with your own name, answer the questions, then select [Q]uestionaire 3 from the [M]ain menu.
    (303) 772-1062 Longmont, Colorado number - 2 lines.
    (303) 938-9654 Boulder, Colorado number forwarded to Longmont number intended for use by people in the Denver, Colorado area.
The Freedom Files BBS, DeLand Florida, USA
    904-738-2691

Exec-Net, New York, NY, USA (Host BBS for the ILink net)
    914-667-4567

The Ferret BBS (North Little Rock, Arkansas)
    (501) 791-0124 also (501) 791-0125
    Special PGP users account:
    login name: PGP USER
    password: PGP
    This information from: Jim Wenzel

CVRC BBS 317-791-9617

CyberGold BBS 601-582-5748

Self-Governor Information Resource, 915-587-7888, El Paso, Texas, USA

In the UK, try 01273-688888

Other BBS -- check your local BBS. Chances are good that it has any release that is at least a month old if it has much of a file area at all.

OTHER FTP SITES

ftp.informatik.uni-hamburg.de
    /pub/virus/crypt/pgp
    This site has most, if not all, of the current PGP files.

ftp.ox.ac.uk (163.1.2.4)

ftp.netcom.com
    /pub/dc/dcosenza -- Some crypto stuff, sometimes includes PGP.
    /pub/gb/gbe/pgpfaq.asc -- frequently asked questions answered.
    /pub/qw/qwerty -- How to MacPGP Guide, largest steganography ftp site as well. PGP FAQ, crypto FAQ, US Crypto Policy FAQ, Steganography software list. MacUtilites for use with MacPGP. Stealth1.1 + other steganography programs. Send mail to ftp-request at netcom.com with "HELP" in the body of the message if you don't have ftp access.
ftp.ee.und.ac.za
    /pub/crypto/pgp

ftp.csua.berkeley.edu
    /pub/cypherpunks/pgp (DOS, MAC)

ftp.demon.co.uk
    /pub/amiga/pgp
    /pub/archimedes
    /pub/pgp
    /pub/mac/MacPGP

ftp.informatik.tu-muenchen.de

ftp.funet.fi

ftp.dsi.unimi.it
    /pub/security/crypt/PGP

ftp.tu-clausthal.de (139.174.2.10)
    (Atari ST/E,TT,Falcon)
    /pub/atari/misc/pgp/pgp26uib.lzh (2.6ui ttp, 2.3a docs)
    /pub/atari/misc/pgp/pgp26uis.lzh (2.6ui sources)
    /pub/atari/misc/pgp/pgp26ui.diffs (Atari diffs for 2.6 sources)

wuarchive.wustl.edu
    /pub/aminet/util/crypt

src.doc.ic.ac.uk (Amiga)
    /aminet
    /amiga-boing

ftp.informatik.tu-muenchen.de
    /pub/comp/os/os2/crypt/pgp23os2A.zip (OS/2)

iswuarchive.wustl.edu
    pub/aminet/util/crypt (Amiga)

nic.funet.fi (128.214.6.100)
    /pub/crypt

ftp.uni-kl.de (131.246.9.95)
    /pub/aminet/util/crypt

qiclab.scn.rain.com (147.28.0.97)
pc.usl.edu (130.70.40.3)
leif.thep.lu.se (130.235.92.55)
goya.dit.upm.es (138.4.2.2)
tupac-amaru.informatik.rwth-aachen.de (137.226.112.31)
ftp.etsu.edu (192.43.199.20)
princeton.edu (128.112.228.1)
pencil.cs.missouri.edu (128.206.100.207)
ftp.csua.berkeley.edu
kauri.vuw.ac.nz

nctuccca.edu.tw
    /PC/wuarchive/pgp/

ftp.fu-berlin.de:/mac/sys/init/MacPGP2.6uiV1.2en.cpt.hqx.gz

Also, try an archie search for PGP using the command:

    archie -s pgp262 (DOS & Unix Versions)
    archie -s pgp2.6 (MAC Versions)

FTPMAIL

For those individuals who do not have access to FTP, but do have access to e-mail, you can get FTP files mailed to you. For information on this service, send a message saying "Help" to ftpmail at decwrl.dec.com. You will be sent an instruction sheet on how to use the ftpmail service. It works with messages something like this:

> To: ftpmail at decwrl.dec.com
> Subject: Ftpmail request
> Connect ftp.csua.berkeley.edu
> chdir pub/cypherpunks/pgp/pgp262
> uuencode
> get pgp262.zip
> quit

Another e-mail service is from nic.funet.fi.
Send the following mail message to mailserv at nic.funet.fi:

    ENCODER uuencode
    SEND pub/crypt/pgp23srcA.zip
    SEND pub/crypt/pgp23A.zip

This will deposit the two zipfiles, as 15 batched messages, in your mailbox within about 24 hours. Save and uudecode.

For the ftp sites on netcom, send mail to ftp-request at netcom.com containing the word HELP in the body of the message.

To get pgp 2.6.i by email: Send a message to hypnotech-request at ifi.uio.no with your request in the Subject: field.

    Subject               What you will get
    GET pgp26i.zip        MS-DOS executable (uuencoded)
    GET pgp26is.zip       MS-DOS source code (uuencoded)
    GET pgp26is.tar.gz    UNIX source code (uuencoded)

For FAQ information, send e-mail to mail-server at rtfm.mit.edu with

    send usenet/news.answers/ftp-list/faq

in the body of the message.

IS MY COPY OF PGP GOOD?

If you find a version of the PGP package that does not include the PGP User's Guide, something is wrong. The manual should always be included in the package. PGP should be signed by one of the developers (Philip Zimmermann, Jeff Schiller, Viacrypt, Stale Schumacher, etc.). If it isn't, the package is suspect and should not be used or distributed. The site you found it on should remove it so that it does no further harm to others. To be really sure, you should get PGP directly from MIT or check the signatures with a version of PGP that you trust. The copies of PGP on ftp.csn.net/mpj, ftp.netcom.com/pub/mp/mpj, and the Colorado Catacombs BBS are direct copies of the ones on MIT, except that the ones on the BBS include a BBS advertisement (automatically added by the system when it virus scans new files) in the outer .zip files.

OTHER PGP DOCUMENTATION

PGP is rather counter-intuitive to a Mac user. Luckily, there's a guide to using MacPGP in ftp://ftp.netcom.com/pub/qw/qwerty/Here.is.How.to.MacPGP.
There is a Frequently Asked Questions document in ftp://ftp.netcom.com/pub/gb/gbe/pgpfaq.asc

For more information on the "time bomb" in PGP, see ftp://ftp.csn.net/mpj/pgpbomb.asc

More PGP details are at http://www.pegasus.esprit.ec.org/people/arne/pgp.html

Windows shells documentation http://www.LCS.com/winpgp.html

LANGUAGE MODULES

These are suitable for most PGP versions. I am not aware of any export/import restrictions on these files.

German
 * _UK:_ ftp://ftp.ox.ac.uk/src/security/pgp_german.txt
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha

Italian
 * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz
 * _FI:_ ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/PGP/pgp-lang.italian.tar.gz
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.italian.tar.gz

Japanese
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz

Lithuanian
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip

Russian
 * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip (MIT version)
 * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26uir.zip (ui version)
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp26ru.zip

Spanish
 * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.spanish.tar.gz
 * _FI:_ ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/pgp-lang.spanish.tar.gz
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz

Swedish
 * _UK:_ ftp://ftp.ox.ac.uk/src/security/pgp_swedish.txt
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_swedish.txt

MAILING LIST FOR PGP AND RELATED TOPICS (PGP MAILING LIST IN GERMAN)

The list address: pgp-friends at fiction.pb.owl.de

The *request* address (for subscribe/unsubscribe and other administrative matters): pgp-friends-request at fiction.pb.owl.de

WHAT IS ALL THIS NONSENSE ABOUT EXPORT CONTROLS?
For a detailed rant, get ftp://ftp.csn.net/mpj/cryptusa.zip

The practical meaning, until the law is corrected to make sense, is that you are requested to get PGP from sites outside of the USA and Canada if you are outside of the USA and Canada. If you are in France, I understand that you aren't even supposed to import it. Other countries may be worse. Make sure you follow the laws of your own country. If you want to officially export PGP, you may be able to get permission in limited cases and for a fee. Contact the U. S. Department of State for information.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN THE USA?

MIT PGP is only for personal, noncommercial use because of restrictions on the licensing of both the RSA algorithm (attached to RSAREF) and the IDEA algorithm. PKP/RSADSI insist that we use RSAREF instead of the mpi library for reasons that make sense to them.

For commercial use, use Viacrypt PGP, which is fully licensed to use both the RSA and IDEA algorithms in commercial and corporate environments (as well as personal use, of course).

Another restriction is due to an exclusive marketing agreement between Philip Zimmermann and Viacrypt that applies to the USA and Canada only. Viacrypt has exclusive rights to market PGP commercially in this area of the world. This means that if you want to market PGP commercially in competition with Viacrypt in the USA or Canada, you would have to create a new implementation of the functions of PGP containing none of Philip Zimmermann's copyrighted code. You are free to modify existing PGP code for your own use, as long as you don't sell it. Phil would also appreciate your checking with him before you distribute any modified versions of PGP as freeware.

"PGP", "Pretty Good Privacy" and "Phil's Pretty Good Software" are trademarks owned by Philip Zimmermann.
This means that if you modify an older version of PGP that was issued under the copyleft license and distribute it without Phil's permission, you have to call it something else. This avoids confusing all of us and protects Phil's good name.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN CANADA?

MIT PGP is only for noncommercial use because of restrictions on the licensing of the IDEA algorithm. Because the RSA algorithm isn't patented in Canada, you are free to use the mpi library instead of RSAREF, if you want to, thus freeing yourself of the RSAREF license associated with the RSAREF copyright, which is valid in Canada.

For commercial use, use Viacrypt PGP, which is fully licensed to use the IDEA algorithm in commercial and corporate environments.

The exclusive marketing agreement with Viacrypt also applies in Canada. See the section on USA intellectual property restrictions for more details.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST OUTSIDE NORTH AMERICA?

MIT PGP is only for noncommercial use in areas where there is a patent on software implementations of the IDEA algorithm. Because the RSA algorithm isn't patented outside of the USA, you are free to use the mpi library instead of RSAREF, if you want to, thus freeing yourself of the RSAREF license restrictions. The RSAREF copyright holds outside of the USA, even though the RSA patent does not.

The IDEA conventional block cipher is covered by US Patent 5,214,703 and European patent EP 0 482 154 B1. IDEA is a trademark of Ascom-Tech AG. Commercial users of IDEA (including commercial use of PGP) may obtain licensing details from Ph. Baumann, Ascom Tech Ltd., IDEA Lizenz, Postfach 151, CH-4502 Solothurn, Switzerland, Tel ++41 65 242828, Fax ++41 65 242847.

WHAT IS COMMERCIAL USE?

Use some common sense. If you are running a business and using PGP to protect credit card numbers sent to you electronically, then you are using PGP commercially.
Your customers, however, need not buy the commercial version of PGP just to buy something from you, if that is the only commercial use they make of PGP (since they are spending, not making, money with PGP). If you are just encrypting love letters or other personal mail (for which you don't get paid) on your own personal computer, that is not commercial. If you are encrypting official business mail on your for-profit corporation's computer with PGP, that is commercial use.

Note that there are some gray areas not covered above, and the patent owners of RSA and IDEA may differ from my interpretation in the areas not covered above, so if you are in doubt, you should consider the licensing of Viacrypt PGP (or outside of North America, direct licensing of IDEA) to be cheap legal insurance. Indeed, the license fee is probably a lot cheaper than a legal opinion from a lawyer qualified to make such a judgement. Note that I am not a lawyer and the above is not legal advice. Use it at your own risk.

WHAT IS THE "TIME BOMB" IN MIT PGP 2.6?

There was a version byte change in MIT PGP 2.6 as of 1 September 1994. See ftp://ftp.csn.net/mpj/pgpbomb.asc for details.

ARE MY KEYS COMPATIBLE WITH THE OTHER PGP VERSIONS?

If your RSA key modulus length is less than or equal to 1024 bits (I don't recommend less, unless you have a really slow computer and little patience), and if your key was generated in the PKCS format, then it will work with any of the current PGP versions (MIT PGP 2.6, PGP 2.6ui, or Viacrypt PGP 2.7). If this is not the case, you really should generate a new key that qualifies.

MIT PGP 2.6.2 should be able to use 2048 bit keys. Generation of 2048 bit keys is supposed to automatically be enabled in PGP 2.6.2 in December, 1994. By then, hopefully, most people will have had a chance to upgrade to a version of PGP that can use them, so longer keys won't be a big problem.
On the other hand, 1024 bit keys are probably beyond the reach of most criminals and spies to break, anyway.

MORE WORLD WIDE WEB URLs

http://draco.centerline.com:8080/~franl/pgp/pgp-mac-faq-hinely.html
http://draco.centerline.com:8080/~franl/pgp/pgp.html
http://draco.centerline.com:8080/~franl/crypto/cryptography.html
http://www.pegasus.esprit.ec.org/people/arne/pgp.html
http://rschp2.anu.edu.au:8080/crypt.html
http://ibd.ar.com/PublicKeys.html
http://www.ifi.uio.no/~staalesc/PGPversions.html

WINDOWS SHELLS

Several shells for running PGP with Microsoft Windows are available at the same places PGP can be found.

MACPGP KIT

The MacPGP kit is a user interface for the Mac version of PGP. See

ftp://ftp.netcom.com/pub/qw/qwerty
ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGP_icons.sit.hqx
ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkit.hqx
ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkitSources.sit.hqx

BUGS

See the documentation that comes with PGP in the latest versions for bugs in the older versions. The latest versions of PGP may not fully wipe all traces of plain text from a file when given the -w option. For more information, see http://www.mit.edu:8001/people/warlord/pgp-faq.html

BETSI - BELLCORE'S TRUSTED SOFTWARE INTEGRITY SYSTEM

For information on this service, send mail to certify at bellcore.com with the subject help, or check http://info.bellcore.com/BETSI/betsi.html

HOW DO I PUBLISH MY PGP PUBLIC KEY?

There are lots of ways. One way is to use a key server. Send mail to one of these addresses with the single word "help" in the subject line to find out how to use a key server.
pgp-public-keys at pgp.iastate.edu
public-key-server at pgp.ai.mit.edu
pgp-public-keys at cs.tamu.edu
pgp-public-keys at chao.sw.oz.au
pgp-public-keys at jpunix.com
pgp-public-keys at dsi.unimi.it
pgp-public-keys at kiae.su
pgp-public-keys at fbihh.informatik.uni-hamburg.de

There is also an experimental public key server at http://ibd.ar.com/PublicKeys.html

Another way is to upload it to the PGP public keys area of the Colorado Catacombs BBS (303-772-1062). Another way is to just send it to your correspondents. You could add it to your .plan file so that finger returns your key. You could add it to some of your postings. No matter which way you do it, you should have your key signed by someone who verifies that your key belongs to you, so that you don't have someone else generating a key that has your name on it, but that isn't yours.

Here is my public key:

Permission is granted to distribute unmodified copies of this FAQ.

To get the latest version of this FAQ, get ftp://ftp.netcom.com/pub/mp/mpj/getpgp.asc or send mail to ftp-request at netcom.com with the line SEND mpj/getpgp.asc in the body of the message.

There are many other frequently asked questions. Most of them are covered in the documentation that comes with PGP, and the few that aren't are addressed in documents referenced above.

                  ___________________________________________________________
 |\  /| |        |                                                           |
 | \/ |o|        | Michael Paul Johnson  Colorado Catacombs BBS 303-772-1062 |
 |    | |  /  _  | mpj at csn.org aka mpj at netcom.com m.p.johnson at ieee.org |
 |    |||/  /_\  | ftp://ftp.csn.net/mpj/README.MPJ          CIS: 71331,2332 |
 |    |||\  (    | ftp://ftp.netcom.com/pub/mp/mpj/README -. --- ----- ....  |
 |    ||| \ \_/  |___________________________________________________________|

-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCVAgUBLtyzP/X0zg8FAL9FAQFUBAP7BGgnO/ceShksSff/iZ95K2rPgMWBXQ0n
fqryrVHVhZJZ+ITQYYnPCfXEFQd5xhRmTE0MGv0ZB/lt5w5tCXr+R3hlJJ4Be/XV
YdzJlmojYqKK5mixuKkMp19z7eAXWqSGVGCJuuKppJDVeNG3XNHG0Bc/ZFADFMGM
qRuGUZNXUVg=
=2gyb
-----END PGP SIGNATURE-----

From mpj at netcom.com Wed Nov 30 10:08:24 1994
From: mpj at netcom.com (Michael Paul Johnson)
Date: Wed, 30 Nov 94 10:08:24 PST
Subject: Where to get PGP (short version)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

===============================BEGIN SIGNED TEXT=============================

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) -- ABRIDGED VERSION

(Last modified: 30 November 1994 by Mike Johnson)

WHAT IS THE LATEST VERSION?
|-----------------+---------------------+---------------------------------|
| Platform(s)     | Latest Version      | Distribution File Names         |
|-----------------+---------------------+---------------------------------|
| DOS, Unix,      | Viacrypt PGP 2.7    | disk sets                       |
| Mac, Windows,   |                     |                                 |
| or WinCIM/CSNav |                     |                                 |
|-----------------+---------------------+---------------------------------|
| DOS, Unix,      | MIT PGP 2.6.2       | pgp262.zip (DOS + docs)         |
| others          |                     | pgp262s.zip (source)            |
|                 |                     | pg262s.zip source on CompuServe |
|                 |                     | pgp262.tar.gz (source)          |
|                 |                     | pgp262.gz (same as above on DOS)|
|                 |                     | pgp262.tar.Z (source)           |
|                 |                     | pgp262dc.zip (documentation)    |
|                 |                     | pg262d.zip (docs on CompuServe) |
|-----------------+---------------------+---------------------------------|
| Macintosh       | MIT PGP 2.6         | MacPGP2.6.sea.hqx (binary+docs) |
|                 |                     | macpgp26.hqx (same as above)    |
|                 |                     | MacPGP2.6.src.sea.hqx (source)  |
|                 |                     | macpgp26.src (same as above)    |
|                 |                     | MacPGP2.6-68000.sea.hqx (binary)|
|                 |                     | mcpgp268.hqx (same as above)    |
|-----------------+---------------------+---------------------------------|
| Amiga           | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha              |
|                 |                     | pgp262-a14-020.lha              |
|                 |                     | pgp262-a14-src.lha              |
|-----------------+---------------------+---------------------------------|
| Non-USA version | PGP 2.6.i from      | pgp26i.zip                      |
| to avoid RSAREF | Stale Schumacher    | pgp26is.zip                     |
| license.        |                     | pgp26is.tar.gz                  |
|_________________|_____________________|_________________________________|

WHERE CAN I GET VIACRYPT PGP?

If you are a commercial user of PGP in the USA or Canada, contact Viacrypt in Phoenix, Arizona, USA. The commercial version of PGP is fully licensed to use the patented RSA and IDEA encryption algorithms in commercial applications, and may be used in corporate and government environments in the USA and Canada. It is fully compatible with, functionally the same as, and just as strong as the freeware version of PGP.
Orders may be placed by calling 800-536-2664 during the hours of 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards.

If you have further questions, please feel free to contact viacrypt at acm.org.

WHERE CAN I GET THE FREEWARE PGP?

There are several ways to get the freeware PGP: ftp, WWW, BBS, CompuServe, email ftp server, and sneakernet (ask a friend for a copy). Just don't ask Philip Zimmermann directly for a copy.

FTP SITES IN NORTH AMERICA

Telnet to net-dist.mit.edu, log in as getpgp, answer the questions, then ftp to net-dist.mit.edu and change to the hidden directory named in the telnet session to get your own copy.

MIT-PGP is for U. S. and Canadian use only, but MIT is only distributing it within the USA (due to some archaic export control laws).

1. Read ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt and agree to it.
2. Read ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt and agree to it.
3. Telnet to net-dist.mit.edu and log in as getpgp.
4. Answer the questions and write down the directory name listed.
5. QUICKLY end the telnet session with ^C and ftp to the indicated directory on net-dist.mit.edu (something like /pub/PGP/dist/U.S.-only-????) and get the distribution files (see the above chart for names). If the hidden directory name is invalid, start over at step 3, above.

You can also get PGP from:

ftp.csn.net/mpj
    ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/
    See ftp://ftp.csn.net/mpj/README.MPJ for the ???????

ftp.csua.berkeley.edu (for U. S. or Canadian users)
    /pub/cypherpunks/pgp/

ftp.wimsey.bc.ca
    /pub/crypto/software/dist/US_or_Canada_only_XXXXXXX/PGP
    (U. S. and Canadian users only)
    See /pub/crypto/software/README for the characters for XXXXXXXX

WORLD WIDE WEB ACCESS

http://web.mit.edu/network/pgp-form.html
http://www.ifi.uio.no/~staalesc/PGPVersions.html

COMPUSERVE

GO NCSAFORUM, see library 12. Read the instructions there for access.
BULLETIN BOARD SYSTEMS

Colorado Catacombs BBS, Longmont, Colorado, USA (303) 772-1062
The Freedom Files BBS, DeLand Florida, USA 904-738-2691
Exec-Net, New York, NY, USA (Host BBS for the ILink net) 914-667-4567
The Ferret BBS (North Little Rock, Arkansas) (501) 791-0124 also (501) 791-0125
    Special PGP users account: login name: PGP USER password: PGP
CVRC BBS 317-791-9617
CyberGold BBS 601-582-5748
Self-Governor Information Resource, El Paso, Texas, USA, 915-587-7888
In the UK, try 01273-688888

OTHER FTP SITES

ftp.informatik.uni-hamburg.de
    /pub/virus/crypt/pgp

ftp.netcom.com
    /pub/dc/dcosenza -- Some crypto stuff, sometimes includes PGP.
    /pub/gb/gbe/pgpfaq.asc -- frequently asked questions answered.
    /pub/qw/qwerty -- How to MacPGP Guide, largest steganography ftp site as well. PGP FAQ, crypto FAQ, US Crypto Policy FAQ, Steganography software list. MacUtilities for use with MacPGP. Stealth1.1 + other steganography programs.

ftp.csua.berkeley.edu
    /pub/cypherpunks/pgp

Also, try an archie search.

FTPMAIL

You can get FTP files mailed to you. Send a message saying "Help" to ftpmail at decwrl.dec.com. You will be sent an instruction sheet on how to use the ftpmail service.

To get pgp 2.6.i by email: Send a message to hypnotech-request at ifi.uio.no with your request in the Subject: field.
Subject              What you will get
GET pgp26i.zip       MS-DOS executable (uuencoded)
GET pgp26is.zip      MS-DOS source code (uuencoded)
GET pgp26is.tar.gz   UNIX source code (uuencoded)

LANGUAGE MODULES

German
 * _UK:_ ftp://ftp.ox.ac.uk/src/security/pgp_german.txt
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha
Italian
 * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz
Japanese
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz
Lithuanian
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip
Russian
 * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip (MIT version)
 * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26uir.zip (ui version)
Spanish
 * _IT:_ ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.spanish.tar.gz
 * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz
Swedish
 * _UK:_ ftp://ftp.ox.ac.uk/src/security/pgp_swedish.txt

WHAT IS ALL THIS NONSENSE ABOUT EXPORT CONTROLS?

The U. S. International Traffic in Arms Regulations claim to prohibit export of PGP from the USA without a license, except to Canada. Canada has similar rules. Therefore, if you are outside of North America, please get your copy of PGP from a site outside of North America.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN THE USA?

MIT PGP is only for personal, noncommercial use because of restrictions on the licensing of both the RSA algorithm (attached to RSAREF) and the IDEA algorithm. PKP/RSADSI insist that we use RSAREF instead of the mpi library for reasons that make sense to them.

For commercial use, use Viacrypt PGP, which is fully licensed to use both the RSA and IDEA algorithms in commercial and corporate environments (as well as personal use, of course).

Another restriction is due to an exclusive marketing agreement between Philip Zimmermann and Viacrypt that applies to the USA and Canada only. Viacrypt has exclusive rights to market PGP commercially in this area of the world.
This means that if you want to market PGP commercially in competition with Viacrypt in the USA or Canada, you would have to create a new implementation of the functions of PGP containing none of Philip Zimmermann's copyrighted code. You are free to modify existing PGP code for your own use, as long as you don't sell it. Phil would also appreciate your checking with him before you distribute any modified versions of PGP as freeware.

"PGP", "Pretty Good Privacy" and "Phil's Pretty Good Software" are trademarks owned by Philip Zimmermann. This means that if you modify an older version of PGP that was issued under the copyleft license and distribute it without Phil's permission, you have to call it something else. This avoids confusing all of us and protects Phil's good name.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN CANADA?

MIT PGP is only for noncommercial use because of restrictions on the licensing of the IDEA algorithm. Because the RSA algorithm isn't patented in Canada, you are free to use the mpi library instead of RSAREF, if you want to, thus freeing yourself of the RSAREF license associated with the RSAREF copyright, which is valid in Canada.

For commercial use, use Viacrypt PGP, which is fully licensed to use the IDEA algorithm in commercial and corporate environments.

The exclusive marketing agreement with Viacrypt also applies in Canada. See the section on USA intellectual property restrictions for more details.

WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST OUTSIDE NORTH AMERICA?

MIT PGP is only for noncommercial use in areas where there is a patent on software implementations of the IDEA algorithm. Because the RSA algorithm isn't patented outside of the USA, you are free to use the mpi library instead of RSAREF, if you want to, thus freeing yourself of the RSAREF license restrictions. The RSAREF copyright holds outside of the USA, even though the RSA patent does not.
The IDEA conventional block cipher is covered by US Patent 5,214,703 and European patent EP 0 482 154 B1. IDEA is a trademark of Ascom-Tech AG. Commercial users of IDEA (including commercial use of PGP) may obtain licensing details from Ph. Baumann, Ascom Tech Ltd., IDEA Lizenz, Postfach 151, CH-4502 Solothurn, Switzerland, Tel ++41 65 242828, Fax ++41 65 242847.

WHAT IS COMMERCIAL USE?

Use some common sense. If you are running a business and using PGP to protect credit card numbers sent to you electronically, then you are using PGP commercially. Your customers, however, need not buy the commercial version of PGP just to buy something from you, if that is the only commercial use they make of PGP (since they are spending, not making, money with PGP). If you are just encrypting love letters or other personal mail (for which you don't get paid) on your own personal computer, that is not commercial. If you are encrypting official business mail on your for-profit corporation's computer with PGP, that is commercial use.

Note that there are some gray areas not covered above, and the patent owners of RSA and IDEA may differ from my interpretation in the areas not covered above, so if you are in doubt, you should consider the licensing of Viacrypt PGP (or outside of North America, direct licensing of IDEA) to be cheap legal insurance. Indeed, the license fee is probably a lot cheaper than a legal opinion from a lawyer qualified to make such a judgement. Note that I am not a lawyer and the above is not legal advice. Use it at your own risk.

MACPGP KIT

The MacPGP kit is a user interface for the Mac version of PGP.

ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGP_icons.sit.hqx
ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkit.hqx
ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkitSources.sit.hqx

FOR MORE INFORMATION

Permission is granted to distribute unmodified copies of this FAQ.
To get the longer version of this FAQ, get ftp://ftp.netcom.com/pub/mp/mpj/getpgp.asc or send mail to ftp-request at netcom.com with the line SEND mp/mpj/getpgp.asc in the body of the message.

There are many other frequently asked questions. Most of them are covered in the documentation that comes with PGP, and the few that aren't are addressed in documents referenced above.

                  ___________________________________________________________
 |\  /| |        |                                                           |
 | \/ |o|        | Michael Paul Johnson  Colorado Catacombs BBS 303-772-1062 |
 |    | |  /  _  | mpj at csn.org aka mpj at netcom.com m.p.johnson at ieee.org |
 |    |||/  /_\  | ftp://ftp.csn.net/mpj/README.MPJ          CIS: 71331,2332 |
 |    |||\  (    | ftp://ftp.netcom.com/pub/mp/mpj/README -. --- ----- ....  |
 |    ||| \ \_/  |___________________________________________________________|

-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCUAgUBLtyzV/X0zg8FAL9FAQG1aAP4tukdmfhUqnZh4mE1KdsHaSeSIEySF4Rj
YtFlU2dFQB6EUtohFU+fzRKOsIQ7B8N4Xj4fcaKytUfGsqI4aMQHFPFcSEJYQIfj
x3xFSRUYOKFlH9ouMqj4ePZdl95sLm8lJRVFojXycN7eUxbTb27/R2+qMtZOgGuF
7W6GioDM4Q==
=/lD+
-----END PGP SIGNATURE-----

From jamesd at netcom.com Wed Nov 30 10:18:36 1994
From: jamesd at netcom.com (James A. Donald)
Date: Wed, 30 Nov 94 10:18:36 PST
Subject: Security Services
In-Reply-To: <9411301438.ZM9135@wiley.sydney.sgi.com>
Message-ID: <199411301817.KAA21274@netcom8.netcom.com>

Ian Farquhar writes
>
> "Hundreds of top-secret documents relevant to the Federal
> Government's inquiry into the Australian Secret Intelligence
> Service were destroyed by a fire that swept through the ASIS
> headquarters in Canberra at the weekend."
>
> "The fire has erased highly sensitive ASIS files and archives
> that detailed the activities and operations of the troubled
> spy agency over the past decade."

Convenient fires are rather common in Australia.

Rupert Murdoch used to keep his records in old uninsured wooden buildings. These burnt down with the utmost regularity.

Was the DFAT building also old, wooden, and uninsured?
(Oh, I forgot, it is only taxpayer money, so I guess the building was probably new, expensive and uninsured.)

> BTW, this was the same TLA which I mentioned some weeks ago in connection
> with the bungled raid on the Sheraton Wentworth Hotel.

As I recall it was ASIO, not ASIS, that bombed the Sheraton, not raided it -- (one hopes that they intended to "discover" the bomb, but failed to "discover" it in time) -- or am I mixing up two different incidents?

--
 ---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we        James A. Donald
are.  True law derives from this right, not from
the arbitrary power of the omnipotent state.            jamesd at acm.org

From crawford at scruznet.com Wed Nov 30 10:34:03 1994
From: crawford at scruznet.com (Michael D. Crawford)
Date: Wed, 30 Nov 94 10:34:03 PST
Subject: PGP hook for Eudora?
Message-ID: <199411301833.KAA17566@scruz.net>

>At 9:17 AM 11/30/94, dmandl at bear.com wrote:
>>I keep hearing about PGP hooks for (Mac) Eudora, but a casual search
>>of at least five advertised ftp sites has turned up nothing. Can
>>someone post an address where this stuff can definitely be found?

The commercial Eudora (2.0 or later) supports the Word Services Apple Events Suite. This allows text services such as spellchecking or encryption to be placed in the menu bar, without use of AppleScript.

There is not yet a Word Services aware encryption program, though, but it's not too hard to write one, starting from the existing MacPGP or pgptools code.

The Word Services Software Development Kit should be on mac.archive.umich.edu. I'm going to put out an updated one for anonymous FTP pretty soon. The SDK only has example code for the client side (a simple, teachtext-like word processor), but between that and the protocol specification it should not be too hard to figure out.
I developed the Word Services suite (with lots of help), and prepared the SDK, as well as implementing Word Services in Working Software's Spellswell 7 spellchecker.

Michael D. Crawford
crawford at scruznet.com <- Please note change of address.
crawford at maxwell.ucsc.edu <- Finger me here for PGP Public Key.

From dat at ebt.com Wed Nov 30 10:34:45 1994
From: dat at ebt.com (David Taffs)
Date: Wed, 30 Nov 94 10:34:45 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411300734.XAA10429@largo.remailer.net>
Message-ID: <9411301831.AA08382@veronica.EBT.COM>

   From Eric:

   Does a mark or a delay constitute an "effective bar" from
   participation on this list? I think not, although I'm entertaining
   arguments.

A mark? No. A delay? Yes.

Delays hurt the readers more than the posters, and help make discussions even more incoherent than usual, a bad thing for everybody IMHO.

Marking is cool; validating and including a validation mark [yes/no] is even better. Forget the delay idea; it seems to me to hurt things more than it would help, and punishes the wrong people.

No amount of coercion (at least no amount that I anticipate now) would get me to use digital signatures on my outgoing mail, until it gets substantially easier for me. It is hard enough to keep up with this list as it is.

--
(david taffs)

From jamiel at sybase.com Wed Nov 30 10:37:20 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Wed, 30 Nov 94 10:37:20 PST
Subject: Effects of Marking/Delaying Nonsigned Posts
Message-ID:

At 12:34 AM 11/30/94, Eric Hughes wrote:

>Does a mark or a delay constitute an "effective bar" from
>participation on this list? I think not, although I'm entertaining
>arguments.

I don't think marking or delaying constitutes an effective bar from the list.
I do think that marks are redundant (as Tim said, it is pretty obvious who signs and who doesn't), and that delays will degrade the quality of discussion on the list (time lag for only some has a way of fragmenting discussion, as anyone with a sometimes-slow link can attest). Degrading the list value is, I would think, not your intended goal and would punish the rest of the list members for a non-signer's sins, so to speak. This, of course, depends on the lag - 5 minutes won't matter, but why bother? 1 day would (IMHO) kill quite a bit of discussion. Somewhere in between (the 2-4 hours you mentioned in one post) could head either way.

If you are set on this idea, may I echo someone else's suggestion of an autoresponder to annoy those posting without signing? Doesn't impact the list, we all still know who is not signing, and the culprit gets to delete a message informing them of where to find the latest version of PGP.

>Eric

-j

From jamesd at netcom.com Wed Nov 30 10:44:11 1994
From: jamesd at netcom.com (James A. Donald)
Date: Wed, 30 Nov 94 10:44:11 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <199411300945.BAA21574@netcom11.netcom.com>
Message-ID: <199411301844.KAA25549@netcom8.netcom.com>

Timothy C. May writes
> Funny, I don't recall Eric ever claiming it was "his house" to do with
> as he wishes. Seems to me that the list is an emergent entity,
> presently being centrally distributed off a machine owned by John
> Gilmore [...]

Internet custom and precedent, as I understand it, seems to be that Usenet newsgroups are the collective property of the regular inhabitants, but that mailing lists are the private and individual property of the guy whose account they run out of.

Even the commies on alt.politics.radical-left seem to be reluctantly and painfully accepting this doctrine. I am amazed that an ex-extropian does not.

We can advise Eric that we think it might have an undesirable effect if he manages the list in certain ways.
We cannot tell him that it is unfair or unjust to manage the list in certain ways.

The extropians list claimed to be managed in accord with the principles of justice. Eric makes no such grandiose claim.

The debates concerning ownership on extropians occurred because of that claim and, in my judgment, because the claim was obviously bogus.

> I happen to think Eric is quite wrong in thinking that "behavior
> modification" is needed, or practical. The list has done very well for
> the past 26 months without rigid rules, and has never even had a
> person kicked off the list (who didn't ask to be removed, back in the
> pre-Majordomo manual processing days)).

agreed.

--
 ---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we        James A. Donald
are.  True law derives from this right, not from
the arbitrary power of the omnipotent state.            jamesd at acm.org

From jamiel at sybase.com Wed Nov 30 10:55:18 1994
From: jamiel at sybase.com (Jamie Lawrence)
Date: Wed, 30 Nov 94 10:55:18 PST
Subject: Double Negatives and Ideology (Was: Re: We are ALL guests)
Message-ID:

At 11:44 AM 11/30/94, James A. Donald wrote:

> ex-extropian

Does this make one a Tropian?

Just checking :)

-j

From jamesd at netcom.com Wed Nov 30 11:04:08 1994
From: jamesd at netcom.com (James A. Donald)
Date: Wed, 30 Nov 94 11:04:08 PST
Subject: Premail and transparent email
In-Reply-To: <199411300033.QAA23322@netcom15.netcom.com>
Message-ID: <199411301904.LAA28160@netcom8.netcom.com>

Raph Levien writes
> My intent is to get large numbers of people to use PGP to encrypt all
> of their email, including casual stuff. This won't happen until
> encryption and decryption are _totally_ transparent.

This is the way to get people to use crypto.
It would also be useful to patch majordomo to check signature consistency -- to check that a message signed by X is signed with the same public key as previous messages by X (a non trivial problem because of the key distribution issue).

In the absence of such tools, nagging people to use crypto is unlikely to do much to further the cause.

--
 ---------------------------------------------------------------------
We have the right to defend ourselves and our
property, because of the kind of animals that we        James A. Donald
are.  True law derives from this right, not from
the arbitrary power of the omnipotent state.            jamesd at acm.org

From tcmay at netcom.com Wed Nov 30 11:08:01 1994
From: tcmay at netcom.com (Timothy C. May)
Date: Wed, 30 Nov 94 11:08:01 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <199411301844.KAA25549@netcom8.netcom.com>
Message-ID: <199411301907.LAA18500@netcom2.netcom.com>

James A. Donald wrote:

> Timothy C. May writes
> > Funny, I don't recall Eric ever claiming it was "his house" to do with
> > as he wishes. Seems to me that the list is an emergent entity,
> > presently being centrally distributed off a machine owned by John
> > Gilmore [...]
>
> Internet custom and precedent, as I understand it, seems to be
> that Usenet newsgroups are the collective property of the
> regular inhabitants, but that mailing lists are the private
> and individual property of the guy whose account they run out
> of.
>
> Even the commies on alt.politics.radical-left seem to be
> reluctantly and painfully accepting this doctrine. I am
> amazed that an ex-extropian does not.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

An issue of subtlety. I made no "commie" claims.

> We can advise Eric that we think it might have an undesirable
> effect if he manages the list in certain ways. We cannot
> tell him that it is unfair or unjust to manage the list in
> certain ways.

I made no mention of "unfair" or "unjust." As I recall, I used the term "unwise" once or twice.
Others have made similar points about compulsion and behavior control. (And we should avoid any nit-picking about how Eric cannot possibly use "compulsion" because it is his list, blah blah.)

> The extropians list claimed to be managed in accord with the
> principles of justice. Eric makes no such grandiose claim.

This is a straw man, as I have made no mention of "justice."

>
> > I happen to think Eric is quite wrong in thinking that "behavior
> > modification" is needed, or practical. The list has done very well for
> > the past 26 months without rigid rules, and has never even had a
> > person kicked off the list (who didn't ask to be removed, back in the
> > pre-Majordomo manual processing days)).
>
> agreed.

Good to end on agreement.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com     | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From an41389 at anon.penet.fi Wed Nov 30 11:09:17 1994
From: an41389 at anon.penet.fi (The Al Capone of the Info Highway)
Date: Wed, 30 Nov 94 11:09:17 PST
Subject: John Young's Informal survey....
Message-ID: <9411301734.AA28728@anon.penet.fi>

Tis I, Wintermute, aka The Al Capone of the Info Highway.

I checked through this info, and I seem to be safe and sound. It's interesting that your system does this. Thanks for letting me have a chance to protect myself....
Wintermute

******************************** Anon.penet.fi Header (Al Capone)

>From owner-cypherpunks at toad.com Sun Nov 27 19:49 EST 1994
Received: from news.pipeline.com (news [198.80.32.5]) by pipeline.com (8.6.9/8.6.9) with ESMTP id TAA05980 for ; Sun, 27 Nov 1994 19:49:52 -0500
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by news.pipeline.com (8.6.9/8.6.9) with ESMTP id TAA14755 for ; Sun, 27 Nov 1994 19:30:25 -0500
Received: from toad.com by relay2.UU.NET with SMTP id QQxrwz27537; Sun, 27 Nov 1994 19:29:53 -0500
Received: by toad.com id AA16432; Sun, 27 Nov 94 16:27:21 PST
Received: from anon.penet.fi by toad.com id AA16426; Sun, 27 Nov 94 16:27:16 PST
Received: by anon.penet.fi (5.67/1.35) id AA03124; Mon, 28 Nov 94 01:12:06 +0200
Message-Id: <9411272312.AA03124 at anon.penet.fi>
To: cypherpunks at toad.com
From: an41389 at anon.penet.fi (The Al Capone of the Info Highway)
X-Anonymously-To: cypherpunks at toad.com
Organization: Anonymous contact service
Reply-To: an41389 at anon.penet.fi
Date: Sun, 27 Nov 1994 23:12:05 UTC
Subject: How to disable telnet to port 25
Sender: owner-cypherpunks at toad.com
Precedence: bulk
Content-Type: text
Content-Length: 764

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help at anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin at anon.penet.fi.
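James A. Donald's "Premail and transparent email" message earlier in this archive suggests patching majordomo to check that a message signed by X uses the same key as X's previous messages. The sketch below is an added example, not code from any poster or from majordomo: it reads the signer's key ID out of the version 2/3 signature packet that PGP 2.x armors at the end of a signed message and pins it per sender. The class name, the sender names and the sample signatures are constructed for illustration.

```python
import base64
import struct

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 carried on the '=XXXX' line of ASCII armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(message: str):
    """Return the raw signature packet of a signed message, or None if unsigned."""
    lines = [ln.strip() for ln in message.splitlines()]
    if BEGIN not in lines:
        return None
    start = lines.index(BEGIN)
    block = lines[start + 1:lines.index(END, start)]
    data, checksum = [], None
    for ln in block[block.index("") + 1:]:  # armor headers end at the blank line
        if ln.startswith("="):
            checksum = ln[1:]
        elif ln:
            data.append(ln)
    raw = base64.b64decode("".join(data), validate=True)
    if checksum is not None and base64.b64decode(checksum) != crc24(raw).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch")
    return raw


def signer_key_id(packet: bytes) -> str:
    """Extract the 64-bit key ID from an old-format version 2/3 signature packet."""
    if len(packet) < 2:
        raise ValueError("truncated packet")
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    header_len = {0: 2, 1: 3, 2: 5}.get(tag & 0x03)  # tag octet + length octets
    if header_len is None or len(packet) < header_len + 15:
        raise ValueError("unsupported or truncated packet")
    body = packet[header_len:]
    # Layout: version, hashed length (5), sig type, 4-byte time, 8-byte key ID.
    if body[0] not in (2, 3) or body[1] != 5:
        raise ValueError("not a version 2/3 signature")
    return body[7:15].hex().upper()


class KeyContinuity:
    """Pins the first key ID seen for each sender and flags later changes.

    The key ID is only a claim inside the packet. A real list filter must also
    verify the signature against the pinned public key, which is the key
    distribution problem the message mentions.
    """

    def __init__(self):
        self.pins = {}

    def check(self, sender: str, message: str) -> str:
        packet = dearmor(message)
        if packet is None:
            return "unsigned"
        key_id = signer_key_id(packet)
        if sender not in self.pins:
            self.pins[sender] = key_id
            return "first-seen"
        return "consistent" if self.pins[sender] == key_id else "key-changed"


def sample_signed(text: str, key_id_hex: str, created: int) -> str:
    """Constructed input: text followed by an armored v3 packet with dummy signature data."""
    body = bytes([3, 5, 0x01]) + struct.pack(">I", created) + bytes.fromhex(key_id_hex)
    body += bytes([1, 1]) + b"\x12\x34" + struct.pack(">H", 16) + b"\xab\xcd"
    packet = b"\x89" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([text, BEGIN, "Version: 2.7", "", b64, "=" + crc, END])


def demo():
    """Run four constructed posts through the filter and return the verdicts."""
    filt = KeyContinuity()
    posts = [
        ("alice", sample_signed("hello", "1122334455667788", 786215743)),
        ("alice", sample_signed("again", "1122334455667788", 786219000)),
        ("alice", sample_signed("odd", "99AABBCCDDEEFF00", 786220000)),
        ("bob", "no signature here"),
    ]
    return [filt.check(sender, msg) for sender, msg in posts]


if __name__ == "__main__":
    print(demo())
```
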
From anonymous-remailer at shell.portal.com Wed Nov 30 11:30:41 1994
From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com)
Date: Wed, 30 Nov 94 11:30:41 PST
Subject: require digital sigs
Message-ID: <199411301930.LAA07172@jobe.shell.portal.com>

Rather than engage in an extended debate (which is interesting I grant, but seems to be disintegrating into an agree/disagree impasse) I say just run the experiment and see the effects.

Requiring digital signatures will artificially create the need for better crypto tools to make the whole process more convenient. This should spur progress.

Another effect - lower list participation: fewer posts (crossposts from other lists, tv show reviews, personal mail sent to the list, Chomsky arguments, etc.)

From jamesd at netcom.com Wed Nov 30 11:31:15 1994
From: jamesd at netcom.com (James A. Donald)
Date: Wed, 30 Nov 94 11:31:15 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <199411301907.LAA18500@netcom2.netcom.com>
Message-ID: <199411301931.LAA02490@netcom8.netcom.com>

James A. Donald wrote:
> > The extropians list claimed to be managed in accord with the
> > principles of justice. Eric makes no such grandiose claim.

Timothy C. May writes
> This is a straw man, as I have made no mention of "justice."

But the extropian list, which you cite as precedent, did make that claim.

You also make the claim that Eric does not own the list. The question of ownership is only relevant to questions of what is just and fair.

If you claim that Eric does not own the list then you claim that it is unjust for him to change the rules without consent.

If I claim he owns the list then I claim that it is perfectly proper for him to change the rules without consent, regardless of whether or not he has a good, or even sane, reason. (As it happens, I do not think he has a good reason.)
My point was that the ownership debate on the extropians list was a result of the questionable and grandiose claim of extropian justice, and is therefore not a relevant precedent for the ownership of lists in general.

You raised the issue of the extropian precedent. The extropian precedent is irrelevant because the *extropian* list management made the claim of "extropian justice".

*Relevant* precedent and custom indicate that the list is Eric's private property, and he may do as he pleases, wisely or unwisely. Such actions are morally neutral, except in that wisdom itself is good.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the omnipotent state.

James A. Donald
jamesd at acm.org

From rarachel at photon.poly.edu Wed Nov 30 12:05:07 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:05:07 PST
Subject: Censorship In Cyberspace 1/6
Message-ID: <9411302008.AA00756@photon.poly.edu>

This is a transcript of the FFE's Censorship in Cyberspace forum. This transcript was made possible by funds from John Young. Major thanks John.

**** Feminists For Free Expression ****

CENSORSHIP IN CYBERSPACE

St. Peter's Church, New York City
Saturday, October 22, 1994

Moderator: Joan Kennedy Taylor

Panelists:
Robert Corn-Revere
Ellen Lafontaine
Gerard Van Der Leun
Philip Zimmermann

TRANSCRIPT

Censorship in Cyberspace

The Panelists:

Robert Corn-Revere is a partner in the Washington, D.C. office of Hogan & Hartson, specializing in First Amendment and communications law. He has extensive experience in practice before the Federal Communications Commission and federal courts. Mr. Corn-Revere received a B.A. from Eastern Illinois University in 1977 and an M.A. from the University of Massachusetts-Amherst in 1980.
Ellen Lafontaine is completing her doctoral studies at New York University in International Education on a Foreign Language Area Studies fellowship. Her research focuses on the role of intercultural learning networks in the foreign language classroom. Ms. Lafontaine is one of the organizers of YouthCaN '95, an international youth conference for environmental projects via telecommunications.

Gerard Van Der Leun is formerly with the Electronic Frontier Foundation. He is a serious hobbyist on the InterNet and has hosted several on-line conferences.

Philip Zimmermann is the creator of the controversial "Pretty Good Privacy" encryption software (this "freeware" has spread as far away as Europe) for which he is now under criminal investigation, awaiting possible federal indictment. He lives in Boulder, Colorado.

The Moderator:

Joan Kennedy Taylor is the author of "Reclaiming the Mainstream: Individualist Feminism Rediscovered", published in 1992 by Prometheus Books. Her work has also appeared in, among other places, The Wall Street Journal, Success, and Reason. Ms. Taylor was a commentator on the Cato Institute's syndicated radio program, "Byline," for ten years (1979 through 1989). She is also Vice-President of Feminists For Free Expression.

INTRODUCTION: Good afternoon, and welcome for joining us. It's an absolutely gorgeous afternoon, so we're very happy to see you here. I'm Trish Moynihan Williams. I'm a member of the Board of Directors of Feminists for Free Expression, and this afternoon I'm actually the voice of Rachel Hickerson, our Executive Director, who unfortunately has a bad case of laryngitis. So I'm speaking for her, but I really hope you won't miss the opportunity this afternoon to say hello to Rachel even though she may croak back, and get to meet our wonderful Executive Director. I wanted to tell you just a little bit about Feminists for Free Expression for those of you who are just getting to know our organization.
We are a group of diverse feminists working to preserve the individual's right to read, hear, view and produce materials of her own choice without the intervention of the State "for her own good." I encourage you to learn more about us. There are pamphlets in the entry way as you came in if you haven't picked one up already. And to join us. We are a membership organization, and really need your support.

As you see listed on your program this afternoon we have a stunning lineup for our program on Censorship in Cyberspace, and that program is going to be moderated by FFE's own Joan Kennedy Taylor. Joan has been [involved with] feminist issues since the early 1970's. She is the author of Reclaiming the Mainstream: Individualist Feminism Rediscovered, which was published in 1992 by Prometheus Books. In 1993 the Hoover Institution commissioned her to write the essay, "Women's Issues: Feminism, Classical Liberalism and the Future." Among the places where her work has appeared are the Wall Street Journal, Success, The Washington Times and Reason. She is Vice President of Feminists for Free Expression. So I am delighted to turn the program over to her. Joan.

* * *

KENNEDY TAYLOR: Can everybody hear all right? There is no sound system, but I am told the acoustics are excellent. Okay. This is a very exciting program for me, because so much is going on and so much is changing so quickly that every day brings something new. This is a new age in communications, and it also has its problems. On-line services are becoming gigantic. The InterNet makes national borders irrelevant, which to some people seems a real problem. Torrents of information and misinformation can be received or disseminated by anyone with a computer modem. Security establishments have lost their virtual monopolies on encryption to such an extent that an article in the Times compares trying to enforce a universal coding standard such as the Clipper Chip with trying to enforce prohibition. The U.S.
Congress just before it adjourned passed the controversial Digital Telephony Act, a wiretapping bill that requires phone companies to keep their networks accessible to law enforcement wiretaps as they install new technologies. What does this all mean in the age old fight between those who want to control how ideas and expression are communicated and those who believe in the literalness of the First Amendment, that Congress shall make no law abridging the freedom of speech or of the press?

We have asked a number of experts who also believe in civil liberties and the First Amendment to explain why we do not have to abandon these principles as we enter this confusing and exciting communications age. Our guests will speak in alphabetical order, and I hope you all have programs, which give you the background of all our speakers. They will speak for twenty minutes each. Then there will be a brief period for any questions they may wish to put to each other and they will then take questions from the audience.

First we turn to the relationship between law and technology. Advances in communications technology have always been greeted with suspicion. Should the law control what we do with them? Can the law control them? Robert Corn-Revere, a Washington lawyer specializing in communications law, looks at the past and the future to give us a legal doctrine for the Information Age. Robert.

From rarachel at photon.poly.edu Wed Nov 30 12:06:20 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:06:20 PST
Subject: Censorship In Cyberspace 2/6
Message-ID: <9411302009.AA00807@photon.poly.edu>

CORN-REVERE: First I'd like to thank Feminists for Free Expression for inviting me to come and speak at this today. I think that the topic is one of the most important that at least those of us who care about communications are dealing with right now and it's one that's going to be developing very quickly. Although I have to say -- I'll apologize in advance.
I'm from Washington. I used to work at the FCC, and so to be talking about these issues may seem to be a bit ironic. And to compound that, to have a lawyer to be the first person to speak in a discussion on Censorship in Cyberspace is a bit like having a hall monitor be the keynote speaker at a writer's conference. But it is an area that I have been writing about for some time and have some concern about, and hopefully discussions like this one will help move toward a greater understanding that can actually do some good. Being in Washington I'm always hesitant to say that, but it is possible sometimes. First of all I know it isn't in the program, it doesn't mention the term, but I'm going to just say that I hate the expression Information Superhighway. If there is a single thing that we could do to make some sense of what's going on we would eliminate that forever. I mean not only does it spawn just this avalanche of horrible metaphors -- on ramps, off ramps, toll booths, traffic cops. Name it, they're out there. It's just going to get worse, to the point where the Washington Post finally had a front page story that talked about the Information Superhypeway, which is pretty much what it's becoming. And in a way it I mean it really doesn't convey any information. In a way it's a lot like teenagers and sex. I mean, you know, everyone is talking about it. Everyone's convinced that everyone else is involved in it. The people who are talking about it don't really know much what it's about but are convinced that once they're doing it too it's going to be great! That's a lot of what is going on in the policy discussion in Washington, D.C. But I have a particular reason for disliking that expression, and that is that it tends to focus or it tends to direct peoples' attention to the means of transmission by calling it a highway. So we'll need traffic cops. 
And when you look at the method of transmission historically, that's been the hook, the jurisdictional hook, for governments to get involved in speech. For that reason I really think we would move a long way toward clarity if we could shift metaphors. As most of you I'm sure know, this year the Congress failed to pass telecommunications legislation wanting to be in the forefront of developing the Information Superhighway, talking about all the vital national policies that are involved. And while I don't discount the importance of the issues, I tend to think it's a little bit dangerous to start the debate and start from the proposition that Congress needs to be fashioning this for us, and I think that that's simply going to lead to more trouble. In really underscoring that, I think it's useful to talk about communications systems and talk about the development of these things from something of a historical perspective, because technology has always been an intimate part of the struggle for freedom of expression. It's no accident for example that the first official censorship bureau emerged shortly after the development of the printing press. None existed before then because none were necessary, and to that extent censorship was the bastard child of technology. You didn't need a central official authority to keep track of scribes. The Church did that very nicely, thank you. And the communications that they produced didn't really pose any kind of a threat to the State. First of all they were produced in small numbers, not mass produced, and in the second place you didn't have the ability to produce multiple volumes of a uniform copy, of a simultaneous transmission of exactly the same words. There were minor errors between them and it took a long time to copy additional copies.
But once you had because of the printing press the ability to crank out multiple documents that could all be transmitted simultaneously, then the communication tended to pose a threat to official authorities and for that reason you then had this drive to establish social policy, policy that would constrain or in some way control that communication for what were considered by those in power beneficial ends. And so you see that sort of history repeating itself over and over again, and ultimately in the end the technology tends to win. You can look at the successive means of censorship in the 16th and 17th centuries, whether they were official censorship bureaus or the Court of the Star Chamber or the Stationer's Company, and government monopoly licensing and those sorts of things. Each of them failed. Each of them went out of fashion because the technology of the printing press was superior to the ability of the bureaucrats to exert control -- up until the point when you get to the formation of the United States and the adoption of the First Amendment, where the United States became the first nation to embrace new technology as an essential component of its political system. That's what the First Amendment is about. It specifically identifies the press, that new technology of its day, or relatively new to the framers of the Constitution, as an essential component of what this country was about. So technology for the first time rather than just being a hindrance to official authorities became an essential part of what free expression is to be and came to be in this country. Despite that hopeful beginning, and despite the fact that it really took a couple of hundred years, well, 120 years anyway before the courts started to define what the First Amendment was about, technology continued to be something of a problem as new technologies for communications were developed.
The Supreme Court first faced this problem in 1915 when it was asked to rule on whether or not the cinema was protected by the First Amendment. And this was before the Supreme Court had actually addressed the issue of the First Amendment and what it meant in any way, but it was presented in this case about a licensing board, a trilogy of cases actually about a licensing board in Ohio. And in that case the Court simply said, "This is not speech. We're talking about film here. It's commerce. And besides, it's dangerous." And so they decided that the First Amendment simply didn't apply to the technology of film. Now thirty-seven years later the Supreme Court reversed itself and film was protected the same as the printed word. But it took thirty-seven years and actually longer than that for the pronouncement of the law to become disseminated through the country, where it wasn't until 1972 that the last film licensing board, municipal film licensing board, in Dallas, Texas, was abandoned. So it does tend to take a long time. The same thing has happened of course with television, and again, as with the Information Superhighway, the focus is on the means of transmission and the government's argument historically has been that we have this medium. It's scarce because you have a certain number of frequencies. If the government doesn't regulate it you'll have people speaking over each other, and so the government has to get involved. And by the way, we're not just going to be traffic cops to decide people don't run into each other in the air waves. We also need to control pretty much what's said in the broadcasting as well. And so again focussing on the way the communication was transmitted created the jurisdictional hook by which broadcasting has had second class rights under the First Amendment. Now that's changing. It's changing because the courts have come to be more sensitive to the First Amendment issues involving broadcasting.
Most thoughtful observers recognize that the whole notion of scarcity (a) was created by government in the first place, and (b) if, to the extent it was ever true, because government of course decided how many of those frequencies would be used for communications, to the extent it ever was true it no longer is, again because of increases in technology, both because of digital compression, the ability to get a lot more out of the same bandwidth spectrum, and also because there are so many other technologies that can transmit the same information and more than just broadcasting. Whether it's cable television, whether it's fiber optic transmission, whether you're talking about videodiscs, videotapes, there are any number of ways you can transmit the same information. And so the courts are moving more toward an appreciation of the First Amendment status of broadcasting, to the point where the Supreme Court this summer in a case involving cable television essentially said that the government has no business dictating the content of broadcasting. Again, that was just language that the court used, but it tended to signal the direction they're heading. And I think ultimately again the technology will win. My concern though is at each stage where we're confronted with new technology we have to go through this process yet again. It happened with the printing press. It happened with film and then took four decades and longer for practical application, for that to get reversed. With broadcasting it first was regulated in 1927 as a scarce medium and then again that law was rewritten in 1934 and hasn't been rewritten since. We're on the verge of a rewrite, and that's what some of the telecommunications legislation is about, but it doesn't abandon these concepts of government control. In fact it strengthens them and would extend them to the newer technologies, whether it's fiber optics or something else, or direct broadcast satellites for that matter.
So I think that it's time to recognize that all speech is the same under the First Amendment, and that the means of transmission don't make any difference whatsoever. The fact that some communications may have social force or power to change things isn't a reason again for government to get involved. That's why the printing press was controlled. That's why we adopted a First Amendment in the first place. And so the method of transmission shouldn't make any difference whatsoever. The other thing that I think is fairly dangerous when it's handled in the way that it's currently being considered is that if things have moved slowly in the past wait until they become the subject of a regulatory agency. Having worked at the FCC I can tell you a lot about that. Things move much more slowly in the regulatory state. We are controlled by endless numbers of definitions, and once you fit into a regulatory pigeonhole, a definitional pigeonhole, you will stay there either until the courts turn it over, knock it down, or until some sixty years later or however many years later someone decides that that may have been a bad idea in the first place. So I'm very concerned about carving these things into the stone of legislation and then using that as the model for extending government control over communications. The whole idea of having this network, this notion of instantaneous communication, is to free up speech and not to create jurisdictional reasons to exert greater control. For that reason I am particularly concerned about the Digital Telephony Bill that was just passed. It was passed by both houses of Congress in early October, and it does require telephone companies to cooperate and assist law enforcement authorities in wiretapping and issues like that. In some ways it doesn't change the preexisting state of the law. In 1986 there was a rewrite of the Federal Wiretapping Law that essentially brought that into, recognized, digital communications.
It did require that kind of cooperation. This really more clarifies that rather than imposes a new obligation. The other clarifying part of it thankfully is that it says that federal authorities have to get a warrant before they can do it. But it still maintains the essential premise of governmental control, and I think that what we need to be working toward is an understanding that the First Amendment and the Fourth Amendment, because they work together, must be recognized for all technologies as we move on into the future. I'll just say one or two more things because I know I've taken a bit of your time, just to say that if nothing else, because again I've been talking legal structures because that's the world that I work in, but if nothing else it would be helpful if people could get an understanding that when they're approaching a new type of communications they're not approaching something fundamentally different, and I'll give you two examples that I think tend to underscore that. One is a recent action by an export office in the Department of State that denied an export license for the disk version of a book on encryption, while the print version is freely available and as a matter of fact 20,000 copies have been sold worldwide. Now the justification is that when you put it on a computer disk it is somehow different and can be disseminated differently when of course anyone can take the print version and key it in and you have the same thing. But that's one example of where the understanding of what the communication is, what the information is, is treated differently under the law because it is in a different technological form.
Another has to do with a recent case involving a regional office of the Department of Education's Office for Civil Rights, an action that ended closing down a men's only and women's only computer bulletin system at Santa Rosa Junior College because of allegations of sexual harassment and people saying generally not nice things on this computer bulletin board. But as part of this ruling, and it's still being worked out, it isn't final yet, the Office of Civil Rights took the position that a computer bulletin board is not subject to the same free speech rights as if you were talking about a physical bulletin board or if you were talking about the campus newspaper. It is somehow different. I think these are very dangerous beginnings, very dangerous trends, and unless we address these questions both in terms of our understanding of what's going on and in terms of the law then what we've seen in history will be perpetuated and it will take a far longer time, decades, if we're lucky, for that to be sorted out. So that's why I think this is one of the most important topics that we could talk about today, because I think that communications has been historically a vital force in society and it's only going to get more important. Thank you.

* * *

From rarachel at photon.poly.edu Wed Nov 30 12:07:38 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:07:38 PST
Subject: Censorship In Cyberspace 3/6
Message-ID: <9411302010.AA00872@photon.poly.edu>

MODERATOR: What about the children? Our new technologies expose children to information and ideas from all over the world. Some of it is information. Some of it is misinformation. Should we take steps to restrict this access? Ellen Lafontaine will explore this area with examples of educational alternatives to censorship.

LAFONTAINE: Thank you, Joan. I have a little cold, so I hope that you can hear me. I hope I won't cough halfway through.
As we all know, cyberspace or the InterNet is a very popular subject today. When one adds the issue of censorship it becomes even more compelling and controversial. Today you will be presented with the legal, political and technical viewpoints of the censorship debate. However, I contend that while these perspectives are illuminating there is the danger of missing the far more important issue of the right to free speech for students in its application to this medium of technology. This issue of censorship is not solely one of a technical nature, for instance how to block access to pornographic material and banned books. A cursory glance at the variety of news groups and conferences on the InterNet may seem, depending upon your point of view, as either provocative or offensive. For example, it is possible to obtain an erotic article from the news group ALT.REC.SEX.WITH.OTHERS, or a few passages from Huck Finn, a banned book in some school districts. Indeed many educators and parents spend a lot of time worrying over whether Susan or Jimmy will accidentally read material that's not appropriate for their age. However, restricting access to news groups and conferences dealing with objectionable content matter is simply a subtractive strategy, subtractive in the sense of a withdrawal. The real issue instead involves the much greater social challenge of placing in our schools this technological medium that has the potential to encourage student dialogue on any number of controversial issues. Increasingly our schools have greater access to the InterNet. We can expect that some educators and parents will perceive its introduction as dangerous as rolling a Trojan Horse into the classroom. Therefore a different and far more interesting approach to the issue of censorship is to focus upon the students themselves and their right to free expression in the classroom.
To us this is an additive strategy, allowing our students to confront difficult realities both on a local level and a global scale and to successfully engage in the necessary conflicts that will inevitably result. The questions that we need to ask are: Can we tolerate and actively promote the desanitizing of the curriculum by allowing this new form of communication and inquiry into the classroom? Can we encourage our students to pursue the right to free expression and not turn their backs on controversy when it ensues? And lastly, can we create a critical literacy among students so that they are not only better prepared to confront the issues of tomorrow but also can be instrumental in changing or improving today's world for the better? To illustrate my point I would like to tell a story drawn from a paper that I coauthored with Professor Dennis Sayers of New York University. The research was originally compiled for his forthcoming book, Brave New Schools. The story concerns the use of a global learning network in an English class at a high school in Long Island. The network, supported by the Copland Family Fund, is called IERN, which stands for International Educational and Resource Network. The IERN network allows students to use telecommunications to carry out projects with students from other parts of the world. The students at Cold Spring Harbor use the network to collect articles written by students from many different countries for a magazine called The Contemporary. Although produced at the high school, The Contemporary is so much a part of the IERN network that it is considered an official publication of that network. As its editors write, "The Contemporary is a student news magazine, international in scope, that aims to provide teenagers with a way to learn about issues of national and global importance as the first step toward understanding how youth can have an impact on the direction taken by our world." And one point I'd like to make.
These are 14 to 17-year-olds that write, so I think you're all going to be very impressed by the level of their writing. Even though at times these issues of national and global importance were controversial in nature, this didn't stop the student editors from writing about them. However they were soon to find out that encouraging a debate on one of these controversial issues would lead to not one but two conflicts and near losses of their right to free expression, and surprisingly from two entirely different directions. It all began with the Middle East section of the January 1994 issue, which contained writings from Palestinian and Israeli teachers and students. Kristin Lucas, the 11th grade editor of the special sections, recounts her original motivations for collecting the writings. "At the start of my project my goal was to inform students around the world about recent developments in the long lived Middle East crisis. I set out with the belief that students from Israel and the occupied Palestinian territories needed to realize the similarities in their hopes and fears in order to pave the way for a more peaceful future." Using electronic mail and video send (ph), Kristin and the other student editors were able to collect several pieces of writing from both Palestinian and Israeli students and teachers. It was their intention to pair these writings next to one another in the Middle Eastern section for maximum impact. However, as they were going to press one of the Palestinian teachers, upon learning of Kristin's decision to intersperse the Israeli and Palestinian writings, and also objecting to some of the content in Kristin's introductory article, threatened to pull every one of the Palestinian writings. Kristin and her fellow editors were astounded. She spent seven periods of two school days trying to reach a compromise that wouldn't breach her right to free expression.
At the end they published all of the letters, but in separate sections of the magazine. This was a disappointing compromise for Kristin and her co-editors. In their opinion the initial attempt to foster a student dialogue on a controversial topic had failed. So they decided to exploit the technology to an even greater extent. Instead of relying upon letters and articles sent through electronic mail, they opened a conference area on the network hoping this time for a more extensive, true back and forth student dialogue. Little were they to know that world events would sadly offer them one more Middle Eastern controversy. As we can all recall, on February 23, 1994 Baruch Goldstein murdered 50 Arabs and wounded many others at a mosque in Hebron (ph). This massacre triggered many Palestinian demonstrations on the streets of the occupied territories, which led to beatings and killings by Israeli authorities and reprisal murders by members of extremist groups on both sides. As a result extensive curfews were enforced and schooling for the Palestinians was suspended. Thus the resulting turmoil provoked a flurry of letters back and forth on many topics, one of which was the Western media coverage of the events. As one 12-year-old writes, Ranin Kiryan (ph), "The Western media is always at the scene when both Israelis and Arabs are killed, and the coverage is much more in favor of the Palestinian side in the opinion of Israel's. My opinion in general is that the Palestinians deserve a country." A Palestinian student disagreed with Ranin Kiryan. "I believe the Western media is not always at the scene when both Arabs and Jews are killed, and the coverage is in favor of the Israelis. But it's not important that the media covers this or that. What is important is that the killings stop. I respect your opinion that the Palestinians deserve a State."
These two excerpts out of a handful of many demonstrate the enormous power of telecommunications to foster student participation in an open and free dialogue. These students are learning tolerance by respecting each other's opinions on a very controversial topic. They are communicating in a real fashion about issues of social justice. One Israeli student who wished to remain anonymous, likely because his or her opinion would have sparked debate among his or her Israeli classmates, disputed the frequent press descriptions of Baruch Goldstein as an insane killer who acted alone. He or she says, "I believe that the massacre was not the action of a lone lunatic but one taken by a gunman acting under the influence of a radical minority group. This group deserves to be condemned, but the entire Israeli population should not be blamed. Similarly, the extremists among the Palestinians should be condemned but not all the Palestinian people." Truthfully, how many adults can master that concept, the few do not represent the many, as our anonymous contributor obviously has? Moreover, how many could acquire this understanding on such a controversial issue so close to home? Clearly these excerpts from the students' writings demonstrate the success of Kristin's original goals, to promote dialogue on a hotly contested issue in the Middle East with the hopes of illuminating common ground for peaceful coexistence. The Contemporary included these and many other letters in the May 1994 issue. There were also letters from students in other countries sharing their opinions and applying lessons from what they were reading to their own reality at home. Phoebe McDunna, a student from Australia, writes: "In my country we have many people from different backgrounds and we have grown to communicate and to accept everyone.
This all sounds like Australia is a very loving and understanding country, but the sad truth is our native Australians, the Aborigines, are the last ones to become accepted and to be treated equally." Thus the debate that Kristin had sparked on the political turmoil in the Middle East led to students in faraway countries extrapolating lessons about the expansionist policies at the roots of their own countries' origins. So in going to press with this final issue of the school year, Kristin and her fellow students were pleased that they had achieved the goal of using telecommunications for opening and sustaining an extensive dialogue on a controversial issue. Kristin writes, "I've had the opportunity to accomplish what many other students may never have a chance to attempt. Even though I don't have the influence to reverse the sometimes harsh sentiments of these people, I would like to come away thinking that at least I did something to help the peace process along." Unfortunately Kristin had no idea of the new conflict for the May issue, this time much closer to home. Peter Copland (ph) is the head of the Copland Family Foundation that has supported the IERN network since its inception. His vision was to explore the potential of telecommunications to give youth a voice in shaping and improving their world. To this end he established IERN, providing funding from the Copland Family Foundation to underwrite the network during its formative years until it established a clear identity and had become self sufficient. This support took many forms, ranging from assisting in covering the cost of telecommunications for some schools in North America and in other countries to assure cultural diversity in the networking projects and to contributing to special projects such as the Holocaust Genocide Project, with a range of funding demands including publications and study trips to Poland and Israel.
So when Peter Copland asked to meet with the editorial staff and the faculty adviser at Cold Spring High to voice objections to their coverage in the Middle East sections they were all very surprised. In his view, however, the coverage was biased toward the Palestinian point of view. He also felt that the writings from the adult contributors were a major departure from the original mission of the student magazine. Although he insisted that he didn't want to limit their editorial freedom he felt that The Contemporary's designation as an official annual IERN project should be reconsidered, and the controversial nature of the topics it covered might generate disagreements within IERN and jeopardize the willingness of some schools, for example in Israel and the U.S., to continue participating in the network. So the student editors met and drafted a response to Copland's concerns, and I'll quote a few passages. It was a very long letter, but I think this is very important: We sought to give all interested parties a chance to state their views and respond to each other. Did the contributors hear one another? Well, most seemed to listen but a few seemed to hear very well. Did we try to make the Middle East section a safe place to conduct such a discussion? Yes, but we realize that when feelings run as hot as they do in the Middle East there may be no such thing as a safe place to discuss any subject. Does this mean that we did not make a contribution to the resolution of the problems discussed? No. We feel progress in this instance ought to be measured simply by the fact that the contending parties at least talked to each other and read what each other was feeling and thinking. Finally, dialogue, no matter how contentious it may seem, is the first step toward resolving any problem. These responses demonstrate the remarkably high level of critical thinking generated by engaging in such projects on a global learning network over the InterNet.
The students developed a working knowledge of how to confront the possible loss of their right to free speech. Once again they negotiated a compromise by relinquishing the annual IERN project status for The Contemporary and incorporating a disclaimer for each issue. The final result was a conceptual awareness of the relationship of free expression and of the media of telecommunication that went far beyond the issue of keeping objectionable material out of young peoples' hands. In closing I will quote one student's real understanding of the individual right to free expression: "I think free and open communication is a wonderful thing. Perhaps with this experience some students will prize dialogue more dearly in the future. Hopefully if we try to understand each other more we might be more willing to talk things out instead of going to war over them." Thank you.

* * *

From rarachel at photon.poly.edu Wed Nov 30 12:09:09 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:09:09 PST
Subject: Censorship In Cyberspace 4/6
Message-ID: <9411302011.AA00961@photon.poly.edu>

MODERATOR: Thank you very much, Ellen. Now. Can we imagine what it would be like if there were no traffic cops in communication? Well, we don't really need to, because no laws control the InterNet and no one owns it. How does it work? Gerard Van Der Leun, who was the first Communications Director of the Electronic Frontier Foundation, finds that free speech and civil liberties are, as he puts it, "the default state of the global InterNet," and he will tell us why and how.

VAN DER LEUN: Hi. My name is Boswell at BELL.COM (ph), and I'm a Cyberholic. I started out chipping with an RCA dumb monitor at 300 baud, and now I'm looking to start mainlining off a slip connection. There's just never enough for me. I first sort of became I guess aware of the potential of this when I was a book editor in the mid 1980's at Houghton-Mifflin in Boston.
Through a series of events I no longer recall I bumped into this woman named Elizabeth Ferrarini (ph) who was verging on a functional illiterate but wanted to write a book about her experiences on the fledgling nets then. I think she was one of the early members of The Source. And she used to log on with the handle "THIS IS A NAKED LADY." So those of you with any experience on the Net know what kind of E-mail and sends this starts to draw to you while you're on the Net. Her keystroke cup will runneth over in no time. Actually knowing nothing about this I ended up (a) commissioning the book, (b) rewriting it, and (c) publishing it. It became a book called Infomania: Life in the On-Line World. I think it was sort of the first book about this subject, and dutifully sank into obscurity by being the first in about 1987. A couple of years later in another incarnation I was at a tag sale and I bought a box for $60. It was an RCA dumb monitor with a 300 baud modem, and you could put about ten phone numbers in it. And I took it home, sort of figured it out from the manual, I went to Computer Shopper, found a BBS with my area code on it and bingo -- I was in Dave's Cave, a Fidonet (ph) node, looking for filthy stories and other things. And then it came to me one night in an epiphanous moment that you could actually with a telephone connection basically get things onto the disk of your computer you didn't have to type in yourself. Ah, revelation. This was nice. And from then, you know, just like Topsy the addiction simply grew until I sort of found myself floating around the InterNet for many years now, and actually in different years I've become one of the rarer breeds of people on the Net. I actually manage to make a modest living out of it rather than just shoveling lots of connect time dollars back into it. In the course of this I guess I stumbled into a system on the West Coast, if anything can be said to be anywhere in cyberspace, called The Well.
Most people that have been on the Nets for some time have a vague idea that the Well is actually one of these systems whose impact is bigger than its userbase, and while on The Well I bumped into other denizens of cyberspace such as Mnemonic, who is actually Mike Godwin, one of the legal beagles for the Electronic Frontier Foundation in Washington, and also into this very strange, slightly seedy cowpoke named Barlow, who had with his palaver actually talked Mitch Kapur (ph) into parting with some hard change to fund and found the Electronic Frontier Foundation, which at its inception was actually a very exciting organization to be involved with since they basically wanted to defend young hacking kids against big crackdowns by Feds. I'm always looking for a good game of Feds and Heads in my life. I like to play with the Heads. You know, the EFF later devolved into what's now sort of a wonk tank and luncheon society down in Washington, D.C., but that was after my time, or I should say my time ended when it evolved into lunching with lobbyists. But since then I've gone on to be I guess a gadfly around the Net and on The Well to people. On The Well I run a conference that's called, well, I run two conferences. One is called Z (ph), which is basically a digest of all the other conferences, the best and the worst, what have you. And then the conference I'm proudest of is called The Weird Conference, and The Weird Conference's rule is that we don't have any rules, and you can say anything you want and nothing is forbidden. And nothing is ever censored except sometimes by me in a purely arbitrary fashion to keep people aware of what censorship feels like. It's true. Boswell will sometimes just log on and say, "Well, I'm going to erase your comment because I just don't like it." Checheche cht -- gone. What? What? There it is.
Anyway, I was just sort of looking at the Net and I've been thinking about censorship, and I've been through Operation Sun Devil and I've seen Hacker Crackdown and I have Digital Telepathy and I'm aware -- I'm sure Mr. Zimmermann will enlighten you of what can happen to someone who goes out to play on the Nets when it's an essential Net tool. I mean you need to pack a lunch and have a legal fund. Nevertheless, I would say to you today, not just to this small group but almost to anyone, that my basic state is one of really intense optimism. I think the war against censorship is effectively over and we've won. I think what we're going to be dealing with now in policy areas and programming areas is what I would call mopping up operations and attempts by local and global authority to put the genie back in the bottle. But it's gone. I mean it's out there. The Net is out there. The Net has, in my mind at least, the Net has no center. It has no owners, none that I know of. It respects no borders. I mean, you know, Australia is just a domain name to the Net. It doesn't really matter where you are. English is pretty much its default language, much like air traffic control. I'm sure there's going to be a lot of waves of efforts to limit and otherwise control this medium. I would think, if you look at the growth statistics on the Net, if you look at the number of people coming on and you look at the kind of minds you're dealing with when you're dealing with the Net, I mean you are not dealing with the left side of the Bell curve when you're hitting on the Net. I mean you are dealing with people who are bright enough to get there, because it isn't easy. You're dealing with people who are really sharp about this new technology, because some of them write the programs that it runs on. 
You're also dealing, way at the bottom of the InterNet you're dealing with software, you're dealing with Send Mail, you're dealing with Read This, you're dealing with a lot of assorted software that all nodes have to have to talk to each other, and if you really look at that code and say, "Who wrote this code? Who wrote the thing that -- who created the water in which all this information swims?" Well, I think if you look at those original people a lot of them were basically anarcho-crypto heads that happened to be programmers and just wanted to, you know, send jokes to each other and talk about computers. I think it's --, you know, the default state of the Net is absolute freedom. In fact it's to such an extent that a large part of the Net is sort of set up to recognize attempts at censorship as system damage and simply route around it. I want to send pedophile memoirs from site A to site C. Well, you know, it's supposed to take the most efficient route and that's through site B. Well, this happens to be Jerry Falwell's machine. He decides what he wants on his machine in his "home." That's fine with me. So down it goes. Whup! Sorry. We don't take any pedophile stuff through this site. Boom! We'll kick it to D. D doesn't care. Boom! You know. I don't care if Jerry -- you know, it's fine with me what people have in their home. It's more complicated than this obviously and there's going to be a lot of argument and a lot of, you know, shouting back and forth and a lot of federal regulations passed and all of that, but I think what's happening here is we -- you know, what is the Net? The Net is basically the medium, and the Net reminds me of this book that was published at the end of the '70's where a man said, "Well, my idea for a really great book is a book of 350 pages and there's nothing on any of the pages. So I'm going to call it the Nothing Book." And everyone said, "What a terrible commercial idea."
Well, of course he published the Nothing Book and now you go into any bookstore there's, you know, a big case of blank books. What we've got with the Net is we have, fundamentally we have the linking of millions and millions of hard drives. This fulfills the dream of every computer junkie in the world, that you have infinite drive space. You basically have infinite drive space. The Net is really -- what it is, is what we make it, everybody individually. It's like sort of the largest group hack in history. I think second to the phone company it's certainly the largest machine that's ever been built. Some people will get rather mystical. Under certain chemicals I'll get mystical and tell you it's the emergence of the World Mind. And like anything in the World Mind, it's got a lot of dark areas in it. Well, we'll just have to live with our dark fantasies as we live with our better deeds. To deny them is not really a good idea. I think one of the things that we're feeling right now with the immense growth is we're feeling three fundamental tensions within the Net, and I would also propose to you that for each tension the Net also has the capacity to alleviate that tension. I think the first tension is between the concepts which can exist in a single human mind, in a single human society, that on the one hand ideas, ideas, need to be free. They need to be exchanged. They need to have no limit to the ability to make them baroque or make them fresh or make them new. But at the same time the same mind that has ideas that need to be free, we also hold within ourselves beliefs that need to be protected. Censorship is bad. I believe that. I need to protect that idea. That's central to something important to me. As an idea, censorship is bad? That may not be such a fundamentally true idea. Maybe there are some cases that people can make that censorship is good. All right. But my belief needs to be protected, although my ideas need to be free.
Well, how does the Net deal with that? The Net, or UseNet, which is sort of this large machine, this large sort of Mother Ship of interest groups that rides upon the vast InterNet ocean, basically just creates infinite areas in which all beliefs can exist and all ideas can be free. And if you wander into an area with a certain belief -- say you wander into -- oh, the sex areas are always good because that's where everyone gets excited. You wander into ALT.SEX.MEMBERS OF THE SAME SEX. MOTSS. And you say, as we see in that group every month, you enter a message with the stirring headline, "FAGS MUST DIE." Well, it will be about four nanoseconds before about thirty other people will flame you hairless. Your I.D. will be exposed either in its strength or its weakness by thirty other minds working on that -- whew. At the same time you might want to say, "I believe that everyone should worship Jesus. Christ. Christian." Right? Well, you might sort of wander over to the Muslim and you might not feel too comfortable in the ALT.MUSLIM area doing that, but the Net has created, the wonderful alt groups have created ALT.CHRISTNET. They even have ALT.CHRISTNET.SEXUALITY. So what happens is when people feel a need to have a belief area in which their beliefs can be protected they'll just create an area and anybody who wanders in there that's not quite in the program, just flamed hairless and thrown out. That's all right, because you can wander over, you know, to another area or to a "secret moderated (ph) mailing list" that says, you know, "Kill Catholics Mailing List." Okay? We're going to talk with six other people on the Net about killing Catholics. That's a good idea. We'll just all be in that room together. You know, other people just put you in their Kill file and you're out of here. So the Net sort of resolves those two, that particular tension set. Next tension set, tension set number two, is information. Hmmmm. Information wants to be free. All right. 
Information wants to be free. True. True thing. All information wants to be free, and we don't really want to pay connect time charges to get it, either. On the other hand information is generated by people, and people need to be paid, okay? Because, you know, the information environment that makes my apartment, the landlord wants to be paid for that solid piece of information I live in so I need to get something coming in the other way. Well, I would propose to you that the way that both we can have free information and also have information which returns some kind of money or token back to its creator is probably at hand within the InterNet within the crypto environment. In other words I get a little sample of something. If I want to have the whole thing maybe I have to send $5 down the line on my Master Charge in order to get the key back. Mr. Zimmermann could probably talk a little bit more specifically about how cryptography and things like that probably hold the key to a real kind of commercial series of transactions over the InterNet. So that is sort of the Net. But on the one hand we have, you have to consider there's two things going on on the InterNet. One is speech, and people feel ASCII is speech and if you don't think it's speech say that on the Net and they'll probably come back to you and hand you your ASCII on a platter. Which empowers individuals. That's why we love it. At the same time the other question is how are we going to maintain copyright? Because people feel that maintaining copyright disempowers individuals. Correct. Copyright was not created by the United States Government back in the dawn of government to empower individuals. That was a side effect. Copyright was created because people saw right away that unless people could enjoy the fruits of their labor there wouldn't be quite so much invention within society and it was held to be a good thing to spur invention within society.
I think that's probably the fundamental reason for copyright. And I think again, you know, the Net will give us the tools to do that. The Net has been as a global machine and through a pact that nobody intended and nobody created an extremely, surprisingly responsive organism to solving its own problems. They get solved on a pretty fast track. The final tension is sort of what is going on on the Net all the time in the way the Net only mirrors what we are and what we make it and who we are as a society, and that is the tension between the desire for liberty and the fear of liberty that leads us to yearn for some kind of authority. You see this polarity move along on the Net all the time. You see sort of libertarian -- libertarian anarchists are very big on the Net, are here, and then there's control freaks. They're also here. Anybody who's been out there for a while sees these people go at each other all the time. Then of course we have Net Heads, or Heads, whatever, and of course we have Feds, you know. And Heads and Feds have been playing games on the Net now for almost a decade. There's no reason to think they're going to stop. They sort of need each other. The Christ and the Antichrist in an eternal conflict. But meanwhile everybody else is just, you know, passing recipes back and forth and, you know, here's my, you know, here's my secret pedophile journal over here. Everybody's -- here's how you crochet something. Here's some code. Here's a filthy E of me and my dog. Just download, send money, state preferences. Then of course you have the anarchists, like I am. Hey! No rules, nothing. Let's just do it. You know, you're there. You are free. Just assume it and act on it, and -- THE NET POLICE. "You know, you're really a Nazi for saying it that way." 
In fact the famous Mnemonic's law on the Net says that the longer any Net argument goes on, the more, the more ready you are to put us into -- "as length of the UseNet argument continues, the probability of a comparison to the Nazis approaches 1." And this happens. Then of course you have intellectual political explorers, you know, of all kinds, you know. Now we even have a Nazi, AMERICAN NAZI.COM on the Net. No longer are we approaching 1; the Nazis are already on the Net. But we have infinite disk space and they just go off in their little room. And then we also have PC people on the Net. PC's are very big on the Net, and very big on college bulletin boards. These are the people that believe that we can sort of control people in being nice, wonderful people, and when everybody's nice and wonderful and has no bad thoughts then it's going to be the Millennium. Hearts will open. You know, all will walk naked in the world. And then you have sort of the hackers and the crackers, you know, and there's a great deal of confusion about who's hacking and who's cracking. You know, if I'm cracking and I'm doing it because it's cool, I'm hacking, right? If someone's hammering on my password file they're cracking. I don't care how cool they are. So I think my fundamental statement about the Net is that it is literally the greatest tool for free speech that has ever been, ever been invented. Free speech is, you know, freedom of the press is available to those that own one. Hey. Two grand. We all own one. That's about the total cash investment. Never have printing presses with 15 million potential readers been so cheap, all over the world. I don't really despair for the future of the Net. I think the Net is probably the greatest tool for the potential liberation of the mind and spirit of all human beings that's ever existed on the planet.
I view it as sort of the peoples' publishing company, that rejects no manuscripts, you know, that has all books available for ten cents each, you know, if that. You know, please. Read my screen. And then you're always coming back with the Net tension people saying, "Yes. But now that the people have the ability to communicate with each other globally on any issue from any point of view that they want to and governments can't really stop it that easily and it just sort of flows through these borders, don't you think it's time to call for all of us who use the Net to use it in a responsible manner?" And I say screw that. I say screw responsibility. Just do what you want. That's what it is there for. "Well, you have to telecommunicate responsibly." Well, I don't have to put a condom over my modem. Enough of this. You know, I mean everybody's always got to, you know, "We have a vast new medium. We must use it responsibly." No, I say we use it irresponsibly. I say we just fool around with it. We hack on it. We hammer on it. We pound it. We just see what happens. Who knows? You know, it might be a piñata and we crack it open and, you know, a lot of manure falls out. Or we might crack the piñata open and a huge Mardi Gras party will be wandering out. We don't know, you know. But I think we have to use it and use it heavily, because, you know, as they say in aerobics, "Use it or lose it." That's all I have to say.

* * *

From rarachel at photon.poly.edu Wed Nov 30 12:10:13 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:10:13 PST
Subject: Censorship In Cyberspace 5/6
Message-ID: <9411302012.AA01012@photon.poly.edu>

MODERATOR: Well. Getting back to censorship.
I'm not quite sure what Phil Zimmermann is going to talk about, but I have a feeling that unlike some computer experts that I've talked to who think that the wide dissemination of encryption software like Phil Zimmermann's Pretty Good Privacy make the Digital Telephony Act no big deal because all the government will get is static when they tap in on these new phones, I have a feeling that he is a little bit more suspicious of the possibility of restrictive government action. So perhaps we can now find out what we might loosely call "the censorship crunch" (ph) and what is going to happen in it. Phil Zimmermann.

ZIMMERMANN: How many people here know what PGP is? Okay. How many people don't? Okay. Looks like we've got about half and half maybe. Well, I'm not here to talk about PGP mostly but rather government policies, but I'll just talk about it a little bit. Cryptography is the art of making secret writing. It's been around for a long time. The problem is if I want to send you a message I use a key to scramble that message up and then you have to use the same key to unscramble it. The problem is how do I tell you what the key is? Do I tell you over the telephone what the key is to unscramble the message? If I do that then it can be intercepted, and so that's the problem with cryptography. In fact that has been the problem with cryptography since the days of Julius Caesar. But in the late 1970's some mathematicians at Stanford and M.I.T. devised another kind of cryptography that solves that problem of key distribution. It's called Public Key Cryptography, and the way it works is that there are really two keys. One encrypts, the other decrypts. As a matter of fact the two keys have a kind of yin-yang relationship so that either one will decrypt what the other one encrypts. This means that if you generate a pair of these keys, everybody generates a unique pair of keys for themselves, the keys have this mathematical relationship like this.
They're kind of like Siamese twins. And you separate them at birth and you broadcast one of them to the world and put it on all your business cards and in your telephone book, and you keep the other one secret. Then if anyone wants to send you a message they encrypt it with the key that you published. That's your public key. But you're the only person in the world that can decrypt that message with the corresponding secret key. This solves the problem of key distribution. You don't need secure channels to distribute keys beforehand. With the old way that cryptography used to work before Public Key Cryptography came along, you needed a secure channel for the prior distribution of keys. Well, if you had a secure channel for the prior distribution of keys then why do you need to use any cryptography at all? You know, I remember my Mom used to tell me when I was a kid that if you sprinkle salt on a bird's tail you can catch the bird. And for years I wondered about that. You know, maybe there's something about salt and birds. But I finally figured out why you can catch a bird if you can sprinkle salt on its tail. So if you could get a secure channel to distribute keys, then you've got the communication problem solved. But maybe you could just send your message through that secure channel. Well, with Public Key Cryptography you don't need any secure channels. So if you combine that with the technologies of the Information Age, modems, personal computers, fax machines, etc., then you have a really good synergistic combination of technologies that makes it possible for the first time for cryptography to affect millions of people in their everyday lives. In the old days before Public Key Cryptography you would have to do this prior distribution of keys. Governments didn't mind doing this, because they could put a guy on a plane to Moscow with a satchel handcuffed to his wrist carrying keys to the Embassy there.
They don't mind paying the salary of somebody and buying them an airline ticket to do that. But if you're going to talk to your cousin in Colorado you're not going to do it by sending a courier carrying keys. So cryptography never had a chance to affect the lives of millions of people until Public Key Cryptography was invented and personal computers and the Information Age came along. Well, how many people here don't know what the Clipper Chip is, or haven't heard of it? Or just don't know what it is? Okay. I see almost everybody does. I'll just say a couple of words, but I'll abbreviate my remarks about the Clipper Chip. The Clipper Chip is an encryption device that the government is making for us that they hope we'll put in all of our telephones. It encrypts our telephone conversations so we can talk to other telephones that also have the Clipper Chip. The trick though is that at the time of manufacture the government puts the keys for encryption and decryption in these chips, and they keep a copy of these keys for wiretap purposes. You know, I haven't talked to an audience where it wasn't immediately obvious to everybody that there's a problem with that as far as -- you know, I was talking on the phone the other day with the General Counsel of the NSA. I'm going to be debating him next week in Los Angeles and so we were talking about what we were going to do in the debate. And I made the remark that there is a difference in attitude between people on the inside and people on the outside. What I was talking about of course was inside the government, and in particular the law enforcement and the intelligence agencies. He said something like, that I was assuming a lot to think that it was just people on the inside who were for the Clipper Chip, and, you know, I just -- I don't remember running into too many people on the outside that felt differently.
The government is trying to at first not pass legislation to make us use the Clipper Chip but rather to use government spending power to make an awful lot of Clipper Chips deployed. They're using government spending power both to buy Clipper Phones that have the Clipper Chip in it and then they're going to use government spending power to require government contractors to buy Clipper Phones if they want to talk to the government. Well, this kind of gets the production lines going and brings the cost down. It makes it cheap enough so that it can be used more and more by the general population, the related chips to the Clipper Chip. It's not just the Clipper Chip. There's a whole series of chips the government's making. Capstone (ph) is another chip. They have this little card, a PCMCIA card. It's something that slips into your personal computer, into your notebook computer, that they're calling the Tessera Card, and the Tessera Card has got something similar to the Clipper Chip in it and it can do digital signatures, and they want you to file your taxes with it electronically. You know, it's funny. They call it the Tessera Card. Now I looked up "tessera" in the dictionary. I've got one of those giant, thick dictionaries. And tessera is a name that ancient Rome had for these little cards that were kind of like that, the size and shape of a Tessera Card, kind of a tile. And it was an identity card. And slaves were required to carry it, and if you didn't they could chop your head off or something awful like that. And I thought what a brilliant stroke of naming, you know? Who thought of that? I was talking to Clint Brooks, the Assistant to the Director of the NSA, in Los Angeles a couple of months back. We were on a panel together to argue this point.
And he said that he was the one who named the Clipper Chip, and he was thinking that for these things, for example the Clipper Chip may not have been the best choice of names for it because people think of clipper as clipping the wings of democracy. Of course cryptographers like to rearrange letters and things because we like to do that, so we kind of just moved a couple of letters around and called it the Cripple Chip. So anyway what they're trying to do is to use government spending power to change the facts on the ground. Not by legislation, but by changing the facts on the ground. We don't have any laws requiring us to use 120 volt AC power, but we do. When was the last time you saw a 48 volt vacuum cleaner? It's the tyranny of the installed base. That's why, you know, all computers are Windows or MS-DOS computers or Macintoshes. It's something that, if it's out there and it's -- deployment wins, in other words. Well, the government is not the only ones that can change the facts on the ground. I can change the facts on the ground. I've already done that to some extent. And I'm going to do it some more. You know if we wake up one morning with 100 million Clipper Phones installed it's going to be too late to worry about changing government policy. It doesn't matter who we elect President. We could have somebody elected President that says, "Elect me and I promise to get rid of all these Clipper Phones." It won't do any good at all. The installed base and the technology infrastructure is more powerful than a government, is more powerful than government policy. There is no way we could change, you know, our power standards. There is no way that a government can decide that we're not going to use PC's anymore or something like that. So that's what they hope to do with Clipper. 
Well right now PGP, Pretty Good Privacy, a program that I wrote that does E-mail encryption using Public Key Cryptography and using other algorithms that were chosen from the academic literature, the most powerful algorithms, the ones that had been the best peer reviewed, not my own home grown invented algorithms, because those had not been through the kind of peer review it takes to stand up to major governments. PGP uses the best algorithms in the academic literature. PGP has become the most widely used program in the world for E-mail encryption, bar none. Nothing else comes even close. It's used all over the world. It's used in Burma by political opposition groups in Burma, freedom fighters in Burma. Burma has an absolutely wretched government. They torture and kill thousands of people. They have a Nobel Peace Prize Laureate in custody in Burma. They're being trained to use PGP in Burma in jungle training camps on portable computers. They take this knowledge to other jungle training camps and teach them too. I talked to somebody who's connected with those groups and they tell me that it's raised morale quite a bit because before PGP came along captured documents would lead directly to the arrest and torture and execution of entire families. I talked with a guy who was a human rights worker in Central America. This was at the offices of the American Association for the Advancement of Science in Washington. They have a human rights group there. And he told me that he was documenting atrocities, death squads, and he encrypts his files with PGP. But if the government found his files they would go and kill all his witnesses, probably not very fast either. PGP is saving lives there. I gave him a few pointers on good disk hygiene, how to keep his stuff clean, not just -- using PGP alone isn't enough. Well, my next project is a secure voice project. I just a couple of nights ago spent about a half an hour talking to one of my lawyers over it. 
I haven't put the encryption in yet. It does it all without encryption. But you talk into your personal computer with a SoundBlaster board that compresses your voice, digitizes, compresses and encrypts your voice, sends it out through a modem, and at the other end it reverses those steps. So we have this in test now, and I hope to release this through M.I.T. M.I.T. is the current official publisher of PGP. They have what is known as an FTP (ph) site. That's something on the InterNet. It means that anybody can get a file from their computer by just reaching in and grabbing it. But their FTP site is structured in such a way that people outside the United States can't do that. They won't let people in from outside the United States. And not only that, even if you're inside the United States it makes you answer a questionnaire saying that you are an American, that you're not going to export this and promise not to export it, and if you answer yes to the right questions it will let you get PGP. It didn't take very long before PGP showed up in Europe after that, probably the same day. Information wants to be free. Apparently that applies to free software more than anything else. PGP was published in June of 1991 initially. It spread like dandelion seeds blowing in the wind. It didn't take very long for it to spread to Europe. Now M.I.T. with their lawyers and their prestige is standing there publishing PGP in a way identical to the encryption methods that they have used for publishing other encryption software without any previous harassment by the federal government on their doing it improperly, so they haven't gotten any complaints about the way they're publishing PGP either. All future versions of PGP for the foreseeable future are going to be published that way, so I hope that that will protect it. You [Corn-Revere] mentioned the Carr (ph) case. There is a book by Bruce Schneider called Applied Cryptography, and it has encryption algorithms in it. I liked it. 
I like the book, the preface of the book. It's good. He says, "There are two kinds of cryptography in this world: the kind that can prevent your kid sister from reading your messages and the kind that can prevent major governments from reading your messages. This book is about the latter." You know, I wanted to steal that line for my book because he stole many lines from my book in his book without an attribution. But that's okay because information wants to be free and I like to be quoted even if he doesn't credit. So I might call up Bruce and ask him if I could put that in my preface for that book. A guy named Phil Carr took Bruce Schneider's book and applied for an export license. Actually he applied for a commodities jurisdiction grant by the State Department that the book can be -- that this item can be exported. It was immediately granted, because it was a book. He then applied for a CJ, commodities jurisdiction, to export a floppy disk containing the same source code in the book, exactly byte for byte the same source code, and they said no. He has appealed it. They said no again. Members of my own legal defense team are helping in his appeal. This is a multifront war. You know, it's funny. The number of lawyer jokes that I've told has gone down in the last year. I'm starting to run into lawyers that are actually men of conscience. It's great. I'm about to publish the source code for PGP in a book through M.I.T. Press. Books may be exported. I'm going to put it in an OCR font. We're going to apply for a commodities jurisdiction. We're probably going to get it, we presume. If they don't it's going to be the first time that it was ever declined for a book and I think the press would probably make much of that. They probably know that, and they'll probably take that into their calculations when they decide whether to grant this jurisdiction. If they do that then I'll also publish the secure voice project I'm working on in a book through M.I.T. 
press and see what happens with that. The government is -- you know, I found this interesting, the point about the different media affecting what the government tries to say, what we have free speech in. When telephones were first invented there was an attitude in the government that you could wiretap these things without a court order because they didn't go into your house to do it. It was not a violation of the Fourth Amendment of unreasonable search and seizure because they could just go down the block and attach their alligator clips to the copper and that would be all that's needed. So it took fifty years of litigation to come up with the idea, or rather to establish the idea that you need a court order to do a wiretap. Well, we're facing the same thing again on the InterNet. When the Founding Fathers made the Constitution they didn't think it was necessary to say that we had a right to a private conversation, because there was no technology at the time that made it hard to have a private conversation. If you want to just go talk behind the barn with somebody you can say whatever you want and you don't have to worry. You don't have to codify it in the Constitution that you're allowed to do that. But now most of our conversations are over copper or glass fiber. Most of the people I talk to I've never seen the face. Maybe I will when they have those AT&T things. Have you ever had a $10,000 phone bill? I know I don't plan on installing a videophone in my house, because most of my East Coast clients think that I wear a suit all the time. They don't know how I work. I ought to be able to whisper in your ear even if your ear is 1,000 miles away. And the government says I can't do that, and that's what this whole thing is about, removing all of our communication from vibrating air molecules to photons. As more and more of our traffic switches to electronic media it becomes more and more lucrative to tap into it. You can't read all the paper mail. 
The government can't read it all. They can read one person's paper mail if they target somebody, but they can't read it all. It's too much work to read everyone's paper mail. But they can read everyone's E-mail. A single government computer could scan every single piece of E-mail in the country, all of it, every day, constantly. Now I'm not saying they do that, but the technology exists that they could. And it could scan for subversive key words and it could look for political troublemakers. It could look for, you know, the next anti-Vietnam War protesters or the next civil rights protesters or the next environmental protesters, whatever the issue of the day is. Some unpopular war or something like that could come up again, and they'll be able to find people who are talking about it. What could Joe McCarthy have done with these kinds of tools? What about traffic analysis? What about all these E-mail headers that say who it's from, who it's to, what the subject is and so on? I think this means that we should try to encrypt all of our E-mail, because that's the only way to put it back the way it was with paper mail. In fact it puts it beyond that. This is not a black and white issue, because there are some downsides to this. There's never been a time in our history where it's been possible to place information beyond the reach of the collective efforts of society, but with modern cryptography you can. You know, if you put information in a bank vault you can always get it out with dynamite or welding torches or something like that. I remember in Butch Cassidy and the Sundance Kid, you know, the dynamite, where it's raining money, you know? Used enough dynamite there, Butch? You can always get that information when it's physically protected. But it's now possible for the first time in history to place information beyond the reach of the collective efforts of society. The Gross National Product is not enough to get it out. 
It takes less energy to make a round trip to the nearest solar system than it does to compute the prime factors of some large composite number. I'm going to read you a quote that I got from a guy in Latvia. I always read this quote, so to those of you who've heard me speak before I apologize for the repetition. I got this, it was sent to me by E-mail, on the day that Boris Yeltsin was shelling his Parliament building in October of '93. It says, "Phil, I wish you to know. Let it never be, but if dictatorship takes over Russia your PGP is widespread from Baltic to Far East now and will help democratic people if necessary. Thanks." That's the best mail I've ever gotten on PGP. I want to read you a quote that Louis Fried (ph), FBI Director Louis Fried, said recently at a conference on global cryptography, on September 26th. Steven Levy (ph) put a question to him about what would happen if Clipper doesn't catch on, doesn't get wide acceptance. What would the FBI do in response to that. Would they outlaw other kinds of cryptography? Here's a transcript of this: At first they didn't understand this question. "You mean if the software that we write doesn't work?" He said, "No. If all you get is encrypted forms and you can't decipher them." "The terms of encryption being a voluntary standard?" Steven Levy said, "Yes." The answer from Louis Fried, FBI Director, was, "Oh, yeah, definitely. If five years from now we solve the access problem but what we're hearing is all encrypted, I'll probably if I'm still here be talking about that in a very different way. The objective is the same. The objective is for us to get those conversations, whether they're by an alligator clipped on ones and zeros [it's kind of garbled, I think] ... whoever they are, whatever they are, I need them." 
It was obvious to everyone there who got a little bit clearer view of it than the transcriber of the transcript here that what he was talking about is that he would seek legislative relief, in other words outlaw other kinds of cryptography. This is the first time an Administration official has said something along these lines. Just a couple of weeks back the FBI Wiretap Bill passed requiring phone companies to build all their equipment wiretap ready. The analogy to this is requiring new home builders to put video cameras wired to a police station, with a promise to only turn them on with a court order. The assumption is that as we build a new technology infrastructure we have to guarantee to the police, to the government, that they will have access to our private communications. This is a dangerous precedent. The FBI Wiretap Bill passed without too much trouble, largely in part because of the efforts of the Electronic Frontier Foundation I'm disappointed to say. John Curry Barlow (ph) made the remark that he could have changed the vote of one of the Senators, and he told him to go ahead and vote for it because it was in the EFF's view the best deal they could get. I think that we could have stopped it. Last year it was introduced and it didn't get a single sponsor. This year it had money in it for the phone companies to pay for the infrastructure changes. The phone companies stopped opposing it for that reason. We can't let some future legislation come down that will slip by us that outlaws other kinds of cryptography. Cryptography is our one guarantor of privacy on the Information Superhighway, the Infoban. I was talking to a Swedish reporter recently and I used the word "Infoban," and he said, "Oh, I wish you wouldn't use that word. It sounds too German." So I understand the new word is I-way. I saw that in Wired. It's a little too hip for me. We have to stop this. There's only one chance to fill with this technology niche. 
You see, your voice is going to be digitized at your telephone not down at the office, so there's going to be a computer in your phone. And once it's digitized it's practically free to encrypt it. It will be encrypted. The question is will it be encrypted with technology that we control or technology the government controls. If we build a technology infrastructure that some future government might inherit, a future government that could be a bad government -- you know, sometimes economies change. Germany in the 1930's, Russia in the 1990's, we don't know where our economy will be twenty years from now, thirty years from now. A government could emerge with fascist tendencies. If they inherit a technology infrastructure that allows them to monitor every movement of their political opposition, every transaction, every conversation and every communication, every bit of travel, then they'll be able to hold onto power. It could very well be the last government we ever elect. I think if you're trying to analyze technology policy you should ask yourselves what kinds of technologies would strengthen the hand of a police state, and then don't deploy those technologies. This is a matter of good civic hygiene. So that's about all I have to say. I guess we can have our question and answer period.

* * *

From rarachel at photon.poly.edu Wed Nov 30 12:10:59 1994
From: rarachel at photon.poly.edu (Arsen Ray Arachelian)
Date: Wed, 30 Nov 94 12:10:59 PST
Subject: Censorship In Cyberspace 6/6
Message-ID: <9411302013.AA01065@photon.poly.edu>

MODERATOR: I think first I'm going to give the members of the panel the opportunity to ask any questions that they want of each other. Does anybody have a question for another panelist? Okay. Well, then, the floor is open for questions. Yes.

Q: Miss Lafontaine, your student editor, Kristin, why didn't she tell the teacher in Palestine to (inaudible)? I mean the children were the ones that submitted the material. 
Their free expressions had already gone out. What did she care what they said?

LAFONTAINE: Because it took her about a year to be able to get a contact in the Palestinian schools. See, that's one thing that we don't understand. In a school to get even a modem in and then to get a network and to get $100 maybe a year to do this is miraculous, and then to find the contacts for partner schools is even more miraculous. And this school has been working on this for five years.

Q: Didn't they cut their nose off to spite their face? Cut themselves off from (inaudible)?

LAFONTAINE: Yeah, I think that this particular person, the teacher in the Palestinian occupied territories, would have said, "That's it. We're not communicating anymore." And, you know, it was really her vision to get some communication.

MODERATOR: Yes.

Q: Mr. Corn-Revere, with respect to the problems that Mr. Zimmermann was raising just now with respect to the Clipper Chip, I wonder if there isn't some way to find this legislation unconstitutional, as burdening the rights to interstate commerce or the right to travel?

CORN-REVERE: Not really, because it's an extension of a legal structure that's existed for some time. It's quite right in talking about the problem of wiretapping being one as old as telephones, and the Supreme Court really first addressed it in 1928 and at the time the only Justice who really understood what was going on was Louis Brandeis, who basically said it's not going to stop with wiretapping. Some day the government may develop even more advanced technological means of rifling through drawers, obtaining access to peoples' papers without having to go inside their homes, which is exactly what we're talking about. But in terms of the Constitutionality, at the time the Court said that wiretapping isn't a search in violation of the Fourth Amendment because there's no physical intrusion. 
They reversed themselves in 1967, but as with all or most Constitutional rights, or particularly Fourth Amendment rights, because it says you can't do an unreasonable search without getting a warrant, you really just need a legal structure that defines when you need to get a warrant. The latest Wiretap Bill extends that into newer technologies, but again it does require the cooperation of the phone companies. It requires them to be wiretap ready. The conditions for getting a warrant, which is what the Constitution speaks to, are the same.

Q: But what I'm wondering is if requiring that technology, that the actual product be structured in a certain way or include a certain feature, I wonder if that wouldn't even infringe individuals' right to contract, to have a certain kind of, to not be able to buy a certain kind of product. I don't want this product in my phone. It seems like the government is entering into some kind of monopoly with the phone company. So I'm wondering if it's possible --

CORN-REVERE: They've been doing that for some time.

Q: -- to come at this from something other than just a Fourth Amendment and First Amendment perspective.

CORN-REVERE: Yeah. I understand the point. I don't know that there's a Constitutional right to buy a particular kind of product. But a good first step would be for people to understand exactly what's going on with this legislation. I think, you know, what Phil Zimmermann was talking about is the best first step, for people to really understand the implications of this, because I think they're truly frightening.

Q: I agree with the distaste for the Information Superhighway metaphor. I was wondering if any of you had ideas about a better metaphor, because --

VAN DER LEUN: I'd like to just kill all these metaphors now. 
The whole medium is in the throes of these metaphors, and then people take them generally in a much more concrete way and we have just endless tedious discussions talking about what the metaphors mean, what they don't mean. I was thinking about this this morning. There's a problem -- occasionally The Well, my own system, has these global problems that all the users get involved in, and one is currently going on, and I'm just watching everybody stumble over all the metaphors that we've sort of pulled up over the years to discuss what we do there, and I felt myself yearning for people just to sweep these metaphors away and just actually look at the actual medium, which is sort of characters on a blue screen, almost down on that level, to try and become fresh again. I know, as you say, the dissatisfaction, especially for the Information Superhighway, is basically because this is the year in which every mind open to the media is going to be paved over by this concept. And it's just tedious. It's like blather and spew.

CORN-REVERE: But I'm not talking about just words in a literary vein. Lawyers deal in concepts, usually not very well, but also in terms of very broad concepts, in broad generalities, and metaphors are important in abstract reasoning process. And so when you're describing what is possible under the law the metaphors you use are very important, which is what happened in broadcasting.

VAN DER LEUN: Legal fictions.

CORN-REVERE: Yeah, legal fictions. They deal with legal fictions all the time and give them definitions, and to the extent that it gets pigeonholed, whatever "it" is, by these legal constructs and descriptions and metaphors that it limits what's possible legally to do then. Now I agree that ultimately technology wins. But government can slow it down. 
Q: The problem is that that metaphor has inhabited the space of the discussion, so that, you know, Al Gore or whoever, you know, appeals to it and it catches in peoples' minds until you displace it with another and better metaphor, which would be a very creative thing to describe. I was wondering if in the history of this kind of technology whether you could look at how other metaphors have been used to describe printing or film --

VAN DER LEUN: I think it's very difficult right now because at the same time we have this metaphor about the Information Superhighway that is displayed around and everyone's tired of you have to realize that that arises out of a sort of shared mental substrate that we're all consciously or not in right now, which has to do with the tendency to describe everything that's going on in the world in sort of terms of the computer, much in the way that the universe used to be discussed as a large clock. Now the universe is a large sort of computer with lots of disks, and God has RAM as big as all outdoors. So that metaphor exists within this sort of larger substrate. This is how -- it's the dominant -- the computer itself is immensely sort of loaded with metaphoric possibilities and possibilities for analogy, so I don't see this being done away with any time soon because something else will just --

Q: The thought just occurs to me hearing you speak, something like Minsky's notion of society. It would be much harder for people to agree with the Al Gore (Inaudible; overlap)

MODERATOR: This is now becoming sort of a very interesting conversation, but perhaps a conversation that might be carried on at the wine and cheese party. Did you have a question?

Q: Yes. I saw a conflict emerging between the optimism of Mr. Van Der Leun's the technology is going to beat efforts to suppress and Mr. 
Zimmermann's conversations about all the ways that the government can suppress it by using technology to encrypt, to, as you say, to put in our computers what's the equivalent of the voltage system. I was wondering if somehow you could discuss it or resolve it or expand on this. Between the two of you, which --

ZIMMERMANN: I'd like to say something about that. I run into people all the time who say that the war is over. It's just a matter of mopping up now. I don't think it is. The government can pass laws against things and put people in jail, and Louis Fried's comments indicate that if he tries to press for legislative relief they could pass it, like they passed the FBI Wiretapping. What happened there, I mean a friend of mine who was active in the Nuclear Freeze said, "You know, you guys are totally unorganized. How could you possibly let something as big as the FBI Wiretap Bill just said right on past? Where were all the letters to the Congressmen? Where were all the phone calls? Congress didn't hear a peep out of anybody about this. How did this happen?" If we're asleep at the switch while we all talk to each other in our little tiny private news groups, you know, with our little inbred little circles of friends, we're not going to affect Congressional policy, Congressional laws, legislative activity. What happens the next time when they pass a law outlawing other kinds of cryptography except for escrowed (ph) encryption systems? That could happen. The ship of state has a very large turning radius. We're going to have to start trying to turn this supertanker right now. It may take years before they pass legislation outlawing other kinds of cryptography. I don't know. Certainly it's going to be at least a year, but it could be five years. But we have to start now. We have to really start pressing and not just talk amongst ourselves in InterNet news groups. 
VAN DER LEUN: Of course I was around with the EFF for a lot of this thing, but I certainly disagree with the need for constantly being citizen active. Where was everyone? Well, like I said, I think the EFF became sort of a luncheon lobby. It basically lost the grassroots support when it made certain policy turns a while back. I mean I was sort of shocked to hear -- did Barlow really tell you that he could have changed the vote of a Senator but he didn't because that law was best they could get? I mean that can't --

ZIMMERMANN: No, he didn't tell me that. Steve Levy told me that. I think he read it on the Net, so --

VAN DER LEUN: If that's true (Inaudible) -- you know, I mean there was a -- not that EFF is particularly powerful about this, but it was for a while until they started going in another direction. We certainly have to deal with this but I think, you know, everybody talks from what I like to call the illusion of central position and I think that obviously we're going to go forward and do what we can to resist government moves on this point but I don't think the rest of the Net is going to slow down. I mean without the Net would there be a Zimmermann? Would there be a Net in the future without a Zimmermann? You know I think the two are almost symbiotic, or probably will turn out to be in the future. Tools, not rules, and -- but that doesn't mean we quit trying to shape the rules. You know, I think the other thing is it's just a big blip on most Americans' horizons.

CORN-REVERE: That's the problem.

VAN DER LEUN: Well, but maybe that is not something we're going to do by just waving our modem and saying it's important.

CORN-REVERE: True, but that's what you have groups like EFF for ideally. Unfortunately, being based in Washington you tend to get absorbed into the atmosphere, the environment of Washington. If you want to be a player you go for the best you can get, which is what happens to lobbying groups all the time. 
They figure if they want anyone to listen to them they'll make the compromises that they need to make. The problem is politically that on the Hill who's going to say no to the FBI? People don't vote against FBI-backed measures. It's not just in the days of J. Edgar Hoover. It continues today. It was true in the '80's when they rewrote the Wiretapping Law for the first time then to include digital communication. It started out as a fairly decent bill, and then the Justice Department and the FBI got hold of it and riddled it with exceptions. So now it's up again, and the next bill will be the encryption bill. And it's not that every citizen everywhere has to constantly be marching in picket lines saying this is the most important issue in the world. It's just that when you have a group that's supposed to pay attention to these things I think it helps if they take a principled position and at least makes these issues known to the extent that they can. But if their mission is to have lunch with lobbyists and get the best deal that they can, then there's nobody watching the store.

ZIMMERMANN: The Electronic Privacy Information Center in Washington, EPIC, is a real, committed, true blue, principled organization dedicated to trying to hold the line on these issues. They used to be Computer Professionals for Social Responsibility, but they had a Washington office which specialized in electronic privacy and so they created this special group out there. If you want to support somebody who's really consistent on this, they're a good one to support.

Q: The Electronic Privacy Information Center?

ZIMMERMANN: Yes.

VAN DER LEUN: They're much more principled about it than EFF. They're always quick. They're always on a very strong and positive side of the issues. The tragedy is they're not as well funded as the EFF group. 
MODERATOR: I would like to suggest that not everybody who really feels principally concerned about this issue is on-line, and it's possible that if an effort was made to get in touch with people like Feminists for Free Expression or the Civil Liberties Union or something like that rather than relying on on-line communication -- I didn't even know that the Bill was up until I was at a meeting and somebody said, "The Senate is voting at seven o'clock, right now. And the House has passed it." And it wasn't in the paper. I think that a lot of people who would have protested it just didn't know.

VAN DER LEUN: I'm in the Net all the time and I didn't know. I didn't see it on the Net. I don't snoop around in those groups.

Q: On that same note people who haven't even been on the InterNet or any sort of electronic medium are affected. There are instances that I've heard of, that I've read about, where the federal and state governments are avoiding FOIA, Freedom of Information Act requirements, and Sunshine Laws by holding electronic conferences. I was wondering if Congress has addressed that at all, if anyone can answer that question.

[Inaudible - no response]

MODERATOR: The gentleman in the back?

Q: The problem with the philosophy (inaudible) to the UseNet is that what it fails to do is it fails to teach us how to form a consensus and how to form a coalition. While the Net has all these great individuals that might lead the fight, it doesn't do a very good job on building networks, and that's really a problem. The problem is that we've lost sight that the idea of free speech is not merely that you can be a talking head but that speech is a tool for persuasion. If we don't address this problem of consensus, organizations like the FBI don't even care about consensus will always (inaudible).

ZIMMERMANN: Yeah. You become marginalized, where you only talk to people that believe the same thing that you do. In fact these news groups are especially designed for that. 
The technology of the news groups is especially designed to isolate people from each other. People with the same interests are drawn together in the news groups, but they're isolated movements in society.

MODERATOR: Yes? Oh, I'm being signalled from the back and I believe that I'm being signalled because it is time for our discussion to end. Is that the case? Yes. The lady with laryngitis is nodding her head. One minute. One more question. Yes.

Q: I just wanted to ask, at the risk of sounding naive I'm very alarmed by some of the things here that Mr. Zimmermann has said and I'd like to know if you have any suggestions of what we can. Why didn't we know about this? I didn't know that they can now put something in our phones that allows them to easily wiretap. How do we get this out to the public? Do any of you have any suggestions about this? I mean I don't want to leave here feeling helpless.

VAN DER LEUN: It hasn't been an under reported item. I mean I don't want to give anyone the impression this is like some secret document or technology handed out in a back room. It has been noted in the Wall Street Journal, in the New York Times, on television.

ZIMMERMANN: Yeah, but what can you do is the question. I think that you should write letters to the editor, talk to your Congressman, especially your Congressman, and to your Senator of course, too. You know, I've been so focussed on my specialty that I thought everyone else was going to try to cover the Wiretap Bill. It's all I can do to juggle with all the set of chainsaws that I've got in my hands right now. My arms are getting tired. So I just assumed that somebody else would handle the FBI Wiretap Bill, and in fact a lot of us have come to rely on the EFF to handle these things. So getting the watchdog to take a nap certainly was a highly effective means of getting that one to sail right on through.

CORN-REVERE: You mentioned your specialty. And we all come from different specialties.
I mean my background isn't computers. I've recently started getting into some on-line services, but that isn't my background. I started as a communications lawyer doing broadcast law and cable television law and things like that. My main interest is in making sure that technology doesn't determine what the legal structure is and it doesn't determine what your Constitutional rights are, and so I'm moving naturally towards these areas. There is more than just a convergence of technology going on and a convergence of media. There's a convergence of specialties. It takes people from our respective disciplines getting together to try and get at these issues.

ZIMMERMANN: You know I think we're in need of a real political movement to get started on privacy. You know, we've got these very small lobbying organizations and 501(C)(3) educational organizations like EPIC, the Electronic Privacy Information Center, and I think EPIC does a good job for what they do. But what we need is, drawing back to the experience of the Nuclear Freeze era it's going to be hard to get that kind of groundswell. You're not going to get a million people marching in Central Park for electronic privacy. But you can get a big grassroots thing going if you really work at it. You know, in the early days of the Nuclear Freeze you'd have meetings that were very sparsely populated like this one. But as a few years went by and Reagan was rattling the saber and talking Evil Empire and (inaudible) with enough shovels and things like that the churches began to fill up.

MODERATOR: Well, that's a good note for us to offer, since we are sparsely populated, a glass of wine. Come and join us for some wine and cheese.

[END OF MEETING]

From tcmay at netcom.com Wed Nov 30 12:19:25 1994
From: tcmay at netcom.com (Timothy C.
May) Date: Wed, 30 Nov 94 12:19:25 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301931.LAA02490@netcom8.netcom.com> Message-ID: <199411302019.MAA28634@netcom20.netcom.com> James A. Donald wrote: > > James A. Donald wrote: > > > The extropians list claimed to be managed in accord with the > > > principles of justice. Eric makes no such grandiose claim. > > Timothy C. May writes > > This is a straw man, as I have made no mention of "justice." > > But the extropian list, which you cite as precedent, did make > that claim. Strange logic. I indeed mentioned experiments and debate on that list, but hardly transferred any mention of "justice" or "fairness" on _that_ list to _this_ list. > You also make the claim that Eric does not own the list. > > The question of ownership is only relevant to questions of what is > just and fair. First, I don't accept this last point: issues of "ownership" and "control" are more related to policy, access, and rule enforcement than to issues of "what is just and fair." I rarely argue in terms of justice and fairness, so please don't imply that I have done so. Second, my discussion of the "ownership" and "whose house" issues was more nuanced than a simple "You also make the claim that Eric does not own the list." (To elaborate on this, I claim that the Cypherpunks list emerged in 1992 as a gathering/meeting/club/gang of folks with converging interests in the topics at hand. We began to meet, to converse. A mailing list was created by Hughes and Daniel, running on the machine owned by Gilmore, to meet various and diverse purposes. That among these were the pursuit of digital liberty and cyberspatial happiness. Common sense tells us that the operator(s) of the list--the "owners" of toad, the listadmin, etc.--have a kind of caretaker arrangement. The list could move, could become an unmoderated newsgroup, etc. 
I'm not advocating this, just rejecting the "Foobar owns the list--if Foobar tells us to wear funny hats when we post to the list, we'd damn well better do so." There are more nuances to the issues of "ownership" involved.)

> If you claim that Eric does not own the list then you claim that it
> is unjust for him to change the rules without consent.

This chain of logic falls because the premise is false. Further, the term "own" is not well-defined, as just discussed.

> If I claim he owns the list then I claim that it perfectly proper
> for him to change the rules without consent, regardless of whether
> or not he has a good, or even sane, reason.

For the second time in pointing this out, I used the term "unwise." Face it, there are places where syllogistic reasoning like you are using is useless. Especially when no mention of "justice and fairness" was made.

I think it's unwise for a listadmin, or a site owner, to impose rules about the wearing of funny hats, for example. The mandatory signing of posts is not quite in this category, but I still think it unwise.

(Phil Zimmermann does not, as is well known, often use PGP. He rightly considers it a drag on his productivity. Not everyone has the same connectivity: some are on CompuServe, some on Prodigy, some on AOL, etc. It would seem "unwise" to, for example, exclude from this forum someone who cannot reasonably sign or encrypt all of their messages.)

> My point was that the ownership debate on the extropians list
> was a result of the questionable and grandiose claim of extropian
> justice, and is therefore not a relevant precedent for the
                            ^^^^^^^^^^^^^^^^^^^^^^^^
> ownership of lists in general.
>
> You raised the issue of the extropian precedent. The extropian
> precedent is irrelevant because the *extropian* list management
> made the claim of "extropian justice".

I never cited it as "precedent," legal or otherwise. I mentioned the debate which had ensued on that list. Jeesh!
> *Relevant* precedent and custom indicate that the list is Erics > private property, and he may do as he pleases, wisely or unwisely. > > Such actions are morally neutral, except in that wisdom itself is > good. What moral claims did I make? The "private property" argument is more murky than you claim. Last I checked, John Gilmore owns toad and the disk space used, and he pays for the Net connections. Does this make him the owner? Because of these nuances--which is why I mentioned the Extropian list experiences--it is not useful to make propertarian arguments when policy changes are being planned. --Tim May (I am not getting list traffic right now, presumably due to the Netcom overload problem, and so am only seeing messages I am directly copied on. And maybe not all of them, either. Why this is so has to do with how toad tries to connect with Netcom's mail machine--Hugh Daniel and John Gilmore have both tried to get this fixed, claiming Netcom is not properly handling mail. No resolution.)) -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From rarachel at prism.poly.edu Wed Nov 30 12:25:18 1994 From: rarachel at prism.poly.edu (Arsen Ray Arachelian) Date: Wed, 30 Nov 94 12:25:18 PST Subject: "You aren't following the _rules_!" In-Reply-To: <199411290736.XAA17767@netcom6.netcom.com> Message-ID: <9411302011.AA10944@prism.poly.edu> I agree with Tim on this. 
There's no way I'm going to leave PGP on poly's machines with the key right there for anyone who manages to hack into photon or prism (and yes, it has happened) to set up a fake pgp asking for the passphrase to my key. I usually dial in to poly, I don't have (yet) a unix box on the net to make signing easy. Until the DOS or Mac versions of PGP include a built in terminal and mailer... From cactus at bb.hks.net Wed Nov 30 12:36:47 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 12:36:47 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301931.LAA02490@netcom8.netcom.com> Message-ID: <3bio0m$ojh@bb.hks.net> In article <199411301931.LAA02490 at netcom8.netcom.com>, James A. Donald wrote: >*Relevant* precedent and custom indicate that the list is Erics >private property, and he may do as he pleases, wisely or unwisely. Not true. The more "social" a list is, the less it is considered any individual's property. Don't confuse ownership of the resources with authority over other people's actions. In a social list, it is presumed that the maintainer gets paid in enhancement to reputation and whatever personal good feelings she gets for serving peers. A purely technological list, such as bind or firewalls, is closer to what you suggest: the maintainer is providing a service and may do whatever he wishes. The former involves questions like peer respect and how one treats one's friends. In practice, trying to force social peers to do something against their will generates ill will. Trying to attribute ownership of a list of people and addresses is absurd -- let's talk about real actions and their consequences. Lists that come to mind are elbows, void, kabuki-west, any of -kin lists, etc. On at least 3 of those lists, a list maintainer tried to take some arbitrary unilateral action and had to later back down because nobody was willing to put up with such shit. 
Most recently it was where a maintainer decided to drop followups (messages with "Re: " in the subject or "References:" headers)... some people are still annoyed at the person who tried it.

It's a little more difficult in the case of c'punks where traffic includes social, technological interest, and sociological discussions. It is certainly not a clear case in my mind: Eric might be able to pull it off without pissing too many people off, he might not. This discussion is part of what will determine that.

I'll make a prediction: requiring digital signatures will annoy most those people who are independent and don't care to be told that they should at least ostensibly provide a strong identity/posting mapping.

I thought that this was one of the common assumptions of this list: that anonymity as well as pseudonymity was a goal worth achieving. Requiring signatures seems several steps backwards.

Of course, in the end people will vote with their feet. Since the list membership is available with a mere "who cypherpunks," it's trivial to set up a "cypherpunks at netcom.com" address, for example, that has the same membership and no signature policy.

Similarly, as I suggested last night, such a list address could be set to automatically sign all posts and people could be encouraged to use that address since "otherwise their mail will be delayed." No mention of digital signatures need be made.
--
Todd Masco | "Roam home to a dome, Where Georgian and Gothic once stood
cactus at hks.net | Now chemical bonds alone guard our blond(e)s,
cactus at bb.com | And even the plumbing looks good." - B Fuller

From cactus at hks.net Wed Nov 30 12:43:02 1994
From: cactus at hks.net (L. Todd Masco)
Date: Wed, 30 Nov 94 12:43:02 PST
Subject: Authentication at toad.com: WTF?
Message-ID: <199411301638.PAA05151@seabsd.hks.net>

Does the idea of having the list software check signatures strike anybody else as a Bad Idea?
Signatures should be checked locally by the recipient -- otherwise one might as well ask the sender to include a statement stating whether or not a message is authentic and should be believed. I wouldn't want to see cypherpunks being used to propagate this false security -- majordomo can no more be trusted, as an external agent, than a message's sender.

From perry at imsi.com Wed Nov 30 12:53:01 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Wed, 30 Nov 94 12:53:01 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <3bio0m$ojh@bb.hks.net>
Message-ID: <9411302052.AA00844@snark.imsi.com>

L. Todd Masco says:
> In article <199411301931.LAA02490 at netcom8.netcom.com>,
> James A. Donald wrote:
> >*Relevant* precedent and custom indicate that the list is Erics
> >private property, and he may do as he pleases, wisely or unwisely.
>
> Not true. The more "social" a list is, the less it is considered
> any individual's property.

Eric can turn the list on and off at will. By my lights, that gives him control, and thus a proprietary interest, i.e. the list is his property.

You may be correct that it would be foolish of him to annoy people, just as if you have houseguests it is foolish to suddenly say "if you want to stay in this house you have to pierce your genitals NOW!".

It is none the less his right to annoy people if he wants to, however, just as it is your right to demand anything of your houseguests as a condition of their remaining in your home. They, of course, are under no obligation to decide to remain....

Perry

From dmandl at bear.com Wed Nov 30 12:56:59 1994
From: dmandl at bear.com (dmandl at bear.com)
Date: Wed, 30 Nov 94 12:56:59 PST
Subject: We are ALL guests (except Eric)
Message-ID: <9411302051.AA02048@yeti.bsnet>

> From:
>
> If you claim that Eric does not own the list then you claim that it
> is unjust for him to change the rules without consent.
> > If I claim he owns the list then I claim that it perfectly proper > for him to change the rules without consent, regardless of whether > or not he has a good, or even sane, reason. [...] So what's the point? Fortunately, Eric and not you is running the list, and he's a reasonable man. Yeah, sure, according to the rules of PPL or Roman Law or mathematics or whatever, he has every right to take unilateral action and do whatever he wants to with the list. OK, he's the "owner," so? This is the real world, not an algebra lesson: the whole reason this discussion is happening is that Eric realizes there are a few hundred friends (damn, I should have said "comrades") involved here and he would like to discuss the issue. This "ownership" thread seems like a gratuitous exercise in abstract propertarian philosophy. Man, some people actually seem EAGER to have Eric make some drastic unilateral move just so they can bleat "Yes sir, he's the owner, that's his right! Yes sir, he's the owner, that's his right!" and have their worldview sanctioned. Yes, that IS his right, but he's obviously too nice a guy to just do it tomorrow morning without discussing it first and then inform us all of the new status of his "property." So why don't we just discuss his proposal? I agree with Tim that effortless encryption/signing of email is still a dream for most of us. I don't think there should be any "punishment" for not signing (not even having the non-signer's mail delayed). I do think signing should be encouraged. I think that at some time in the future (a year?) Eric's proposal may be reasonable, but I don't think it's time yet. --Dave. From tcmay at netcom.com Wed Nov 30 13:15:09 1994 From: tcmay at netcom.com (Timothy C. May) Date: Wed, 30 Nov 94 13:15:09 PST Subject: "Cyherpunks Named Official Signing Authority" In-Reply-To: <199411301638.PAA05151@seabsd.hks.net> Message-ID: <199411302114.NAA06386@netcom20.netcom.com> L. 
Todd Masco wrote:

> Does the idea of having the list software check signatures strike
> anybody else as a Bad Idea? Signatures should be checked locally
> by the recipient -- otherwise one might as well ask the sender to
> include a statement stating whether or not a message is authentic
> and should be believed. I wouldn't want to see cypherpunks being
> used to propagate this false security -- majordomo can no more be
> trusted, as an external agent, than a message's sender.

I absolutely agree. Having a central "Signing Authority" (analogies with Turing Authority?) is a step backward. Single-point failures and all that, vs. the distributed, end-user, local process.

If the intent of a "Compelled Signature" (tm) policy is to get people used to signing messages, why not get them used to _verifying_ sigs as well? (I suspect fewer than 1% of all messages have their sigs checked.)

Very loosely speaking--and with no imputations of motives, ideology, natch--such a central signing authority could play into the hands of those on the Net today who are talking about forcing all Net users to "identify themselves" clearly. Imagine the P.R. value to these Net.Cops: "But even the Cypherpunks require all posts to be signed!."

I say we stick to the anarchy which has worked so well.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay at netcom.com    | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo at toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay

From cactus at hks.net Wed Nov 30 13:22:01 1994
From: cactus at hks.net (L.
Todd Masco)
Date: Wed, 30 Nov 94 13:22:01 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <3bio0m$ojh@bb.hks.net>
Message-ID: <199411301717.QAA05193@seabsd.hks.net>

Perry E. Metzger writes:
> Eric can turn the list on and off at will. By my lights, that gives
> him control, and thus a proprietary interest, i.e. the list is his
> property.

I can forge a flurry of unsubscribe requests (turn the list off) and set up the same list on another host (turn it on) at will. All of us can do this with varying degrees of difficulty. Who owns the list?

(Substitute any denial of service attack for "turning off the list" if you're not convinced of the strength of the forged unsubscribes.)

The list is not the software it runs on: nobody cares very much whether it runs on toad.com or c2.org except in avoiding the inconvenience of updating pointers.

This is not a specious argument: in practice, people do take lists of subscribers to other machines. See recent traffic on list-maintainers for examples from exclusively professional scientific lists.

As I went on to say, arguing the "ownership" of the list is absurd... it's more reasonable (and productive) to discuss actions and their expected consequences.

I think the only thing that will keep people from immediately stomping away is that Eric has a strong reputation totally separate from his "bureaucratic" role of list maintainer. It remains to be seen how much that affects peoples' behaviors and how much respect he will lose for coercing, however mildly, people into using signatures.

-- Todd

From perry at imsi.com Wed Nov 30 13:26:53 1994
From: perry at imsi.com (Perry E. Metzger)
Date: Wed, 30 Nov 94 13:26:53 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <199411301717.QAA05193@seabsd.hks.net>
Message-ID: <9411302125.AA00909@snark.imsi.com>

"L. Todd Masco" says:
>
> Perry E. Metzger writes:
> > Eric can turn the list on and off at will.
By my lights, that gives > > him control, and thus a proprietary interest, i.e. the list is his > > property. > > I can forge a flurry of unsubscribe requests (turn the list off) and > set up the same list on another host (turn it on) at will. I can steal your car or buy one of my own. Does that make your car not your property? Perry From cactus at hks.net Wed Nov 30 13:31:51 1994 From: cactus at hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 13:31:51 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301717.QAA05193@seabsd.hks.net> Message-ID: <199411301727.QAA05211@seabsd.hks.net> Perry E. Metzger writes: > > "L. Todd Masco" says: > > > > Perry E. Metzger writes: > > > Eric can turn the list on and off at will. By my lights, that gives > > > him control, and thus a proprietary interest, i.e. the list is his > > > property. > > > > I can forge a flurry of unsubscribe requests (turn the list off) and > > set up the same list on another host (turn it on) at will. > > I can steal your car or buy one of my own. Does that make your car not > your property? I don't think so -- but by the argument you gave (above), it does. Ergo, your argument strikes me as insufficient. -- Todd From JLICQUIA at mhc.uiuc.edu Wed Nov 30 13:40:11 1994 From: JLICQUIA at mhc.uiuc.edu (JEFF LICQUIA (CEI)) Date: Wed, 30 Nov 94 13:40:11 PST Subject: Authentication at toad.com: WTF? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > From: "L. Todd Masco" > Does the idea of having the list software check signatures strike > anybody else as a Bad Idea? Signatures should be checked locally > by the recipient -- otherwise one might as well ask the sender to > include a statement stating whether or not a message is authentic > and should be believed. I wouldn't want to see cypherpunks being > used to propogate this false security -- majordomo can no more be > trusted, as an external agent, than a message's sender. It is a LITTLE more secure than trusting the message sender. 
After all, the cypherpunks sig checker would be an independent party. Sure, if Eric decided he didn't like someone, he could hack the sig checker to always reject that person's signatures; on the other hand, he could hack the list server right now to reject people's posts outright. As long as it were recognized as an "outside authority" (with proper disclaimers), I think it would be useful. At the very least, one would always have the option of checking the sig also. The problem is that checking the digsigs of everyone posting to the list is pretty tedious and time-consuming; consequently, the sigs generally go unchecked. I think they still hold a benefit both as spoof/fraud insurance and as an evangelism tool (a fact I have just today been reminded of). Another good argument for "automatic" crypto in news/mail readers! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtzwSTER5KvPRd0NAQEHBwQAmM9Gk7q6Ieh/QAw+2ardAgMrhUJWLVpG FByPwJGhm/OIvya6Bx+A1en9eTvatL2CwScXaLQiatBqOy7Zxlh1Edv5FUFlONqV ShsZ8G9LOldYfqqI5Q0ifTh9uWEZLIfxb6AW7ZqwoDTHvtthoVhdyy4gucf3Dp41 FssfdkqoFJw= =nziF -----END PGP SIGNATURE----- From eric at remailer.net Wed Nov 30 13:43:59 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 13:43:59 PST Subject: Mandatory sig workaround In-Reply-To: <199411301438.JAA19795@dunx1.ocs.drexel.edu> Message-ID: <199411302242.OAA11728@largo.remailer.net> From: Bob Snyder I don't sign/encrypt to mailing list, as many people get disgruntled by it, and can cause problems of it's own. Now encryption I can see disgruntlement at, but a cleartext signature? How about just an annoyance responder that sends a piece of mail to people who post without signing/encrypting, telling them they should be encrypting, that it's the preferred method of doing things, and to do so in the future if possible? I've convinced myself this is a good idea for my own personal mail, at least. 
As for the list server, some explanation and pointers are in order, to be sure, though not with each message. But "just" a responder? I don't think that induces a sufficient incentive. As a side note, if you want people to sign their notes, why aren't you doing so now? For the same reason that Tim isn't--it's too difficult. Now I've just recently set up a new email machine and I expect that I'll be able to get signing set up on it before the end of the year. I have plenty of irons in the fire already, and this isn't the top priority. it would seem that signing your own messages would be a good way of starting things toward the direction you want to go. It certainly would. My priorities on this are to get myself set up for signing. Then I need to get a recognizer written, then to hack vacation to use alternate database files, then to get my own personal resource list compiled, then to set my personal nagware. Only after all that do I intend to alter the list. Eric From perry at imsi.com Wed Nov 30 13:50:44 1994 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 30 Nov 94 13:50:44 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301727.QAA05211@seabsd.hks.net> Message-ID: <9411302150.AA00948@snark.imsi.com> "L. Todd Masco" says: > > Perry E. Metzger writes: > > > > "L. Todd Masco" says: > > > > > > Perry E. Metzger writes: > > > > Eric can turn the list on and off at will. By my lights, that gives > > > > him control, and thus a proprietary interest, i.e. the list is his > > > > property. > > > > > > I can forge a flurry of unsubscribe requests (turn the list off) and > > > set up the same list on another host (turn it on) at will. > > > > I can steal your car or buy one of my own. Does that make your car not > > your property? > > I don't think so -- but by the argument you gave (above), it does. Ergo, > your argument strikes me as insufficient. Pardon. Eric has more or less total control over the mailing list. 
The control is imperfect -- I could, for instance, blow up the machine. You claim this imperfection is reason to consider it to be "community property" or some such. You also noted that you could create another list and somehow claimed that this reduced Eric's proprietary interest in the list. As I noted, were your argument correct, then your car would not be your property because it, too, is not perfectly within your control and others may duplicate it. In any case, given that Eric can simply kick anyone off the list or add anyone on that he likes at will, you are free to refer to the list as a commune, an empire, or a supreme overlordship with yourself as supreme overlord. The fact remains that Eric can implement any change he has unilaterally. If you don't like the term "property" call it "gazorknoplant" instead. The word is not what matters. The point is that your opinion can influence him but that ultimately the decisions are all his, just as with your car, which is also your gazorknoplant just as the list is Eric's gazorknoplant. Perry From eric at remailer.net Wed Nov 30 13:50:59 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 13:50:59 PST Subject: Effects of Marking/Delaying Nonsigned Posts In-Reply-To: Message-ID: <199411302249.OAA11745@largo.remailer.net> From: jamiel at sybase.com (Jamie Lawrence) [...] delays will degrade the quality of discussion on the list (time lag for only some has a way fragmenting discussion, as anyone with a sometimes-slow link can attest). If the delays remained entirely unexpected or random, quality would degrade. Humans, however, have an uncanny ability to modify their own behavior. I am also willing to risk a small amount of degradation to encourage people to actually use encryption tools. If you are set on this idea, may I echo someone else's suggestion of an autoresponder to annoy those posting without signing? I think this is a good idea which will help the communication intent of the whole proposal. 
[...] we all still know who is not signing [...] Having notification that a message wasn't signed was never presented as one of the purposes of the proposal. Eric From majordomo at toad.com Wed Nov 30 13:53:38 1994 From: majordomo at toad.com (The new cypherpunks signature checking agent) Date: Wed, 30 Nov 94 13:53:38 PST Subject: Authentication at toad.com: WTF? Message-ID: <199411302142.QAA19892@bronze.lcs.mit.edu> The below message was found to have a valid signature from "JEFF LICQUIA (CEI) " JLICQUIA at mhc.uiuc.edu. -----BEGIN PGP SIGNED MESSAGE----- I trust that this will illustrate my point a little more effectively. It's being sent to cypherpunks as well for informational purpose: to spoof to the entire list would require a slight amount more sophistication. -- Todd -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLtzwSTER5KvPRd0NAQEHBwQAmM9Gk7q6Ieh/QAw+2ardAgMrhUJWLVpG FByPwJGhm/OIvya6Bx+A1en9Asdlkjaso819A/jaAOOISDcalAL77YhaIk7f9s+a ShsZ8asdIU8hfGhY7u8JK94HhhSDY7Sk93KjjkPosj8Hjkhk+asdJ87l/aDHjDj1 FssfdkqoFJw= =nziF -----END PGP SIGNATURE----- From cactus at hks.net Wed Nov 30 13:58:45 1994 From: cactus at hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 13:58:45 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301727.QAA05211@seabsd.hks.net> Message-ID: <199411301754.QAA05251@seabsd.hks.net> Perry E. Metzger writes: > Pardon. > > Eric has more or less total control over the mailing list. The control > is imperfect -- I could, for instance, blow up the machine. > > You claim this imperfection is reason to consider it to be "community > property" or some such. Not at all. I'm making no positive claim: I just do not see any particular reason to consider the list Eric's. Perhaps you should clarify what you mean by "the list": do you mean the set of bits that describe the mailing addresses of every person on the list or do you simply mean the instance of majordomo running on toad.com with the previous bit stream loaded? 
I'm thinking of the former as being "the list" and thus squarely in the realm of intellectual property and all the snags that entails. If it's the latter you're referring to, sure, we can call it "Eric's." But so what? That and a subway token will get you to Brooklyn. My main point, which you keep dropping off, is that the instantiation of the set of mailing addresses at a particular site is a relatively minor factor in the continuity of a mailing list. -- Todd From JLICQUIA at mhc.uiuc.edu Wed Nov 30 13:59:01 1994 From: JLICQUIA at mhc.uiuc.edu (JEFF LICQUIA (CEI)) Date: Wed, 30 Nov 94 13:59:01 PST Subject: Auto-Verifying of Sigs Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Thinking about this requiring/checking sigs thing, I thought of something... Really, the only "unknown" with signed messages is whether they are valid or not; it's pretty easy to distinguish the unsigned posts. Furthermore, it seems to be my observation with verifying digsigs (as I do in non-crypto groups I subscribe to) that the vast majority of sigs will turn up OK. It seems, therefore, that expending a lot of effort to change the current list to allow this would be wasteful considering the relatively few times that it would produce any useful information. May I propose a "better" way (you be the judge here): Proxy the job. Have a 'bot subscribe to the list (through whatever way), armed with a complete keyserver keyring. Its only function is to check all signed messages from the list. Unsigned messages, messages with sigs that checked OK, and messages signed with unknown keys would generate no response from the 'bot. A failed sig, however, would cause the 'bot to send a (digitally signed, optionally) message to the list to the effect of "This message here didn't check OK" (complete with disclaimers and warnings about trusting authorities blindly). This would be a totally automated way of checking sigs, and wouldn't involve any new code on the list's part. 
Those who didn't want the intruding messages could killfile the 'bot, and the rest of us wouldn't be bothered with redundant information on every post. What say ye all? I can tentatively volunteer my business account to do the work (have to talk to my boss about it first, as that account has to pay for volume and phone time). I'll play with some code in the meantime and see what I can come up with. From mark at unicorn.com Wed Nov 30 14:19:01 1994 From: mark at unicorn.com (Mark Grant) Date: Wed, 30 Nov 94 14:19:01 PST Subject: Authentication at toad.com: WTF? Message-ID: On Wed, 30 Nov 1994, The new cypherpunks signature checking agent wrote: > The below message was found to have a valid signature from "JEFF LICQUIA (CEI) > " JLICQUIA at mhc.uiuc.edu. If you're going to do this, I'd much prefer that you put this in the header or in a Comment: field in the PGP block. My mail program automatically verifies all signed messages (except those that get trashed by MIME-mailers), but if it's got cack like this at the top of the message then it (deliberately) displays the whole thing and doesn't verify the signature. This is in some respects a bug in my program, however I've been unable to come up with a sensible method of dealing with messages when only part of them is signed. Mark From ianf at sydney.sgi.com Wed Nov 30 14:19:31 1994 From: ianf at sydney.sgi.com (Ian Farquhar) Date: Wed, 30 Nov 94 14:19:31 PST Subject: Security Services In-Reply-To: <199411301817.KAA21274@netcom8.netcom.com> Message-ID: <9412010908.ZM10841@wiley.sydney.sgi.com> On Nov 30, 10:17am, James A. Donald wrote: > Was the DFAT building also old, wooden, and uninsured?
My recollection of the DFAT building was that it was quite old (by Canberra standards, which means built in the 1950's or so), but reasonably well maintained. Most of the bus tour operators will point out the fourth floor anyway. It's good touristy stuff. > (Oh, I forgot, it is only taxpayer money, so I guess the > building was probably new, expensive and uninsured.) > As I recall it was ASIO, not ASIS, that bombed the Sheraton, not > raided it -- (one hopes that they intended to "discover" the bomb, > but failed to "discover" it in time) -- or am I mixing up > two different incidents? You are. ASIS bungled a training exercise, at the Melbourne Sheraton, which led to an embarrassing public disclosure of the organisation's existence. It was pure keystone cops stuff. Ian. From tcmay at netcom.com Wed Nov 30 14:21:39 1994 From: tcmay at netcom.com (Timothy C. May) Date: Wed, 30 Nov 94 14:21:39 PST Subject: Shouldn't "toad" messages be signed? Message-ID: <199411302220.OAA08565@netcom11.netcom.com> ---BEGIN PGP SIGNED MESSAGE--- This message originates at "toad.com" and is hereby signed by the Cypherpunks Signature Authority: ---BEGIN PGP SIGNED MESSAGE--- It seems clear to me that by the logic of this thread, *all* messages passing through toad to us should naturally be _signed_. After all, how do we know if an "approved" message has indeed passed through toad? Someone else could be spoofing the account. If we are to place additional trust in toad.com, via the proposed checking of sigs, then toad itself should sign all messages! This will produce nested sigs, as I attempted to illustrate above (apologies if I got the precise syntax wrong). And (at least) two full sig blocks at the bottom (not illustrated here). At the least, short messages will become quite a bit longer. And will today's tools allow easy extraction of first the toad sig, then the enclosed sig?
Seems to me that if Eric wants to start encouraging use of sigs, that a good first start would be for toad to sign all messages. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo at toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay From eric at remailer.net Wed Nov 30 14:41:50 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 14:41:50 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411301844.KAA25549@netcom8.netcom.com> Message-ID: <199411302340.PAA11838@largo.remailer.net> From: jamesd at netcom.com (James A. Donald) We cannot tell him that it is unfair or unjust to manage the list in certain ways. Oh, you can, but I am Free To Ignore you. These discussions on the interest of power are fascinating to me. So many of them do not take into account my own desires to create a useful discussion forum, which desires bind me tighter than any law ever could. There are some very interesting implications of this _de facto_ solipsism to achievement of equilibria in games with iterated dominance. Eric From cactus at bb.hks.net Wed Nov 30 14:42:47 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 14:42:47 PST Subject: Auto-Verifying of Sigs In-Reply-To: Message-ID: <3bivdk$q1t@bb.hks.net> In article , JEFF LICQUIA (CEI) wrote: >May I propose a "better" way (you be the judge here): Proxy the job. ... >What say ye all? I can tentatively volunteer my business account to do >the work (have to talk to my boss about it first, as that account has to >pay for volume and phone time). 
I'll play with some code in the meantime >and see what I can come up with. Now this is a good idea. In order to successfully spoof a message, you would have to block delivery of the spoofed message to the proxy checker or block transmission of the proxy checker agent's warning. If you're willing to write the code for it, I'm willing to provide the machine on the Internet for it to run on. It shouldn't take too much effort, but I've already got a gazillion different pots in the fire as is (not the least of which is getting some c'punk services up on hks.net). -- Todd Masco | "Roam home to a dome, Where Georgian and Gothic once stood cactus at hks.net | Now chemical bonds alone guard our blond(e)s, cactus at bb.com | And even the plumbing looks good." - B Fuller From jamiel at sybase.com Wed Nov 30 14:43:14 1994 From: jamiel at sybase.com (Jamie Lawrence) Date: Wed, 30 Nov 94 14:43:14 PST Subject: Effects of Marking/Delaying Nonsigned Posts Message-ID: >If the delays remained entirely unexpected or random, quality would >degrade. Humans, however, have an uncanny ability to modify their >own behavior. I disagree with your inference that quality would stay roughly the same. >From Tim May: >(I am not getting list traffic right now, presumably due to the Netcom >overload problem, and so am only seeing messages I am directly copied >on. And maybe not all of them, either. [...] This seems to indicate that Tim is currently having trouble taking part in much of the discussion that is currently not directed at him due to delays in email processing. Gosh, I wonder if that affects the quality of his Cypherpunks Experience(tm). Multiply that by a possible 25% (arbitrary) of the list being delayed and my crystal ball says round after round of the same replies and comments from different people will filter in after the discussion of the original comment ceases.
This frustrates the readership who is trying to find the meat of the list as well as the senders (which, it should be noted, is the desired goal) by having their material appear irrelevant due to being delayed. I'm worried about the reader, mostly, but then there are those who will be frustrated enough to leave, for example Tim. Or perhaps I am one of the few here who values Tim's comments to the list enough to think the list would lose something if he took off. And I'd wager that Tim isn't the only one who would leave. Perhaps your ability to filter the garbage from the treasure is truly uncanny, Eric, and all this wouldn't affect you. I don't think most of the rest of us are quite so amazing. >I am also willing to risk a small amount of degradation to encourage >people to actually use encryption tools. I guess this is the answer then. There we go. >Having notification that a message wasn't signed was never presented >as one of the purposes of the proposal. My mistake then, I thought you had proposed marking messages as unsigned as an intermediate step. Too hard to keep track of who is saying what in this particular thread. -j, preparing to start the Cypherpunks Postal List. After all, what's a little delay? >Eric From eric at remailer.net Wed Nov 30 14:45:28 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 14:45:28 PST Subject: "You aren't following the _rules_!" In-Reply-To: <9411302011.AA10944@prism.poly.edu> Message-ID: <199411302344.PAA11847@largo.remailer.net> From: rarachel at prism.poly.edu (Arsen Ray Arachelian) I agree with Tim on this. There's no way I'm going to leave PGP on poly's machines with the key right there for anyone who manages to hack into photon or prism (and yes, it has happened) to set up a fake pgp asking for the passphrase to my key. Your key, singular? Keys are cheap! Everyone should have a bundle. In addition, since I'm not planning on verifying the signatures at the server, you are free to fake them.
Of course, if you fake them, you'll have to set up just about the same amount of software as if you used real crypto. Since so much of deployment delay comes from bad architecture, I consider setting up to fake a good thing. Eric From JLICQUIA at mhc.uiuc.edu Wed Nov 30 14:52:23 1994 From: JLICQUIA at mhc.uiuc.edu (JEFF LICQUIA (CEI)) Date: Wed, 30 Nov 94 14:52:23 PST Subject: Authentication at toad.com: WTF? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > From: Mark Grant > On Wed, 30 Nov 1994, The new cypherpunks signature checking agent wrote: > > > The below message was found to have a valid signature from "JEFF LICQUIA (CEI) > > " JLICQUIA at mhc.uiuc.edu. > > If you're going to do this, I'd much prefer that you put this in the > header or in a Comment: field in the PGP block. My mail program > automatically verifies all signed messages (except those that get trashed > by MIME-mailers), but if it's got cack like this at the top of the message > then it (deliberately) displays the whole thing and doesn't verify the > signature. > > This is in some respects a bug in my program, however I've been unable to > come up with a sensible method of dealing with messages when only part of > them is signed. Uh... don't think your program would have done much good with that sig anyway. 'Twas a spoof by L. Todd Masco to drive home a point (and a well-done spoof, I might add!) Out of curiosity, exactly what is your program? What platform does it run on? It might be interesting as a good solution to the auto-reply proposal, especially if it can be made cross-platform. 
From eric at remailer.net Wed Nov 30 15:11:41 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 15:11:41 PST Subject: We are ALL guests (except Eric) In-Reply-To: <3bio0m$ojh@bb.hks.net> Message-ID: <199412010010.QAA11906@largo.remailer.net> From: cactus at bb.hks.net (L. Todd Masco) Todd's good discussion of social lists addresses well some of the social aspects of a decision to modify the server to do something. It is certainly not a clear case in my mind: Eric might be able to pull it off without pissing too many people off, he might not. This discussion is part of what will determine that. What is certainly clear enough to me is that the list is certainly social enough that without discussion the endeavor would certainly fail. I'll make a prediction: requiring digital signatures will annoy most those people who are independent and don't care to be told that they should at least ostensibly provide a strong identity/posting mapping. 1. Independence. Higher levels of richness (and I mean much more than wealth) require higher levels of interaction. There is a qualitative difference between, on one hand, violence and coercion and, on the other, inducements and interactions. Both can reduce independence. Then again I don't feel that liberty and independence are what I desire most. 2. Strong mappings. Two solutions already presented here allow a workaround. Pseudonymous and one-time keys both work, as does an autosigning alternate entry point. I say great, build them. Apropos of one-time use keys, will PGP function properly on a 20 bit modulus? Another non-key would be to generate a short key and post both public and private halves.
thought that this was one of the common assumptions of this list: that anonymity as well as pseudonymity was a goal worth achieving. Requiring signatures seems several steps backwards. The first time a signature appears, it's anonymous. The second time it appears it's pseudonymous, and references the preceding message. Requiring signatures does not prevent anonymity. as I suggested last night, such a list address could be set to automatically sign all posts Why do I suspect that such a service will be available at cypherpunks at hks.net? I don't mind; I think it would be useful service and entirely compatible with what I want to accomplish. Eric From eric at remailer.net Wed Nov 30 15:21:04 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 15:21:04 PST Subject: Authentication at toad.com: WTF? In-Reply-To: <199411301638.PAA05151@seabsd.hks.net> Message-ID: <199412010019.QAA11912@largo.remailer.net> From: "L. Todd Masco" Does the idea of having the list software check signatures strike anybody else as a Bad Idea? You mean, like the proposer (me)? I think it _would_ be a bad idea to have the server check all signatures, and I said so last night. That's why I only plan on doing syntactic checks. Steve Witham understands this. Steve, didn't you used to fake all of your sigs, from the last time this got discussed? Eric From eric at remailer.net Wed Nov 30 15:32:54 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 15:32:54 PST Subject: We are ALL guests (except Eric) In-Reply-To: <9411302051.AA02048@yeti.bsnet> Message-ID: <199412010031.QAA11938@largo.remailer.net> From: dmandl at bear.com I agree with Tim that effortless encryption/signing of email is still a dream for most of us. I don't think there should be any "punishment" for not signing (not even having the non-signer's mail delayed). Delay seems to be now third on the list of potential server actions. 
First and second are adding header lines and sending back exhortations and pointers. It may be that we never need to add delay. I'm not stuck to the idea and am content to see what actually happens. Eric From jamesd at netcom.com Wed Nov 30 15:52:09 1994 From: jamesd at netcom.com (James A. Donald) Date: Wed, 30 Nov 94 15:52:09 PST Subject: We are ALL guests (except Eric) In-Reply-To: <3bio0m$ojh@bb.hks.net> Message-ID: <199411302352.PAA03703@netcom10.netcom.com> L. Todd Masco writes > On at least 3 of those lists, a list maintainer tried to take > some arbitrary unilateral action and had to later back down because > nobody was willing to put up with such shit. Same thing happened when Coca Cola tried to change their formula: Should we therefore conclude that Coke does not own coke? I did not say "Eric owns the list, so there is no point in discussing the matter." In case you have not noticed I have been arguing against the change. What I implied is that voting on it is absurd, and that arguing that Eric is not entitled to do as he pleases is absurd. -- --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we James A. Donald are. True law derives from this right, not from the arbitrary power of the omnipotent state. jamesd at acm.org From eric at remailer.net Wed Nov 30 15:53:43 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 15:53:43 PST Subject: "Cyherpunks Named Official Signing Authority" In-Reply-To: <199411302114.NAA06386@netcom20.netcom.com> Message-ID: <199412010052.QAA11972@largo.remailer.net> From: tcmay at netcom.com (Timothy C. May) If the intent of a "Compelled Signature" (tm) policy [...] Putting it in quotes doesn't prevent it from being a misrepresentation. Are you saying that adding notifications and delays is compulsion, or not? [...] 
is to get people used to signing messages, why not get them used to _verifying_ sigs as well? If the crypto hooks are there for sending mail, you're more than halfway there for receiving mail. And yes, this is also something to encourage. Your argument can be construed to say that since I can't encourage signature checking, that I should add that to my list of requirements. I've been pretty vocal about my desire for partial benefit short of what is possible. If server actions don't help signature checking, OK, well then, they don't, ca va. Imagine the P.R. value to these Net.Cops: "But even the Cypherpunks require all posts to be signed!." If the net cops are going to acknowledge a merit in a cypherpunks position, I say let them. The opportunity to educate the other listeners that signatures are not the same as personal identity is an opportunity not to be missed, especially when your opponent hands it to you. Eric From cactus at bb.hks.net Wed Nov 30 16:12:43 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 16:12:43 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199412010010.QAA11906@largo.remailer.net> Message-ID: <3bj4m6$r4a@bb.hks.net> In article <199412010010.QAA11906 at largo.remailer.net>, Eric Hughes wrote: >Todd's good discussion of social lists addresses well some of the >social aspects of a decision to modify the server to do something. Thank you! At least I've gotten _something_ out of too many years of flamewars... What makes this a difficult issue to call (for me) is that you have partial authority as an "original founder," a much more persuasive position than the bureaucratical "list maintainer" status. So, I retreat to a (much more comfortable) pragmatist stance that you might be able to pull it off, you might not. I'm not (usually) an absolutist: if you decide to do something, I'll deal. 
> I'll make a prediction: requiring digital signatures will annoy most > those people who are independent and don't care to be told that they > should at least ostensibly provide a strong identity/posting mapping. > >1. Independence. Higher levels of richness (and I mean much more than >wealth) require higher levels of interaction. There is a qualitative >difference between, on one hand, violence and coercion and, on the >other, inducements and interactions. Both can reduce independence. >Then again I don't feel that liberty and independence are what I >desire most. I think the question is not whether you desire liberty and independence but whether you desire the company of those who value liberty and independence strongly enough to abandon this forum at the slightest perceived breach of their autonomy. This is an altogether different question that has to do with communicated respect for where other people draw their own ideological lines. Tim's come out strongly against the proposal, as has James. As far as I can see, Tim's the only one that's raised the stakes to the ultimatum, "Do it and I leave" (although it's not clear whether he means the rejection or the slowdown of unsigned posts, and whether he'd instead decide to use an auto-signing service. Tim?) I think that you'll probably be able to pull off some compromise: the one that I like most is that of an independent agent or two, automatically checking all signatures and occasionally admonishing those who don't use them. The former would even be a valuable tool with far wider application than cypherpunks, esp. if written such that it could be used on newsgroups or even over NNTP.
The thing that's particularly alluring about the independent agent idea is that you don't have to (ab?)use your position as list maintainer to implement it, thus sidestepping questions from others about whether you have any sort of responsibility to subscribers and/or authority to decide or to avoid enforcing how the people known as "cypherpunks" will interact. >Apropos of one-time use keys, will PGP function properly on a 20 bit >modulus? Another non-key would be to generate a short key and post >both public and private halves. It's not clear to me; I'll have to hack some PGP code to generate one, as PGP forces a minimum of a 384 bit modulus at key generation time. I'll probably see how well it works with a 4 or 5 bit modulus: it'd be nice to be able to feasibly break the key by hand as an exercise, to underscore the unreliability of the signing agent's signatures. > as I suggested last night, such a list address could be set to > automatically sign all posts > >Why do I suspect that such a service will be available at >cypherpunks at hks.net? I don't mind; I think it would be useful service >and entirely compatible with what I want to accomplish. I actually hadn't been strongly advocating or offering such a service: this discussion has just tapped into several issues that I've been interested in for years, especially having to do with the interactions of technologically powerful peers. At this point, I don't have much of a strong feeling about signing stuff, since I've been thinking of setting up some automatic stuff on my private Amiga UNIX box. Signing c'punks posts is a pain, though, since I read news (incl. cypherpunks) on a non-private machine (IE, other people have accounts on it). OTOH, it sounds like a fun hack to do and I've been working on automatic mail agents, so it should be simple at this point. OTGH, pgp is a bigger cycle-sucker than I necessarily want to have running all the time on our poor little microVAXen.
If I can get it to deal with smaller keys, then I'll probably do it soon (what the hell). Otherwise, I'll have to wait until my own crypto package (which I described to a deafening silence months ago) is ready. -- Todd Masco | "Roam home to a dome, Where Georgian and Gothic once stood cactus at hks.net | Now chemical bonds alone guard our blond(e)s, cactus at bb.com | And even the plumbing looks good." - B Fuller From cactus at bb.hks.net Wed Nov 30 16:14:30 1994 From: cactus at bb.hks.net (L. Todd Masco) Date: Wed, 30 Nov 94 16:14:30 PST Subject: Authentication at toad.com: WTF? In-Reply-To: <199412010019.QAA11912@largo.remailer.net> Message-ID: <3bj4pv$r62@bb.hks.net> In article <199412010019.QAA11912 at largo.remailer.net>, Eric Hughes wrote: > From: "L. Todd Masco" > > Does the idea of having the list software check signatures strike > anybody else as a Bad Idea? > >You mean, like the proposer (me)? Sorry, I wasn't implying that you liked the idea: there are others on the list who've been advocating this. -- Todd Masco | "Roam home to a dome, Where Georgian and Gothic once stood cactus at hks.net | Now chemical bonds alone guard our blond(e)s, cactus at bb.com | And even the plumbing looks good." - B Fuller From eric at remailer.net Wed Nov 30 16:20:33 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 16:20:33 PST Subject: Auto-Verifying of Sigs In-Reply-To: Message-ID: <199412010119.RAA12002@largo.remailer.net> From: "JEFF LICQUIA (CEI)" Really, the only "unknown" with signed messages is whether they are valid or not; it's pretty easy to distinguish the unsigned posts. The purpose of adding a header line to mark unsigned articles is _not_ to indicate that they aren't signed, it's to editorialize on the fact that they're not signed. There has been an argument that since marking doesn't accomplish anything you couldn't already see, that it's useless. 
Fine, the premise is specious, because it's not intended to mark unsigned posts, it's to comment on them. May I propose a "better" way (you be the judge here): Proxy the job. A proxy should have its own subscription list, which makes it an opt-in system. Other than that, I think a verifying proxy is a good idea. Eric From eric at remailer.net Wed Nov 30 16:32:07 1994 From: eric at remailer.net (Eric Hughes) Date: Wed, 30 Nov 94 16:32:07 PST Subject: Shouldn't "toad" messages be signed? In-Reply-To: <199411302220.OAA08565@netcom11.netcom.com> Message-ID: <199412010130.RAA12026@largo.remailer.net> From: tcmay at netcom.com (Timothy C. May) It seems clear to me that by the logic of this thread, *all* messages passing through toad to us should naturally be _signed_. Perhaps someone else's logic. Not mine. I'm not talking about putting cryptographic material on toad. There are not only key distribution problems (for sig checking) but also security problems (for sig making). I've stated clearly two or three times now that I was planning to use syntactic and not cryptographic recognition. After all, how do we know if an "approved" message has indeed passed through toad? Someone else could be spoofing the account. This is specious. The server exists as a communication mechanism, not as an authentication mechanism. Were the list restricted, either in acceptance or in transmission, it would have authentication properties. It's not, and it doesn't. This will produce nested sigs, as I attempted to illustrate above (apologies if I got the precise syntax wrong). The precise syntax doesn't matter. The nesting problem is a weakness in PGP, which can't add on a second signature to the block at the bottom of a clearsigned message. And will today's tools allow easy extraction of first the toad sig, then the enclosed sig? I doubt it. On the other hand, my original proposal was to encourage the _making_ of signatures, not their checking.
If you insist that my proposal includes checking as a basic element, you'll be arguing against a straw man. Seems to me that if Eric wants to start encouraging use of sigs, that a good first start would be for toad to sign all messages. What Eric wants to very specifically encourage is the making of signatures on outgoing posts. Anything else is a bonus, not a premise to find inconsistency in. Eric From jamesd at netcom.com Wed Nov 30 16:38:58 1994 From: jamesd at netcom.com (James A. Donald) Date: Wed, 30 Nov 94 16:38:58 PST Subject: We are ALL guests (except Eric) In-Reply-To: <199411302019.MAA28634@netcom20.netcom.com> Message-ID: <199412010039.QAA09228@netcom10.netcom.com> Timothy C. May writes > I rarely argue in terms of > justice and fairness, so please don't imply that I have done so. Look at the title of this thread. If what you say is true, you would not have responded to this thread. The title would be meaningless or irrelevant to you. As Starr pointed out to you a long time ago, it is almost impossible to discuss human affairs without using moral categories either explicitly or implicitly. You use such categories implicitly as much as I use them explicitly. > The list could move, could become an unmoderated newsgroup, etc. I'm > not advocating this, just rejecting the "Foobar owns the list--if > Foobar tells us to wear funny hats when we post to the list, we'd damn > well better do so." There are more nuances to the issues of > "ownership" involved.) In the highly unlikely event that Eric started acting like an asshole we would move, as individuals and in different directions, but the list would not move. Existing newsgroups would change flavor as cypherpunks moved onto them. Somebody might create alt.cypherpunks, but it would have a significantly different flavor with a significantly different membership. The list would only move as a whole if Eric dropped dead or abruptly lost interest or handed it over to someone else. 
The question of who owns the list is indeed irrelevant to the question of whether the proposed change would further crypto. It is however relevant to the question of whether we should hold a vote or establish a consensus. You agree, I assume, that holding a vote is absurd. Perhaps you think that Eric should establish a consensus of "real" cypherpunks. Yet if a vote is absurd, then surely a consensus is absurd. And if you agree that neither vote or consensus is relevant, except perhaps in the sense of a marketing survey for Eric, then you agree that Eric owns the list. This list has been a success largely because Eric has followed anarchist, rather than fascist policies. Now if some other cypherpunk owned the list, the policy would have been different, not necessarily worse, but not the same, and the list would not be the same. -- --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we James A. Donald are. True law derives from this right, not from the arbitrary power of the omnipotent state. jamesd at acm.org From jrochkin at cs.oberlin.edu Wed Nov 30 16:43:32 1994 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Wed, 30 Nov 94 16:43:32 PST Subject: We are ALL guests (except Eric) Message-ID: >L. Todd Masco writes >> On at least 3 of those lists, a list maintainer tried to take >> some arbitrary unilateral action and had to later back down because >> nobody was willing to put up with such shit. > >Same thing happened when Coca Cola tried to change their formula: > >Should we therefore conclude that Coke does not own coke? If me and my friends don't like coke, we can't copy their secret formula and sell something in a red can with a white curve down the side and "Coca-cola" written on it in cursive lettering. We'll be in court in about four minutes.
If me and my friends don't like the cypherpunks list, we can start our own list called "cypherpunks." We can even get the list of subscribers from toad (it's public information), and subscribe them all to our list, although they might not appreciate it so much. Or, if we really had a problem with the signature-requirement, we could start up our own list and actually subscribe our list to cypherpunks, and cypherpunks to our list. Everyone on our list would get all cypherpunks mail, and as well as mail sent to our list specifically. And cypherpunks would get our list. So if you didn't want to sign, you could join our RebelCypherpunks list which would be identical to cypherpunks except you could contribute to it without signing, and others on our list would get your posts. If you did want to sign, joining our list would be identical to joining cypherpunks, since all mail from our list gets forwarded to cypherpunks anyhow. "Ownership" of a mailing list isn't a simple thing. The exact instance of majordomo running on toad and administered by Eric is not "the cypherpunks list." From werewolf at io.org Wed Nov 30 17:09:08 1994 From: werewolf at io.org (Mark Terka) Date: Wed, 30 Nov 94 17:09:08 PST Subject: Keyserver at kub.nl Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Anyone know if this server is down? I didn't see it in the most recent edition of the FAQ and it hasn't responded to requests lately. From dcwill at python.ee.unr.edu Wed Nov 30 17:20:49 1994 From: dcwill at python.ee.unr.edu (Dr. D.C. Williams) Date: Wed, 30 Nov 94 17:20:49 PST Subject: Warm, fuzzy, misleading feelings Message-ID: <199412010119.RAA06900@python> I've been following the dig sig fracas with great interest.
While I can see merit in both sides, the pro-sig argument is weakened by their endorsement of sig spoofing. If the object is to heighten awareness of crypto and digital signatures, what possible Good can follow from setting the example that "cypherpunks simulate signatures"?

The way I see it, either sign or don't sign, but attaching a bogus signature block to a message for the sole purpose of pacifying a mailing list requirement diminishes the significance of crypto and sullies the image of all who participate. If sigs are required, then valid sigs should be required. Make a new key pair that's used solely for the purpose of signing your list mailings. Any resulting damage to reputations or egos signed by a pilfered low security key would be no more significant than a forged message left unsigned.

By the same token, I don't see how this proposal does much to spread the Good Word. Maybe the sole intent is for the participants to share in the warm, fuzzy feelings of "doing their part". Like flying a kite for peace or dumping red paint on an already-dead furry animal carcass, the primary goal of promoting the proper use of crypto seems less important here than the _perception_ of promoting it. Not everything that feels good is good for you.

=D.C. Williams

From pfarrell at netcom.com Wed Nov 30 17:41:50 1994
From: pfarrell at netcom.com (Pat Farrell)
Date: Wed, 30 Nov 94 17:41:50 PST
Subject: "Cyherpunks Named Official Signing Authority"
Message-ID: <74242.pfarrell@netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

This thread is starting to sound a lot like a religious argument. Let's try to act like adults and hold off on the "did so" "did not" arguments. If we have to agree to disagree, fine.

Not to point at eric in the above, this is in response to one of his messages, and I don't want to increase the volume on the list by using two.
eric at remailer.net (Eric Hughes) writes:
> If the crypto hooks are there for sending mail, you're more than
> halfway there for receiving mail. And yes, this is also something to
> encourage.
>
> Your argument can be construed to say that since I can't encourage
> signature checking, that I should add that to my list of requirements.
> I've been pretty vocal about my desire for partial benefit short of
> what is possible. If server actions don't help signature checking,
> OK, well then, they don't, ca va.

There is a key point that is missed here. Let's assume you hack majordomo so that it pipes messages thru a filter to classify signatures. We get classes like:

1) "gold star: it's signed" like this message.
2) "silver star: signed by an unknown nym"
3) "non-follower alert: unsigned message"
4) "unverified key, be _very_ careful"
5) "bogus alert: fraud! fake signature" (no one we know would do that :-)

and whatever else makes sense.

So the hacked majordomo puts in a new header that classifies the message according to this taxonomy. It mails/forwards the messages to the thousands of waiting c'punks. Maybe after a delay or two.

I get the message, look at the header, and say, Hmmm. Has someone hacked the classification? Maybe we need to have majordomo sign the message/header so we know that the true c'punk classifier has verified it?

But then we ask, Hmmm, is this a hacked majordomo? After all, no sane person will read and manually verify the flood of c'punk messages. So some daemon is doing it all. And daemons can be hacked.

Pretty soon, we end up with cycles and epicycles, worse than medieval planetary motion theory. Not a winner.

I don't see a robust solution, even granting that Eric et al are smart, hardworking, etc. Anyone else see a solution? Other than dropping this thread, or sending mail to cypherpunks at c2.org, of course...
Pat

Pat Farrell      Grad Student                 pfarrell at cs.gmu.edu
Department of Computer Science    George Mason University, Fairfax, VA
Public key available via finger          #include

From turcotte at io.com Wed Nov 30 18:03:27 1994
From: turcotte at io.com (Brett Turcotte)
Date: Wed, 30 Nov 94 18:03:27 PST
Subject: Mandatory sig workaround
Message-ID: <199412010203.UAA29036@pentagon.io.com>

-----BEGIN PGP SIGNED MESSAGE-----

> From: Bob Snyder
>
> I don't sign/encrypt to
> mailing list as many people get disgruntled by it and can cause
> problems of its own.
>
>Now encryption I can see disgruntlement at but a cleartext signature?

Haven't been living in the BBS world much lately have you? There was a monster debate recently on Fidonet's Encryption Forum and some folks from Net 106 (Houston, TX, if I recall correctly) with some sysops in that region claiming that the signature was encryption and who were therefore bouncing things because they didn't want encrypted things on their boards.

Sigh....out in the world some *serious* education is needed.

Brett Turcotte.

From eric at remailer.net Wed Nov 30 18:15:37 1994
From: eric at remailer.net (Eric Hughes)
Date: Wed, 30 Nov 94 18:15:37 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <3bj4m6$r4a@bb.hks.net>
Message-ID: <199412010314.TAA12186@largo.remailer.net>

   From: cactus at bb.hks.net (L.
Todd Masco)

   What makes this a difficult issue to call (for me) is that you have partial authority as an "original founder," a much more persuasive position than the bureaucratical "list maintainer" status.

Thank god you didn't capitalize those.

   I think the question is not whether you desire liberty and independence but whether you desire the company of those who value liberty and independence strongly enough to abandon this forum at the slightest perceived breach of their autonomy.

I don't. I apply Tim's Calvinist Stoicism stance to this situation. Put crudely, if people bolt at the first sign of encroachment, fuck 'em.

There is a matter of degree here which is quite important. A small notification in the header of the message is hardly much at all. Preventing a message from going through, however, is a qualitatively different thing. If there are people who can't tell the difference, or worse yet, who won't acknowledge it, I'm not going to feel too unhappy.

   I think that you'll probably be able to pull off some compromise: the one that I like most is that of an independent agent or two, automatically checking all signatures and occasionally admonishing those who don't use them.

That and simple notification in the header. I am as yet undecided which one I think might come first.

   The former would even be a valuable tool with far wider application than cypherpunks, esp. if written such that it could be used on newsgroups or even over NNTP.

Well, I did say today that I'll get the thing working on my own personal mailbox first.

   The thing that's particularly alluring about the independent agent idea is that you don't have to (ab?)use your position as list maintainer to implement it,

This is both an advantage and a disadvantage. On one hand, harmony is maintained. (I hear the guffaws too.) On the other, the message isn't nearly as strong. To reiterate, I am willing to use my position to send a stronger message.
   OTGH, pgp is a bigger cycle-sucker than I necessarily want to have running all the time on our poor little microVAXen.

Yet another reason to have a less-than-fully secure key for that location.

Eric

From eric at remailer.net Wed Nov 30 18:21:34 1994
From: eric at remailer.net (Eric Hughes)
Date: Wed, 30 Nov 94 18:21:34 PST
Subject: Effects of Marking/Delaying Nonsigned Posts
In-Reply-To:
Message-ID: <199412010320.TAA12195@largo.remailer.net>

   From: jamiel at sybase.com (Jamie Lawrence)

   Multiply that by a possible 25% (arbitrary) of the list being delayed [...]

This afternoon I considered starting the initial delay at one minute and incrementing the delay by one minute each time a message gets delayed. Perhaps the increment would be 15 or 30 seconds--whatever. The point is that the delay would ease in slowly and folks would get a chance to adjust.

   >Having notification that a message wasn't signed was never presented
   >as one of the purposes of the proposal.

   My mistake then, I thought you had proposed marking messages as unsigned as an intermediate step.

I had proposed marking them, true, though not as notification, but rather as automated commentary. Notification is a (trivial and useless) effect of the measure, but not its purpose.

Eric

From cactus at bb.hks.net Wed Nov 30 18:56:00 1994
From: cactus at bb.hks.net (L. Todd Masco)
Date: Wed, 30 Nov 94 18:56:00 PST
Subject: We are ALL guests (except Eric)
In-Reply-To: <199412010314.TAA12186@largo.remailer.net>
Message-ID: <3bje7f$snh@bb.hks.net>

In article <199412010314.TAA12186 at largo.remailer.net>, Eric Hughes wrote:
>That and simple notification in the header. I am as yet undecided
>which one I think might come first.

FWIW, my vote would be "autonag" first.

> The thing that's particularly alluring about the independent agent idea
> is that you don't have to (ab?)use your position as list maintainer to
> implement it,
>
>This is both an advantage and a disadvantage. On one hand, harmony is
>maintained.
(I hear the guffaws too.) On the other, the message
>isn't nearly as strong. To reiterate, I am willing to use my
>position to send a stronger message.

Sure. I'm not sure the message would get through as you're framing it, though. People don't react well to messages that are put too strongly... a gentle, gradual approach is more likely to get through.

"Cypherpunks grok the importance of digital signatures" is the message you want to get through, not "Eric wants to punish people who don't use digital signatures," no?

Somebody here suggests: "I think he should send everyone who uses digital signatures a cookie. A big chocolate chip cookie." It is understood that delivery might be a problem.

I can offer habaneros. It's not clear whether that would be a stick or a carrot.

--
Todd Masco        | "Roam home to a dome, Where Georgian and Gothic once stood
cactus at hks.net  | Now chemical bonds alone guard our blond(e)s,
cactus at bb.com   | And even the plumbing looks good." - B Fuller

From werewolf at io.org Wed Nov 30 18:59:41 1994
From: werewolf at io.org (Mark Terka)
Date: Wed, 30 Nov 94 18:59:41 PST
Subject: Warm, fuzzy, misleading feelings
In-Reply-To: <199412010119.RAA06900@python>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199412010119.RAA06900 at python>, "Dr. D.C. Williams" wrote:
>
>I've been following the dig sig fracas with great interest. While
>I can see merit in both sides, the pro-sig argument is weakened
>by their endorsement of sig spoofing. If the object is to heighten
>
>The way I see it, either sign or don't sign, but attaching a
>bogus signature block to a message for the sole purpose of pacifying
>a mailing list requirement diminishes the significance of crypto
>and sullies the image of all who participate.

I'm not entirely sure, but I thought that 90% of the "anti-sig" argument was that it was a pain in the ass because the tools did not exist on some machines to allow relatively seamless signing for some users (in a secure fashion).
If that's the case.....isn't it an equal pain in the ass to go to the trouble of forging a sig? :> You would likely have to go through more key strokes and other routines to forge one. Why not just play by the rules and sign a message?

From lmccarth at ducie.cs.umass.edu Wed Nov 30 19:26:03 1994
From: lmccarth at ducie.cs.umass.edu (L. McCarthy)
Date: Wed, 30 Nov 94 19:26:03 PST
Subject: Hazards of encouraging forged dig sigs
In-Reply-To:
Message-ID: <199412010326.WAA22171@ducie.cs.umass.edu>

-----BEGIN PGP SIGNED MESSAGE-----

Mark Terka writes:
> If that's the case.....isn't it an equal pain in the ass to go to the trouble
> of forging a sig? :> You would likely have to go through more key strokes and
> other routines to forge one. Why not just play by the rules and sign a
> message?

I imagine it would be a breeze to attach a forged PGP sig to every message using most mailers etc. The signature block is easy -- simply append it to the contents of the .sig autoappended by many mailers/newsreaders. All that remains is a macro or a bit of cutting & pasting to toss in the --- BEGIN PGP line at the top.

Now that Eric has made it abundantly clear he envisions syntactic but not semantic checks of sigs, I am opposed to the proposition. I foresee a situation in which a large portion of the list traffic uses forged or meaningless signing-server-appended dig sigs. When I establish automatic signature validation for incoming mail here Real Soon Now, there will be plenty of noise generated by all the `false' negatives in the data to make a mockery of the authentication process.
Encouraging cryptographically valid signatures was the first suggestion I'd seen in this entire debate which seemed to promise tangible benefits; encouraging cryptographically invalid signatures is the first notion which appears to offer tangible detriment.

Disclaimer acronym of the day: ECDWHW. Eric Can Do Whatever He Wants.

BTW, Tim, why do you seem so surprised by JD's style of discourse? Just mention Chomsky and be done with the damn thing, it's not going to be productive anyway.

- -L. Futplex McCarthy; PGP key by finger or server
"Don't say my head was empty, when I had things to hide...." --Men at Work

From pstemari at fsp.fsp.com Wed Nov 30 19:58:07 1994
From: pstemari at fsp.fsp.com (Paul Ste. Marie)
Date: Wed, 30 Nov 94 19:58:07 PST
Subject: Need program pointers
In-Reply-To: <199411270330.WAA02572@freenet3.carleton.ca>
Message-ID: <9412010358.AA16958@fsp.fsp.com>

> There is a commonly-held belief that there is a US government standard
> for declassifying magnetic media which involves overwriting it three
> times. In fact this method is for declassifying core (computer memory)
> rather than magnetic media. The government standard for declassifying
> magnetic media probably involves concentrated acid, furnaces, belt
> sanders, or any combination of the above.

For magnetic media, which includes core :), I believe the standard is overwriting the info alternately with 0's and 1's 100x.

Paul

From unicorn at access.digex.net Wed Nov 30 20:03:45 1994
From: unicorn at access.digex.net (Black Unicorn)
Date: Wed, 30 Nov 94 20:03:45 PST
Subject: Need program pointers
In-Reply-To: <9412010358.AA16958@fsp.fsp.com>
Message-ID:

On Wed, 30 Nov 1994, Paul Ste.
Marie wrote:

> > There is a commonly-held belief that there is a US government standard
> > for declassifying magnetic media which involves overwriting it three
> > times. In fact this method is for declassifying core (computer memory)
> > rather than magnetic media. The government standard for declassifying
> > magnetic media probably involves concentrated acid, furnaces, belt
> > sanders, or any combination of the above.
>
> For magnetic media, which includes core :), I believe the standard is
> overwriting the info alternately with 0's and 1's 100x.
>
> Paul
>

Close contact with a thermite grenade is the standard most agencies I know of follow.

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!

From rshea at netcom.com Wed Nov 30 20:56:49 1994
From: rshea at netcom.com (rex)
Date: Wed, 30 Nov 94 20:56:49 PST
Subject: "You aren't following the _rules_!"
In-Reply-To: <9411302011.AA10944@prism.poly.edu>
Message-ID:

> I usually dial in to poly, I don't have (yet) a unix box on the net
> to make signing easy. Until the DOS or Mac versions of PGP include
> a built in terminal and mailer...

You can use uqwk to download/upload both news and mail. You can then read/reply with an offline reader like yarn or ReadMail. Yarn has hooks to PGP, so signing a message is a menu choice. Installation could be easier, but once it's done, the combo works very smoothly.
-rex

From skaplin at skypoint.com Wed Nov 30 22:20:23 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Wed, 30 Nov 94 22:20:23 PST
Subject: Sign-or-delay
In-Reply-To: <9411300425.AA21554@anchor.ho.att.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <9411300425.AA21554 at anchor.ho.att.com>, you wrote:
> -----BEGIN PGP SIGNED MESSAGE----- (Error in ASCII armour)
>
> -----BEGIN PGP SIGNATURE-----
> Version: 3.2beta
>
> AjtHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTurexZ
> ITsBoGustHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgNaaTuretHiSiSnOtAsIgfoo
> ReAlLyTrUsTmetHiSiSnOtAsIgNaaTureLouisFreehWasHeretHiSiSnOtAsIgN
> tAsIgNaaT
> -----END PGP SIGNATURE-----

Cute!!! Kind of like Kevin Neelan's subliminal bit on SNL.

==============================================================================
When smashing monuments, save the pedestals - they always come in handy.
 - Stanislaw Lec
==============================================================================
skaplin at skypoint.com                    | "...vidi vici veni" - Overheard
                                         | outside a Roman brothel.
PGP encrypted mail is accepted and       |
preferred.                               | Change is the only constant in the
                                         | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or  |
Finger skaplin at mirage.skypoint.com    | Smile!! Big brother is watching.
==============================================================================

From skaplin at skypoint.com Wed Nov 30 22:20:34 1994
From: skaplin at skypoint.com (Samuel Kaplin)
Date: Wed, 30 Nov 94 22:20:34 PST
Subject: "You aren't following the _rules_!"
In-Reply-To:
Message-ID: <7SMtkKjqRa71075yn@skypoint.com>

-----BEGIN PGP SIGNED MESSAGE-----

In article , you wrote:
> > I usually dial in to poly, I don't have (yet) a unix box on the net
> > to make signing easy. Until the DOS or Mac versions of PGP include
> > a built in terminal and mailer...
>
> You can use uqwk to download/upload both news and mail. You can then
> read/reply with an offline reader like yarn or ReadMail. Yarn has hooks
> to PGP, so signing a message is a menu choice. Installation could be
> easier, but once it's done, the combo works very smoothly.

Even better yet use AUTOPGP and everything is signed automagically.

==============================================================================
One of the weaknesses of our age is our apparent inability to distinguish our needs from our greeds.
 - Don Robinson, quoted in "Reader's Digest", 1963
==============================================================================
skaplin at skypoint.com                    | "...vidi vici veni" - Overheard
                                         | outside a Roman brothel.
PGP encrypted mail is accepted and       |
preferred.                               | Change is the only constant in the
                                         | Universe..."Four quarters, please."
E-mail key at four11.com for PGP Key or  |
Finger skaplin at mirage.skypoint.com    | Smile!! Big brother is watching.
==============================================================================

From shamrock at netcom.com Wed Nov 30 22:51:08 1994
From: shamrock at netcom.com (Lucky Green)
Date: Wed, 30 Nov 94 22:51:08 PST
Subject: Hazards of encouraging forged dig sigs
Message-ID: <199412010651.WAA21620@netcom11.netcom.com>

-----BEGIN PGP SIGNED MESSAGE-----

"L.
McCarthy" wrote:

>Now that Eric has made it abundantly clear he envisions syntactic but not
>semantic checks of sigs, I am opposed to the proposition. I foresee a
>situation in which a large portion of the list traffic uses forged or
>meaningless signing-server-appended dig sigs.

Perhaps, though I doubt it. I still think that "incentivising" (I just love this word) the use of crypto on this list will lead to better tools and therefore to more people in the world at large using crypto. Since that is what we all want, can't we at least give it a try? There is nothing to lose and everything to gain.

- -- Lucky Green PGP encrypted mail preferred.
"The very atmosphere of firearms anywhere and everywhere restrains evil interference - they deserve a place of honor with all that's good."

From abostick at netcom.com Wed Nov 30 23:56:31 1994
From: abostick at netcom.com (Alan Bostick)
Date: Wed, 30 Nov 94 23:56:31 PST
Subject: The Market for Crypto--A Curmudgeon's View
In-Reply-To: <199411300734.XAA10429@largo.remailer.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

In article <199411300734.XAA10429 at largo.remailer.net>, you wrote:

> Let me be REAL clear about this. The immediate proposal is to mark
> and possibly delay unsigned messages to the list.

In my view, delaying unsigned messages is only moderately better than dropping them. It punishes users for having non-crypto-friendly email setups (and makes things somewhat more confusing for other list readers, even the ones who sign their messages).

> From: tcmay at netcom.com (Timothy C.
May)
>
> Not to trivialize this proposal by frivolously insulting it, but
> consider a mailing list that decided to delay/bounce any messages that
> were not written in TeX, or in Acrobat, or whatever.
>
> I don't think you are frivolously insulting it, but I do think you are
> ignoring the basic distinction I made about the difference between
> measures which prevent use and measures which do not. The use of the
> syntax "delay/bounce" denies exactly this distinction.

Yes, but you are denying the way in which delaying, like bouncing, actively interferes with the timely forwarding of non-signers' messages, while merely marking them is a more passive form of harassment.

Yes, there is a distinction between delaying and bouncing. There is also a distinction between battery and homicide.

You keep insisting that delaying unsigned messages does not interfere with non-signers' abilities to participate in the discussion. I say you are wrong. It's a positive hindrance. It punishes people for circumstances that may well be beyond their control. It's a bad idea.

You maintain the list, you can do what you want. As you can plainly see (Tim's right on this one), I sign my posts to the list, and my posts would get the favored treatment. No one can stop you; but if you do something that makes valued contributors take a walk, you wouldn't be doing the list any favors.

(Are you going to make sure that all the signatures are valid, or will you accept someone sticking a PGP signature into their .sig and using it over and over?)

                          | In the other room I passed by Ellen Leverenz as
Alan Bostick              | someone asked her "Do you know any monopole
abostick at netcom.com    | jokes?"
finger for PGP public key | "Sure," she said. "In fact, I know two of them."
Key fingerprint:          | -- Terry Carr, GILGAMESH
50 22 FB 46 41 A3 17 9D F7 33 FF E1 4E 1C 89 79
+legal_kludge=off
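
The question that closes the message above, and the earlier distinction between syntactic and semantic checks of sigs, illustrated with an added example that is not code from the list, majordomo or PGP: a syntax-only classifier accepts the same signature block under two different bodies. The function names and the sample packet are constructed for illustration; the armor checksum and version 3 signature layout follow RFC 4880, and only the old-format 0x89 packet header is handled.

```python
import base64
import struct

def crc24(data: bytes) -> int:
    """CRC-24 behind the '=XXXX' armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def parse_v3_signature(packet: bytes):
    """Read the header fields of a version 3 signature packet, or return None.

    Narrowed to the old-format header byte 0x89 (signature tag, two-byte length).
    """
    if len(packet) < 22 or packet[0] != 0x89:
        return None
    body = packet[3:]
    if struct.unpack(">H", packet[1:3])[0] != len(body) or body[:2] != b"\x03\x05":
        return None
    sig_type, created, key_id, pk_alg, hash_alg = struct.unpack(">BI8sBB", body[2:17])
    return {"sig_type": sig_type, "created": created, "key_id": key_id.hex().upper(),
            "pk_alg": pk_alg, "hash_alg": hash_alg}

def syntactic_check(message: str):
    """Classify a message by armor syntax alone; no public key is consulted."""
    lines = message.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        end = lines.index("-----END PGP SIGNATURE-----", sig)
    except ValueError:
        return "unsigned", None
    block = lines[sig + 1:end]
    if "" not in block:                       # armor headers end at a blank line
        return "malformed", None
    data = block[block.index("") + 1:]
    if len(data) < 2 or not data[-1].startswith("="):
        return "malformed", None              # no checksum line
    try:
        packet = base64.b64decode("".join(data[:-1]), validate=True)
        check = base64.b64decode(data[-1][1:], validate=True)
    except ValueError:
        return "malformed", None
    if len(check) != 3 or int.from_bytes(check, "big") != crc24(packet):
        return "malformed", None
    fields = parse_v3_signature(packet)
    if fields is None:
        return "malformed", None
    # Every value in `fields` is a claim made by the block, not a verified fact:
    # nothing here ties the block to the message body or to a key holder.
    return "well-formed, unverified", fields

# --- constructed sample input (not real PGP output) ---
def sample_packet() -> bytes:
    body = (b"\x03\x05\x01" + struct.pack(">I", 786240000)     # version, 5, type, time
            + bytes.fromhex("0123456789ABCDEF") + b"\x01\x01"  # key ID, RSA, MD5
            + b"\x12\x34" + struct.pack(">H", 64) + bytes(range(0x80, 0x88)))
    return b"\x89" + struct.pack(">H", len(body)) + body

def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: constructed", "",
                      *rows, "=" + crc, "-----END PGP SIGNATURE-----"])

def clearsign(body: str, sig_block: str) -> str:
    return "-----BEGIN PGP SIGNED MESSAGE-----\n\n" + body + "\n" + sig_block + "\n"

BLOCK = armor(sample_packet())
ORIGINAL = clearsign("I sign my posts to the list.", BLOCK)
REUSED = clearsign("A different post with the same block pasted in.", BLOCK)
BOGUS = clearsign("hello", "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                  "nOtAsIgNaTuRenOtAsIgNaTuRe\n-----END PGP SIGNATURE-----")

if __name__ == "__main__":
    for name, msg in [("original", ORIGINAL), ("reused", REUSED), ("bogus", BOGUS),
                      ("plain", "no signature here")]:
        print(name, syntactic_check(msg))
```

A list-side filter built this way can tell a hand-typed fake from a well-formed block, but it gives the reused block the same result as the original; telling those apart requires verifying the signature against the body with the signer's public key.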