Security Group Seminar, 10th October 1995

Speaker:
Bill Chambers, King's College, University of London

Date:
Tuesday 10th October

Place:
Room TP4, Computer Laboratory

Title:
PROBLEMS OF STREAM CIPHER GENERATORS WITH MUTUAL CLOCK CONTROL

The speaker has been looking at the cycle structure of an algorithm posted just over a year ago on the Internet and alleged to be the secret A5 algorithm used for confidentiality in the GSM mobile telephone system. This algorithm employs three mutually clock-controlled shift registers, and can fairly quickly enter a loop with what is essentially the shortest possible period, a number very small compared with the total number of states, or even its square root. Moreover this behaviour is robust, not being influenced by factors such as choice of primitive feedback polynomial or even clocking logic (with a proviso to be discussed). A fairly straightforward explanation for this behaviour has been found. Some ways of getting around the problem of excessively short periods are considered, as well as the behaviour of systems with different numbers of mutually clocked registers. In particular a mention is made of the wartime T52e cipher, perhaps the inspiration for "alleged A5".
From rah at shipwright.com Sun Dec 17 01:51:04 1995 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 17 Dec 1995 17:51:04 +0800 Subject: (fwd) Showdown over e-cash Message-ID: --- begin forwarded text X-Sender: dmk at zp.tempo.att.com Mime-Version: 1.0 Date: Sat, 16 Dec 1995 20:27:29 -0500 To: www-buyinfo at allegra.att.com From: allegra!dmk at uunet.uu.net (Dave Kristol) Subject: Showdown over e-cash Take a look at the article by that title at http://www.upside.com/resource/print/9601/ecash.html It's a provocative and rather breathless account of the forthcoming demise of banks as we know them, brought on by electronic transactions. Dave Kristol --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From ncognito at gate.net Sun Dec 17 02:37:47 1995 From: ncognito at gate.net (Ben Holiday) Date: Sun, 17 Dec 1995 18:37:47 +0800 Subject: Secured RM ? (source) In-Reply-To: <199512170428.PAA22362@sweeney.cs.monash.edu.au> Message-ID: On Sun, 17 Dec 1995, Jiri Baum wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > There's no automatic rm that will also delete all backups of the file. > (You are keeping backups, aren't you?) > In this particular case what im concerned about is a temporary cleartext copy of a permanently encrypted document. The cleartext only exists for about 1-4 seconds, and then is deleted, so backups arent really a problem.. From dsmith at midwest.net Sun Dec 17 18:43:47 1995 From: dsmith at midwest.net (David E. Smith) Date: Sun, 17 Dec 95 18:43:47 PST Subject: Motorola Secure Phone Message-ID: <199512180304.VAA12327@cdale1.midwest.net> At 04:34 PM 12/15/95 -0800, you wrote: > My AT&T 900 (or is it 9000?) MHz digital cordless phone says >the same thing. I figure it uses a weak cryptosystem. There is >something about key setup when you return the handset to the base. > (The phone was $200, FWIW) That just refers to the fact that it is no longer legal to sell scanners that can listen in to that range. The same is true of the 800 MHz band (used for a lot of cellular phone traffic). Ah, I love my really old scanner that isn't bound by such limitations... (BTW, a couple of years ago Nuts & Volts ran an article with information on a program and some toys that let a laptop computer, properly wired into a cell phone, act as a cell scanner. Never did wire it up, but it looked like fun ;) ObCrypto: um, if you can find it, let me know :) ----- David E. Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745, +1(573)339-3814 PGP ID 0x92732139, homepage http://www.midwest.net/scribers/dsmith/ Dec15-Jan15: (618)244-3340/2209 Perkins, Mt Vernon IL 62864Quote: "If I wanted thrills and danger and lots of rampant violence, I coulda been a postal worker!" -- Ben, "Sensational Spider-Man" From rick at muskoka.net Sun Dec 17 19:17:32 1995 From: rick at muskoka.net (Richard D. Sheffar) Date: Sun, 17 Dec 95 19:17:32 PST Subject: BIO-MUNITION: gifs of perl-RSA tattoo In-Reply-To: <730.9512122013@exe.dcs.exeter.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 12 Dec 1995 aba at atlas.ex.ac.uk wrote: > > People have been reading the list for a while will be familiar with > this piece of perl code used as a non-exportable, supposedly ITAR > controlled .sig: > > > #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL > $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa > 2/d0 pack('H*',$_)while read(STDIN,$m,($w=2*$d-1+length($n)&~1)/2) > Okay, I admit it I don't know everything. What does the perl script actually do. I saved to file, chmod 777 perly tried running the script and kept getting error line 3. What does it do, does it encrypt a file or what. What Have i done wrong? -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: PGP Signed with PineSign 2.2 iQBVAgUBMNTcedZnjIiISvIVAQF7IwH7BufPIuyXuJy6LJOsUnxJYIzv7GAly4FL OWL8xHaKZb/7Ltepmeyd988TM+3DAmIDzEW2EdX5Nwia8Scst3TnoA== =/gW7 -----END PGP SIGNATURE----- Please report any Strange behaviour by the Mail Monster to rick at muskoka.net ****************************************************************************** send mail w/ subject 'send help', To get Commands accepted by Mail Monster. rick at muskoka.net rick.sheffar at primetime.org PGP encrypted mail accepted and preferred! PGP key ID 0x884af215 PGP key finger print = 01 49 EA C6 42 90 21 02 9D CB 19 7E E3 23 66 58 ****************************************************************************** From ylo at cs.hut.fi Sun Dec 17 03:25:19 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Sun, 17 Dec 1995 19:25:19 +0800 Subject: Encrypted telnet... In-Reply-To: <9512151848.AA20590@spirit.aud.alcatel.com> Message-ID: <199512170136.DAA02488@trance.olari.clinet.fi> > I am looking for an encrypted telnet (or rlogin/etc) package > that supports a Windoze client. > > It looks like all the normal ones that I can find > (SSH, SRA telnet, SSLtelnet, etc) are just under Unixoids. > Don't get me wrong - I would prefer to use Unix, but I am > headed off to locations, where I know all I'll have access to > is Windows, with a PPP stack to some ISP. A preliminary windows client for SSH was recently announced by Cedomir Igaly . I am also working on a windows client myself, and expect early beta versions to be available in early January, and an official version in late February. [For more information on ssh, see http://www.cs.hut.fi/ssh.] Tatu From jirib at sweeney.cs.monash.edu.au Sun Dec 17 04:36:03 1995 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Sun, 17 Dec 1995 20:36:03 +0800 Subject: kocher's timing attack In-Reply-To: <199512150203.VAA00869@opine.cs.umass.edu> Message-ID: <199512170409.PAA22283@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello cypherpunks at toad.com (Cypherpunks Mailing List) and futplex at pseudonym.com (Futplex) Futplex writes: ... [in reply to others] ... > You are overlooking the main point that this is a _timing_ attack. Unless ... > Just beware of > people with extremely precise stopwatches at key signing parties ;> Hold on, you *never* sign directly at key signing parties! Never take your key where: - it could be stolen - you suspect others may wish to influence your signing - somebody might spy your passphrase (hidden cameras in ceiling) You take fingerprints, and sign when you get back home. Re the timing subject, do you think it'd make a good party trick? * Think of a number between 20 and 30. * for 4-5 numbers a, "Multiply the orignal number by " * the number you are thinking of is Now, anybody have statistics for mental arithmetic? Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMNOXuyxV6mvvBgf5AQFEtgP/Wf5I205BAuqiuSEwkslbGP0nwV8ylA0G nnmS1FFJjFkkfICxEp+/C0iQqLcYpp1ytio+yyWmAE+nDEomcmnQb40ElGjYB/2m btP6cT9ozfM8lXY6Tfn+G+kduZWfpKyngoMDSPzYSNAuizD5qyUodYJXyjfz4y0p BoXBMwB9IUA= =EpU4 -----END PGP SIGNATURE----- From holovacs at styx.ios.com Sun Dec 17 07:18:24 1995 From: holovacs at styx.ios.com (Jay Holovacs) Date: Sun, 17 Dec 1995 23:18:24 +0800 Subject: Is ths legal?... (fwd) Message-ID: On Sun, 17 Dec 1995, Declan B. McCullagh wrote: > Exactly. If Oklahoma University is private, it can establish and enforce > policies that would be unconstitutional at public schools. Those > policies become part of the contract and a student must abide by them, > except when they are administered arbitrarily and capriciously. At a > public universities, students probably would have more freedom to > challenge this policy. Think about this principle in light of the current political climate toward "privatization." Moves to privatize schools, prisons, even police forces in a few communities. Sounds like a good way around all those constitutional protections. > A recent article from the school's student newspaper says: > > "In the third part, the policy states that the university reserves the > right of access to user e-mail... It seems to me that there is some legal status to email established by Congress in the late '80s, especially that which comes in from outside with 'some expectation' of privacy. I've got to rummage around for the details however. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email for key From holovacs at styx.ios.com Sun Dec 17 07:22:38 1995 From: holovacs at styx.ios.com (Jay Holovacs) Date: Sun, 17 Dec 1995 23:22:38 +0800 Subject: Is ths legal?.. (fwd) Message-ID: This is the reference I couldn't find for my previous post. It would seem to have some relevance here Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. ss 2510 et seq.). "It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire *or electronic* communication service, whose facilities are used in the trans- mission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks." 18 USC section 2510(2)(a)(i). Doesn't seem to leave much room for snooping on contents of messages. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email me for key From unicorn at schloss.li Sun Dec 17 07:50:30 1995 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 17 Dec 1995 23:50:30 +0800 Subject: Is ths legal?.. (fwd) In-Reply-To: Message-ID: On Sun, 17 Dec 1995, Jay Holovacs wrote: > > > This is the reference I couldn't find for my previous post. It would seem > to have some relevance here > > Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. ss 2510 > et seq.). "It shall not be unlawful under this chapter for an operator of > a switchboard, or an officer, employee, or agent of a provider of wire *or > electronic* communication service, whose facilities are used in the trans- > mission of a wire communication, to intercept, disclose, or use that > communication in the normal course of his employment while engaged in any > activity which is a necessary incident to the rendition of his service or > to the protection of the rights or property of the provider of that > service, except that a provider of wire communication service to the > public shall not utilize service observing or random monitoring except for > mechanical or service quality control checks." 18 USC section > 2510(2)(a)(i). > > Doesn't seem to leave much room for snooping on contents of messages. I disagree. Instead it implies that interception and administrative review of content will be tolerated where it is "a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service." Note that it will be the provider who makes the definition in the ex ante application. Even worse, the protection that is given is for "a provider of wire communication service to the public." I would be very surprised if, 1> "provider" was anything but a narrowly drawn definition, 2> provider to the public is not specifically narrowed as well. > Jay Holovacs > PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 > (KEY id 1024/80E4AA05) email me for key > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nobody at REPLAY.COM Sun Dec 17 07:59:20 1995 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 17 Dec 1995 23:59:20 +0800 Subject: BosniaLINK Message-ID: <199512171340.OAA14680@utopia.hacktic.nl> URL: http://www.dtic.dla.mil/bosnia/ BosniaLINK Banner Welcome to BosniaLINK, the official Department of Defense information system about U.S. military activities in Operation JOINT ENDEAVOR, the NATO peacekeeping mission in Bosnia. This system is provided by the Office of the Assistant to the Secretary of Defense for Public Affairs. All information in BosniaLINK is publicly released information from the U.S. government or NATO headquarters. BosniaLINK contains operation maps, fact sheets, news releases, biographies of key commanders and leaders, and transcripts of briefings, speeches and testimony. It is also hyperlinked to the NATO and State Department information services. _________________________________________________________________ Contents * Maps (Dec 8) * Fact Sheets (Dec 12) * News Releases (Dec 15) * Photos (Dec 15) * Biographies of Key Commanders and Leaders (Dec 15) * Transcripts of Briefings (Dec 15) * Speeches and Testimony (Dec 15) _________________________________________________________________ RELATED SITES FOR BOSNIA INFORMATION Air Force Role in Bosnia NATO U.S. State Department: U.S. Policy on Bosnia Navy News Service: Bosnia Operations _________________________________________________________________ BosniaLINK is provided through the cooperative efforts of the Office of The Assistant to the Secretary of Defense (Public Affairs), and the Defense Technical Information Center. This is a government computer system. _________________________________________________________________ DefenseLINK Home From holovacs at styx.ios.com Sun Dec 17 08:02:45 1995 From: holovacs at styx.ios.com (Jay Holovacs) Date: Mon, 18 Dec 1995 00:02:45 +0800 Subject: Is ths legal?.. (fwd) In-Reply-To: Message-ID: On Sun, 17 Dec 1995, Black Unicorn wrote: > > I disagree. Instead it implies that interception and administrative > review of content will be tolerated where it is "a necessary incident to > the rendition of his service or to the protection of the rights or > property of the provider of that service." Note that it will be the > provider who makes the definition in the ex ante application. > The provider is allowed access ONLY for QC purposes. Getting back to thhe original point, the provider's ability to interpret the contents of the message is in no way required to monitor the system and cannot be used as a justification in itself for prohibiting use of crypto. Also, what if someone outside the system emails encrypted messages to the user. What authority would the sys admin have there?? Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email for key From perry at piermont.com Sun Dec 17 10:12:24 1995 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 18 Dec 1995 02:12:24 +0800 Subject: BosniaLINK In-Reply-To: <199512171340.OAA14680@utopia.hacktic.nl> Message-ID: <199512171747.MAA06815@jekyll.piermont.com> What I want to know is this: why the hell do you think this is interesting to cypherpunks, and why do people like you continue to post random URLs, news stories, etc, that have nothing to do with cryptography, privacy, or anything else remotely discussed on this mailing list, even though lots of people repeatedly state that it isn't desired? Are you an NSA operative attempting to reduce our effectiveness, or just from a drug company hoping to raise our blood pressure? .pm Anonymous writes: > > URL: http://www.dtic.dla.mil/bosnia/ > > BosniaLINK Banner > > Welcome to BosniaLINK, the official Department of Defense > information From unicorn at schloss.li Sun Dec 17 11:54:49 1995 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 18 Dec 1995 03:54:49 +0800 Subject: Is ths legal?... In-Reply-To: Message-ID: On Sat, 16 Dec 1995, Robert A. Hayden wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > On Sat, 16 Dec 1995, tallpaul wrote: > > > Second, if it is true, people frequently define the ability to do something > > as a "privledge" not a "right." As in a hypothetical "Use of student > > accounts at O.U. is a privledge extended to the students by the University. > > By using our computer you keep to our rules, including abandoning any > > notion you might have that your communications are in any way private" etc. > > etc. > > I believe there is a supreme court case that essentially says that a > public entity cannot define something as either privledge or right. I this ruling would prevent the Supreme Court from defining something as a privledge or right. It would also pose this limitation on states, as they are public entities, and thus driver's licenses cannot be defined as one or the other, which as we all very well know, they are. I'm > not sure the name, but the EFF has an abstract available. > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > Comment: PGP Signed with PineSign 2.2 > > iQCVAwUBMNN6WjokqlyVGmCFAQG6BwQAqqJhzk7BzJ+9Gmbl8Esf+8zcxVzEfAw+ > GgPr8AMNz0KzgkOHDZsQOwqFM5wVqkpk8bzSUTCHu5YW8/ORfXHB7b/lmn03qkBd > ZZFEldfhoZFINfm4tdAd/8YfWF0WZeXiuDsRqJA/V4iRyIRj9+axpUPOFefDqkMD > gQR8KyPuSrw= > =Wagv > -----END PGP SIGNATURE----- > > ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu > \ /__ Finger for Geek Code Info <=> Finger for PGP Public Key > \/ / -=-=-=-=-=- -=-=-=-=-=- > \/ http://krypton.mankato.msus.edu/~hayden/Welcome.html > > -----BEGIN GEEK CODE BLOCK----- > Version: 3.1 > GED/J d-- s:++>: a-- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+ > K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++ > R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+** > ------END GEEK CODE BLOCK------ > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Sun Dec 17 11:55:57 1995 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Dec 1995 03:55:57 +0800 Subject: Political Cleanup program Message-ID: Politics is traditionally corrupt, it appears, because donors to politicians and political campaigns expect a quid pro quo for their donations. Various unsatisfactory solutions include campaign spending limits, etc. It occurs to me that it would be a major advance if a system could be set up that would "blind" campaign donations as to their source: The donor could be satisfied that his donation gets to the candidate or cause, but the candidate couldn't know who actually paid the money (and the donor would be unable to prove that he made a donation, for example). Admittedly there are a lot of details that need to be worked out, but if this could be accomplished it would change politics as we know it. From declan+ at CMU.EDU Sun Dec 17 11:56:02 1995 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Dec 1995 03:56:02 +0800 Subject: Is ths legal?... In-Reply-To: <199512170131.UAA03707@pipe6.nyc.pipeline.com> Message-ID: Excerpts from internet.cypherpunks: 16-Dec-95 Re: Is ths legal?... by tallpaul at pipeline.com > Second, if it is true, people frequently define the ability to do something > as a "privledge" not a "right." As in a hypothetical "Use of student > accounts at O.U. is a privledge extended to the students by the University. > By using our computer you keep to our rules, including abandoning any > notion you might have that your communications are in any way private" etc. > etc. Exactly. If Oklahoma University is private, it can establish and enforce policies that would be unconstitutional at public schools. Those policies become part of the contract and a student must abide by them, except when they are administered arbitrarily and capriciously. At a public universities, students probably would have more freedom to challenge this policy. A recent article from the school's student newspaper says: "In the third part, the policy states that the university reserves the right of access to user e-mail... Personal passwords may not be used to prevent access. In the fourth part, the policy states that e-mail is neither private nor confidential. The fifth part states important documents should be saved in the computer or converted to hard copy." (http://www.uoknor.edu/okdaily/issues/fall1995/dec-7/1-email.processed.html) To me, "personal passwords" sounds like a student newspaper trying to say "encryption." I've copied this message to a grad student privacy advocate quoted in the article and to the student newspaper. Perhaps they can shed more light on the situation. The best way to work against totalitarian administrators is to shine a bright light on their repressive policies. -Declan From declan+ at CMU.EDU Sun Dec 17 12:31:23 1995 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Dec 1995 04:31:23 +0800 Subject: Is ths legal?... In-Reply-To: Message-ID: Disclaimer: I'm not a lawyer. Harvey is. (And a pretty damn good one, too.) -Declan ---------- Forwarded message begins here ---------- Date: Sun, 17 Dec 1995 14:38:24 +0001 (EST) From: Harvey A Silverglate Subject: Re: Is ths legal?... To: "Declan B. McCullagh" In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Declan - The answer to the "is this legal?" question is more complex than simply "private versus public" university. There are fairly strict federal anti-wiretapping laws. It is hardly clear that a private university may eavesdrop on students' phone or computer conversations, even if conducted over the university's network. Furthermore, many states have their own anti-wiretap and anti-eavesdrop laws, which are even stricter than federal standards. I don't have the time nor the inclination to do research into Oklahoma law, but we did some research into this area of state and federal law for the LaMacchia case and concluded that in its investigation of David LaMacchia, MIT very well might have violated federal laws. Harvey Silverglate From rcooper at the-wire.com Sun Dec 17 12:41:53 1995 From: rcooper at the-wire.com (Russ Cooper) Date: Mon, 18 Dec 1995 04:41:53 +0800 Subject: Political Cleanup program Message-ID: <01BACC91.AB611320@rcooper.the-wire.com> A much simpler solution might be to just force all politicians to give up their campaign funds when they retire, or even better, immediately following the elections. Today, whatever is left in their campaign funds are given over to them when they retire or are forced out of office, on top of their lucrative pensions. Cheers, Russ From alano at teleport.com Sun Dec 17 13:04:25 1995 From: alano at teleport.com (Alan Olsen) Date: Mon, 18 Dec 1995 05:04:25 +0800 Subject: Political Cleanup program Message-ID: <2.2b7.32.19951217203129.0089fe34@mail.teleport.com> At 11:04 AM 12/17/95 -0800, you wrote: >It occurs to me that it would be a major advance if a system could be set up >that would "blind" campaign donations as to their source: The donor could >be satisfied that his donation gets to the candidate or cause, but the >candidate couldn't know who actually paid the money (and the donor would be >unable to prove that he made a donation, for example). Admittedly there are >a lot of details that need to be worked out, but if this could be >accomplished it would change politics as we know it. I think you would see alot less donations by the corporate powers that be and the favormongers. (Which is why such a system will probibly never come into existance.) It would be a good step in the right direction. However... I live in a state which just inacted a series of campaign reforms. The first thing the lobbyists did was find a way to exploit every loophole possible to get around that legislation. Such a system would have to be pretty tight and pretty specific. (And therefore will be fought against by almost every politician ansd lobbyiest on the planet.) The fundraising dinners will certainly have to go... > > > > > > > | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"It's only half a keyserver. I had to split the | Disclaimer: | |other half with the government man." - R. Rococo | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From jya at pipeline.com Mon Dec 18 05:54:49 1995 From: jya at pipeline.com (John Young) Date: Mon, 18 Dec 95 05:54:49 PST Subject: GLO_bul Message-ID: <199512181354.IAA29000@pipe1.nyc.pipeline.com> 12-18-95. NYPaper: "His Goal: Keeping the Web Worldwide." An adoration of selfless Tim Berners-Lee with a pan gloss of the World Wide Web Cartel. "From Mainframes to Global Networking." I.B.M.'s selfless strategy for Net supremacy, hand-in-hand with altruistic AT&T and eleemosynary Microsoft. GLO_bul (17kb) From unicorn at schloss.li Sun Dec 17 14:00:59 1995 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 18 Dec 1995 06:00:59 +0800 Subject: Is ths legal?.. (fwd) In-Reply-To: Message-ID: On Sun, 17 Dec 1995, Jay Holovacs wrote: > > On Sun, 17 Dec 1995, Black Unicorn wrote: > > > > I disagree. Instead it implies that interception and administrative > > review of content will be tolerated where it is "a necessary incident to > > the rendition of his service or to the protection of the rights or > > property of the provider of that service." Note that it will be the > > provider who makes the definition in the ex ante application. > > > The provider is allowed access ONLY for QC purposes. This is only explicit with regards to public providers. Getting back to thhe > original point, the provider's ability to interpret the contents of the > message is in no way required to monitor the system and cannot be used as > a justification in itself for prohibiting use of crypto. Oh? What if I say that I need to monitor e-mail for data corruption? Also, you might consider the definition of "intercept." I suspect it's a bit wider than you are accounting for. > Also, what if someone outside the system emails encrypted messages to the > user. What authority would the sys admin have there?? Entirely unrelated to the statute you cite. > Jay Holovacs > PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 > (KEY id 1024/80E4AA05) email for key > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From alano at teleport.com Sun Dec 17 14:02:13 1995 From: alano at teleport.com (Alan Olsen) Date: Mon, 18 Dec 1995 06:02:13 +0800 Subject: Is ths legal?... Message-ID: <2.2b7.32.19951217205443.008a13f0@mail.teleport.com> At 04:18 AM 12/17/95 -0500, you wrote: >Exactly. If Oklahoma University is private, it can establish and enforce >policies that would be unconstitutional at public schools. Those >policies become part of the contract and a student must abide by them, >except when they are administered arbitrarily and capriciously. At a >public universities, students probably would have more freedom to >challenge this policy. In looking at their homepage, it appears to be a state funded school. (There is not alot of background on the school history or affiliations on their homepage except for a note that it was founded by the territorial legislature a number of years before becoming a state..) | What is the Eye in the Food Pyramid? | alano at teleport.com | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | | From unicorn at schloss.li Sun Dec 17 14:20:24 1995 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 18 Dec 1995 06:20:24 +0800 Subject: Political Cleanup program In-Reply-To: <01BACC91.AB611320@rcooper.the-wire.com> Message-ID: On Sun, 17 Dec 1995, Russ Cooper wrote: > A much simpler solution might be to just force all politicians to give up > their campaign funds when they retire, or even better, immediately > following the elections. Today, whatever is left in their campaign funds > are given over to them when they retire or are forced out of office, on top > of their lucrative pensions. UH....? > > Cheers, > Russ > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From hayden at krypton.mankato.msus.edu Sun Dec 17 16:22:34 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 18 Dec 1995 08:22:34 +0800 Subject: Is ths legal?... In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 17 Dec 1995, Black Unicorn wrote: > I this ruling would prevent the Supreme Court from defining > something as a privledge or right. > > It would also pose this limitation on states, as they are public > entities, and thus driver's licenses cannot be defined as one or the > other, which as we all very well know, they are. I am appending the file from the EFF that talks about the privledge/right distinction. There is a URL as part of the file. ========== =============== ftp://ftp.eff.org/pub/CAF/faq/just-a-privilege =============== q: If a state university calls computer or network access a "privilege", can they remove an individual's access arbitrarily? a: In most cases no. U.S. courts no longer recognize the wooden distinction between privileges and rights [Board of Regents v. Roth, 408 U.S. 564 (1972)]. One need only look at the Constitution to see that "privilege" is often used to mean something different than its informal use. The 14th Amendment says "No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States;". The Constitution also refers to the "privilege of the writ of habeas corpus", "privileges and immunities of citizens in the several States", and "privileged from arrest during their attendance at the session of their respective houses". In _Goss v. Lopez_, the Supreme Court said a "student's legitimate entitlement to a public education is a property interest which is protected by the Due Process Clause and .. may not be taken away for misconduct without adherence to the minimum procedures required by that Clause." The Court went on to say that "the Due Process Clause also forbids arbitrary deprivations of liberty. 'Where a person's good name, reputation, honor or integrity is at stake because of what the government is doing to him,' the minimal requirements of the Clause must be satisfied." So what are a university student's property rights? "The Fourteenth Amendment requires due process before a governmental entity, such as a public institution, may deprive one of life, liberty, or property. In a college setting, a student's good name and reputation are considered a 'liberty' right, and a student's right to attend college is considered a 'property' right. Due process would be required before a student is deprived of either at a public institution." [_A Practical Guide to Legal Issues Affecting College Teachers_ by Partrica A. Hollander, D. Parker Young, and Donald D. Gehring. (College Administration Publication, 1985).] So is a student's computer access a property right? I'd say it depends. On one extreme, I'm confident a student has a property right in account financed via the student computer or engineering fee. On the other extreme, if a professor informally gave a student an account on that professor's personal workstation, the professor could probably remove that access without due process. So what about department accounts? In the departments I know of, accounts are given to any students who meet some set of requirements. I think this makes them an entitlement for the students who qualify and hence some modicum of due process is necessary. ANNOTATED REFERENCES (All these documents are available on-line. Access information follows.) ================= faq/due-process ================= * Due Process q: Should users be suspended from the computer pending formal discipline? a: No, with one exception. Just as students should not be expelled ... ================= academic/student.freedoms.aaup ================= * Student Freedoms (AAUP) Joint Statement on Rights and Freedoms of Students -- This is the main U.S. statement on student academic freedom. ================= law/goss-v-lopez.mnookin ================= * Due Process -- When Required -- Goss v. Lopez -- Mnookin Comments from _In the Interest of Children_, R. Mnookin (Ed.), Franklin E. Zimring and Rayman L. Solomon (Contrib. Authors). It reports that the Supreme Court says that some modicum of due process is necessary unless the matter is trivial or there is an emergency. ================= law/goss-v-lopez.fischer ================= * Due Process -- When Required -- Goss v. Lopez -- Fischer Comments from _Teacher's and the Law_, 3rd edition, by Louis Fischer, et al. Published in 1991 by Longman. It reports that the Supreme Court says that some modicum of due process is necessary unless the matter is trivial or there is an emergency. ================= law/constraints.constitutional ================= * Constitution -- Public University -- Constraints Comments from _A Practical Guide to Legal Issues Affecting College Teachers_ by Partrica A. Hollander, D. Parker Young, and Donald D. Gehring. (College Administration Publication, 1985). Discusses the constitutional constraints on public universities including the requires for freedom of expression, freedom against unreasonable searches and seizures, due process, specific rules. ================= ================= If you have gopher, you can browse the CAF archive with the command gopher gopher.eff.org These document(s) are also available by anonymous ftp (the preferred method) and by email. To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org, and then: cd /pub/CAF/faq get due-process cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/law get goss-v-lopez.mnookin cd /pub/CAF/law get goss-v-lopez.fischer cd /pub/CAF/law get constraints.constitutional To get the file(s) by email, send email to ftpmail at decwrl.dec.com Include the line(s): connect ftp.eff.org cd /pub/CAF/faq get due-process cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/law get goss-v-lopez.mnookin cd /pub/CAF/law get goss-v-lopez.fischer cd /pub/CAF/law get constraints.constitutional -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.2 iQCVAwUBMNRs8zokqlyVGmCFAQGgRwP/e2fqRuiVrDWGWuYAnq1IQhUlhULSPlGY f8/2+N2/VqblVFsXyOBDA6YgwzTiFgiljOVFo2Bxw3RYyBDxWxr6yDS7BxGf7Zdp QjhIPP7fAk6wNKu3ACwtq3iap9BsOGcZlF2fGrP3B0jsDQtFxosGMNUiPH8HPs5Z l1QTiAyZ8yw= =F7PT -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu \ /__ Finger for Geek Code Info <=> Finger for PGP Public Key \/ / -=-=-=-=-=- -=-=-=-=-=- \/ http://krypton.mankato.msus.edu/~hayden/Welcome.html -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GED/J d-- s:++>: a-- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+ K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+** ------END GEEK CODE BLOCK------ From declan+ at CMU.EDU Sun Dec 17 17:45:21 1995 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Dec 1995 09:45:21 +0800 Subject: Is ths legal?... In-Reply-To: <2.2b7.32.19951217205443.008a13f0@mail.teleport.com> Message-ID: Excerpts from internet.cypherpunks: 17-Dec-95 Re: Is ths legal?... by Alan Olsen at teleport.com > In looking at their homepage, it appears to be a state funded school. > (There is not alot of background on the school history or affiliations on > their homepage except for a note that it was founded by the territorial > legislature a number of years before becoming a state..) My understanding is that it is a state school. But for state action to be present, there has to be a significant interdependent relationship constituting a nexus of state action between the state and the university. Like administrators being appointed by agents of the state government. State funding by itself is not sufficient. If that were true, CMU -- which receives almost half its revenue from the government -- would have to behave reasonably. (It doesn't; check out http://joc.mit.edu/~joc/cmu.html) -Declan (not a lawyer) From prf at teleport.com Sun Dec 17 17:56:03 1995 From: prf at teleport.com (Paul Farago) Date: Mon, 18 Dec 1995 09:56:03 +0800 Subject: 2 websites Message-ID: Interested in Term Limits? See http://www.termlimits.org Grass Roots Research's "Portrait of America" at http://www.grr.com Paul R. Farago, Portland OR From anonymous-remailer at shell.portal.com Sun Dec 17 18:07:09 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 18 Dec 1995 10:07:09 +0800 Subject: PAY-OFF TIME FOR BUG-BUSTERS, NETSCAPE PLEDGES "DOGFIGHT" Message-ID: <199512172339.PAA05833@jobe.shell.portal.com> On Fri, 15 Dec 1995 anonymous-remailer at shell.portal.com wrote: > On Fri, 15 Dec 1995, Alice de 'nonymous wrote: > > > Can anyone tell me whether Ian Goldberg and David Wagner got their $25,000 > > from Netscape for finding the HUGE security flaws in Netscape's existing > > product line?? > > > > Alice de 'nonymous ... > ^^^^^^^^^^^^^^^^^^^^^^^^ > > Heh, hey Alice, you know this discussion a short time ago where you > claimed that you wouldn't use PGP for signing because it wasn't secure > or something, what's with the use of the penet address? Uhhm, actually, I said that I don't have a secure machine to run PGP on, and that I didn't feel that I should have to travel across town to use a secure machine to ask whether or not Ian Goldberg and or David Wagner got any moola from Netscape or AT&T for helping to make these companies a fortune. Did they get their $25,000, or a scholarship, or a Christmas week or two at the Halekulani in Honolulu?? They helped out these companies, and here it is, less than ten days to Christmas, and what have these companies done?? Nothing ... nothing at all ... but freeload ... > Surely a penet address offers even less protection for your id? > > Or have you done something nifty like create the penet address with a > nymserver address? Yep, something like that ... you must be paying attention, my friendly "spoofing" shadow. The Penet address is simply to prevent huge email from being mailed to me. I don't want AT&T or Netscape to mailbomb me for simply writing the truth about them. Penet gives me some protection. I'm not looking to Penet to protect my "identity". All I want Penet to do is provide a way for people to write to me if they want to. Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From anon-remailer at utopia.hacktic.nl Sun Dec 17 18:07:16 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 18 Dec 1995 10:07:16 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: <199512172232.RAA13063@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- O.K. I'm new... however... I remember reading an article about this news release in mid '94 (I believe it was the NY Times), about the time that Cray Computer Company (Seymour's unsuccessful spinoff company) was actively seeking bank financing. Anyone remember? The article was about an NSA contract award to Cray Computer. In some background: The Supercomputer industry had been struggling for a while with reductions in purchases from the U.S. government due to cutbacks on research spending and the 'end of the cold war'. The situation at MasPar had gotten to the point of court reorginization or worse. In June (of '94) Cray was in such a cash squeeze that it took out a $17.5 million secured loan to fend collapse. During July, Cray announced that it was seeking a "partner" to make an investment in exchange for technology access. Guess who shows up with plans to build "the ultimate spying machine"? Now, Seymour's a nice guy, but money is tight, so he buys in on the hopes for more a lucrative future relationship. The plot thickens. The contract calls for Cray to put up $4.6 million to cover the initial development (didn't they just take out a loan?) of which about $400,000 will go to the NSA for so called "software consulting services". It makes one wonder what the "real" contract was worth (such as producing this surveillance system in quantity)? There was some speculation in the article about what this system could be used for, such as DEA operations outside U.S. borders (Columbia perhaps) or foreign military communication or enhancement processing of spy satellite photos. What caught my attention was the architecture. A "hybrid design linking two supercomputer processors with an array of HALF A MILLION inexpensive processors" that were designed by the U.S. government laboratory affiliated with the NSA. The same chip house that brought us Clipper. I've not kept up with the "ultimate" demise that eventually befell Cray Computer Company, but the October 16 FBI filing on capacity for Digital Telephony got me thinking back to this article. 1% seems like a rather huge need for horsepower. And what if GAK doesn't fly? And the widespread use of hard crypto just keeps increasing? This kind of machine could, in theory: 1) Implement ALL Clipper(II) based Key Escrow functionality in silicon (the easy part) AND allow for simultaneous decrypt and surveil of 'who knows how many' Clipper based data streams. 2) Implement general RSA based Prime Factoring functionality in silicon (the not so easy part) AND allow massively parallel decrypt and surveil of 'who knows how many' RSA/etc. based data streams. 3) Implement it all, AND 'on-line' transaction based surveillance via the FBI's 1% capacity infrastructure. Chilling... Who needs key escrow (or RSA private keys) when you've got a massively parallel prime factoring machine. What if GAK was to become a 'non-issue'? How fast do you think a machine such as this could factor RSA 129? Makes you wonder if 2048 bits will be enough (my guess.. it won't). But then, I'm sure that when Cray Computer finally folded (has/hasn't?) all that tech just got sold for scrap eh? Anitro - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMNSadioZzwIn1bdtAQEgYwF+Nf5Azpeore6OPMNU94CpCawxPcPg8g7T kLQDY9I5Upk7vCe1dCpHm14g8jRYdSDx =vjJA -----END PGP SIGNATURE----- From unicorn at schloss.li Sun Dec 17 18:20:39 1995 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 18 Dec 1995 10:20:39 +0800 Subject: Is ths legal?... In-Reply-To: Message-ID: On Sun, 17 Dec 1995, Declan B. McCullagh wrote: > Excerpts from internet.cypherpunks: 17-Dec-95 Re: Is ths legal?... by > Alan Olsen at teleport.com > > In looking at their homepage, it appears to be a state funded school. > > (There is not alot of background on the school history or affiliations on > > their homepage except for a note that it was founded by the territorial > > legislature a number of years before becoming a state..) > > My understanding is that it is a state school. But for state action to > be present, there has to be a significant interdependent relationship > constituting a nexus of state action between the state and the > university. Like administrators being appointed by agents of the state > government. > > State funding by itself is not sufficient. If that were true, CMU -- > which receives almost half its revenue from the government -- would have > to behave reasonably. (It doesn't; check out > http://joc.mit.edu/~joc/cmu.html) > > -Declan > (not a lawyer) Obviously. > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From sethf at MIT.EDU Sun Dec 17 18:23:30 1995 From: sethf at MIT.EDU (sethf at MIT.EDU) Date: Mon, 18 Dec 1995 10:23:30 +0800 Subject: Oklahoma University: Is this legal?... Message-ID: <9512180009.AA18900@frumious-bandersnatch.MIT.EDU> Going on my past experiences with this sort of situation, I think the problem is a) Oklahoma University is public (seems true from http://www.uoknor.edu/) b) The state of Oklahoma has an "open public records" law so c) someone decided that everything stored on the University's computer system was therefore a "public record" (since the computer is "owned" by the public), and thus had to be accessible by law. This seems to be approximately what's going on: "Drafted by Associate Chief Counsel Kurt Ockershauser a year ago, the policy will make a legal statement that e-mail is running on state property, Colaw said. He said the policy is not an invasion of privacy." http://www.uoknor.edu/okdaily/issues/fall1995/dec-7/1-email.processed.html Someone needs to explain to him that what he is doing is not legally required, and perhaps violates the ECPA. ================ Seth Finkelstein sethf at mit.edu From stevenw at best.com Sun Dec 17 18:28:00 1995 From: stevenw at best.com (Steven Weller) Date: Mon, 18 Dec 1995 10:28:00 +0800 Subject: [NOISE] Screening of Unauthorized Access Message-ID: Saw this in the net. I know nothing about the movie personally. Perhaps someone on the list can comment? >Unauthorized Access, the documentary on the computer hacker underground from >an insiders point of view is screening in San Francisco!!! > >What the critics say: > >"Unauthorized Access lets you see and hear from those people that big >corporations and the government are so afraid of..." - The Seattle Stranger > >"If you want to know what a hacker really is, this is a must" - EXE Magazine > >"To see the hacking world from the Inside, try watching Unauthorized Access... >it shows hackers as they see themselves without the media's usual hype..." - >The New Scientist > >"As a cultural piece, it's what we've been waiting for. Many of us have long >suspected that modern-day hackers have a unique and rich culture. >Unauthorized Acess is something we can point to to prove it." - 2600 - The >Hacker Quarterly > >"Annaliza Savage has made a fascinating documentary about the sick world of >criminal hacking..." Mich Kabay - NCSA > >"It's a kafka-esque expose of the computer underground, a must see for all >security experts. This made me want to go out and become a cop." - Cult of >the Dead Cow > >Question and Answer session after the screening.... > >Unauthorized Access is screening at: >Artists Television Access in San Francisco >Thursday, December 21, 1995 - 8:30 pm >922 Valencia Street (at 21st) SF, CA 94110 >(415) 824 3890 > >For more info on Unauthorized Access http://bianca.com/bump/ua/ ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From gary at kampai.euronet.nl Sun Dec 17 18:29:29 1995 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 18 Dec 1995 10:29:29 +0800 Subject: BosniaLINK Message-ID: <199512172151.QAA12926@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- [ Irrelevant crap deleted ] Don't post irrelevant stuff here. I've noticed an awful lot of crap posted from the replay remailer to this group over the last few months. Wish I could figure out who this jerk is. Gary - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMNSQ+CoZzwIn1bdtAQHrHQF8DyOXYfMYV5czKkMXDqJtMYWaReg1IYiX QSG801r5LE3hMDa7ooSrQH6LwgDwPAYs =r8dB -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Sun Dec 17 18:30:51 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 18 Dec 1995 10:30:51 +0800 Subject: Is ths legal?... In-Reply-To: Message-ID: On Sun, 17 Dec 1995, Declan B. McCullagh wrote: > State funding by itself is not sufficient. If that were true, CMU -- > which receives almost half its revenue from the government -- would have > to behave reasonably. (It doesn't; check out > http://joc.mit.edu/~joc/cmu.html) There is some precedent for Federal funding being used to influence the behaviour of universities - most notably with anti-discrimination. I don't think federal contracts affect this particular area. Simon From vznuri at netcom.com Sun Dec 17 18:34:03 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 18 Dec 1995 10:34:03 +0800 Subject: Political Cleanup program In-Reply-To: Message-ID: <199512172204.OAA22202@netcom23.netcom.com> JB: >Politics is traditionally corrupt, it appears, because donors to politicians >and political campaigns expect a quid pro quo for their donations. Various >unsatisfactory solutions include campaign spending limits, etc. I have an unusual view that I've never seen elsewhere: the problem with our government is not that money or PACs are involved, but that the system does not handle or resolve the conflicts between them very well. in other words, in contrary to the current view that all PACs are evil, I think the problem is not that we have PACs, but that our current system does not balance their demands in some sensible manner. the system is susceptible to corruption. it is conceivable however that there would be a system that involves money and politics but still avoids corruption. there seem to be a lot of people who suggest that merely because politics involves money, it is therefore corrupt. this is an awfully vague and nebulous line of thinking in my view. are we to suppose that any industry that involves money (all of them, of course) inevitably moves in the direction of corruption? perhaps some more "cynicalpunks" may have this view, but I don't share it. >It occurs to me that it would be a major advance if a system could be set up >that would "blind" campaign donations as to their source: The donor could >be satisfied that his donation gets to the candidate or cause, but the >candidate couldn't know who actually paid the money (and the donor would be >unable to prove that he made a donation, for example). Admittedly there are >a lot of details that need to be worked out, but if this could be >accomplished it would change politics as we know it. what you describe would allow anonymous bribes. the giver could always identify his cash donation "out of band" to the receiver. moreover, other observers would not be aware of the relationship. why do you think this would be an improvement? to the contrary our current system works hard to require the disclosure of who donated what to a candidate, so the candidate's potential hidden agendas and ulterior motives can be revealed. seems reasonable to me. you are probably barking up the wrong tree here on cypherpunks, however, because most of the key "insiders" here are convinced that democracy is a proven failure, and that in fact government is invariably corrupt and oppressive, no matter what the implementation. the "solutions" advocated here are chiefly withdrawal and subterfuge. needless to say I disagree with this. I wonder if some day someone will invent a "killer app" that doubles as a political governing system. it seems to me politics is one of the last most intractable areas of human interaction when many others have been harmonized and systematized by the information revolution. I suspect it will eventually succumb to technological ingenuity as well. the end result would be a government that is not perfect, but is at least as good as the population that drives it, and no worse. (in contrast today we seem to have a government that is no better than the least common denominator). JB, I have to wonder however how your ideas about campaign reform tie into your prior advocation of political assinations as a legitimate form of citizen power. have you given up on the idea of murdering politicians as a means of political reform? or are you now just coupling that idea with campaign reform to put some new bells and whistles on your overall ideological package? From RDHeffren at gnn.com Sun Dec 17 18:45:02 1995 From: RDHeffren at gnn.com (Robert) Date: Mon, 18 Dec 1995 10:45:02 +0800 Subject: Is ths legal?.. (fwd) Message-ID: <199512172313.SAA25145@mail-e1b.gnn.com> Sun, 17 Dec 1995 10:18:50 -0500 (EST) Black Unicorn writes: > > On Sun, 17 Dec 1995, Jay Holovacs wrote: > > Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. ss 2510 > > et seq.). "It shall not be unlawful under this chapter for an > > operator of a switchboard, or an officer, employee, or agent of a > > provider of wire *or electronic* communication service, whose > > facilities are used in the trans-mission of a wire communication, > I disagree. Instead it implies that interception and administrative > review of content will be tolerated where it is "a necessary > incident to the rendition of his service or to the protection of the > rights or property of the provider of that service." Note that it > will be the provider who makes the definition in the ex ante application. > Even worse, the protection that is given is for "a provider of wire > communication service to the public." I also disagree because I would interpret it as "It shall not be unlawful...to intercept, disclose or use that communication...except by utilizing *service observing* or *random monitoring*." That indicates to me that specific monitoring is fine, but random monitoring must be used for quality control. And how do you become specific without being random? QC could be whatever the providers deem it to be, the public be damned. "..anything not specifically allowed is expressly forbidden..." RDHeffren at gnn.com RobertH677 at aol.com id=0x95AA98CD From jimbell at pacifier.com Sun Dec 17 21:07:44 1995 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Dec 1995 13:07:44 +0800 Subject: Political Cleanup program Message-ID: At 02:04 PM 12/17/95 -0800, Detweiler wrote: > >JB: >>Politics is traditionally corrupt, it appears, because donors to politicians >>and political campaigns expect a quid pro quo for their donations. Various >>unsatisfactory solutions include campaign spending limits, etc. > >I have an unusual view that I've never seen elsewhere: the problem with >our government is not that money or PACs are involved, but that the system >does not handle or resolve the conflicts between them very well. in other >words, in contrary to the current view that all PACs are evil, I think the >problem is not that we have PACs, but that our current system does not >balance their demands in some sensible manner. the system is >susceptible to corruption. it is conceivable however that there would be >a system that involves money and politics but still avoids corruption. Here's a question I have never heard anyone else ask (or answer!). "What is the purpose of a PAC? To be more specific, a PAC simply seems to be a funnel through which individual donations flow; why do we need a PAC? Is it to keep records of "who's naughty and nice"? Any contribution that can be made by a PAC could just as easily be made by one individual. >>It occurs to me that it would be a major advance if a system could be set up >>that would "blind" campaign donations as to their source: The donor could >>be satisfied that his donation gets to the candidate or cause, but the >>candidate couldn't know who actually paid the money (and the donor would be >>unable to prove that he made a donation, for example). Admittedly there are >>a lot of details that need to be worked out, but if this could be >>accomplished it would change politics as we know it. > >what you describe would allow anonymous bribes. Which, I suggest, is better than a non-anonymous bribe. > the giver could always "always"? Are you sure about that? >identify his cash donation "out of band" to the receiver. It is exactly this that the system I'd propose would prevent. I realize that you may not be able to imagine such a system, but that doesn't mean that such a system could be designed. (Before 1975, most of us would not have been able to imagine public-key encryption, for example.) A giver could CLAIM to make any sort of donation at all; but if the system were properly designed he could simply be lying to the officeholder. > moreover, other observers >would not be aware of the relationship. Not IMMEDIATELY, perhaps, but eventually the books could be opened, perhaps as much as years later. (Let's say, 3 months before the end of the term of the politician. And the amounts donated could withheld, with only the total donated reported every 3 months or so. (And perhaps only to 1 or 2 significant digits of accuracy.) For example, a Senator will be told on January 1, 1996, that up until that point he's received "about" $1.4 million dollars of donations. He would not be able to link these donations with any particular claim. Somebody could claim to have given him "$2000" of donation, which wouldn't even show up to the accuracy of the amount told the politician. Further techniques could be used to disguise the rate of giving. >why do you think this would be an improvement? Easy. It would remove much of the reason for a politician to treat one citizen differently from another citizen. >to the contrary our current system works hard to require >the disclosure of who donated what to a candidate, so the candidate's potential >hidden agendas and ulterior motives can be revealed. seems reasonable to >me. _EVENTUAL_ public disclosure of such information is not inconsistent with my idea. >you are probably barking up the wrong tree here on cypherpunks, however, >because most of the key "insiders" here are convinced that democracy is >a proven failure, and that in fact government is invariably corrupt and >oppressive, no matter what the implementation. the "solutions" advocated >here are chiefly withdrawal and subterfuge. I don't disagree with that assessment. However, that does not mean that I don't want to make life as difficult for the politicians as possible until they are swinging from a rope. >needless to say I disagree with this. I wonder if some day someone will >invent a "killer app" that doubles as a political governing system. >it seems to me politics is one of the last most intractable areas of >human interaction when many others have been harmonized and systematized >by the information revolution. I suspect it will eventually succumb to >technological ingenuity as well. the end result would be a government >that is not perfect, but is at least as good as the population that >drives it, and no worse. (in contrast today we seem to have a government >that is no better than the least common denominator). > > >JB, I have to wonder however how your ideas about campaign reform tie into >your prior advocation "Prior"? It's not "prior." I haven't changed my previous position one bit. > of political assinations as a legitimate form of >citizen power. have you given up on the idea of murdering politicians as >a means of political reform? Not "political reform." Political ELIMINATION. I want to eliminate the entire concept of a heirarchial government. > or are you now just coupling that idea with >campaign reform to put some new bells and whistles on >your overall ideological package? I repeat my previous statement. I'm happy to see them squirm before they are led to the gallows. Making life as difficult as possible for them is my goal. Using technology to disable their normal methods of corruption would be an excellent start. From ses at tipper.oit.unc.edu Sun Dec 17 21:20:06 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 18 Dec 1995 13:20:06 +0800 Subject: Political Cleanup program In-Reply-To: Message-ID: On Sun, 17 Dec 1995, jim bell wrote: > > It occurs to me that it would be a major advance if a system could be set up > that would "blind" campaign donations as to their source: The donor could > be satisfied that his donation gets to the candidate or cause, but the > candidate couldn't know who actually paid the money (and the donor would be > unable to prove that he made a donation, for example). Admittedly there are > a lot of details that need to be worked out, but if this could be > accomplished it would change politics as we know it. Just a straight Chaumian style blinding won't work, as there are too many covert channels available via both timing and amounts; For example, Joe Random Capitalist-Oppressor could arrange to pay a series of relatively small amounts wth different values in the cents field which could be used to confirm their payment (e.g. they could be composed to form a digitally signed value of some kind ("pollution rools" or "lung cancer is kool") :) Sen. Dianne Running-Dog could then look for a matching set of donations and confirm that the bribe had in fact been paid. There are much better ways of reforming the political system -the formation of proper political parties with real programmes (the one good thing about the newtoid surge); changing the rules for TV advertising, etc. Blinding just makes things worse. Simon // Introducing Covert Chunnels- the british side has a really slow rate, and the french won't let there citizens use their side.. From jimbell at pacifier.com Sun Dec 17 21:26:14 1995 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Dec 1995 13:26:14 +0800 Subject: Political Cleanup program Message-ID: Well, I don't consider these two ideas mutually exclusive. As I pointed out to Detweiler (under his alias "Nuri") I'm happy to see the politicians tortured before they are killed. At 02:48 PM 12/17/95 -0800, you wrote: >Good ideas, but you're getting soft. I liked the death lotto much better. > > Mike > >> Politics is traditionally corrupt, it appears, because donors to politicians >> and political campaigns expect a quid pro quo for their donations. Various >> unsatisfactory solutions include campaign spending limits, etc. >> >> It occurs to me that it would be a major advance if a system could be set up >> that would "blind" campaign donations as to their source: The donor could >> be satisfied that his donation gets to the candidate or cause, but the >> candidate couldn't know who actually paid the money (and the donor would be >> unable to prove that he made a donation, for example). Admittedly there are >> a lot of details that need to be worked out, but if this could be >> accomplished it would change politics as we know it. > > From wlkngowl at unix.asb.com Sun Dec 17 22:01:25 1995 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 18 Dec 1995 14:01:25 +0800 Subject: Encrypted telnet... Message-ID: <199512180438.XAA08244@UNiX.asb.com> On Fri, 15 Dec 95 12:48:41 CST, you wrote: An alternative to writing an entirely new proggie might be to write an add-on DLL for Windoze telnet clients that support add-ons... EWAN comes to mind here. >I am looking for an encrypted telnet (or rlogin/etc) package >that supports a Windoze client. >It looks like all the normal ones that I can find >(SSH, SRA telnet, SSLtelnet, etc) are just under Unixoids. >Don't get me wrong - I would prefer to use Unix, but I am >headed off to locations, where I know all I'll have access to >is Windows, with a PPP stack to some ISP. >I'ld write it myself, - pasteing different packages together, >but I need it working in a day or two. Can anyone help me here? >Thanks, >Dan >------------------------------------------------------------------ >Dan Oelke Alcatel Network Systems >droelke at aud.alcatel.com Richardson, TX From rsalz at osf.org Sun Dec 17 22:12:08 1995 From: rsalz at osf.org (Rich Salz) Date: Mon, 18 Dec 1995 14:12:08 +0800 Subject: IETF draft on data protection via crypto API Message-ID: <9512180438.AA02976@sulphur.osf.org> A Revised Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Common Authentication Technology Working Group of the IETF. Title : Independent Data Unit Protection Generic Security Service Application Program Interface (IDUP-GSS-API) Author(s) : C. Adams Filename : draft-ietf-cat-idup-gss-03.txt Pages : 35 Date : 12/14/1995 The IDUP-GSS-API extends the GSS-API [RFC-1508] for applications requiring protection of a generic data unit (such as a file or message) in a way which is independent of the protection of any other data unit and independent of any concurrent contact with designated "receivers" of the data unit. Thus, it is suitable for applications such as secure electronic mail where data needs to be protected without any on-line connection with the intended recipient(s) of that data. Subsequent to being protected, the data unit can be transferred to the recipient(s) - or to an archive - perhaps to be processed ("unprotected") only days or years later. Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-cat-idup-gss-03.txt". A URL for the Internet-Draft is: ftp://ds.internic.net/internet-drafts/draft-ietf-cat-idup-gss-03.txt Internet-Drafts directories are located at: o Africa Address: ftp.is.co.za (196.4.160.8) o Europe Address: nic.nordu.net (192.36.148.17) Address: ftp.nis.garr.it (192.12.192.10) o Pacific Rim Address: munnari.oz.au (128.250.1.21) o US East Coast Address: ds.internic.net (198.49.45.10) o US West Coast Address: ftp.isi.edu (128.9.0.32) Internet-Drafts are also available by mail. Send a message to: mailserv at ds.internic.net. In the body type: "FILE /internet-drafts/draft-ietf-cat-idup-gss-03.txt". NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. For questions, please mail to Internet-Drafts at cnri.reston.va.us. From ylo at cs.hut.fi Sun Dec 17 22:35:04 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Mon, 18 Dec 1995 14:35:04 +0800 Subject: Motorola Secure Phone In-Reply-To: <199512152338.XAA22526@pop01.ny.us.ibm.net> Message-ID: <199512171141.NAA02997@trance.olari.clinet.fi> > What about cellular phones, especially GSM? As I have heard GSM is > supposed to be secure, at least thats what the salespersons tell every > time they are selling a GSM. > > I know ciphering algorithms A3, A8 and A5 are used in GSM phones, but I > know nothing more about them. I got the following from mjos at math.jyu.fi a couple of months ago. Unfortunately I was unable to attend or listen on mbone. Does anyone know more about this? > University of Cambridge Computer Laboratory > > SEMINAR SERIES > > > 10th October Bill Chambers, King's College, London > PROBLEMS OF STREAM CIPHER GENERATORS WITH MUTUAL CLOCK > CONTROL > > .. > GSM:n salausalgoritmi on juuri tuota tyyppi�. Chambers yritti pit�� tuota > nimenomaista esitelm�� jo yli vuosi sitten, mutta silloin viralliset tahot > puuttuivat asiaan ja esitys peruttiin. H�n on l�yt�nyt algoritmista aukkoja, > joiden avulla purkuaika saadaan eritt�in lyhyeksi. > > ps. ne meist�, jotka p��sev�t mboneen k�siksi, voivat seurata tapahtumia > liven� :) [Free translation: The GSM encryption algorithm is of exactly that type. Chambers tried to have this particular presentation over an year ago, but at that time the official side interfered and the presentation was cancelled. He has found holes in the algorithm that can be used to make decryption (without key) very quick. PS. Those of us who can get access to mbone, can follow it live.] Tatu From jim at acm.org Sun Dec 17 23:32:02 1995 From: jim at acm.org (Jim Gillogly) Date: Mon, 18 Dec 1995 15:32:02 +0800 Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: Message-ID: <199512180550.VAA13167@mycroft.rand.org> Correction of one detail: > tcmay at got.net (Timothy C. May) writes: > When you've done this, and concluded that RSA-129 could be done in, say, X > minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT > group), and on to the 1024- and 2048-bit keys. Tell us how many years or > centuries it will take. (Hint: Rivest and Schneier have done these The BlackNet key break didn't have any MIT involvement: it was done by Paul Leyland of Oxford, Arjen Lenstra of Bellcore, Alec Muffet of Sun UK, and Jim Gillogly of Cypherpunks, RAND, and Gillogly Software in no particular order. Jim Gillogly Trewesday, 28 Foreyule S.R. 1995, 05:49 From gbroiles at darkwing.uoregon.edu Sun Dec 17 23:32:16 1995 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Mon, 18 Dec 1995 15:32:16 +0800 Subject: Political Cleanup program Message-ID: <199512180553.VAA12388@darkwing.uoregon.edu> At 07:35 PM 12/17/95 -0800, you wrote: >Here's a question I have never heard anyone else ask (or answer!). "What is >the purpose of a PAC? > >To be more specific, a PAC simply seems to be a funnel through which >individual donations flow; why do we need a PAC? Is it to keep records of >"who's naughty and nice"? Any contribution that can be made by a PAC could >just as easily be made by one individual. PACs are to politics what mutual funds are to investing - that is, a mechanism for investors to diversify their holdings, and to allow for the managers of those holdings to use their expert/specialized knowledge to achieve better returns (at the cost of some frictional skimmings-off) than individuals would on their own. But I'm not sure what this has to do with C-punks any longer. -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From jimbell at pacifier.com Mon Dec 18 00:44:30 1995 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Dec 1995 16:44:30 +0800 Subject: Campaign Finance Reform Message-ID: At 07:43 PM 12/17/95 PST, you wrote: >On December 17th you wrote: > >>To: cypherpunks at toad.com >>From: jim bell >>Subject: Political Cleanup program >> >>Politics is traditionally corrupt, it appears, because donors to politicians >>and political campaigns expect a quid pro quo for their donations. Various >>unsatisfactory solutions include campaign spending limits, etc. >> >>It occurs to me that it would be a major advance if a system could be set up >>that would "blind" campaign donations as to their source: The donor could >>be satisfied that his donation gets to the candidate or cause, but the >>candidate couldn't know who actually paid the money (and the donor would be >>unable to prove that he made a donation, for example). Admittedly there are >>a lot of details that need to be worked out, but if this could be >>accomplished it would change politics as we know it. > >If you'll give it some more thought, Jim, you'll see that it has a loophole >in it you could drive a semi through. There is no way to keep a donor from >passing the word to the recipient. No matter how you work out the details, >it's impossible to keep the information from passing. It could never work. It is absolutely true that you couldn't stop a person from communicating claims of a donation to a politician. But what you COULD do is to ensure that the donor couldn't PROVE that he made such a donation. In other words, _I_ could claim that I gave $1K to Senator Sludgepump (a lie) and the good senator would have no idea that I wasn't telling the truth. The people who REALLY made such donations would be helpless. >Consider a more radical, and possibly workable, solution to the thorny issue >of campaign finance. If we go back to the root of the problem, it seems >clear that it is the high cost of a campaign. If a typical campaign were to >cost a tenth or a twentieth of what it presently costs, we'd have gone a >long way towards ameliorating the situation. How to do it? Simply ban all >paid political spot ads - TV, radio, newspaper - all of them. Write it so >that there's damned little wiggle room - a candidate can use lawn signs, but >not billboards. They can use personal appearances, but not commercials. >They can spend all the gas money they want running around their state or >district, but not a dime for media spots. > Well, I have an even better and cheaper solution to the problem of government and politics. At an average of $20,000 per Congressman, we could clean up Washington for $10 million dollars. From futplex at pseudonym.com Mon Dec 18 00:47:29 1995 From: futplex at pseudonym.com (Futplex) Date: Mon, 18 Dec 1995 16:47:29 +0800 Subject: The Elevator Problem & Groucho's Duck In-Reply-To: <199512160537.AAA23233@pipe6.nyc.pipeline.com> Message-ID: <199512180803.DAA01695@opine.cs.umass.edu> tallpaul writes: > At this point, this holiday season, I had an image of Merkle sitting by the > tree putting an infinite number of prime numbers in an infinite number of > boxes. (In the real world I've been fighting with my landlord and suddenly > thought of Cantor's first description of the landlord's dilema where a > landlord has an infinite number of rooms, all full, when another guest > shows up and wants a room.) :] > At this point, I suddenly had an image of Cantor sitting on the floor next > to Merkle. Merkle would pack an infinite number of boxes and hand each box > to Cantor who would proceed to wrap each box in an infinite number of > sheets of wrapping paper. > > Suddenly, I saw that my first suggested solution put all of the major work > on Alice. She had to generate 10^6 prime pairs and send them all to Bob > then brute force an average of (10^6)/2 attempts to discover the one pair > Bob picked ot factor. > > This process *might* be speeded up if Bob would, Cantor-like, help out. In > other words, have Alice generate and transmit 10^3 prime pairs and have Bob > do the same. This cuts transmission time by 5*(10^5), a considerable > savings. Mmm, didn't you just cut it in half (assuming simultaneous receive/transmit), saving about 10^3 time ? (I can't get through to the archives at the moment.) Anyway, it's a nice improvement to the protocol. > Then Alice and Bob each have to brute force an average of 5*(10^2) attempts > to discover each others primes, for a similar savings. > > However, you still need a nonpatented algorythm that lets them use the four > primes to encypher their message(s) while forcing the others on the > elevator to factor an average of (10^3^2)/2 products instead of > 2*((10^3)/2). > > This is still very far from a solution to the elevator problem as re-posed > by Futplex but creates at least one way of *potetentially* shortening the > prime generation and transmission time issue he was kind enough to point > out. I guess we should once again wish Roger Schlafly the best of luck in his ongoing litigation. While we're on the subject, I've just noticed an interesting protocol in Schneier, "invented by Shamir but never published", for communication over an insecure channel without a shared secret ["Shamir's Three Pass Protocol" in v.1,Sec.16.1,pp.376-377]. This protocol seems to have very appealing features, so I'm a little surprised that only the initial reference is given in Schneier. Using Shamir's proposed commutative symmetric cipher with it, I suppose it's probably slower than DH for key exchange, and progress on the discrete log problem would affect it just as much as RSA. Anyone have other references offhand, or know any other reasons this protocol isn't so useful ? -Futplex From thad at hammerhead.com Mon Dec 18 01:03:03 1995 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Mon, 18 Dec 1995 17:03:03 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: <199512180038.QAA01725@hammerhead.com> "Anitro" speculated about the fate and capabilities of the CCC PIM (processor-in-memory) machine. A friend of mine was working on it, and it would have been a screaming machine, no doubt about it. He said that the Cray mostly acted like a really fast network for the processor chips. As "Anitro" said, the PIM chips were made by a dedicated NSA company, Supercomputer Research Center, in Bowie MD. But, it was nowhere near finished when the company finally went down, and the team was completely disbanded. My friend was talking about going to the auction when the parts of the various machines were going to be sold, I don't know if he did so. He suspected that the various pieces would end up going back east to the Fort Meade area. Still, it is such an odd machine that you would probably have to transfer the staff to finish it, and that didn't happen. In any case, while it was fast (1/2 million 1-bit processors, perhaps as low as 1 nanosecond (1 GHz) cycle time), it was not fast enough to brute force reasonably strong ciphers. It's really no joke that it would take a computer with picosecond clocks the size of the earth more than the age of the universe to brute force IDEA, for instance. It would have made a great DES cracker, though; my back-of-the-envelope calculation has it cracking one key every .75 days on the average. thad -- Thaddeus Beier email: thad at hammerhead.com Technology Development vox: 408) 286-3376 Hammerhead Productions fax: 408) 292-2244 From jamesd at echeque.com Mon Dec 18 01:03:33 1995 From: jamesd at echeque.com (James A. Donald) Date: Mon, 18 Dec 1995 17:03:33 +0800 Subject: Political Cleanup program Message-ID: <199512180430.UAA02707@blob.best.net> At 11:04 AM 12/17/95 -0800, jim bell wrote: > It occurs to me that it would be a major advance if a system could be set up > that would "blind" campaign donations as to their source: The donor could > be satisfied that his donation gets to the candidate or cause, but the > candidate couldn't know who actually paid the money To make this work, the government would need to prohibit individuals from campaigning for politicians, taking out ads with political consequences, and so on and so forth. A short step from totalitarianism A better solution is to move assets and money into forms where politicians cannot get at them, thus reducing the power of politicians, and thus the incentive to buy favors from them. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Mon Dec 18 01:08:48 1995 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Dec 1995 17:08:48 +0800 Subject: Political Cleanup program Message-ID: At 07:03 PM 12/17/95 -0500, you wrote: >On Sun, 17 Dec 1995, jim bell wrote: > >> >> It occurs to me that it would be a major advance if a system could be set up >> that would "blind" campaign donations as to their source: The donor could >> be satisfied that his donation gets to the candidate or cause, but the >> candidate couldn't know who actually paid the money (and the donor would be >> unable to prove that he made a donation, for example). Admittedly there are >> a lot of details that need to be worked out, but if this could be >> accomplished it would change politics as we know it. > >Just a straight Chaumian style blinding won't work, as there are too many >covert channels available via both timing and amounts; For example, Joe >Random Capitalist-Oppressor could arrange to pay a series of relatively >small amounts wth different values in the cents field which could be used >to confirm their payment (e.g. they could be composed to form a digitally >signed value of some kind ("pollution rools" or "lung cancer is kool") :) Yes, as I suggested a number of details would be necessary to avoid this. Reporting only cumulative donations, occasionally over a long period of time (once every three months, for instance), and even then only approximating the total number would make doing such a correlation extremely difficult. >Sen. Dianne Running-Dog could then look for a matching set of donations >and confirm that the bribe had in fact been paid. > >There are much better ways of reforming the political system -the >formation of proper political parties with real programmes (the one good >thing about the newtoid surge); changing the rules for TV advertising, >etc. Blinding just makes things worse. The blinding needs only be temporary; long enough so the politician can't act improperly on the donation, but eventually revealed in enough time to expose political influence before the next election. Besides, I have already proposed what I consider to be a _better_ method of reforming government. It's called "Assassination Politics." Perhaps you've heard of it. From ncognito at gate.net Mon Dec 18 01:12:40 1995 From: ncognito at gate.net (Ben Holiday) Date: Mon, 18 Dec 1995 17:12:40 +0800 Subject: Secured RM ? (source) In-Reply-To: <199512171048.VAA23204@sweeney.cs.monash.edu.au> Message-ID: On Sun, 17 Dec 1995, Jiri Baum wrote: > > In this particular case what im concerned about is a temporary cleartext > > copy of a permanently encrypted document. The cleartext only exists for > > about 1-4 seconds, and then is deleted, so backups arent really a > > problem.. > > Is it then necessary to write it to disk? Im pretty sure that its nessecary.. at least at this point. Basically what im working on is a bit of front end that trys to make keeping things encrypted a bit less of a hassle. It needs to be able to read multiple file types, and as such it does some odd things. It opens the file and figures out the magic for it, closes it, then jumps to the right routine for reading the particular thing.. the file is opened again, perhaps once, perhaps repeatedly, depnding on the nature of what is going on.. then when it finishes with the file the cleartext copy is removed.. the main idea pushing me here is that if you were to encrypt things on your harddrive for storage, you would most likely want access to them at some point, and if your like me, you'd want access to them on a regular basis. Prior to starting work on this project i would manually decode whichever file i needed, work with it, andd then delete it. This was a pain in the ass, and also somewhat less secure since im only human and could conceivabley forget to resecure the file after im done using it. So looking at it from a relaxed standpoint.. the code as it stands now is at least as good as the previou method i was using, and is alot simpler. :) To be a bit more critical, neither method seems to be the BEST method.. I hate saying this cause it feels like a cop out, but I keep coming back to the question of usability versus iron-clad security. At this point there is no noticible speed difference between using the program with encrypted versus decrypted files. Im pretty concerned about the overhead of getting too involved in a flawless implementation. I think at this point if i could produce a first release that would be "good enough" to pass (for example) a moderatly sophisticated once over by local law enforcement, i would be content. Once thats available I have alot of other things tthat I'd like to see done better.. Incidentally, i'm planning to post the full details including an FTP site sometime in january or febuary.. at that point i expect to be torn to shreds by the cryptographic comunity.. :) From markm at voicenet.com Mon Dec 18 01:12:52 1995 From: markm at voicenet.com (Mark M.) Date: Mon, 18 Dec 1995 17:12:52 +0800 Subject: [NOISE] BIO-MUNITION: gifs of perl-RSA tattoo In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 17 Dec 1995, Richard D. Sheffar wrote: [Perl RSA sig deleted] > Okay, I admit it I don't know everything. > What does the perl script actually do. > I saved to file, chmod 777 perly > tried running the script and kept getting error line 3. > What does it do, does it encrypt a file or what. What Have i done wrong? > The script, when supplied with a exponent (public or secret) and a modulus, encrypts standard input with the RSA algorithm and sends the result to standard output. You can get all the info on this from http://dcs.ex.ac.uk/ ~aba/rsa/. In response to why it doesn't work, did you check to see if you have a working copy of the UNIX program "dc"? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNTogrZc+sv5siulAQHqPQP+LDCv8cNmyQh0vxcF5hS+Mk96PgpygmL4 QLjcdHZTUKHxRD8/V0b84+JITqc8uPKy/aN6Vp9ZiihRb8VBxWQzbJt5w2YIglW0 jzh1IFiRQ1O2oJzNG+mNjJfrJYwXG88BcajOd7JrsPj0uC9oh5hkRMFgMtFSjNsm m5G+F4rLlBM= =D9LX -----END PGP SIGNATURE----- finger markm at voicenet.com for Public Key http://www.voicenet.com/~markm/ Key-ID: 0xF9B22BA5 Fingerprint: bd24d08e3cbb53472054fa56002258d5 -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s:- a? C++++ U+++>$ P+++ L++(+++) E--- W++(--) N+++ o- K w--- O- M- V-- PS+++>$ PE-(++) Y++ PGP+(++) t-@ 5? X++ R-- tv+ b+++ DI+ D++ G+++ e! h* r! y? ------END GEEK CODE BLOCK------ From alano at teleport.com Mon Dec 18 01:13:32 1995 From: alano at teleport.com (Alan Olsen) Date: Mon, 18 Dec 1995 17:13:32 +0800 Subject: [more NOISE] BIO-MUNITION: gifs of perl-RSA tattoo Message-ID: <2.2b7.32.19951218083043.0088d0c0@mail.teleport.com> At 11:06 PM 12/17/95 -0500, you wrote: [Much noise on Perl-RSA tatoo and compile problems deleted] The only thought that came to mind on this thread was how closely the tatoo artist spellchecked that tatoo. It would be pretty funny to have a "munitions violation" that was non-functional due to tatooing errors. | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"It's only half a keyserver. I had to split the | Disclaimer: | |other half with the government man." - R. Rococo | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From tcmay at got.net Mon Dec 18 01:23:49 1995 From: tcmay at got.net (Timothy C. May) Date: Mon, 18 Dec 1995 17:23:49 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: At 10:32 PM 12/17/95, Anonymous wrote: >What caught my attention was the architecture. > >A "hybrid design linking two supercomputer processors with an >array of HALF A MILLION inexpensive processors" that were >designed by the U.S. government laboratory affiliated with the >NSA. The same chip house that brought us Clipper. First, half a million chips is not that big a deal...the Connection Machine had up to 64,000. Very few cryptographic problems of interest to us will be affected by a mere factor of a million or so. Second, there was work on a "processor-in-memory" architecture, in conjunction with a Bowie, Maryland spook-connected company. Perhaps this is what you are thinking of? Third, all avenues of continued funding having fallen through, Cray Computer (not Cray Research, of course) was shut down and assets liquidated. I haven't heard what's become of Seymour, though. (He is undoubtedly an asset, buy I doubt the Agency would have him liquidated.) >I've not kept up with the "ultimate" demise that eventually >befell Cray Computer Company, but the October 16 FBI filing >on capacity for Digital Telephony got me thinking back to this >article. 1% seems like a rather huge need for horsepower. And >what if GAK doesn't fly? And the widespread use of hard crypto >just keeps increasing? The tightly-coupled supercomputers are hardly needed for these sorts of problems. >This kind of machine could, in theory: > >1) Implement ALL Clipper(II) based Key Escrow functionality in > silicon (the easy part) AND allow for simultaneous decrypt and > surveil of 'who knows how many' Clipper based data streams. Huh? First, what evidence do you have for this claim? Second, who cares? Implementing Clipper in a Cray Computer machine--why bother? As to the claim that a million-processor machine could do this, you need to work out the math. (If a backdoor exists, or the LEAF has been gotten, a supercomputer is not needed....) >2) Implement general RSA based Prime Factoring functionality in > silicon (the not so easy part) AND allow massively parallel > decrypt and surveil of 'who knows how many' RSA/etc. based > data streams. Prime Factoring? Primes are easy to factor, of course. (Hint: Every prime has two factors.) If you mean using supercomputers to brute force the general factoring of an RSA modulus, this is nonsense. While there may be math shortcuts we don't yet publically know about which make factoring easier than we currently think it is, a mere million or even a billion processors will not make a dent in the factoring of, say, a 700-digit modulus. See the tables in Schneier and elsewhere for some estimates of factoring efforts needed. >3) Implement it all, AND 'on-line' transaction based surveillance > via the FBI's 1% capacity infrastructure. Let's see some numbers. (On second thought, let's not.) >Chilling... Who needs key escrow (or RSA private keys) when >you've got a massively parallel prime factoring machine. What if >GAK was to become a 'non-issue'? How fast do you think a machine >such as this could factor RSA 129? Well, do the math. The MIPS-years for the RSA-129 crack were publicized, so the computation for a million SPARC-equivalent (or even UltraSPARC-equivalent) can be done. When you've done this, and concluded that RSA-129 could be done in, say, X minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT group), and on to the 1024- and 2048-bit keys. Tell us how many years or centuries it will take. (Hint: Rivest and Schneier have done these calculations....) --Tim May, who fears that he's just been trolled by Derek Atkins Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From jlasser at rwd.goucher.edu Mon Dec 18 03:02:53 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Mon, 18 Dec 1995 19:02:53 +0800 Subject: Campaign Finance Reform In-Reply-To: Message-ID: On Sun, 17 Dec 1995, jim bell wrote: > >>It occurs to me that it would be a major advance if a system could be set up > >>that would "blind" campaign donations as to their source: The donor could > >>be satisfied that his donation gets to the candidate or cause, but the > >>candidate couldn't know who actually paid the money (and the donor would be > >>unable to prove that he made a donation, for example). Admittedly there are > >>a lot of details that need to be worked out, but if this could be > >>accomplished it would change politics as we know it. > > > >If you'll give it some more thought, Jim, you'll see that it has a loophole > >in it you could drive a semi through. There is no way to keep a donor from > >passing the word to the recipient. No matter how you work out the details, > >it's impossible to keep the information from passing. It could never work. > > It is absolutely true that you couldn't stop a person from communicating > claims of a donation to a politician. But what you COULD do is to ensure > that the donor couldn't PROVE that he made such a donation. In other words, > _I_ could claim that I gave $1K to Senator Sludgepump (a lie) and the good > senator would have no idea that I wasn't telling the truth. The people who > REALLY made such donations would be helpless. A tricky way around this, if it's done ALMOST properly, is to donate in odd amounts... ie "Senator Sludgepump, I am going to donate $469.23 to your campaign..." All this means is that the donations would have to be lumped in some way so that Senator Sludgepump can't find out the exact amounts donated by any individual. ObCrypto: Donating a specific amount of money could be considered a covert channel. Jon ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jim at bilbo.suite.com Mon Dec 18 20:02:48 1995 From: jim at bilbo.suite.com (Jim Miller) Date: Mon, 18 Dec 95 20:02:48 PST Subject: Java and timing info - second attempt Message-ID: <9512190402.AA12992@bilbo.suite.com> I asked about using Java scripts to capture remote timing info before and got no response. I assume everyone thought it was a stupid question. Therefore, I'll ask it again. The thing that makes Java a big deal is that you execute other people's code on your machine. You browse a Java-enhanced Web page, click on something interesting, suck across an applet, and execute it on your machine. This setup enables a bunch of nifty interactive Web stuff. Turn the picture around: You setup a Java-enhanced Web page, include some interesting buttons to click, write some clever applet, and people around the world suck your applet onto their machine and execute it. Combine this with some a standard crypto API for doing Web-based digital signatures or authentication or encryption and you may begin to see some possibilities. Would it be possible to create a Java applet that causes the client machine to sign or encrypt something with their private key, and then send back timing info? For the answer to be YES a few things need to be true. There needs to be some sort of standard crypto API in use that can be accessed by a Java script, and Java scripts need to be able to capture and send back timing info. Does anyone on this list know enough about Java to know if it can do any of these things? Jim_Miller at suite.com From aba at atlas.ex.ac.uk Mon Dec 18 04:15:09 1995 From: aba at atlas.ex.ac.uk (aba at atlas.ex.ac.uk) Date: Mon, 18 Dec 1995 20:15:09 +0800 Subject: BIO-MUNITION: gifs of perl-RSA tattoo In-Reply-To: Message-ID: <14204.9512181148@exe.dcs.exeter.ac.uk> Richard Sheffar writes on cpunks: > Okay, I admit it I don't know everything. > What does the perl script actually do. It does RSA encrypt/decrypt, works with keys up to 1024 bits (and larger). > I saved to file, chmod 777 perly > tried running the script and kept getting error line 3. You need two utils installed on your machine: perl and dc. Not having dc would cause an error on line 3. Try getting gnu dc (bc-1.03.tar.gz from gnu sites, see: http://www.dcs.ex.ac.uk/~aba/rsa/dc.html ) > What does it do, does it encrypt a file or what. What Have i done wrong? To encrypt: rsa -k=11 -n=ca1 < plaintext > ciphertext to decrypt: rsa -d -k=ac1 -n=ca1 < ciphertext > out you can extract pgp keys to use with it, that was a 32 bit key for demonstrational purposes and offers no security. See: http://www.dcs.ex.ac.uk/~aba/rsa/pgpacket.html for extracting pgp keys in hex format. Adam From dan at milliways.org Mon Dec 18 07:29:46 1995 From: dan at milliways.org (Dan Bailey) Date: Mon, 18 Dec 1995 23:29:46 +0800 Subject: Motorola Secure Phone Message-ID: <199512181337.NAA28013@pop01.ny.us.ibm.net> On Sun, 17 Dec 1995 17:38:49 -0800 you wrote: >At 06:40 PM 12/15/95 EST, you wrote: >> > >I don't know Moto's phone models, but there are some cordless phones, >especially long-range 900MHz ones, that are "secure" because of >spread-spectrum, and others that call themselves "secure" because >they're "digital", so you can't eavesdrop on them just by playing >with a scanner and maybe single-sideband. Sigh. > Well, just to finish the story, I ended up getting the Cincinatti Microwave Escort 9000 (yes, the radar detector people). It's 900 MHz digital spread-spectrum, although it's still unclear how secure their implementation is. I'll call them and see what I can come up with....I realize it's *not* going to give me military-style security. But really all I'm interested in is making it simpler (ie cheaper) for Big Brother to wiretap me than to deal with trying to scan me without court authorization. Dan *************************************************************** #define private public dan at milliways.org Worcester Polytechnic Institute and The Restaurant at the End of the Universe *************************************************************** From jya at pipeline.com Mon Dec 18 07:31:28 1995 From: jya at pipeline.com (John Young) Date: Mon, 18 Dec 1995 23:31:28 +0800 Subject: GIA_nts Message-ID: <199512181341.IAA28130@pipe1.nyc.pipeline.com> 12-18-95. NYPaper: "Telecommunications Giants Join Internet Security Quest." The consortium seeks to establish a layer of software and hardware standards that would effectively rest atop the Internet. Their goal is to make the Internet more secure, reliable and easy to use. The consortium started meeting last summer, and had seven core members: AT&T, Deutsche Telekom, Lotus, Novell, NTT, the Telstra Corporation and Unisource. The group held private meetings from Dec. 6 through Dec. 9 in New York, attended by 24 phone carriers and 14 computer companies, including Intel, Microsoft, Sun and the Hewlett-Packard. "The prospect of Internet censorship raises troubling issues for business." Denise Caruso's column. While most of the outcry has raised valid concerns about the First Amendment and civil liberties, little of the discussion has focused on how censorship could cripple much of the Internet's commercial potential. "This proposal will have more than a chilling effect," Ms. Fulton said. "It may well mean a cold death for everyone except very rich and very cautious media companies." GIA_nts (11 kb) From raph at CS.Berkeley.EDU Mon Dec 18 07:53:20 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 18 Dec 1995 23:53:20 +0800 Subject: List of reliable remailers Message-ID: <199512181450.GAA18890@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post ek reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"syrinx"} = " cpunk pgp hash cut reord mix post"; $remailer{"ford"} = " cpunk pgp hash ksub"; $remailer{"hroller"} = " cpunk pgp hash latent ek"; $remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut ek"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reorder"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo hroller alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Over the past few weeks, the remailer-list has been showing somewhat poor performance of the remailers. Well, most of the problem was my fault, rather than that of the remailers. I had managed to turn off suid on my sendmail binary, with bad results. It's fixed now. Last update: Mon 18 Dec 95 6:49:26 PST remailer email address history latency uptime ----------------------------------------------------------------------- mix mixmaster at remail.obscura.com __...-++-+++ 9:56:07 99.98% hacktic remailer at utopia.hacktic.nl *********+* 7:46 99.94% ecafe cpunk at remail.ecafe.org #-##_#--#### 49:58 99.92% c2 remail at c2.org + ++-.--++++ 1:27:22 99.91% flame remailer at flame.alias.net *********+* 12:10 99.85% amnesia amnesia at chardos.connix.com +--+------- 2:55:50 99.84% portal hfinney at shell.portal.com ####*# .#**+ 54:51 99.80% replay remailer at replay.com ** ********# 24:11 99.80% bsu-cs nowhere at bsu-cs.bsu.edu #_##.#*#-# 50:50 99.64% rmadillo remailer at armadillo.com + +++++++ ++ 39:23 99.55% vishnu mixmaster at vishnu.alias.net #-*#*++* 20:25 99.40% alumni hal at alumni.caltech.edu #_*_.-+*++ 1:00:21 99.37% ford remailer at bi-node.zerberus.de .--._._.-+++ 14:08:00 99.24% spook remailer at valhalla.phoenix.net **** - * *+* 22:56 99.10% hroller hroller at c2.org ## -...-##+# 44:42 98.83% wmono wmono at valhalla.phoenix.net * * .* *+* 16:13 98.72% penet anon at anon.penet.fi _--_--__.. 31:02:40 98.56% shinobi remailer at shinobi.alias.net - -_- +++-- 52:27 96.76% extropia remail at extropia.wimsey.com .----_.-.- 13:31:30 94.19% rahul homer at rahul.net +**+*_.*#++# 1:18:24 99.92% gondolin mix at remail.gondolin.org -_.------ 8:23:37 79.17% robo robo at c2.org # *# 3:38 57.61% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From bdavis at thepoint.net Mon Dec 18 08:19:25 1995 From: bdavis at thepoint.net (Brian Davis) Date: Tue, 19 Dec 1995 00:19:25 +0800 Subject: Campaign Finance Reform In-Reply-To: Message-ID: On Mon, 18 Dec 1995, Jon Lasser wrote: > On Sun, 17 Dec 1995, jim bell wrote: ... > > It is absolutely true that you couldn't stop a person from communicating > > claims of a donation to a politician. But what you COULD do is to ensure > > that the donor couldn't PROVE that he made such a donation. In other words, > > _I_ could claim that I gave $1K to Senator Sludgepump (a lie) and the good > > senator would have no idea that I wasn't telling the truth. The people who > > REALLY made such donations would be helpless. > > A tricky way around this, if it's done ALMOST properly, is to donate in > odd amounts... ie "Senator Sludgepump, I am going to donate $469.23 to > your campaign..." > > All this means is that the donations would have to be lumped in some way > so that Senator Sludgepump can't find out the exact amounts donated by > any individual. Cancelled checks. Or, hand check in addressed, stamped envelope to Senator Sludgepump and ask him if he would mind sealing it and dropping it in a mailbox. Etc., etc. For once, you guys aren't being very creative. From perry at piermont.com Mon Dec 18 08:25:48 1995 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 19 Dec 1995 00:25:48 +0800 Subject: redirect of newsgroups In-Reply-To: <9511188193.AA819305757@cc2.dttus.com> Message-ID: <199512181543.KAA09973@jekyll.piermont.com> "David Klur" writes: > For those of us sitting behind a firewall that blocks out all of the > alt, rec, etc.. newsgroups...is there another way to access these > groups? 1) Firewalls don't block newsgroups. 2) This has nothing to do with cryptography. .pm From frissell at panix.com Mon Dec 18 10:33:52 1995 From: frissell at panix.com (Duncan Frissell) Date: Tue, 19 Dec 1995 02:33:52 +0800 Subject: Political Cleanup program Message-ID: <2.2b8.32.19951218161154.0069e694@panix.com> At 10:35 AM 12/18/95 -0500, Brian Davis wrote: >> A better solution is to move assets and money into forms where >> politicians cannot get at them, thus reducing the power of politicians, >> and thus the incentive to buy favors from them. > >I'm not sure what you mean here: are politicians to be prohibited from >campaigning (which cost money)? And if politicians, who generally take >the form of human beings, can't get at $$$, how can you or I? Brian, the above means cut the power and the purse of politicians so they have nothing to sell to contributors so no contributors will buy. DCF From rah at shipwright.com Mon Dec 18 10:43:05 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 19 Dec 1995 02:43:05 +0800 Subject: (fwd) the anonymizer (Mac Anonymous Web Proxy?) Message-ID: > >Date: Sun, 17 Dec 1995 10:04:16 -0700 >From: webmaster at silkpresence.com (Pete Storm) >To: apple-internet-providers at solutions.apple.com >Subject: the anonymizer >Message-ID: > > hi all, > > if everyone could take a look at >, i'd appreciate it. by >following a link at this site, you begin surfing anoymously. now, can this >be programmed and run on a mac(s)? if so, please contact me personally and >we'll talk about my clients contracting out for this. > > if you can't get ahold of my (e.g. mail bounces) try >webmaster at joshua.silkpresence.com or webmaster at aimc.com as well as we're in >the middle of registering the new network. > >thanks, >phs > > >>>>>> > >Pete Storm >SilkPresence.Com Internet/WWW Publishing and Solutions >webmaster at SilkPresence.Com http://SilkPresence.Com > >Fabio Casartelli (August 1, 1970 - July 18, 1995) (TdF No. 114) > >Fallen in the quest for ultimate glory... > > ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From andr0id at midwest.net Mon Dec 18 10:54:13 1995 From: andr0id at midwest.net (andr0id at midwest.net) Date: Tue, 19 Dec 1995 02:54:13 +0800 Subject: Motorola Secure Phone Message-ID: <199512181805.MAA11178@cdale1.midwest.net> >That just refers to the fact that it is no longer legal to sell >scanners that can listen in to that range. I havn't seen any scanners that block the 900 MHz range. Didn't think they were blocking that. There isn't any reason to. After all they don't block the 49 MHz. >(BTW, a couple of years ago Nuts & Volts ran >an article with information on a program and some toys that let >a laptop computer, properly wired into a cell phone, act as a >cell scanner. Never did wire it up, but it looked like fun ;) > Most cellular phone like the Motorola and the NEC can scan cellular channels. Whats neat is that they require little or no modification. They can scan through all cellular channels including control, pause on a channel that has audio, and should signal level. I've use the Novatel and Motorola phones to even force the transmit on my phone on a channel that was already in conversation and create a three way call. Since the cellular system already proccessed the original MIN and ESN of the calling party my ESN is never checked. All of this without modifying my phone internaly or adding a computer. This type of stuff makes encryption needed. More and more people are using PCMCIA cellular modems for all kinds of transaction not realizing that anyone can pretty much intercept and use that information. Digital will help in some ways but harm on others. $49 bucks will buy you an upconverter that will enable any scanner that can pick up the 400 MHz range to pickup cellular. Dr0id From bdavis at thepoint.net Mon Dec 18 11:10:31 1995 From: bdavis at thepoint.net (Brian Davis) Date: Tue, 19 Dec 1995 03:10:31 +0800 Subject: Political Cleanup program In-Reply-To: <199512180430.UAA02707@blob.best.net> Message-ID: On Sun, 17 Dec 1995, James A. Donald wrote: > At 11:04 AM 12/17/95 -0800, jim bell wrote: > > It occurs to me that it would be a major advance if a system could be set up > > that would "blind" campaign donations as to their source: The donor could > > be satisfied that his donation gets to the candidate or cause, but the > > candidate couldn't know who actually paid the money > See my earlier post. > To make this work, the government would need to prohibit individuals > from campaigning for politicians, taking out ads with political > consequences, and so on and so forth. A short step from > totalitarianism Not to mention the death of the First Amendment. Which, under your scenario, would probably mean the death (or curtailment) of Cypherpunks. > A better solution is to move assets and money into forms where > politicians cannot get at them, thus reducing the power of politicians, > and thus the incentive to buy favors from them. I'm not sure what you mean here: are politicians to be prohibited from campaigning (which cost money)? And if politicians, who generally take the form of human beings, can't get at $$$, how can you or I? > of animals that we are. True law | James A. Donald > arbitrary power of the state. | jamesd at echeque.com > > EBD From reh at wam.umd.edu Mon Dec 18 11:31:20 1995 From: reh at wam.umd.edu (Richard Huddleston) Date: Tue, 19 Dec 1995 03:31:20 +0800 Subject: Political Cleanup program Message-ID: <199512181412.JAA08672@exp2.wam.umd.edu> Detweiler wrote: * >JB: * >>Politics is traditionally corrupt, it appears, because donors to politicians * >>and political campaigns expect a quid pro quo for their donations. Various * >>unsatisfactory solutions include campaign spending limits, etc. * > * >I have an unusual view that I've never seen elsewhere: the problem with * >our government is not that money or PACs are involved, but that the system * >does not handle or resolve the conflicts between them very well. in other * >words, in contrary to the current view that all PACs are evil, I think the * >problem is not that we have PACs, but that our current system does not * >balance their demands in some sensible manner. the system is * >susceptible to corruption. it is conceivable however that there would be * >a system that involves money and politics but still avoids corruption. Not to sound like a dupe or anything, but every time I get discouraged at the rampant mealyism of our political system I go read the first couple of paragraphs of a text from GOVT 101. There, I get reminded that the way most political debate is handled elsewhere is with bullets. Personally, I welcome a complete equity between all lobbyists seeking to obtain a politico's ear. Take the money out of the equation, and let the merits of their causes, if any, stand on their own. Happy holidays, Richard From jcorgan at aeinet.com Mon Dec 18 11:35:21 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Tue, 19 Dec 1995 03:35:21 +0800 Subject: Political Cleanup program Message-ID: <199512181833.KAA13146@scruz.net> At 11:11 AM 12/18/95 -0500, Duncan Frissell wrote: >At 10:35 AM 12/18/95 -0500, Brian Davis wrote: > >>> A better solution is to move assets and money into forms where >>> politicians cannot get at them, thus reducing the power of politicians, >>> and thus the incentive to buy favors from them. >> >>I'm not sure what you mean here: are politicians to be prohibited from >>campaigning (which cost money)? And if politicians, who generally take >>the form of human beings, can't get at $$$, how can you or I? > >Brian, the above means cut the power and the purse of politicians so they >have nothing to sell to contributors so no contributors will buy. Yep. If politicians didn't have capricious, arbitrary, and absolute power over individuals and businesses, there would be no market for influence peddling. From tcmay at got.net Mon Dec 18 12:15:02 1995 From: tcmay at got.net (Timothy C. May) Date: Tue, 19 Dec 1995 04:15:02 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: At 5:50 AM 12/18/95, Jim Gillogly wrote: >Correction of one detail: > >> tcmay at got.net (Timothy C. May) writes: >> When you've done this, and concluded that RSA-129 could be done in, say, X >> minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT >> group), and on to the 1024- and 2048-bit keys. Tell us how many years or >> centuries it will take. (Hint: Rivest and Schneier have done these > >The BlackNet key break didn't have any MIT involvement: it was done by >Paul Leyland of Oxford, Arjen Lenstra of Bellcore, Alec Muffet of Sun UK, >and Jim Gillogly of Cypherpunks, RAND, and Gillogly Software in no >particular order. > Sorry, Jim. I thought that Derek Atkins was involved, which led to thinking it was MIT. Now that you've reminded me, some of the details are beginning to come back. (I knew that someone from our list was involved....) --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From kadie at eff.org Mon Dec 18 12:23:33 1995 From: kadie at eff.org (Carl M. Kadie) Date: Tue, 19 Dec 1995 04:23:33 +0800 Subject: Oklahoma University: Is this legal?... In-Reply-To: Message-ID: <199512181751.JAA07443@eff.org> No state law does or could prempt the 5th Amendment, the ECPA, or the FERPA. Moreover, the one state FOIA (Illinois') I've read in detail *doesn't* even try to do this. I'm enclosing two FAQ's. The first is about email privacy. The second is about student media. I also suggest sending email to marsha-w at uiuc.edu (Marsha Woodbury) she is an expert in the application of FOIA laws to universities and a CPSR officer. - Carl Carl Kadie -- I do not represent EFF or my employer; this is just me. =Email: kadie at eff.org, kadie at cs.uiuc.edu = =URL: , = =============== ftp://ftp.eff.org/pub/CAF/faq/email.privacy =============== q: Can (should) my university monitor my email? a: Ethically (and perhaps legally) email communications should have the same privacy protection as telephone calls. It would be unwise for any university employee to tap email communications without authorization from the university president, university legal counsel, and the academic freedom committee. According to Mike Godwin, legal services counsel for the Electronic Frontier Foundation (EFF), the U.S.'s Electronic Communications Privacy Act (ECPA) could be reasonably construed to protect university email. This is also the reported opinion of the U. of Michigan's lawers. Also, the U.S.'s Family Educational Rights and Privacy Act gives students at all public and most private schools some privacy rights. A U.S. government task force says that "[Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA." In the context of libraries, the American Library Association's Policy on Confidentiality of Library Records suggests this procedure to deal with an official or police request for information about users: 'When drafting local policies, libraries should consult with their legal counsel to insure these policies are based upon and consistent with applicable federal, state, and local law concerning the confidentiality of library records, the disclosure of public records, and the protection of individual privacy. Suggested procedures include the following: 1. The library staff member receiving the request to examine or obtain information relating to circulation or other records identifying the names of library users, will immediately refer the person making the request to the responsible officer of the institution, who shall explain the confidentiality policy. 2. The director, upon receipt of such process, order, or subpoena, shall consult with the appropriate legal officer assigned to the institution to determine if such process, order, or subpoena is in good form and if there is a showing of good cause for its issuance. 3. If the process, order, or subpoena is not in proper form or if good cause has not been shown, insistence shall be made that such defects be cured before any records are released. (The legal process requiring the production of circulation or other library records shall ordinarily be in the form of subpoena "duces tecum" [bring your records] requiring the responsible officer to attend court or the taking of his/her deposition and may require him/her to bring along certain designated circulation or other specified records.) 4. Any threats or unauthorized demands (i.e., those not supported by a process, order, or subpoena) concerning circulation and other records identifying the names of library users shall be reported to the appropriate legal officer of the institution. 5. Any problems relating to the privacy of circulation and other records identifying the names of library users which are not provided for above shall be referred to the responsible officer.' - Carl M. Kadie ANNOTATED REFERENCES (All these documents are available on-line. Access information follows.) ================= law/ecpa.1986.godwin ================= * Privacy -- E-mail -- ECPA - University Site Mike Godwin, legal services counsel for the Electronic Frontier Foundation (EFF), says that the Electronic Communications Privacy Act (ECPA) could be reasonably construed to protect university email. ================= law/ferpa.text ================= * Privacy -- Students -- FERPA (Buckley Ammendment) The full text of the Family Educational Right to Privacy Act (Buckley Amendment). ================= faq/email.policies ================= * Email -- Policies q: Do any universities treat email and computer files as private? a: Yes, many universities treat email and computer files as private. ... ================= library/confidentiality.1.ala ================= * Confidentiality -- 1 (ALA) The American Library Association's "Policy on Confidentiality of Library Records" Suggests how to handle police or official requests for information about a user. ================= library/computer.draft.ala ================= * DRAFT: Access to Electronic ... Services and Networks ... (ALA) A draft interpretation by the American Library Association of the "Library Bill of Rights" Says in part: "Libraries and librarians exist to facilitate [freedom of speech and freedom to read] by providing access to, identifying, retrieving, organizing, and preserving recorded expression regardless of the formats or technologies in which that expression is recorded." ================= statements/bill-of-rights.aahe ================= * Bill of Rights ... for Electronic ... Learners This is the "Bill of Rights and Responsibilities for the Electronic Community of Learners". It could become the first widely endorsed statement directly related to computers and academic freedom. ================= statements/caf-statement ================= * Computer and Academic Freedom Statement -- Draft This is an attempt to codify the application of academic freedom to academic computers. It reflects our seven months of on-line discussion about computers and academic freedom. It covers free expression, due process, privacy, and user participation. Comments and suggestions are very welcome (especially when posted to CAF-talk). All the documents referenced are available on-line. (Critiqued). ================= statements/caf-statement.critique ================= * Computer and Academic Freedom Statement -- Draft -- Critique This is a critique of an attempt to codify the application of academic freedom to academic computers. It reflects our seven months of on-line discussion about computers and academic freedom. It covers free expression, due process, privacy, and user participation. Additional comments and suggestions are very welcome (especially when posted to CAF-talk). All the documents referenced are available on-line. ================= academic/student.freedoms.aaup ================= * Student Freedoms (AAUP) Joint Statement on Rights and Freedoms of Students -- This is the main U.S. statement on student academic freedom. ================= academic/speech-codes.aaup ================= * Speech Codes (AAUP) On Freedom of Expression and Campus Speech Codes Expression - An official statement of the American Association of University Professors (AAUP) It says in part: "On a campus that is free and open, no idea can be banned or forbidden. No viewpoint or message may be deemed so hateful or disturbing that it may not be expressed." ================= law/uwm-post-v-u-of-wisconsin ================= * Expression -- Hate Speech -- UWM Post v. U Of Wisconsin The full text of UWM POST v. U. of Wisconsin. This recent district court ruling goes into detail about the difference between protected offensive expression and illegal harassment. It even mentions email. It concludes: "The founding fathers of this nation produced a remarkable document in the Constitution but it was ratified only with the promise of the Bill of Rights. The First Amendment is central to our concept of freedom. The God-given "unalienable rights" that the infant nation rallied to in the Declaration of Independence can be preserved only if their application is rigorously analyzed. The problems of bigotry and discrimination sought to be addressed here are real and truly corrosive of the educational environment. But freedom of speech is almost absolute in our land and the only restriction the fighting words doctrine can abide is that based on the fear of violent reaction. Content-based prohibitions such as that in the UW Rule, however well intended, simply cannot survive the screening which our Constitution demands." ================= law/gillard-v-schmidt ================= * Privacy -- School -- Staff Desk -- Gillard v. Schmidt Description of an appellate court ruling that the school board could not search the desk of a school counselor without a warrant. ================= law/email.gov-employee ================= * Privacy -- E-mail -- Government Employees A U.S. government task force: "[Email] monitoring [of government employees] of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA." Enclosed are guidelines for legitimate monitoring of government employee email. ================= law/mass-student-searches ================= * Privacy -- Mass Students Searches An excerpt from The ACLU Handbook: _The Rights of Students_, stating that "there must a reasonable suspicion directed specifically at each student before a school official can search students." ================= law/constraints.constitutional ================= * Constitution -- Public University -- Constraints Comments from _A Practical Guide to Legal Issues Affecting College Teachers_ by Partrica A. Hollander, D. Parker Young, and Donald D. Gehring. (College Administration Publication, 1985). Discusses the constitutional constraints on public universities including the requires for freedom of expression, freedom against unreasonable searches and seizures, due process, specific rules. ================= law/ecpa.umich ================= * Privacy -- E-mail -- ECPA - University Site A summary of a newspaper report that the U. of Michigan's lawyers believe(d) that the institution is barred under the federal Electronic Communications Privacy Act from reading electronic mail. ================= law/privacy.email ================= * Privacy -- E-mail -- Law -- Hernandez "Computer Electronic Mail and Privacy", an edited version of a law school seminar paper by Ruel T. Hernandez. ================= law/privacy.workplace ================= * Privacy -- Workplace Comments from and about _The new hazards of the high technology workplace_ see (1991) 104 _Harvard Law Review_ 1898. Talks about email and other electronic monitoring. ================= law/email.bib ================= * Privacy -- E-mail -- Bibliography I have been having an e-mail conversation with Stacy Veeder for several days on the topic of e-mail privacy. She mailed me this bibliography which she has compiled for two papers which she is currently writing. I post it here with permission. PS - She is interested in talking with anyone who has some views on the topic/information to share. Mark N. ================= ================= If you have gopher, you can browse the CAF archive with the command gopher gopher.eff.org These document(s) are also available by anonymous ftp (the preferred method) and by email. To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org, and then: cd /pub/CAF/law get ecpa.1986.godwin cd /pub/CAF/law get ferpa.text cd /pub/CAF/faq get email.policies cd /pub/CAF/library get confidentiality.1.ala cd /pub/CAF/library get computer.draft.ala cd /pub/CAF/statements get bill-of-rights.aahe cd /pub/CAF/statements get caf-statement cd /pub/CAF/statements get caf-statement.critique cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/academic get speech-codes.aaup cd /pub/CAF/law get uwm-post-v-u-of-wisconsin cd /pub/CAF/law get gillard-v-schmidt cd /pub/CAF/law get email.gov-employee cd /pub/CAF/law get mass-student-searches cd /pub/CAF/law get constraints.constitutional cd /pub/CAF/law get ecpa.umich cd /pub/CAF/law get privacy.email cd /pub/CAF/law get privacy.workplace cd /pub/CAF/law get email.bib To get the file(s) by email, send email to ftpmail at decwrl.dec.com Include the line(s): connect ftp.eff.org cd /pub/CAF/law get ecpa.1986.godwin cd /pub/CAF/law get ferpa.text cd /pub/CAF/faq get email.policies cd /pub/CAF/library get confidentiality.1.ala cd /pub/CAF/library get computer.draft.ala cd /pub/CAF/statements get bill-of-rights.aahe cd /pub/CAF/statements get caf-statement cd /pub/CAF/statements get caf-statement.critique cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/academic get speech-codes.aaup cd /pub/CAF/law get uwm-post-v-u-of-wisconsin cd /pub/CAF/law get gillard-v-schmidt cd /pub/CAF/law get email.gov-employee cd /pub/CAF/law get mass-student-searches cd /pub/CAF/law get constraints.constitutional cd /pub/CAF/law get ecpa.umich cd /pub/CAF/law get privacy.email cd /pub/CAF/law get privacy.workplace cd /pub/CAF/law get email.bib =============== ftp://ftp.eff.org/pub/CAF/faq/netnews.writing =============== q: Should my university allow students to post to Netnews or have Web pages? a: Yes. Free inquiry and free expression are an important part of a university's mission. Most universities encourage and support student expression and publication. Most universities also seem to give full network access to all users, even students. (This conclusion is based on an informal survey posted to comp.admin.policy in October, 1991. [cafv01n33]) There is probably no need to create special rules for student computer media; your university likely already has rules for student media. (Look in your Student Code.) In the U.S., most student publications are free of university screening, censorship, and most retaliation. (For state universities, this is a legal requirement.) At the same time, most universities disclaim responsibility for student publications, even when the university "owns the presses." The American Library Association's draft policy recommendation on electronic services and networks says (in part): No user should be restricted or denied access for expressing or receiving constitutionally protected speech. No user's access should be changed without due process, including, but not limited to, notice and a means of appeal. - Carl ANNOTATED REFERENCES (All these documents are available on-line. Access information follows.) ================= library/computer.draft.ala ================= * DRAFT: Access to Electronic ... Services and Networks ... (ALA) A draft interpretation by the American Library Association of the "Library Bill of Rights" Says in part: "Libraries and librarians exist to facilitate [freedom of speech and freedom to read] by providing access to, identifying, retrieving, organizing, and preserving recorded expression regardless of the formats or technologies in which that expression is recorded." ================= statements/caf-statement ================= * Computer and Academic Freedom Statement -- Draft This is an attempt to codify the application of academic freedom to academic computers. It reflects our seven months of on-line discussion about computers and academic freedom. It covers free expression, due process, privacy, and user participation. Comments and suggestions are very welcome (especially when posted to CAF-talk). All the documents referenced are available on-line. (Critiqued). ================= statements/caf-statement.critique ================= * Computer and Academic Freedom Statement -- Draft -- Critique This is a critique of an attempt to codify the application of academic freedom to academic computers. It reflects our seven months of on-line discussion about computers and academic freedom. It covers free expression, due process, privacy, and user participation. Additional comments and suggestions are very welcome (especially when posted to CAF-talk). All the documents referenced are available on-line. ================= statements/bill-of-rights.aahe ================= * Bill of Rights ... for Electronic ... Learners This is the "Bill of Rights and Responsibilities for the Electronic Community of Learners". It could become the first widely endorsed statement directly related to computers and academic freedom. ================= academic/student.freedoms.aaup ================= * Student Freedoms (AAUP) Joint Statement on Rights and Freedoms of Students -- This is the main U.S. statement on student academic freedom. ================= academic/speech-codes.aaup ================= * Speech Codes (AAUP) On Freedom of Expression and Campus Speech Codes Expression - An official statement of the American Association of University Professors (AAUP) It says in part: "On a campus that is free and open, no idea can be banned or forbidden. No viewpoint or message may be deemed so hateful or disturbing that it may not be expressed." ================= academic/academic-freedom.wus ================= * Academic Freedom (WUS) The Lima Declaration on Academic Freedom and Autonomy of Institutions of Higher Education, an international declaration by the World University Service. Source: _World University Service Academic Freedom 1990: A Human Rights Report_ by Laksiri Fernando, et al. ================= academic/academic-freedom.can ================= * CAUT-ACPU Policy on Academic Freedom (Canada) Policy statement on academic freedom for the Canadian Association of University Teachers. ================= policies/netnews.uwm.edu ================= * Edu -- U. of Wisconsin-Milwaukee -- Netnews These are the network policy resolutions developed by the Computer Policy Committee at the University of Wisconsin-Milwaukee. The resolutions were approved by the Committee and forwarded to the Chancellor. They were given final approval by the Chancellor as campus administrative policy (memo dated 02/23/93). They say (to paraphrase) 1) Netnews is important 2) No restrictions should be imposed without wide consultation 3) The principles of intellectual freedom developed for university libraries apply to Netnews material 4) The principles of intellectual freedom developed for publication in traditional media apply to computer media. ================= policies/netnews.uwo.ca ================= * U. of Western Ontario -- Netnews policy It says in part: "In its publications regarding Usenet, CCS should make it clear that the individual user bears the primary responsibility for the material that he or she chooses to send or display on the network or on the University's computer systems." It also specifies a procedure for dealing with challenges to material. ================= news/cafv01n33 ================= [No annotation available.] ================= faq/netnews.reading ================= * Netnews -- Policies on What Users Read q: Should my university remove (or restrict) Netnews newsgroups because some people find them offensive? If it doesn't have the resources to carry all newsgroups, how should newsgroups be selected? a: Material should not be restricted just because it is offensive to ... ================= faq/media.control ================= * University Control of Media q: Since freedom of the press belongs to those who own presses, a public university can do anything it wants with the media that it owns, right? a: No. Like any organization, the U.S. government must work within its ... ================= law/rosenberger_v_u_virginia ================= * Expression -- Public Forum -- Rosenberger v. U. of Virginia A 1995 U.S. Supreme Court decision that says that it is illegal for a state univeristy to deny funds to a student newspaper on the grounds that the newspaper is religious. The decision confirms that the government cannot discriminate on the basis of viewpoint in (government-owned)limited public forums. ================= law/san-diego-committee-v-gov-bd ================= * Expression -- Public Forum -- Overview -- San Diego Committee v. Gov Bd Excerpts from San Diego Committee v. Governing Bd., 790 F.2d 1471. A decision by an appellate court that applied the Supreme Court's Public Forum Doctrine (to a school newspaper). ================= law/stanley-v-magrath ================= * Expression -- Public Forum -- Closing -- Stanley v. Magrath Comments from _Public Schools Law: Teachers' and Students' Rights_ 2nd Ed. by Martha M. McCarthy and Nelda H. Cambron-McCabe, published in 1987 by Allyn and Bacon, Inc. It says, in part, "[a]lthough school boards are not obligated to support student papers, if a given publication was originally created as a free speech forum, removal of financial or other school board support can be construed as an unlawful effort to stifle free expression." Also, "school authorities cannot withdraw support from a student publication simply because of displeasure with the content" and "the content of a school-sponsored paper that is established as a medium for student expression cannot be regulated more closely than a nonsponsored paper". Also, it tells what to do about libel in student publications. ================= law/student-publications.misc ================= * Expression -- Offensive -- Student Publications -- Misc Quotes from the book _Law of the Student Press_ by the Student Press Law Center (1985,1988). They say that four-letter words are protected speech, that public universities are not likely to be liable for publications that they for which they do not control the contents, and that the _Hazelwood_ decision does not apply to universities. ================= law/uwm-post-v-u-of-wisconsin ================= * Expression -- Hate Speech -- UWM Post v. U Of Wisconsin The full text of UWM POST v. U. of Wisconsin. This recent district court ruling goes into detail about the difference between protected offensive expression and illegal harassment. It even mentions email. It concludes: "The founding fathers of this nation produced a remarkable document in the Constitution but it was ratified only with the promise of the Bill of Rights. The First Amendment is central to our concept of freedom. The God-given "unalienable rights" that the infant nation rallied to in the Declaration of Independence can be preserved only if their application is rigorously analyzed. The problems of bigotry and discrimination sought to be addressed here are real and truly corrosive of the educational environment. But freedom of speech is almost absolute in our land and the only restriction the fighting words doctrine can abide is that based on the fear of violent reaction. Content-based prohibitions such as that in the UW Rule, however well intended, simply cannot survive the screening which our Constitution demands." ================= law/rust-v-sullivan ================= * Expression -- Gag Rule -- Rust v. Sullivan The decision and decent for the so-called abortion information gag rule case. The decision explicitly mentions universities as a place where free expression is so important that gag rules would not be allowed. ================= law/rav-v-st-paul.1 ================= * Expression -- Hate Speech -- RAV v. St Paul -- 1 The Supreme Court's _R.A.V. v. City of St. Paul_ decision about hate crimes. The Court overturned St. Paul's Bias-Motivated Crime Ordinance, which prohibits the display of a symbol which one knows or has reason to know "arouses anger, alarm or resentment in others on the basis of race, color, creed, religion or gender." By 9-0, the Court said the law as overly broad. By 5-4, the Court said that the law was also unfairly selective because it only tried to protect some groups. Included: summary, majority opinion, 3 concurring opinions. ================= law/perry-v-perry ================= * Expression -- Public Forum -- Campus Mail -- Perry v. Perry Comments from the ACLU Handbook _The Rights of _Teachers_. It says that campus mail systems (and other school facilities) may or may not be limited public forums depending on how they are managed. (Perry v. Perry was about an interschool mail system that was managed as a nonpublic forum. It was one of the cases that defined the Public Forum Doctrine.) Also, a paraphrase from an ACLU handbook _The Rights of Teachers_. It says that generally, speech, if otherwise shielded from punishment by the First Amendment, does not lose that protection because its tone is sharp. Also, from p. 92, it says that there are legal limits to the oaths a (public) school can ask its teachers to sign. [Some of these same limits might apply to what a school can ask a user to sign as a condition of getting (or keeping) a computer account.] ================= law/broadrick-v-oklahoma ================= * Expression -- Vague Regulation -- Broadrick v. Oklahoma, et al. Summary of case law on overly vague regulation of expression. It says a statute is unconstitutionally vague when "men of common intelligence must necessarily guess at its meaning." ================= law/naacp-v-button ================= * Expression -- Overbroad Regulation -- NAACP v. Button, et al. Summary of case law on overly broad regulation of expression. It says "[b]ecause First Amendment freedoms need breathing space to survive, government may regulate in the area only with narrow specificity." ================= law/pd-of-chicago-v-mosley ================= * Expression -- Content Regulation -- Police Department of Chicago v. Mosley Summary of case law on content-based regulation of expression. It says that "above all else, the First Amendment means that government has no power to restrict expression because of its message, its ideas, its subject matter, or its content." ================= law/cohen-v-california.4 ================= * Expression -- Regulation of Tone -- Cohen v. California -- 4 A short quote from _Cohen v. California_: "We cannot sanction the view that the constitution, while solicitous of the cognitive content of individual speech, has little or no regard for that emotive function which, practically speaking, may often be the more important element of the overall message sought to be communicated." ================= ================= If you have gopher, you can browse the CAF archive with the command gopher gopher.eff.org These document(s) are also available by anonymous ftp (the preferred method) and by email. To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org, and then: cd /pub/CAF/library get computer.draft.ala cd /pub/CAF/statements get caf-statement cd /pub/CAF/statements get caf-statement.critique cd /pub/CAF/statements get bill-of-rights.aahe cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/academic get speech-codes.aaup cd /pub/CAF/academic get academic-freedom.wus cd /pub/CAF/academic get academic-freedom.can cd /pub/CAF/policies get netnews.uwm.edu cd /pub/CAF/policies get netnews.uwo.ca cd /pub/CAF/news get cafv01n33 cd /pub/CAF/faq get netnews.reading cd /pub/CAF/faq get media.control cd /pub/CAF/law get rosenberger_v_u_virginia cd /pub/CAF/law get san-diego-committee-v-gov-bd cd /pub/CAF/law get stanley-v-magrath cd /pub/CAF/law get student-publications.misc cd /pub/CAF/law get uwm-post-v-u-of-wisconsin cd /pub/CAF/law get rust-v-sullivan cd /pub/CAF/law get rav-v-st-paul.1 cd /pub/CAF/law get perry-v-perry cd /pub/CAF/law get broadrick-v-oklahoma cd /pub/CAF/law get naacp-v-button cd /pub/CAF/law get pd-of-chicago-v-mosley cd /pub/CAF/law get cohen-v-california.4 To get the file(s) by email, send email to ftpmail at decwrl.dec.com Include the line(s): connect ftp.eff.org cd /pub/CAF/library get computer.draft.ala cd /pub/CAF/statements get caf-statement cd /pub/CAF/statements get caf-statement.critique cd /pub/CAF/statements get bill-of-rights.aahe cd /pub/CAF/academic get student.freedoms.aaup cd /pub/CAF/academic get speech-codes.aaup cd /pub/CAF/academic get academic-freedom.wus cd /pub/CAF/academic get academic-freedom.can cd /pub/CAF/policies get netnews.uwm.edu cd /pub/CAF/policies get netnews.uwo.ca cd /pub/CAF/news get cafv01n33 cd /pub/CAF/faq get netnews.reading cd /pub/CAF/faq get media.control cd /pub/CAF/law get rosenberger_v_u_virginia cd /pub/CAF/law get san-diego-committee-v-gov-bd cd /pub/CAF/law get stanley-v-magrath cd /pub/CAF/law get student-publications.misc cd /pub/CAF/law get uwm-post-v-u-of-wisconsin cd /pub/CAF/law get rust-v-sullivan cd /pub/CAF/law get rav-v-st-paul.1 cd /pub/CAF/law get perry-v-perry cd /pub/CAF/law get broadrick-v-oklahoma cd /pub/CAF/law get naacp-v-button cd /pub/CAF/law get pd-of-chicago-v-mosley cd /pub/CAF/law get cohen-v-california.4 From hallam at w3.org Mon Dec 18 13:03:22 1995 From: hallam at w3.org (hallam at w3.org) Date: Tue, 19 Dec 1995 05:03:22 +0800 Subject: Political Cleanup program In-Reply-To: Message-ID: <9512181620.AA10316@zorch.w3.org> The main problem with anonymous political donations is that it is easy enough to create linkage if the recipient and the donor conspire together. There are many other things that campaign laws are intended to achieve beyond avoiding bribery. For example foreign nationals cannot make donations to US parties. It would be a good thing if there were similar laws in the UK since at the last election a foreign national with links to organised crime alledghedly made a multi million donation to the Conservative party. Of course in the absence of full disclosure of details of party records nobody can be sure. We are as voters entitled to consider the worst however. Similarly it would be bad if a politician could obtain huge sums of money simply by espousing causes backed by lartge sums of cash. A candidate that proposed making large federal donnations to the arms industry (codeword "Strong defence") might expect substantially more donations than one who proposed a reversal of this policy. Similarly candidates supporting private prisons might expect funds from the likely beneficiaries and so on. The starting point for campaign reform has to be to cap the amount that can be spent on a campaign. Most countries have such laws to prevent the political process from being owned by the rich. Unfortunately this has happened in the US with the effect that both parties are much further to the right than in any other Western democracy. Phill From rah at shipwright.com Mon Dec 18 13:07:25 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 19 Dec 1995 05:07:25 +0800 Subject: Fwd: Results of Internet Protest Message-ID: --- begin forwarded text Date: Mon, 18 Dec 1995 11:16:31 -0500 Subject: Fwd: Results of Internet Protest From: Joel Bowers Mime-Version: 1.0 Apparently-To: Subject: Results of Internet Protest Sent: 12/18 2:06 AM Received: 12/18 8:18 AM From: mcnmembers at macn.com To: MCNMembers at macn.com From: mcnmembers at macn.com (MCN Members) Sender: jfried at desktopdesign.com (John Friedlander) To: MCNMembers at macn.com (MCN Members) ======================================================================== CAMPAIGN TO STOP THE NET CENSORSHIP LEGISLATION IN CONGRESS THE NET ROCKS AMERICA'S CAPITOL - NEARLY 20,000 PARTICIPANTS THURSDAY DECEMBER 14, 1995 SENATE CONFEREES COULD STILL VOTE THIS WEEK RALLIES HAPPENING IN AUSTIN, NEW YORK, SF, & SEATTLE PLEASE WIDELY REDISTRIBUTE THIS DOCUMENT WITH THIS BANNER INTACT REDISTRIBUTE ONLY UNTIL December 25, 1995 ________________________________________________________________________ RECAP: INTERNET DAY OF PROTEST: TUESDAY DECEMBER 12, 1995 The net came into its own as a political force on Tuesday. The press release has more details. If you haven't taken a moment to call, fax, or email, do so now. We're still keeping track and only need a few more to break 20,000. VTW had someone onhand in DC monitoring the response at the Congressional offices. The feedback was amazing; Congress got the message. We need to sustain that by continuing to tell them we're not happy with the options being offered to us at this time. Directions for calling Congress can still be found at http://www.vtw.org/ and the many other sites listed at the end of this message. Take a moment to call! Don't forget to mail us a note at protest at vtw.org to let us know you took part in the Day Of Protest (and Day 2, and Day 3, and Day 4). FOR IMMEDIATE RELEASE December 13, 1995 Contact: Steven Cherry (718) 596-2851 stc at vtw.org Shabbir Safdar (718) 596-2851 shabbir at vtw.org New York, NY Are 20,000 phone calls a lot? 30,000? 50,000? They are if you're one of a handful of Congressional staffers trying to field them. Tuesday, December 12th was the Internet's Day of Protest. A variety of net-activists and telecommunications-related services exhorted the on-line community to call a selected group of Senators and Representatives to declare their opposition to the threat of Internet censorship. And call they did. As the Senate members of the Telecommunications Reform conference committee contemplated portions of legislation that would censor "indecent" material on-line, their staffers were being overwhelmed with phone calls. Senator Inouye's office said they were "getting lots and lots of calls and faxes." Senator Lott's said they were "flooded with calls." At Senator Stevens' office there were so many calls they couldn't keep a complete tally. At Senator Exon's office, the fax machine was "backed up." And at one point, activists couldn't even get through to Senator Gorton's office to ask. Exon is the Senator whose Communications Decency Act started the nearly year-long struggle between those who would create special regulations to restrict speech on-line (even, in certain instances, private email between two individuals) to a greater extent than even traditional broadcast media; regulations that, according to the ACLU and many other civil liberties groups, will certainly be proven to be unconstitutional if passed into law. "We've never seen anything like it," said Stanton McCandish of the Electronic Frontier Foundation (EFF). The EFF is one member of the on-line coalition that has been fighting an array of censorship legislation since this spring, when Senator Exon introduced his Communications Decency Act. "We may have almost overwhelmed our provider," said Shabbir Safdar, head of Voter's Telecommunications Watch (VTW). VTW is the organization that organized the on-line coalition. Their on-line connectivity is provided by Panix.com, a New York-area Internet service provider. "Panix has been doing some maintenance work today, so it's hard to tell," Safdar continued. "But we think it's actually made a dent in their connection to the rest of the Net." How many calls were actually made? No one can tell. For Leslie Miller, a reporter for USA Today, it took much of the afternoon to get some counts from Congressional staffers, and she couldn't get any report from the Senate's Sergeant-At-Arms, the office nominally responsible for the Senate's telephone system. VTW may be the only organization that can really make an educated guess. "In our Alerts we ask that people drop us an email note after they call," explained VTW board member Steven Cherry. "The message count peaked in the late afternoon at over 70 per minute. Many of those were from people who called several offices. By 7:30 P.M. (EST) we had gotten 14,000 messages. By Wednesday morning the count was over 18,000. And of course there are the people who called but didn't send us email. So all told, our very rough guess is there were well over 50,000 phone calls and faxes made on the one day." "The Net is coming of age, politically," said Jerry Berman, Director of the Center for Democracy and Technology (CDT), another member of the on-line coalition. Safdar, of VTW, concurred, saying, "I think Washington got the message today that there's a new grass-roots interest group around, and we're going to be a big part of the 1996 elections." (VTW's initial election activities can be found at http://www.vtw.org/pledge.) In addition to the Day of Protest, rallies are scheduled on Thursday, December 14th, in San Francisco and Seattle, and a protest will be held that day at 2:00 in New York City. The New York rally will be at the Cyber-Cafe, 273A Lafayette St from 2-3pm on Thursday, Dec 14th. Contact Steven Cherry or Shabbir J. Safdar for details. The Austin rally is planned for Tue. Dec 19th. No more information is available at this time. Information about the San Francisco rally can be obtained from http://www.hotwired.com/staff/digaman/. Information about the Seattle rally can be obtained from http://www.wnia.org/WNIA/hap/rally.html. Voters Telecommunications Watch is a volunteer organization, concentrating on legislation as it relates to telecommunications and civil liberties. VTW publishes a weekly BillWatch that tracks relevant legislation as it progresses through Congress. It publishes periodic Alerts to inform the about immediate action it can take to protect its on-line civil liberties and privacy. More information about VTW can be found on-line at gopher -p 1/vtw gopher.panix.com www: http://www.vtw.org or by writing to vtw at vtw.org. The press can call (718) 596-2851 or contact: Shabbir Safdar Steven Cherry shabbir at vtw.org stc at vtw.org ________________________________________________________________________ WHERE CAN I LEARN MORE? At this moment, there are several organizations with WWW sites that now have, or will have, information about the net censorship legislation and the National Day Of Protest: American Civil Liberties Union (ftp://ftp.aclu.org/aclu/) Center for Democracy and Technology (http://www.cdt.org/) Electronic Frontier Foundation (http://www.eff.org/) Electronic Privacy Information Center (http://www.epic.org/) Wired Magazine (http://www.hotwired.com/special/indecent/) Voters Telecommunications Watch (http://www.vtw.org/ or finger vtw at panix.com) ________________________________________________________________________ End Alert ======================================================================== ----------------------- Headers -------------------------------- _________________________ Joel M Bowers & Assoc [jmba at jmba.com] Multiuser Database Design [MCN,ASPN & Claris Solutions Alliance] _________________________ Voice 603-778-7494 Fax 603-778-7484 _________________________15 Curtis Road, Hampton Falls, NH 03844 --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From dklur at dttus.com Mon Dec 18 13:13:06 1995 From: dklur at dttus.com (David Klur) Date: Tue, 19 Dec 1995 05:13:06 +0800 Subject: redirect of newsgroups Message-ID: <9511188193.AA819305757@cc2.dttus.com> For those of us sitting behind a firewall that blocks out all of the alt, rec, etc.. newsgroups...is there another way to access these groups? For example, redirecting the contents of alt.2600 to, say, comp.2600 (because this firewall allows the comp.xxx groups through). Or any other hacks around this inconvenience? -----BEGIN PBP SIGNATURE----- Version: 1.0.0, Copyright 1995, Pretty Bad Privacy David Klur dklur at dttus.com I am who I am because I say so. So there. -----END PBP SIGNATURE------- From markm at voicenet.com Mon Dec 18 13:43:09 1995 From: markm at voicenet.com (Mark M.) Date: Tue, 19 Dec 1995 05:43:09 +0800 Subject: Securing the end-points In-Reply-To: <608235518.31497752@BayNetworks.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On 18 Dec 1995, Glen McBride wrote: > Greetings! > I was wondering if in addition to all the work and discussion regarding > crypto which generally centres around the transmission path information takes > traveling from end-point to end-point, there is any work being done to secure > the end-points themselves (I.e. files on your PC etc.) > > In my view the end-points present the most vulnerability in the overall > message path from person to person. It is at these points that the > message/information exists as cleartext even if for a short period of time. > While of course it is possible to PGP encode your files is this a practical > way to go about securing your system? I am aware or RSA secure but is that > all there is out there? > > Thanks in advance > > Glen McBride > Bay Networks ASIA-PAC customer service > Australia > The best way to secure the endpoints of communication is to use a sector level encryption TSR like SecureDrive. In a program like this, when a file is opened for reading or writing, the TSR automatically en/decrypts the data before it is processed by the calling application. Aside from a slightly slower disk access rate, a program like this is not inconvenient to use at all. SecureDrive is available at ftp://ftp.csua.berkeley.edu/pub/cypherpunks/ filesystems/secdr13c.zip. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNXTIrZc+sv5siulAQHCEQQAoe+4m0mbN9vjQwsO3cDbC/f/HQv5wlv5 TMRIsyYZ7JdYbFqoBIJyHCvKrVu+D41MsOJBZYpdOvd6pn9sQZA8jf2MaSFFnV7O MgeupyvG3/gvHYFCobFWYfpDzjHHJt57CxxVHb8q3q+pJs2uF0fDTtWUxvBjk4ym cJgsC3sc1jo= =x6Ca -----END PGP SIGNATURE----- finger markm at voicenet.com for Public Key http://www.voicenet.com/~markm/ Key-ID: 0xF9B22BA5 Fingerprint: bd24d08e3cbb53472054fa56002258d5 -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s:- a? C++++ U+++>$ P+++ L++(+++) E--- W++(--) N+++ o- K w--- O- M- V-- PS+++>$ PE-(++) Y++ PGP+(++) t-@ 5? X++ R-- tv+ b+++ DI+ D++ G+++ e! h* r! y? ------END GEEK CODE BLOCK------ From wilcoxb at taussky.cs.colorado.edu Mon Dec 18 13:43:58 1995 From: wilcoxb at taussky.cs.colorado.edu (Bryce) Date: Tue, 19 Dec 1995 05:43:58 +0800 Subject: my idea of the ideal encryption tool for the masses In-Reply-To: <199512170710.SAA17896@molly.cs.monash.edu.au> Message-ID: <199512182100.OAA06654@taussky.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- Jiri Baum wrote in private e-mail: > > Apart from that, this kind of thing has been proposed before, > and (for payment at least) I've read a paper somewhere that > uses something like this to get off-line anon. e-cash with > multi-party mistrust. (Ie nobody trusts anybody.) Yes, even such klooges such as Mondex might be considered a variation on my idea. Ultimately, though, I expect this device to become my *only* interface with the Net. I don't own any long-term storage device. Instead I just rent it over the Net and encrypt any long-term data that I consider private. I do any *sensitive* processing on the CPU in my handheld computer, but if it's a big job and I don't mind people watching then I rent a CPU over the Net to chew on it. This device is perfectly portable and can be plugged into any Net jack in an office or telephone booth, or perhaps it can do wireless. The important point is that no matter where I am physically, or what long-term storage device I am using via the Net, I have complete crypto security. (Mod Tempest- surveillance, physical subversion of my crypto box, etc.) If it were done right I could use this same box for my notepad, wallet, e-mail agent, Web browser, game-player, etc. etc. etc. > (But that requires the bank to trust tamper-proof h/w; if you > give up anon, as you have, you don't need that because it only > need resist until Joe can revoke his key - easily enough done > because the shop needs to have a list of valid ones anyway. > Alternatively you can keep anon but make clearing on-line, > which results in what is usually called a digital wallet.) Hm. As often happens in these kinds of discussions, we've missed each other because of different semantic conventions or something. My idea does not depend upon tamper-proof hardware in the sense that the owner must be prevented from cracking it open, but it *does* (as does every conceivable crypto system) depend on tamper-prevention in the sense that those antagonistic to the owner must be prevented from cracking open his box! Also I haven't given up anonymity at all. Oh! You mean in my example of Joe paying at the grocery store. Well he can have a pseudonymous account at that store if he wants. There is certainly no *necessity* to give up self-identity-control in any way. > > It only does this in response to some kind of > > authentication-action from Joe himself. Perhaps he > > inputs a 4-digit PIN. (It should be designed so that > ... > > Fingerprint scan? I thought about that but I personally wouldn't trust it. It might fail to recognize my fingerprint at an important moment. Besides, I hate the thought of a mugger taking my index finger also when he takes my wallet... Regards, Bryce signatures follow "To strive, to seek, to find and not to yield." -Tennyson bryce at colorado.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMNXSW/WZSllhfG25AQEF4AP9GKHbSh5RgROKFclm/fgkpI+FcZjagTo9 SBa7Kdn9sFczdk23u6mHbKufDKFJO5oyri5MOPvU2QZwa9iP3zGjaBKcS6QbSOJ2 c4W71cFVJ+YZw8nnsMGwNmdISl2T0VYjQo/za4D2blZMRGDLdHgcl/E3FfTXxn5K vBEUglr59Gs= =ksB+ -----END PGP SIGNATURE----- From wwwziff at internet.com Tue Dec 19 06:04:36 1995 From: wwwziff at internet.com (ZD Net / World Wide Web Edition) Date: Tue, 19 Dec 95 06:04:36 PST Subject: ZD Net Update v.1 #4 Message-ID: <199512191404.JAA25130@yipee.internet.com> ______________________ZD Net Update_______________________ v. 1 #4 12-11-95 Welcome to ZD Net Update, the free E-mail newsletter created especially for registered users of Ziff-Davis Interactive's ZD Net/World Wide Web Edition. ZD Net Update is a bi-weekly bulletin that alerts you to new and exciting developments on ZD Net. In this issue: > YAHOO, ZIFF-DAVIS ANNOUNCE PLAN TO JOIN FORCES > PC MAGAZINE UNWRAPS ITS 1995 HOLIDAY GIFT GUIDE > COMPUTING TRAILBLAZER HELPS YOU "BUY IT ONLINE" * * * * * * * * * * YAHOO, ZIFF-DAVIS ANNOUNCE PLAN TO JOIN FORCES On Tuesday, December 12, Yahoo Corp. and Ziff-Davis Publishing Co. announced a strategic relationship that establishes a new, Web- driven publishing model for delivering content via print, online, and CD ROM. The relationship leverages the expertise and brand names of Yahoo, operator of the leading directory on the Web, and Ziff- Davis, the leading publisher of computer magazines and computing content online, including ZD Net. The new alliance is initially focused on two media products: Yahoo Internet Life and ZD/Yahoo Computing. Yahoo Internet Life is an interactive magazine based on one of the most popular sites on the World Wide Web. ZD/Yahoo Computing seeks to become the ultimate value-added, online directory of computing resources on the Web. Yahoo Internet Life combines a Web site, a print publication, and a CD ROM. Each issue of the quarterly magazine will include a CD ROM that contains virtually everything in the magazine as well as the software that users need to connect to the Web. The print version of Yahoo Internet Life will debut on newsstands in February 1996. Bill Machrone, Editor-in-Chief of ZD Internet Life and Ziff-Davis's Vice President of Technology, was named Editor-in-Chief of Yahoo Internet Life. ZD/Yahoo Computing will be the definitive online guide to finding and using computing resources on the Web. It will incorporate an enhanced version of The Computing Trailblazer, a popular feature of the ZD Net Web site that reviews computing sites on the Internet, as well as new features to help people find computing products, companies, and services. ZD/Yahoo Computing will be available in early 1996. For more information about the announcement, including a Shockwave file and VDOLive video clips, check out the ZD Public Relations site at: http://www.zdnet.com/pr/ * * * * * * * * * * PC MAGAZINE UNWRAPS ITS 1995 HOLIDAY GIFT GUIDE The holidays are fast approaching, you're faced with tons of folks who need gifts, and you have no idea what to buy them. How to get in the holiday spirit? Don't despair. Your shopping list may be long, but PC Magazine's list of gift ideas is bound to be longer. The editors at PC Magazine have gathered 101 of the best educational and entertainment products to hit the shelves since last holiday season. Nearly all of these products are Windows-based, except for the games, most of which run under DOS. For the youngest folks on your list, the Kids' Software section includes a selection of learning games covering all the basic subject areas, many of which star characters the kids will recognize. For those hard-to-please gamers, this holiday offers an abundance of riches in all categories: action and adventure games, arcade games and puzzles, strategy and simulation games, and sports games. Looking for something a bit less frivolous? Then check out the reference offerings and the selection of personal productivity software. For gadget lovers, there's a fun and funky array of PC peripherals that would look great on any desktop. And don't miss the list of 10 great gifts under $35. So forget about fretting over that holiday shopping list. PC Magazine gives you 101 reasons to celebrate this holiday season. Discover a little holiday cheer at: http://www.zdnet.com/~pcmag/issues/1422/pcm00154.htm * * * * * * * * * * COMPUTING TRAILBLAZER HELPS YOU "BUY IT ONLINE" Looking for an easier way to get your hands on the latest hardware and software? Why not go online? Introducing "Buy It Online," the newest category in The Computing Trailblazer, Ziff-Davis's guide to computing resources on the Web. Each of the nearly two dozen sites that are reviewed in Buy It Online offers a strong selection of computer products for sale, and many also enable online purchasing (which is likely to become a firm requirement for this category in the near future). Some of the sites provide links to manufacturers' sites and other Internet resources of value to their customers. Others are just plain fun to visit for their contests, downloads, and freebies. A few are works in progress that show great potential. What are the common characteristics that mark the better sites? For starters, secure credit-card transactions, up-to-date price lists, and catalog items that link to product information combining overview articles, feature lists, and tech specs. If you order computer products on the Web, please click the Feedback button tell the Trailblazer editors what your experience was like. Good or bad, Trailblazer wants to know about it. For the latest word on the best computing sites, including more than 300 (and growing) site-reviews under familiar computer headings, check out Trailblazer today at http://www.zdnet.com/~zdi/tblazer/ * * * * * * * * * * ZD Net Update is the official newsletter of ZD Net/World Wide Web Edition. It is compiled by Tom Schmidt (tom_schmidt at zd.com). Feel free to respond with news, notes, comments, or suggestions. To unsubscribe to ZD Net Update, point your browser to: http://www.zdnet.com/cgi-bin/ziffmail.pl/update and select "Unsubscribe to ZD Net Update." From warlord at MIT.EDU Mon Dec 18 14:14:48 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 19 Dec 1995 06:14:48 +0800 Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: <199512180550.VAA13167@mycroft.rand.org> Message-ID: <199512181815.NAA15202@toxicwaste.media.mit.edu> Correction of another detail: > > tcmay at got.net (Timothy C. May) writes: > > When you've done this, and concluded that RSA-129 could be done in, say, X > > minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT > > group), and on to the 1024- and 2048-bit keys. Tell us how many years or > > centuries it will take. (Hint: Rivest and Schneier have done these RSA-129 is 129 decimal digits, not 129 bits. This computes to about 425 bits, which is actually more difficult than the 384-bit Blacknet key. -derek From mittonk at ucsu.colorado.edu Mon Dec 18 14:23:36 1995 From: mittonk at ucsu.colorado.edu (Mitton Ken) Date: Tue, 19 Dec 1995 06:23:36 +0800 Subject: redirect of newsgroups Message-ID: <199512182116.OAA21364@ucsu.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- Might be able to if you had admin-level access to the newsserver, but if there's a firewall between you and the nearest uncensored newsserver, I doubt that's the case... had the same problem on my school machine. Ended up just getting an account on another machine. --Ken Mitton mittonk at colorado.edu http://ucsu.colorado.edu/~mittonk/ PGP KeyID: BAB3CF0D -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMNXZ7Wzuqz+6s88NAQHrwQIA0bHF+6yxLHPcFIdODJhTH7Mq4+vKxho+ Jq4xOBn+yB8KY0mhPFUKQx43xmULt44AB2Jeo1cEt9FTRAFSIvua3A== =mTvu -----END PGP SIGNATURE----- From trei at process.com Tue Dec 19 06:32:17 1995 From: trei at process.com (Peter Trei) Date: Tue, 19 Dec 95 06:32:17 PST Subject: (Fwd) SECURITY ALERT: Password protection bug in Netsca Message-ID: <9512191432.AA28817@toad.com> Jeff writes: > This report is mostly bogus. Netscape does not, and never > has stored http auth passwords in files on your disk. However > we do cache documents from servers that use http auth. > In this case the user had their preferences set to check the > host site for updated content "once per session". There is > a bug, which we are fixing before 2.0 ships, that if the > auth fails the document should be removed from the cache but > was not. If the user had set their cache checking to "never", > then if the document is in the cache, it will always be shown to > the user, since no connection is made to the server. > Content providers who don't want their web pages cached > should use the 'Pragma: no-cache' http header. This will > tell the navigator to not save the document in the disk cache. > > --Jeff Thanks for clearing that up - I see you've already been over to www-security. The fast response Netscape (and in particular, you yourself) make to reported problems is something I'm very pleased to see. Peter Trei trei at process.com From EALLENSMITH at ocelot.Rutgers.EDU Mon Dec 18 14:44:51 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 19 Dec 1995 06:44:51 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: <01HYYJ27WNYQ8Y51HJ@mbcl.rutgers.edu> From: tcmay at got.net (Timothy C. May) >First, half a million chips is not that big a deal...the Connection Machine had up to 64,000. Very few cryptographic problems of interest to us will be affected by a mere factor of a million or so. -------------------- While the cryptographic stuff isn't much of a problem, how about text analysis of multiple sources, possibly via a neural net simulation (which IIRC a massively parallel machine is nice for)? -Allen From iagoldbe at calum.csclub.uwaterloo.ca Mon Dec 18 14:51:41 1995 From: iagoldbe at calum.csclub.uwaterloo.ca (Ian Goldberg) Date: Tue, 19 Dec 1995 06:51:41 +0800 Subject: PAY-OFF TIME FOR BUG-BUSTERS, NETSCAPE PLEDGES "DOGFIGHT" In-Reply-To: <199512151800.KAA11304@jobe.shell.portal.com> Message-ID: <4b4nnc$b57@calum.csclub.uwaterloo.ca> In article <199512151800.KAA11304 at jobe.shell.portal.com>, wrote: >On Mon, 11 Dec 1995, Michael Coates wrote: > >> PAY-OFF TIME FOR BUG-BUSTERS, NETSCAPE PLEDGES "DOGFIGHT" >> Netscape Communications has awarded two software sleuths $1,000 each for >> finding security gaps in its Netscape Navigator 2.0 software. The company >> also awarded gifts to 50 other contestants in its "Bugs Bounty" program for >> identifying non-security problems. (Wall Street Journal 11 Dec 95 B7) > >Can anyone tell me whether Ian Goldberg and David Wagner got their $25,000 >from Netscape for finding the HUGE security flaws in Netscape's existing >product line?? > >I can't remember whether they got anything or not ... That would be no (well, except for the nifty T-shirt from Sameer; Thanks!). - Ian "There's a reason people talk about `starving grad students'..." From andr0id at midwest.net Mon Dec 18 14:56:47 1995 From: andr0id at midwest.net (andr0id at midwest.net) Date: Tue, 19 Dec 1995 06:56:47 +0800 Subject: ADDRESS DATABASE? Message-ID: <199512181805.MAA11175@cdale1.midwest.net> >I'm not familiar with this aspect - how do cellular services store and >make use of billing information, as opposed to traditional phone services? > Most cellular systems still write billing tapes and send them to a clearing house for proccessing. It may take 2 or 3 days before a bill is updated. Thats not including that it takes sometimes up to a month before your roaming charges are recorded from all of the other cellular carriers. Some carriers have realtime billing but it still doesn't take into account roaming. >> If >> cellular customers start getting sales calls from a company that received a >> list from a cellular carrier, the cellular carrier is obligated to refund >> the customers bill for those calls if the customer complains becuase the >> customer pays for calls comming or going. > >Is this obligation incurred by the contract between the customer and the >cellular service, by statute, or otherwise? Contracts can always be >broken, and passing laws to guard the guardians generally amounts to >having the fox guard the henhouse... > This obligation is uncurred mostly by the fact that cellular carriers HATE to loose customers. If refunding a few min. of air-time helps keep a customer then they will. Unlike the phone company, a threat to discontinue service with a cellular carrier works well in getting your way. Dr0id From bdavis at thepoint.net Mon Dec 18 15:21:58 1995 From: bdavis at thepoint.net (Brian Davis) Date: Tue, 19 Dec 1995 07:21:58 +0800 Subject: Campaign Finance Reform In-Reply-To: Message-ID: On Mon, 18 Dec 1995, jim bell wrote: > At 10:41 AM 12/18/95 -0500, you wrote: > >On Mon, 18 Dec 1995, Jon Lasser wrote: > > > >> On Sun, 17 Dec 1995, jim bell wrote: > >... > >> > It is absolutely true that you couldn't stop a person from communicating > >> > claims of a donation to a politician. But what you COULD do is to ensure > >> > that the donor couldn't PROVE that he made such a donation. In other > words, > >> > _I_ could claim that I gave $1K to Senator Sludgepump (a lie) and the good > >> > senator would have no idea that I wasn't telling the truth. The people who > >> > REALLY made such donations would be helpless. > >> > >> A tricky way around this, if it's done ALMOST properly, is to donate in > >> odd amounts... ie "Senator Sludgepump, I am going to donate $469.23 to > >> your campaign..." > >> > >> All this means is that the donations would have to be lumped in some way > >> so that Senator Sludgepump can't find out the exact amounts donated by > >> any individual. > > > >Cancelled checks. > > > >Or, hand check in addressed, stamped envelope to Senator Sludgepump and > >ask him if he would mind sealing it and dropping it in a mailbox. > > > All of which raises numerous opportunities for sting operations against > politicians, done by individuals by procedures provided for under law. > Escrow (Okay, I know that's a dirty word around here, but...) an encrypted > statement of how you intend to run the sting, to be opened by the escrow > agent at some point in the future, explaining who you're going after and > how. Make the contribution, keep evidence, and if you're successfull the > congressman goes to jail for a few years. The problem with the private investigation is that law enforcement may not believe you were an "innocent" citizen conducting an investigation. Remember the ABSCAM Congressman who contended he was conducting his own investigation ... Escrowing what you intend to do could be seen as blackmail ammunition if the Congressman fails to produce. Unfortunately for the Cryptoanarchists (tm -- in more ways than one), absent law enforcement running the "sting" you are taking a risk of being stung yourself. EBD From anon-remailer at utopia.hacktic.nl Mon Dec 18 15:37:15 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Tue, 19 Dec 1995 07:37:15 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: <199512182241.RAA01276@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- At 09:15 PM 12/17/95 -0500, Thaddeus J. Beier wrote: > ---------- > ... about the fate and capabilities of the CCC PIM > (processor-in-memory) machine. A friend of mine was > working on it, and it would have been a screaming machine, > no doubt about it. He said that the Cray mostly acted like > a really fast network for the processor chips. I had thought that it may have been similar to an Active Memory design, but had no real clues to go by. Wasn't sure about the chip array path width either, but thought that 1 bit was probably the way to go given the array size. > ... the PIM chips were made by a dedicated NSA company, > Supercomputer Research Center, in Bowie MD. Hmm... is that the name? > But, it was nowhere near finished when the company finally went > down, and the team was completely disbanded. My friend was talking > about going to the auction when the parts of the various machines > were going to be sold, I don't know if he did so. He suspected that > the various pieces would end up going back east to the Fort > Meade area. Still, it is such an odd machine that you would > probably have to transfer the staff to finish it, and that didn't > happen. Sorry Thad... but NOTHING 'just disappears' at the NSA... > In any case, while it was fast (1/2 million 1-bit processors, > perhaps as low as 1 nanosecond (1 GHz) cycle time), it was not fast > enough to brute force reasonably strong ciphers. It's really no joke > that it would take a computer with picosecond clocks the size of the > earth more than the age of the universe to brute force IDEA, for > instance. Hahahahahahahah!!!!!!!!!! A cryptographer's most POWERFUL weapon, is A False Sense of Security... If you've read Kocher's abstract, you would NO DOUBT realize that there are ALWAYS options to be explored and exploited. I'm sorry, don't take it personal, but I think that this 'til the end o' time' argument leaks like a "sieve"... it's the classic linear thinking thing. > It would have made a great DES cracker, though; my > back-of-the-envelope calculation has it cracking one key every > .75 days on the average. This sounds pretty pessimistic too... > thad > -- Thaddeus Beier email: thad at hammerhead.com > Technology Development vox: 408) 286-3376 > Hammerhead Productions fax: 408) 292-2244 > > ---------- Well... maybe the timing wasn't right for the system's completion. After all, designing a computer with <1 nanosecond cycle time is not child's play. And in quantity it is even more difficult. A few more years of development with Transphaser logic and Holographic storage could work some wonders in computational capailities. Anitro - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMNXt+SoZzwIn1bdtAQEQAQF/YKCYcSiH4BRswP7+4Sv1VIYynpH738vF LFa/31pQBJiEkmkpiykmOcL3YySghGsf =3nUQ -----END PGP SIGNATURE----- From jamesd at echeque.com Tue Dec 19 07:58:08 1995 From: jamesd at echeque.com (James A. Donald) Date: Tue, 19 Dec 95 07:58:08 PST Subject: (fwd) Economics of Digital Money. Message-ID: <199512191557.HAA20962@blob.best.net> > But electronic checking it is a substitute for > conventional checking, it would just increase the > speed of the transaction. From the economic standpoint, > there is no difference in the dynamics of the checking > process from normal checks And email is no different from mail, right? Wrong: When computer programs start spending money and receiving money on behalf of their masters, we will see vast economic changes. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From frissell at panix.com Tue Dec 19 08:36:15 1995 From: frissell at panix.com (Duncan Frissell) Date: Tue, 19 Dec 95 08:36:15 PST Subject: Antiterrorism Bill Dead Message-ID: <2.2b10.32.19951219163342.006753a4@panix.com> At last some good news from the Hill. The House Judiciary Committee has announced that they are unable to vote on Chukie Schumer's Antiterrorism bill at this time. It is "dead for now." That means that the $500 million for the telecoms companies to carry out the Digital telphony Initiative is also dead for now. Thanks to an heroic coalition of leftist civil liberties types and right wing nuts (including the Fundies) for squashing it for now. Now if we could only convince the Fundies that the Klinton Admin was going to use the Exxon amendment to outlaw religious speech on the nets on the grounds of political indecency. But maybe the Telecoms bill will die too. It did last time. DCF From GLEN_MCBRIDE at BayNetworks.com Mon Dec 18 16:45:26 1995 From: GLEN_MCBRIDE at BayNetworks.com (Glen McBride) Date: Tue, 19 Dec 1995 08:45:26 +0800 Subject: Securing the end-points Message-ID: <608235518.31497752@BayNetworks.com> -----BEGIN PGP SIGNED MESSAGE----- Greetings! I was wondering if in addition to all the work and discussion regarding crypto which generally centres around the transmission path information takes traveling from end-point to end-point, there is any work being done to secure the end-points themselves (I.e. files on your PC etc.) In my view the end-points present the most vulnerability in the overall message path from person to person. It is at these points that the message/information exists as cleartext even if for a short period of time. While of course it is possible to PGP encode your files is this a practical way to go about securing your system? I am aware or RSA secure but is that all there is out there? Thanks in advance Glen McBride Bay Networks ASIA-PAC customer service Australia Views are my own and do not represent those of my employer ===== CURRENT PGP KEY FOLLOWS ===== - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQERAzDFDk4AAAEIAJvkPKWMS8TR5eNNQZw5FjUg8roSe/wFdw3d8vCEfb2lX3G+ qBAQKuTSUAhO8marZvNWF9VPuyqkOGEOrwzdont8jSHAdF9dguh1sP56eGXzyn8n mDN1Fw8vQiNrttvCEYUjvLEML8tFlLc7QlQRkAMEGrkH29D4ck3wOkJLEaSZrTcO RIZAzOBVVvrJORVKsREnGG4IrItJCiREw7Gp/LXIHMSEBCdu2+uaNc9nHQxKcYZc yx9UiiZ0XP6TzzUtkD00ZDtO8OdZCAhXdj0zbCUKVrzuY37EgnFVFQ7SlZZAQn/U Jx26k0eZvZhXjhSVd3QyElbJYNFVLrdyU+h+Gt0AIwQAAAABtCpHbGVuIE1jQnJp ZGU8R0xFTl9NQ0JSSURFQGJheW5ldHdvcmtzLmNvbT4= =N/lg - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMNS1vy63clPofhrdAQHn1wgAjHV2vKXIEY4qZ/Rm2rq4hnJsUJDt+zd5 BbYo/BZBruwX+gqylYlbOemkPvZ7ktAMdu9jUFfaJQ7Cb3jT4kgfp2dqqle6yaq1 0nxU9m7BMiVnSqevtK5Fy+thR/yVZWdHi1LFMy48yp8FCaqvMkEruscOsG0ydUNM lyf3OCNGdN7LQcxQkRE9UzKPwEpacDD/afU5W5aZhhchkpAH9t/kqKzvgXxia1VF 4hfOEcCMN21JO6QGqdnHASVNoIdV44O6BlUPhv5omAqofgU58tnbJ9G3/24zjecM QhxTMGBv+aDB1DtQ+k9wDJTdPBLwhqyWUZWImN3RPVnQb1Ec1CVM8A== =yLIB -----END PGP SIGNATURE----- From jwarren at well.com Tue Dec 19 09:17:11 1995 From: jwarren at well.com (Jim Warren) Date: Tue, 19 Dec 95 09:17:11 PST Subject: Oklahoma University: Is this legal?... Message-ID: At 07:09 PM 12/17/95, sethf at MIT.EDU wrote: > c) someone decided that everything stored on the University's >computer system was therefore a "public record" (since the computer is >"owned" by the public), and thus had to be accessible by law. Uh, every PRA (public records act) in the nation hase extensive exceptions -- for school records, collective bargaining, various investigative records, etc. NO state PRA or federal FOIA declares blanket access to all public-agency records -- often justifiably; sometimes for agency arse-covering. --jim Jim Warren, GovAccess list-owner/editor (jwarren at well.com) Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc. From trei at process.com Mon Dec 18 17:32:23 1995 From: trei at process.com (Peter Trei) Date: Tue, 19 Dec 1995 09:32:23 +0800 Subject: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b Message-ID: <9512190026.AA15461@toad.com> Haven't had time to test this myself. Peter Trei ------- Forwarded Message Follows ------- Date: Mon, 18 Dec 95 17:18:28 From: Subject: SECURITY ALERT: Password protection bug in Netscape 2.0b3 To: www-security at ns2.rutgers.edu, jcarroll at redman.canada.dg.com Cc: tara at linkage.cpmc.columbia.edu A potentially serious bug has just come to my attention concerning the handling of password-protected pages accessed via Netscape 2.0b3. Apparently when you type in the password to access a protected document Netscape stores the password in a local hidden file (in one of the .db files created in the .netscape directory on UNIX systems, and in the Netscape Preferences file on Macintoshes). This password is then used for accessing the document during subsequent accesses. The problem is that Netscape does not delete the stored password when the program quits. The problem has been reproduced on Unix and Macintosh platforms. I haven't tried the Windows implementation yet, but I suspect the same problem exists. This leads to the following behavior: 1) Open up Netscape and access a password-protected document. 2) Quit Netscape 3) Start Netscape again and try to retrieve the document. When the password-entry dialog comes up, click "Cancel". 4) Try to access the document a second time. Now Netscape lets you in without asking for the password! On Unix systems, this means that if you go over to a associate's machine to show him a protected document, Netscape will record your typed in password for posterity. Your associate now has full access to this page. The situation is particularly dangerous on PCs in a shared "computer lab" environment. Everybody who uses Netscape unwittingly makes his passwords available to all other users. Please let me know if anyone finds out more about this problem. I'm going to add it to the WWW security FAQ. Lincoln ======================================================================== Lincoln Stein, M.D.,Ph.D. lstein at genome.wi.mit.edu Director: Informatics Core MIT Genome Center (617) 252-1916 Whitehead Institute for Biomedical Research (617) 252-1902 FAX One Kendall Square Cambridge, MA 02139 =================http://www-genome.wi.mit.edu/~lstein==================== From andrew_loewenstern at il.us.swissbank.com Tue Dec 19 09:38:34 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Tue, 19 Dec 95 09:38:34 PST Subject: Java and timing info - second attempt Message-ID: <9512191737.AA00980@ch1d157nwk> Jim Miller (jim_miller at bilbo.suite.com) writes: > Would it be possible to create a Java applet that causes the client > machine to sign or encrypt something with their private key, and > then send back timing info? Since access to a private key should always be strictly mediated by the user any Java implementation would probably pop up a panel asking permission for every single private-key encryption operation requested by the applet. The timing attacks require many timed encryptions to get enough information about the key. Even if the user was completely clueless and had no idea what the applet was trying to do I would imagine that they would get tired of clicking "OK" long before sufficient key information was leaked ..... Of course it would be a lot easier for the applet to just try to read the secret key file, encrypt it with an embedded public key, and post it to alt.anonymous.messages. Depending on how security was setup there might be only one or two panels that the user has to dismiss. It would probably get past the same number of clueless users that a more complicated timing attack would fool. andrew From rschlafly at attmail.com Mon Dec 18 18:27:18 1995 From: rschlafly at attmail.com (Roger Schlafly) Date: Tue, 19 Dec 1995 10:27:18 +0800 Subject: RSA Data v. Cylink hearing Message-ID: Another hearing in the public-key patent saga. Cylink/CKC is going for a preliminary injunction against RSA Data for contributory infringement of the Stanford patents. RSA Data has a license to the Stanford patents, but has no sublicensing authority. It has been selling RSA & Diffie-Hellman toolkits and telling customers that they don't need PKP or Stanford patent licenses, and even indemnifying those customers against a patent infringement claim. An arbiter has already ruled that RSA Data's license does not cover customers shipping products. Of course I take the position that these patents are invalid, and now that Bidzos has lost control of them, he suddenly agrees with me. (Sorry, no ruling yet in my case. Stay tuned.) But RSA Data lawyers will have to stand up in court and say that after enforcing the Stanford patent against all public-key users for 5 years, RSA Data suddenly had a revelation that the Stanford patents are invalid after all. It should be amusing. 2:00 pm, Thurs., Jan. 4, 1996 RSA Data v. Cylink/CKC, Case C-95-03256 WHO SF Federal Bldg, court #7, Judge Orrick 450 Golden Gate Ave Directions: Take 9th up from Market -- it turns into Larkin and the federal bldg is on the corner with Golden Gate Ave. docket clerk: 415-522-2060 Roger Schlafly phone: 408-476-3550 CompuServe: 76646,323 US Mail: PO Box 1680, Soquel, CA 95073 USA Internet: rschlafly at attmail.com From EALLENSMITH at mbcl.rutgers.edu Tue Dec 19 11:25:26 1995 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Tue, 19 Dec 95 11:25:26 PST Subject: Political Cleanup program [NOISE] Message-ID: <01HYZTGSFLM48Y529F@mbcl.rutgers.edu> From: IN%"hallam at w3.org" 19-DEC-1995 13:48:07.90 >It is very strange the way that "Libertarians" are so able to turn all rights into property rights. Thus freedom of speech become freedom to have influence on the politicial process in direct proportion to wealth. ------------------ Funny, I'm disagreeing with you, and I believe that government ought to be involved with making sure everyone has a chance to make political speech (via subsidies of education). That doesn't mean that those who can make more speech (through money or any other ability) should be handicapped. ------------------ >I began work on the web in '92 because I saw its potential as a political tool which did not have the bias of wealth. It has the potential to create a new kind of political dialogue. When the Web becomes as ubiquitous as the telephone we will still see inequalities of power, the homeless and the poor will still be underrepresented. But that situation must be judged against our own where the political process can be bought and traded as if it were any other form of comodity. ------------------ You're making the classic PC (otherwise known as distorted egalitarian) mistake: you're wanting equality of results instead of equality of opportunity. Freedom of speech and the press doesn't mean that everyone gets a free press subsidized by the government, and no usage of means outside of that. It means that everyone _potentially_ can influence the political process and the marketplace of ideas. ------------------ >It is not simply an issue of money, it is an issue of national security. If a foreigner were to control the majority of the media there would be a significant threat to the national interest. This threat has been realised in the UK with the comming to power of Rupert Murdoch. Fortunately his influence on the US political scene has thus far been minor. In his own country he has brought down the government more than once. ----------------- This argument looks quite similar to those used for Canadian Content restrictions. "We can't let in Hollywood, they might be more demanded by the people than our own culture." "We can't let in Rupert Murdoch, his product might be more demanded by the people than our own products." It all comes down to people not having the courage to let their ideas be tested by what will get the most demand. -Allen From adam at lighthouse.homeport.org Mon Dec 18 19:32:52 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 19 Dec 1995 11:32:52 +0800 Subject: redirect of newsgroups In-Reply-To: <9511188193.AA819305757@cc2.dttus.com> Message-ID: <199512190221.VAA20286@homeport.org> Yeah, buy an account on a local ISP, or on C2, got.net, or some other cypherpunk run/supporting business. Adam | For those of us sitting behind a firewall that blocks out all of the | alt, rec, etc.. newsgroups...is there another way to access these | groups? For example, redirecting the contents of alt.2600 to, say, | comp.2600 (because this firewall allows the comp.xxx groups through). | Or any other hacks around this inconvenience? -- "It is seldom that liberty of any kind is lost all at once." -Hume From a-kurtb at microsoft.com Tue Dec 19 11:33:19 1995 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Tue, 19 Dec 95 11:33:19 PST Subject: Political Cleanup program [NOISE] Message-ID: ---------- From: hallam at w3.org[SMTP:hallam at w3.org] Sent: Tuesday, December 19, 1995 8:22 To: Bill Stewart; cypherpunks at toad.com Cc: hallam at w3.org Subject: Re: Political Cleanup program [NOISE] >I happen to believe in freedom of speech, especially political speech, >and if you're not allowed to spend money broadcasting your speech or >printing your messages, you don't have much freedom of press or speech. It is very strange the way that "Libertarians" are so able to turn all rights into property rights. Thus freedom of speech become freedom to have influence on the politicial process in direct proportion to wealth. Not so strange really. All rights, correctly understood, *are* property rights. What most don't understand is that rights are protections from the initiation of force by others. What this means is that you (anyone) don't have the right to the property of others. You have the right to offer mutually satisfactory exchanges, or even solicit outright gifts, but what is yours is yours, and it shouldn't be subject to extortion or theft by others. This includes your time, cash, and any other tangible assets you may own. I began work on the web in '92 because I saw its potential as a political tool which did not have the bias of wealth. It has the potential to create a new kind of political dialogue. When the Web becomes as ubiquitous as the telephone we will still see inequalities of power, the homeless and the poor will still be underrepresented. But that situation must be judged against our own where the political process can be bought and traded as if it were any other form of comodity. The problem with the political process now is that the government and its beneficiaries (which includes both the large corporation and the welfare class) have over time arrogated to themselves the power to steal (via taxes and regulation) our lives and our livelihood from us. The poor and the rich will always be with us, but they shouldn't be special clients of the state at the expense of everyone else. It is not simply an issue of money, it is an issue of national security. If a foreigner were to control the majority of the media there would be a significant threat to the national interest. This threat has been realised in the UK with the comming to power of Rupert Murdoch. Fortunately his influence on the US political scene has thus far been minor. In his own country he has brought down the government more than once. The only reason foreign money might be a threat to us is again that the government arrogated to itself the power to regulate our lives. The reason and interest for lobbying the government, whether through the press or through other, more direct, efforts is that the government *can do something* about whatever happens to be at issue. Take away the ability of the government to act, and there won't be any money spent lobbying it. I submit we'd all be better off. >And as far as "prevent the political process from being owned by the rich" >goes, there have been brief exceptions over the last 5000 years in which >the less-rich have overthrown the rich, but campaign finance laws have almost >never kept the rich or the politicians from helping each other out. In UK politicis the influence of an individual's money is limited to influencing one party. Even that is done behind closed doors. The other major parties both limit the size of individual contributions to a constituency party to a relatively nominal sum. $5000 is a huge sum in UK politics. >I also don't believe freedom of speech should be limited by national >boundaries. Nor do I. But I only vote in one country. If we take the question outside the US it would not on the whole be a good thing if the Prime Minister of Tobago (say) were provided with a campaign contribution of $1M by a foreign company with an interest in strip mining the entire island. similarly it would be a bad thing if Columbian drug lords were to make massive contributions to politicians committed to continuing the prohibition on drugs. See my above comments. Only if the PM of Tobago could steal the land from its owners could he permit the island to be strip-mined. And only if the government has the power to prohibit drug possession would the Cali cartel be interested in making campaign contributions. No power to do something, no money offered to do it. Kurt [speaking only for myself, of course] Phill From cpunk at remail.ecafe.org Mon Dec 18 19:50:59 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Tue, 19 Dec 1995 11:50:59 +0800 Subject: No Subject Message-ID: <199512182157.VAA32380@pangaea.ang.ecafe.org> Submitted for your approval... The recent CryptoLib, offered by the nice folks at AT&T (Written by Jack Lacy and Don Mitchell), has a small problem: folks without RSA licenses are given a crippled version without functional RSA code. It sucks, but they must cover their collective asses. That small problem has now been rectified. Is CryptoLib available overseas yet? ================================CUT HERE=================================== *** - Sun Dec 17 20:05:50 1995 --- rsa.c Sun Dec 17 20:05:36 1995 *************** *** 411,421 **** #endif { BigInt result; ! fprintf(stderr, "RSA encryption not supported without license.\n"); ! result = bigInit(0); return result; } - #ifdef K_AND_R _TYPE( BigInt ) RSADecrypt(message, key) --- 411,420 ---- #endif { BigInt result; ! result = bigInit(0); ! bigPow(message, key->publicExponent, key->modulus, result); return result; } #ifdef K_AND_R _TYPE( BigInt ) RSADecrypt(message, key) *************** *** 427,434 **** #endif { BigInt result; ! fprintf(stderr, "RSA decryption not supported without license.\n"); ! result = bigInit(0); return result; } --- 426,433 ---- #endif { BigInt result; ! result = bigInit(0); ! chineseRemTheorem(message, key, result); return result; } From llurch at networking.stanford.edu Mon Dec 18 19:58:27 1995 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 19 Dec 1995 11:58:27 +0800 Subject: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b In-Reply-To: <9512190026.AA15461@toad.com> Message-ID: Except for the bit about the file not being deleted after quitting Netscape (which is Bad), this is old news. This is why security-conscious sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted form rather than via simple browser authentication. Even if Netscape did delete the "password cache," anyone with physical access to your machine could still recover it from disk. I believe that Microsoft Internet Explorer and other browsers derived from Mosaic do the same thing. Netscape et al know that simple browser authentication is of limited usefulness, which is why we keep trying to commit them to DCE. -rich From dklur at dttus.com Tue Dec 19 11:59:41 1995 From: dklur at dttus.com (David Klur) Date: Tue, 19 Dec 95 11:59:41 PST Subject: E-cash coin questions (Mark Twain / Digicash) Message-ID: <9511198194.AA819410227@cc2.dttus.com> 1. How many different coins (serial numbers) can the current Mark Twain/Digicash protocol support? 2. Does Mark Twain bank maintain 2 lists: 1 of all the ecash serial numbers for all coins ever produced, and 1 of all the ecash serial numbers for all coins that have been spent before? Or just 1 list of the spent coins (assuming that any coin that is signed w/MT's private key and does not appear on the "spent" list is still valid and is not counterfeit)? 3. The Digicash scheme allows each coin to be used only once and then destroyed. How many coins will it take before all possible coins are minted, used and destroyed thereby requiring banks to issue new coins with "recycled" serial numbers? Remember, each time a "transaction" takes place, an existing coin is destroyed and a new coin is minted. and a transaction can simply be Alice giving her friend Bob a dollar (not necessarily using the ecash for a purchase) 4. What is the probability of guessing a valid serial number, assuming there are 1 million, 1 billion or 1 trillion coins in circulation? 5. Suppose you have a very large number of cash coins signed by the same bank (say, Mark Twain) and you know the record layout of each coin (easy enough since you can decrypt it with the bank's public key), and for each coin the "bank name" field is the same (because it's the same bank!) -- then, would it be possible to hack the RSA encryption and recreate the bank's private key? -----BEGIN PBP SIGNATURE----- Version: 1.0.0, Copyright 1995, Pretty Bad Privacy David Klur dklur at dttus.com I am who I am because I say so. So there. -----END PBP SIGNATURE------- From mab at research.att.com Tue Dec 19 12:02:14 1995 From: mab at research.att.com (Matt Blaze) Date: Tue, 19 Dec 95 12:02:14 PST Subject: revised time quantization package (Unix & WIN32) available Message-ID: <199512192009.PAA17051@nsa.tempo.att.com> A revised version of my simple CPU time quantization package is now available for most Unix and, thanks to the efforts of Frank O'Dwyer (Rainbow Diamond Ltd), WIN32 platforms. The package provides a simple interface to encapsulate code blocks that must run in a multiple of a coarse-grained "quantized" amount of CPU time. It is useful in building various on-line cryptographic protocols in which an attacker could otherwise learn key information by observing the time the target takes to perform calculations that use the secret (c.f., Paul Kocher's recent attacks). The basic idea is that you can specify a "quantum" such that at the end of an encapsulated block the CPU will busy-wait until the next quantum multiple. Fine-grained (below the quantum) timing information is thereby denied to the observer (including unprivileged processes on the same machine). The code is quick-and-dirty and only runs on Unix-centric and WIN32-based platforms. Test and use at your own risk. There are (basically) no restrictions on the use or distribution of the (very simple) code. Get it from: ftp://research.att.com/dist/mab/quantize.shar The quantize package is also part of Jack Lacy's cryptolib package (watch this space for details). -matt From frantz at netcom.com Tue Dec 19 12:22:25 1995 From: frantz at netcom.com (Bill Frantz) Date: Tue, 19 Dec 95 12:22:25 PST Subject: Java and timing info - second attempt Message-ID: <199512192018.MAA27098@netcom23.netcom.com> >Jim Miller (jim_miller at bilbo.suite.com) writes: >Of course it would be a lot easier for the applet to just try to read the >secret key file, encrypt it with an embedded public key, and post it to >alt.anonymous.messages. If I understand Java security correctly, the applet can just send data back to the server it was loaded from, but can't read random files on the machine it runs on (even if the user running it can read them). Java is beginning to become cluefull about the idea that a program is not the same as the person running it, and should not have the same privileges. In this area, most OSs (inluding Unix) are totally clueless, which is why the Orange Book has mandatory security requirements at the "B" and above levels. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From sinclai at ecf.toronto.edu Tue Dec 19 12:30:49 1995 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Tue, 19 Dec 95 12:30:49 PST Subject: DES modem Message-ID: <95Dec19.153022edt.1588@cannon.ecf.toronto.edu> I recently aquired a DES modem. It's a MESA432 made by Western Datacom. The writing on the front proclaims "9600 bps NBS DES ENCRYPTION MODEM". It has all of the usual front lights, plus one labled 'encrypt'. On the back it has jacks for leased-line and dial-up, an RS232 connector and an external speaker connector. Has anyone ever used one of these? Can anyone give me any information on it? I realize that without a second modem it's not much use. From bdavis at thepoint.net Mon Dec 18 20:58:49 1995 From: bdavis at thepoint.net (Brian Davis) Date: Tue, 19 Dec 1995 12:58:49 +0800 Subject: Political Cleanup program In-Reply-To: Message-ID: On Sun, 17 Dec 1995, jim bell wrote: > At 02:04 PM 12/17/95 -0800, Detweiler wrote: ........... > A giver could CLAIM to make any sort of donation at all; but if the system > were properly designed he could simply be lying to the officeholder. > > > moreover, other observers > >would not be aware of the relationship. > > Not IMMEDIATELY, perhaps, but eventually the books could be opened, perhaps > as much as years later. (Let's say, 3 months before the end of the term of > the politician. > > And the amounts donated could withheld, with only the total donated reported > every 3 months or so. (And perhaps only to 1 or 2 significant digits of > accuracy.) For example, a Senator will be told on January 1, 1996, that up > until that point he's received "about" $1.4 million dollars of donations. > He would not be able to link these donations with any particular claim. > Somebody could claim to have given him "$2000" of donation, which wouldn't > even show up to the accuracy of the amount told the politician. > I remain unsure of the crypto-relevance, but (just to play Devil's Advocate) have you guys heard of canceled checks? I get mine in my statement every month. Let's see, what could I do with one for $2,000 payable to Joe Sleazeball Politician, from whom I wanted a favor ..... EBD > Further techniques could be used to disguise the rate of giving. > > >why do you think this would be an improvement? > > Easy. It would remove much of the reason for a politician to treat one > citizen differently from another citizen. > > > >to the contrary our current system works hard to require > >the disclosure of who donated what to a candidate, so the candidate's potential > >hidden agendas and ulterior motives can be revealed. seems reasonable to > >me. > > _EVENTUAL_ public disclosure of such information is not inconsistent with > my idea. > ... From hallam at w3.org Tue Dec 19 12:58:49 1995 From: hallam at w3.org (hallam at w3.org) Date: Tue, 19 Dec 95 12:58:49 PST Subject: Antiterrorism Bill Dead In-Reply-To: <2.2b10.32.19951219163342.006753a4@panix.com> Message-ID: <9512192058.AA14733@zorch.w3.org> >Now if we could only convince the Fundies that the Klinton Admin was going >to use the Exxon amendment to outlaw religious speech on the nets on the >grounds of political indecency. But maybe the Telecoms bill will die too. >It did last time. Last I heard it was headed for a veto. Way too much pork for Republican contributors to get anywhere. Phill From tcmay at got.net Mon Dec 18 21:02:43 1995 From: tcmay at got.net (Timothy C. May) Date: Tue, 19 Dec 1995 13:02:43 +0800 Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: At 6:15 PM 12/18/95, Derek Atkins wrote: >Correction of another detail: > >> > tcmay at got.net (Timothy C. May) writes: >> > When you've done this, and concluded that RSA-129 could be done in, say, X >> > minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT >> > group), and on to the 1024- and 2048-bit keys. Tell us how many years or >> > centuries it will take. (Hint: Rivest and Schneier have done these > >RSA-129 is 129 decimal digits, not 129 bits. This computes to about >425 bits, which is actually more difficult than the 384-bit Blacknet >key. I'm not having much luck on this example, am I? The RSA-129 I remembered correctly as being 129 decimal digits, but I spaced out on the 384-bit key and mislabelled it as "RSA-384." It'll be _many_ years before a 384-decimal-digit number is factored, I suspect. Let alone a 600-digit modulus, with or without the mysterious "transphaser" technology mentioned by Anitro. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From fc at all.net Tue Dec 19 13:05:48 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Tue, 19 Dec 95 13:05:48 PST Subject: Forged email to sway congress Message-ID: <9512192101.AA13974@all.net> It seems like a trivial thing to do, but if email to Congress works to sway opinion, it should be fairly easy to create thousands of email messages from different apparent sources each hour, all supporting a point of view, and to suppliment this effort with a small telephone room full of people to fill congressional switchboards with supportive phone calls. Interesting PM attack. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From jimbell at pacifier.com Mon Dec 18 21:19:02 1995 From: jimbell at pacifier.com (jim bell) Date: Tue, 19 Dec 1995 13:19:02 +0800 Subject: Campaign Finance Reform Message-ID: At 10:41 AM 12/18/95 -0500, you wrote: >On Mon, 18 Dec 1995, Jon Lasser wrote: > >> On Sun, 17 Dec 1995, jim bell wrote: >... >> > It is absolutely true that you couldn't stop a person from communicating >> > claims of a donation to a politician. But what you COULD do is to ensure >> > that the donor couldn't PROVE that he made such a donation. In other words, >> > _I_ could claim that I gave $1K to Senator Sludgepump (a lie) and the good >> > senator would have no idea that I wasn't telling the truth. The people who >> > REALLY made such donations would be helpless. >> >> A tricky way around this, if it's done ALMOST properly, is to donate in >> odd amounts... ie "Senator Sludgepump, I am going to donate $469.23 to >> your campaign..." >> >> All this means is that the donations would have to be lumped in some way >> so that Senator Sludgepump can't find out the exact amounts donated by >> any individual. > >Cancelled checks. > >Or, hand check in addressed, stamped envelope to Senator Sludgepump and >ask him if he would mind sealing it and dropping it in a mailbox. > All of which raises numerous opportunities for sting operations against politicians, done by individuals by procedures provided for under law. Escrow (Okay, I know that's a dirty word around here, but...) an encrypted statement of how you intend to run the sting, to be opened by the escrow agent at some point in the future, explaining who you're going after and how. Make the contribution, keep evidence, and if you're successfull the congressman goes to jail for a few years. From vvallopp at eniac.seas.upenn.edu Tue Dec 19 13:19:07 1995 From: vvallopp at eniac.seas.upenn.edu (Vinod Valloppillil) Date: Tue, 19 Dec 95 13:19:07 PST Subject: cyphernomicon FTP site? Message-ID: <199512192118.QAA02590@red.seas.upenn.edu> Anyone know where I can FTP a full copy of the cyphernomicon? ------------------------------+----------------------------------------------- Vinod Valloppillil | LibertarianismTelecommunicationsFreeMarketEnvi Engineering/Wharton | ronmentalismTechnologyCryptographyElectronicCa University of Pennsylvania | shInteractiveTelevisionEconomicsPhilosophyDigi vvallopp at eniac.seas.upenn.edu | talPrivacyAnarchoCapitalismRuggedIndividualism ------------------------------+----------------------------------------------- From EALLENSMITH at ocelot.Rutgers.EDU Mon Dec 18 21:20:21 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 19 Dec 1995 13:20:21 +0800 Subject: Political Cleanup program Message-ID: <01HYYIT21PW88Y51HJ@mbcl.rutgers.edu> From: "Vladimir Z. Nuri" >there seem to be a lot of people who suggest that merely because politics involves money, it is therefore corrupt. this is an awfully vague and nebulous line of thinking in my view. are we to suppose that any industry that involves money (all of them, of course) inevitably moves in the direction of corruption? perhaps some more "cynicalpunks" may have this view, but I don't share it. --------------------------------- I am admittedly uncertain whether to reply to this, but... one thing about capitalism is that money serves as a reward. Attempts to remove this (such as in the Soviet Union) have resulted in people no longer being motivated by things like bonuses. In other words, if we can remove the government from having influence on the markets, then politics by money is not really a problem. It's just another motivation for people to get more money. -Allen From adam at lighthouse.homeport.org Mon Dec 18 21:41:40 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 19 Dec 1995 13:41:40 +0800 Subject: PGP's randpool() Message-ID: <199512190326.WAA20676@homeport.org> What does PGP do when it exhausts randpool? I've scanned the source, and found some useful tidbits, but RANDPOOLBITS seems limited to ~408 bytes. I can invoke commands that should exhaust PGP's randpool, but don't seem to. Doing "pgp +makerandom=4000000 foo" repeatedly seemingly would cause PGP to prompt me to type in some random stuff, but it doesn't. I'm trying to see how pgp reacts to me taking all its random bytes because I'm writing some shell scripts that use pgp to generate random passphrases. (This is a case where I don't think bunches of system data are enough.) (Note to reporters who might be listening: This is an fairly unusual invocation of PGP where a user would not interact with the program at all to supply new randomness. Its not an attack on PGP's security in any interesting or newsworthy sense.) random.c: * - Every time you run PGP, especially when responding to one of PGP's * prompts, PGP samples the keystrokes for use as random numbers. * It is a shame to throw this entropy (randomness) away just because * there is no need for it in the current invocation of PGP [... Further down...] /* * Performs an accumulation of random bits. As long as there are fewer bits * in the buffer than are needed (the number passed, plus pending bits), * prompt for more. [heavily cut] void trueRandAccum(unsigned count) /* Get this many random bits ready */ { LANG("\nWe need to generate %u random bits. This is done by measuring the\ \ntime intervals between your keystrokes. Please enter some random text\ \non your keyboard until you hear the beep:\n"), count-trueRandBits); -- "It is seldom that liberty of any kind is lost all at once." -Hume From cpunk at remail.ecafe.org Tue Dec 19 14:30:34 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Tue, 19 Dec 95 14:30:34 PST Subject: revised time quantization package (Unix & WIN32) available Message-ID: <199512192232.WAA18554@pangaea.ang.ecafe.org> AT&T Spokesman Matt Blaze writes: blah blah >There are (basically) no restrictions on the use or distribution >of the (very simple) code. This is simply untrue. Read the fine print in the file. Use this code and you owe them big. They'll "reach out and touch" you big time. If they were serious, they'd gpl it. >Get it from: > ftp://research.att.com/dist/mab/quantize.shar > >The quantize package is also part of Jack Lacy's cryptolib package >(watch this space for details). I don't understand why this group continues to tolerate these blatently commercial messages from att (and netscape.) (The message is really just an ad for the cryptolib product, as it says). I've also said this b4 but I'll say it again: why would anyone in their right mind trust binary code from att after the clipper fiasco. And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves cypherpunks, when they are so clearly just working us for their corporate interests? I wonder how much they get paid to monitor this list? From a-kurtb at microsoft.com Tue Dec 19 14:40:11 1995 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Tue, 19 Dec 95 14:40:11 PST Subject: Political Cleanup program Message-ID: Ya won't have complete equity amongst lobbyists, until ya remove the power of bureaucrats to control people's lives. When laws can be used to deprive people of their livelihood, via either taxation or regulation, you will create situations where people can make money from it, and therefore unscrupulous people will take advantage. The only defensible argument for government at all is to protect people from depredation, either from fellow citizens or from external threats. When you prevent people from engaging in peaceful commerce, you open the floodgates to tyranny. Thus, the solution is less government, not to try to legislate human nature. Kurt [speaking for myself, of course] ---------- From: Richard Huddleston[SMTP:reh at wam.umd.edu] Sent: Monday, December 18, 1995 6:12 To: jimbell at pacifier.com; vznuri at netcom.com Cc: cypherpunks at toad.com Subject: Re: Political Cleanup program Detweiler wrote: * >JB: * >>Politics is traditionally corrupt, it appears, because donors to politicians * >>and political campaigns expect a quid pro quo for their donations. Various * >>unsatisfactory solutions include campaign spending limits, etc. * > * >I have an unusual view that I've never seen elsewhere: the problem with * >our government is not that money or PACs are involved, but that the system * >does not handle or resolve the conflicts between them very well. in other * >words, in contrary to the current view that all PACs are evil, I think the * >problem is not that we have PACs, but that our current system does not * >balance their demands in some sensible manner. the system is * >susceptible to corruption. it is conceivable however that there would be * >a system that involves money and politics but still avoids corruption. Not to sound like a dupe or anything, but every time I get discouraged at the rampant mealyism of our political system I go read the first couple of paragraphs of a text from GOVT 101. There, I get reminded that the way most political debate is handled elsewhere is with bullets. Personally, I welcome a complete equity between all lobbyists seeking to obtain a politico's ear. Take the money out of the equation, and let the merits of their causes, if any, stand on their own. Happy holidays, Richard From Bill.Humphries at msn.fullfeed.com Tue Dec 19 15:14:37 1995 From: Bill.Humphries at msn.fullfeed.com (Bill Humphries) Date: Tue, 19 Dec 95 15:14:37 PST Subject: Applescripts for monitoring Netscape Activity Message-ID: The recent Netscape beta bug mentioned here raised a technical question? Anyone here have a pointer to an applescript, frontier or macperl script for monitoring what programs do to your system folder and desktop? Otherwise, I'd better write one. It'd be a good way to learn more about the behavior of apps. Thanks and happy holidays, Bill Humphries Call your Representative and Senators and demand an end to attempts to censor the Internet. More info at http://www.vtw.org/ *** The answer to porn speech is free speech -- via Molly Ivins *** From jsw at netscape.com Mon Dec 18 23:39:38 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 19 Dec 1995 15:39:38 +0800 Subject: Java and timing info - second attempt In-Reply-To: <9512190402.AA12992@bilbo.suite.com> Message-ID: <30D65C32.4500@netscape.com> Jim Miller wrote: > Would it be possible to create a Java applet that causes the client > machine to sign or encrypt something with their private key, and then send > back timing info? > > For the answer to be YES a few things need to be true. There needs to be > some sort of standard crypto API in use that can be accessed by a Java > script, and Java scripts need to be able to capture and send back timing > info. Does anyone on this list know enough about Java to know if it can > do any of these things? In Netscape Navigator 2.0 Java and JavaScript do not have access to crypto routines. At some point in the future this will probably change, but only after we understand the implications much better than we do today. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From hallam at w3.org Tue Dec 19 15:48:35 1995 From: hallam at w3.org (hallam at w3.org) Date: Tue, 19 Dec 95 15:48:35 PST Subject: Forged email to sway congress In-Reply-To: <9512192101.AA13974@all.net> Message-ID: <9512192345.AA15356@zorch.w3.org> It already happens with other media. The Christian Coalition have an army of letter writters at their call. They simply write a very large number of letters and post them. It is not difficult if you can afford it. Political staffers know all about this type of thing and can recognise spam. It would be usefull to have some mechanism for producing a one time use ID on the Web however. This would be configured such that each party can vote once but once only. There is stuff in the open meeting system that does this using an email callback loop (later used by First Virtual). Phill From perry at piermont.com Tue Dec 19 15:50:10 1995 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 19 Dec 95 15:50:10 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192232.WAA18554@pangaea.ang.ecafe.org> Message-ID: <199512192349.SAA25296@jekyll.piermont.com> ECafe Anonymous Remailer writes: [Lots of garbage slandering Matt Blaze, who's about as close to being a dyed-in-the-DNA cypherpunk as you can get.] What I want to know is, why are you doing this? Are you trying to start a flame war? Are you just an asshole? Are you Detweiler? Whats the motive? .pm From a-kurtb at microsoft.com Tue Dec 19 16:00:09 1995 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Tue, 19 Dec 95 16:00:09 PST Subject: Political Cleanup program [NOISE] Message-ID: Let's try this again, shall we? My mailer didn't act the way I wanted it to... ___________________________________ >I happen to believe in freedom of speech, especially political speech, >and if you're not allowed to spend money broadcasting your speech or >printing your messages, you don't have much freedom of press or speech. It is very strange the way that "Libertarians" are so able to turn all rights into property rights. Thus freedom of speech become freedom to have influence on the politicial process in direct proportion to wealth. _____________________________________ Not so strange really. All rights, correctly understood, *are* property rights. What most don't understand is that rights are protections from the initiation of force by others. What this means is that you (anyone) don't have the right to the property of others. You have the right to offer mutually satisfactory exchanges, or even solicit outright gifts, but what is yours is yours, and it shouldn't be subject to extortion or theft by others. This includes your time, cash, and any other tangible assets you may own. _______________________________________________ I began work on the web in '92 because I saw its potential as a political tool which did not have the bias of wealth. It has the potential to create a new kind of political dialogue. When the Web becomes as ubiquitous as the telephone we will still see inequalities of power, the homeless and the poor will still be underrepresented. But that situation must be judged against our own where the political process can be bought and traded as if it were any other form of comodity. ________________________________________ The problem with the political process now is that the government and its beneficiaries (which includes both the large corporation and the welfare class) have over time arrogated to themselves the power to steal (via taxes and regulation) our lives and our livelihood from us. The poor and the rich will always be with us, but they shouldn't be special clients of the state at the expense of everyone else. _____________________________________ It is not simply an issue of money, it is an issue of national security. If a foreigner were to control the majority of the media there would be a significant threat to the national interest. This threat has been realised in the UK with the comming to power of Rupert Murdoch. Fortunately his influence on the US political scene has thus far been minor. In his own country he has brought down the government more than once. _____________________________________________ The only reason foreign money might be a threat to us is again that the government arrogated to itself the power to regulate our lives. The reason and interest for lobbying the government, whether through the press or through other, more direct, efforts is that the government *can do something* about whatever happens to be at issue. Take away the ability of the government to act, and there won't be any money spent lobbying it. I submit we'd all be better off. ________________________________________________ >And as far as "prevent the political process from being owned by the rich" >goes, there have been brief exceptions over the last 5000 years in which >the less-rich have overthrown the rich, but campaign finance laws have almost >never kept the rich or the politicians from helping each other out. In UK politicis the influence of an individual's money is limited to influencing one party. Even that is done behind closed doors. The other major parties both limit the size of individual contributions to a constituency party to a relatively nominal sum. $5000 is a huge sum in UK politics. >I also don't believe freedom of speech should be limited by national >boundaries. Nor do I. But I only vote in one country. If we take the question outside the US it would not on the whole be a good thing if the Prime Minister of Tobago (say) were provided with a campaign contribution of $1M by a foreign company with an interest in strip mining the entire island. similarly it would be a bad thing if Columbian drug lords were to make massive contributions to politicians committed to continuing the prohibition on drugs. _______________________________________ See my above comments. Only if the PM of Tobago could steal the land from its owners could he permit the island to be strip-mined. And only if the government has the power to prohibit drug possession would the Cali cartel be interested in making campaign contributions. No power to do something, no money offered to do it. ____________________ Phill Kurt [Speaking only for myself, of course] From mab at crypto.com Tue Dec 19 16:03:46 1995 From: mab at crypto.com (Matt Blaze) Date: Tue, 19 Dec 95 16:03:46 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192232.WAA18554@pangaea.ang.ecafe.org> Message-ID: <199512200009.TAA17192@crypto.com> I don't normally like to respond to anonymous kooks, but... cpunk at remail.ecafe.org (ECafe Anonymous Remailer) writes: > AT&T Spokesman Matt Blaze writes: > blah blah > >There are (basically) no restrictions on the use or distribution > >of the (very simple) code. > > This is simply untrue. Read the fine print in the file. Use this code > and you owe them big. They'll "reach out and touch" you big time. > If they were serious, they'd gpl it. > Since I don't understand what you're talking about, I can't really respond to it. The only restrictions on the use of this code are that you have to acknowledge where it came from and that it comes with no waranty. You also have to keep the notice in place on any copies you give to anyone else. Just like the GPL, only without the nutty requirement that you also give away your own source code. > >Get it from: > > ftp://research.att.com/dist/mab/quantize.shar > > > >The quantize package is also part of Jack Lacy's cryptolib package > >(watch this space for details). > > I don't understand why this group continues to tolerate these blatently > commercial messages from att (and netscape.) (The message is > really just an ad for the cryptolib product, as it says). I've also said > this b4 but I'll say it again: why would anyone in their right mind trust > binary code from att after the clipper fiasco. I think you're confused. AT&T Bell Labs Research (which is soon to be split into two parts, Bell Labs and AT&T Labs, owned by two different companies starting next year) is a research laboratory. A lot of very good cryptology and security people work here. While AT&T (the parent company) is in the products and services business, AT&T Bell Labs doesn't sell any products or services itself. Like most of the computer science researchers in Bell labs (and like those in universities and elsewhere), I publish the results of most the work that I do (modulo some consulting I do for the moneymaking part of the company in order to "pay the rent"). I (like many other researchers) also sometimes create software in the course of my work. When this might be of use to others, I prefer to give it away rather than let it sit idle on my disk. The quantization code (like CFS, swIPe and others) is an example. CryptoLib is another example; it was created by my colleague Jack Lacy. We give that away, too. Bell Labs doesn't advertise anything. We don't have retail customers. Our research software is unconnected with AT&T's commercial activities. We make it available because that's what members of the research community do. Its distribution is neither purely altruistic nor especially mercenary. If you really like our research software, I guess you can switch your long distance service to AT&T or buy an AT&T answering machine or something. But that part of the company is very remote from my food chain. I'm from the part of the company that _spends_ money. Other parts _make_ the money. > And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves > cypherpunks, when they are so clearly just working us for their > corporate interests? Again, I think you're confused. Jeff Weinstein works for Netscape, not AT&T. I think there's a connection between AT&T and Netscape somewhere (like we bundle netscape with worldnet service), but I don't really know the details. > I wonder how much they get paid to monitor this list? I can't speak for Jeff Weinstein, but in my case, not nearly enough. -matt "I'm from The Phone Company and I'm here to help you." From anon-remailer at utopia.hacktic.nl Tue Dec 19 16:07:44 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Tue, 19 Dec 95 16:07:44 PST Subject: No Subject Message-ID: <199512200007.BAA29596@utopia.hacktic.nl> >I would think that ISPs (and even commercial online services) would >prefer that their customers use strong crypto because it's less for >them to worry about ("Are they really sending pornography or death >threats though our network?"). While most ISP's may not want to be responsible for monitoring transmissions, check out a portion of an agreement from mine. (I haven't and won't sign such an agreement, may therefore be terminated at month's end.) "4.1 PCIX may elect to electronically monitor any and all traffic which passes over our Wide Area Network. This monitoring may include public as well as private communications and data transfers from our Members and to our Members as well as any and all communications and data transfers to and from any other internet sites. .... The monitoring and disclosure activities of PCIX may negate the privacy protections which the Member would otherwise enjoy under federal and state law, including the Electronic Privacy Communications Act. Member specifically agrees that PCIX may do so and Member understands that he or she is giving up privacy rights which he or she would otherwise be entitled to under the law." Hope this isn't the start of a trend! groundfog at nym.gondolin.org From jimbell at pacifier.com Tue Dec 19 00:12:02 1995 From: jimbell at pacifier.com (jim bell) Date: Tue, 19 Dec 1995 16:12:02 +0800 Subject: Political Cleanup program Message-ID: At 03:09 PM 12/17/95 -0500, you wrote: >A much simpler solution might be to just force all politicians to give up >their campaign funds when they retire, or even better, immediately >following the elections. Today, whatever is left in their campaign funds >are given over to them when they retire or are forced out of office, on top >of their lucrative pensions. > For Congress, I think this changed a few years ago. Before a certain date, retiring Congressmen could convert unused campaign funds to their own money. At some point they changed the rules, and that is no longer the case. From jirib at sweeney.cs.monash.edu.au Tue Dec 19 16:27:58 1995 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Tue, 19 Dec 95 16:27:58 PST Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: Message-ID: <199512200022.LAA28002@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello, tcmay wrote: ... > Prime Factoring? Primes are easy to factor, of course. (Hint: Every prime > has two factors.) ... Can someone enlighten me as to what the two factors are? With sensible definitions I've heard you either get one (just itself) or four (itself [p], both units [1,-1] and the co-whatsitsname [-p]). (Sorry to pick on tcmay, but usually when you factorise a number you *never* put it a "1*", for example: 6 = 2*3 9 = 3*3*3 and 7 = 7 not 7 = 1*7 , so I suspect the usual statement would be "Every prime has one factor.".) Or am I totally clueless? Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMNdXQyxV6mvvBgf5AQEaNwP/RB9ABUWWX20hChSFC5embOLwv7dhI4qU rJkz/VmOM8y746be87nAIKCih3hJCz7G4OqsqiVdtvhx2FqldqSuw6Jmp3Mx41ut l+OdwwHYH0K7OH1SIRr9nfpZ4IuZ3dsXVTTPl1H8Z3ktv5B4hFziLiIt3WPZTqVu k4nXVsirfuo= =X1zb -----END PGP SIGNATURE----- From futplex at pseudonym.com Tue Dec 19 00:43:51 1995 From: futplex at pseudonym.com (Futplex) Date: Tue, 19 Dec 1995 16:43:51 +0800 Subject: Java and timing info - second attempt In-Reply-To: <9512190402.AA12992@bilbo.suite.com> Message-ID: <199512190712.CAA21135@thor.cs.umass.edu> Jim Miller writes: > Combine this with some a standard crypto API for doing Web-based digital > signatures or authentication or encryption and you may begin to see some > possibilities. > > Would it be possible to create a Java applet that causes the client > machine to sign or encrypt something with their private key, and then send > back timing info? > > For the answer to be YES a few things need to be true. There needs to be > some sort of standard crypto API in use that can be accessed by a Java > script, and Java scripts need to be able to capture and send back timing > info. Does anyone on this list know enough about Java to know if it can > do any of these things? [I've read a bit more about Java since you last asked the question, coincidentally, but I don't know a huge amount about it yet.] I think this scenario is certainly possible, from a technical point of view. Crypto APIs in general should force the user to be aware of how she is using her key material. Ultimately you can't save people from themselves. (One of my favorite non sequiturs. ;) User education helps. But just as users are tricked by various social engineering methods into divulging their account passphrases, so they can be duped into encrypting or signing for a stranger's timing pleasure. However, one would certainly hope that the crypto Java interfaces that get written are designed to mask timing information in the wake of Kocher. In fact, this is precisely the sort of thing "we" should consider promulgating.... -Futplex From mab at crypto.com Tue Dec 19 16:45:46 1995 From: mab at crypto.com (Matt Blaze) Date: Tue, 19 Dec 95 16:45:46 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192349.SAA25296@jekyll.piermont.com> Message-ID: <199512200051.TAA17476@crypto.com> Perry wonders: > What I want to know is, why are you doing this? Are you trying to > start a flame war? Are you just an asshole? Are you Detweiler? Whats > the motive? I must admit I don't quite get it, although I think there are people who really can't distinguish between a person and a person's employer, and who believe that the entire world is a black-and-white battle between good and evil. Jeff Weinstein got treated rudely back during the feeding frenzy where everyone hated Netscape because he works for Netscape. Brian Davis got treated rudely when he first joined the list because he works for the government as a federal (?) prosecutor. I get treated rudely from time to time because I work for AT&T. It doesn't bother me, especially when it comes from an anonymous source who for all we know might earn his or her keep by advertising the joys of smoking cigarettes to small children or by testing the toxic effects of new cosmetics on cute, furry animals. I figure it all just comes with the turf. At least I don't get blood thrown on my by protestors the way people who work in animal testing labs do... -matt From weidai at eskimo.com Tue Dec 19 00:56:28 1995 From: weidai at eskimo.com (Wei Dai) Date: Tue, 19 Dec 1995 16:56:28 +0800 Subject: wish list for Crypto++? Message-ID: I am looking for suggestions for features to include in the next version of Crypto++ (current version is 1.1, you can find it at http://www.eskimo.com/~weidai/cryptlib.html). Major additions already planned/implemented include speed improvements, Safer (all the variations), and elliptic curve cryptosystems (over prime fields as well as fields of characteristic 2). There is also a good chance that RSA will be added back, but I'm still waiting for the final word from the RSADSI lawyer. What else do people want to see? Wei Dai From rah at shipwright.com Tue Dec 19 17:08:15 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 19 Dec 95 17:08:15 PST Subject: King Kong Does e$ Message-ID: -----BEGIN PGP SIGNED MESSAGE----- King Kong Does e$ A while back, when the Microsoft Network hype was at its height, I forwarded a bunch of articles to www-buyinfo entitled "Oh, No, there goes Tokyo", about how Godzilla, in the form of Microsoft's Microsoft Network, was going to stomp all over Tokyo, in the form of the net. This was before I found out that Netscape's codeword for their Navigator HTML Browser was "Mozilla". So, along comes the following on the DCSB list, courtesy of the esteemed Mr. Lethin: Wednesday, December 13, 1995 Refreshments 4:15 PM 4:30 - 6:00 PM Bartos Theater, E15-070 MIT Media Lab Ames Street, Cambridge, MA, USA Electronic Money Made Easy Dan Simon (dansimon at microsoft.com) Mac in hand, I went to a presentation at the Media Lab's basement auditorium, and proceed to transcribe his copious overheads, sans graphics, as fast as my fingers could fly... Which I present here in it's raw form, with a few corrections, his cryptic (ahem...) source citations, viz: (cf., MN 93), and the ocassional note I could cram in when he stopped flipping charts... Oh, no, there goes Zurich... - -------------------- Dan Simon Microsoft, now, Quantum Computing/crypto in Canada before... Characteristics of cash Portable Anonymous Confidential Easily and instantly transferrable Owned by those posessing it Hard to counterfiet Has multiple interchangeable forms. What isn't cash: e-credit Non-anonymous Severely limited confidentiality Complicated payment protocols two parties and both their respective banks involved Ownership determined by record-keeping credit/debit authority What isn't e-cash: offline e-cash One desirable feature of cash: transfer without an intermediary Problem: doublespending: restore prespending state, respend the same cash Tracing re-spent cash useless if it was stolen (cf. (cfnII 0091, Yac94, etc) Tamperproof hardware isn't (cf EGY83) Can broadcast small amounts over the net at a huge payoff. Result cash as secure cellphone codes (better not be worth much...) Offline Electronic "bills" don't work. Too big for offline Offline Electronic coins do work. Easy to counterfiet, not much profit. (He is interested in electronic banknotes, on-line bearer securities, in other words) What can we assume: Customers, merchants, banks may wish to transact via many different possible media: telephone, Internet, cable network, smartcard/terminal, etc. etc. If a customer wants a transaction to be anonymous, then an anonymous medium must be used (no callerid on the telephone, anonymous remailer, etc) A Modest Proposal On-line cash issued by banks owned by a possessor, Cryptographically hard to counterfiet Cash ownership transferred with bank's help aAnonymity of payer, payee based on anonymity of communication medium No individual account or prior trust relationship necessary to use a bank's cash (cf., MN 93) Formal Security E-cash schemes generally described as a set of individual protocols (payer-payee, payer-bank, etc.( with intuitively described goals) But formal proof of security really requires a model of a full network, to consider general attacks, and explicit, formal security goals Previous examples: (BEA91/MR/91) for computation (RS93) for anonymity, (BR93) for authentication What does it look like A bank issued banknote has a serial number,amount, and treasuer's signature It also has an associated "secret" which can be checked against the serial number, but can't be gotten from the serial number Its owner is whoever has the secret... ...but when the issuing bank gets the secret, the banknote is no longer valid. Publish the bank notes as broken, banknotes no longer valid. (spiffy graphic elided) Customer chooses secret s, serial number n, n=h(s) and amount. Customer pays bank (by any method) the amount of the desired banknote bank signs serial number and amount Transaction may be anonymous (physical cash purchase at bank) pick serial number, bank uses private signature to sign the serial number. (May's train-locker applies) How is change made: Customer generates secrets, serial numbers and amounts for smaller banknotes Customer gives bank the secret for the large banknote, and serial numbers and amounts for smaller ones Bank signs serial numbers and amounts, stores the secret for large now-invalid banknote Transaction can be completely anonymous. How is it used for payment Payer simply gives bank note to payee by handing over the secret payee immediately exchanges the banknote for new ones anonymously, if desired Old banknote is now invalid, since bank has its secret; hence payer can't respend it If the bank note is already invalid, bank rejcts exchange and informs payee. "In effect, these are disposable banknotes" "the simple way to get around exploding banknote numbers, issue it with an expiry date." Estimated outstanding certificates numbers would then be within the storage capacity of a bank. (per a crony in the Bank of Japan) Public key from the bank is needed to keep the bank honest. "miracle of one-way function" (shuts down clueless question...) Model Synchronous network of parties, some dishonest, one of them is the bank Parties can exchange messages anonymously Responder can always broadcast Parties and bank keep track of balances each round, a party receives instruction to deposit/withwdraw/ a unit value coin to/from the bank or pay a coin to another party (missed one point..) Security goals Correctness: if all parties are honest, then instructions result in correct new balances Integrity: parties cannot be ripped off Honest bank never accepts more coins than have been withdrawn Party can detect dishonest bank Anonymity: information available to any coalition should be indistinquishable for any sequence of instructions consistent with the starting and ending points of distinguised coins entering/leaving coalition Weak anonymity, contends that that's what we have with serial numbered physical notes anyway Can make stronger with subsequent anonymous change operations at a bank... (can also buy with cash at a desk, also on the net with another form of digital cash ;-) Efficiency: cost of security should grow slowly (polylog at worst) with size of network. Convenience Features Only payer, payee, issuing bank involved in transaction Each validation and transfer immediate Portable Easy to handle Expiry dates can be added. If anonymous withdrawl, then can get lost money back on expiry date, if coins weren't cashed. Security Digital signature makes cash unforgeable Online validation prevents double spending Secrecy of secret preserved even if serial number publically available Bank's *only* secret is its private signature key Digital signature publicly commits bank to redeeming its e-cash; hence customers need not have special trust relationship with bank. Audience Q: Borenstein's scenario. A: bad problem. someone can split bank private keys, for instance (No problem, strawman, what happens when someone breaks Ft. Knox?... --RAH ;-) Extra features Payee can have the e-cash non-anonymously deposited in bank account for easier handling and better security (bank as back up) Payer can include transaction details with payment package or hide them in the secret (to create transaction record to be archived by, for example, by the bank) helpful in dispute. "Secure payments" and E-cash "Don't send cash in the mail" even if it gets there, receiver need not admit it One solution: secure payment protocols (Microsoft/Visa STT) Non-anonymous: transaction details attached to payment mediated by payer's credit card issuer Payee can delay response and batch process transactions "Secure Payments" Protocol's basic idea: payer sends encrypted package to payee giving credit card number and transaction details, "payment instructions". Only acquirer can read it Valid credit card number plus payer's digital signature assure acquirer that payment is legitimate (missed one point) Secure ecash payments Payer substitutes ecash secrets for credit card number in payment instruction package payment desiring ecash settlement. Includes ecash serial numbers amounts when sending package to acquirer E-cash issuing bank bank checks validity of ecash payment and exchanges it for merchant as apprpriate by signing serial numbers, amounts Instant payment, no bad debt Questions Where is the communications cost/ security tradeoff? Solutions to dine and dash problem with dishonest bank (anonymity must broken to nark on the bank) (cf Cle85)? Efficient offline anonymous micropayments solutions? Implimentation pitfalls? - ------------------- So, there are my notes, such as they are... I walked away from this thinking that on-line cash covers a multitude of sins: You can stick any "secret" into digital cash as long as it's unique and you trust the bank to keep it. If bank signs the secret they've shared with you and reveal it before some expiry date, they can be put out of business, because they've blown their reputation. If they claim that you've not shared a secret, you expose the secret and their signature, same happens. If you put an expiry date on Simon's digital cash, you don't have to keep track of it all. If you have an expiry date on Simon's cash, if you loose it, you can tell the bank, and if it's not cashed by the expiry date they can give you your money back. There's a distinction between on-line "banknotes", which are valuable enough to forge, and off-line "coins", which are not. Simon has a system which has just enough anonymity to be economically useful, but not perfect enough to keep the truly paranoid happy. Must be something in the water in Redmond. Essentially, the bank becomes a quasi-anonymous "line" in what's normally a peer-to-peer transaction. Takes getting used to. He's got a web page with all of this in gory detail, I bet, and his e-mail address is at the top of this post. Speaking of micropayments, Mark Manasse, Ron Rivest, Adi Shamir, and Silvio Micali did another talk on Friday which touched on several cool micropayment schemes, and a much more cost-effective way to do key revocation. Though I got there exactly 6 minutes late, I missed one presentation, and didn't take any notes for the rest. Hope someone else here did. I saw lots of DCSB/Cypherpunks there... Any takers? Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNdbfvgyLN8bw6ZVAQH7qwP9GKSx7BegCr5lAOmG6lBo4OYgCPUO9j8N bqf89b46rTkYrTkSB2DDX7BG/wu4nv/pnf7rA7UBHJjydZuiAVG9KplzevUWFoaI xVeW8AoVPgKvkZsELK4VrrOayAXNxX9FBX7vGwsedl1SjQgyA3Qo62799GOIDrpQ xuXYtTtaTfw= =LQk+ -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From rsalz at osf.org Tue Dec 19 17:28:54 1995 From: rsalz at osf.org (Rich Salz) Date: Tue, 19 Dec 95 17:28:54 PST Subject: King Kong Does e$ Message-ID: <9512200125.AA06259@sulphur.osf.org> >Speaking of micropayments, Mark Manasse, Ron Rivest, Adi Shamir, and >Silvio Micali did another talk on Friday which touched on several cool >micropayment schemes, and a much more cost-effective way to do key >revocation. Though I got there exactly 6 minutes late, I missed one >presentation, and didn't take any notes for the rest. Hope someone else >here did. I saw lots of DCSB/Cypherpunks there... Any takers? A reference for Mark's paper on Millicent is The Millicent Protocol for Inexpensive Electronic Commerce Of all the various payment protocols I've seen, this was one of the few that studied the available protocol bandwidth before designing a protocol. Folks with an engineering slant should appreciate the work here. I would be VERY interested in URL's and summaries of Micali's talk. (I really wanted to go but after spending most of the week at the WWW4 conference I had to commit serious time to being anchored to the office.) /r$ From hfinney at shell.portal.com Tue Dec 19 17:30:30 1995 From: hfinney at shell.portal.com (Hal) Date: Tue, 19 Dec 95 17:30:30 PST Subject: E-cash coin questions (Mark Twain / Digicash) Message-ID: <199512200128.RAA09801@jobe.shell.portal.com> From: "David Klur" > > 1. How many different coins (serial numbers) can the current Mark > Twain/Digicash protocol support? I don't know this offhand, but I assume it is at least 2^64. > 2. Does Mark Twain bank maintain 2 lists: 1 of all the ecash serial > numbers for all coins ever produced, and 1 of all the ecash serial > numbers for all coins that have been spent before? Or just 1 list of > the spent coins (assuming that any coin that is signed w/MT's private > key and does not appear on the "spent" list is still valid and is not > counterfeit)? It is not possible for the bank to have a list of the serial numbers on coins produced, since it doesn't know this information. Each coin is created by a user's client software, which chooses the serial number at random. When it is sent to the bank to be signed, the serial number is blinded by being multiplied by a random number, which is divided off after the client gets it back from the bank. So the bank never sees a coin's serial number until it is deposited. > 3. The Digicash scheme allows each coin to be used only once and then > destroyed. How many coins will it take before all possible coins are > minted, used and destroyed thereby requiring banks to issue new coins > with "recycled" serial numbers? Remember, each time a "transaction" > takes place, an existing coin is destroyed and a new coin is minted. > and a transaction can simply be Alice giving her friend Bob a dollar > (not necessarily using the ecash for a purchase) It is easy to make this number so large that it will take longer than the age of the universe for this to happen. It just takes a dozen or so bytes per coin. > 4. What is the probability of guessing a valid serial number, > assuming there are 1 million, 1 billion or 1 trillion coins in > circulation? Assuming the serial numbers are of the sizes I suggest above, this chance is so close to zero that your chances of being named King of the Earth next year (along with the assumption that we switch to a World Government and it is a monarchy) are much greater. > 5. Suppose you have a very large number of ecash coins signed by the > same bank (say, Mark Twain) and you know the record layout of each > coin (easy enough since you can decrypt it with the bank's public > key), and for each coin the "bank name" field is the same (because > it's the same bank!) -- then, would it be possible to hack the RSA > encryption and recreate the bank's private key? I don't fully understand what you are getting at, but there are several false assumptions here. The "coin" has several parts, one of which is an RSA signed portion with a number in it, for which I am accepting your terminology of it being a "serial number". This terminology is not quite right, as the coins are not numbered serially (that is, sequentially, 1, 2, 3, etc.), rather the numbers are random. But it does capture the essential idea that each coin's number is unique. You do know the record layout of each coin, but that is because it is documented and because your client creates coins, not because you could decrypt it with the bank's public key. The coin does not have the bank name field within the RSA signed part. There is other information which goes along with the coin, including an identifier for the bank, outside the RSA signed portion. For the general question of whether inspection of a lot of RSA-signed coins would allow you to deduce the private key, the answer is no, as far as is known. Actually the attack you can mount is stronger than this; you can get the bank to RSA sign any number. You could ask it to sign "1", for example, and you will get "1" back (so that's not very useful). I have tried to think of a way of getting some useful information from getting it to sign "2", since that is such a simple number. But it is raised to a very large power, and as far as I can see what you will get back is just a random looking number, with all hints about the exponent gone. Again, as far as anyone knows, there is no way to break RSA using these kinds of attacks, at least not any more cheaply than factoring the modulus. Hal From samman-ben at CS.YALE.EDU Tue Dec 19 17:44:21 1995 From: samman-ben at CS.YALE.EDU (Rev. Ben) Date: Tue, 19 Dec 95 17:44:21 PST Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: <199512200022.LAA28002@sweeney.cs.monash.edu.au> Message-ID: On Wed, 20 Dec 1995, Jiri Baum wrote: ... > Can someone enlighten me as to what the two factors are? ... In this country, children are taught that prime numbers indeed have two factors: 1 and themselves. I suspect its a cultural difference. Ben. ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at powered.cs.yale.edu for key Want to give a soon-to-be college grad a job? Mail me for a resume From ncognito at gate.net Tue Dec 19 01:46:14 1995 From: ncognito at gate.net (Ben Holiday) Date: Tue, 19 Dec 1995 17:46:14 +0800 Subject: redirect of newsgroups In-Reply-To: <199512190221.VAA20286@homeport.org> Message-ID: > > | For those of us sitting behind a firewall that blocks out all of the > | alt, rec, etc.. newsgroups...is there another way to access these > | groups? For example, redirecting the contents of alt.2600 to, say, > | comp.2600 (because this firewall allows the comp.xxx groups through). > | Or any other hacks around this inconvenience? ( im gonna work this back onto topic.. just watch. :) ) There is a rather lengthy FAQ that explains about a zillion different ways to get your paws on whichever newsgroups you desire. Its called "How to Receive Banned News Groups FAQ" and you can find it at: http://www.cen.uiuc.edu/~jg11772/banned-groups-faq.html (here it comes..) In addition to covering topics relating to finding what you want in the way of usenet news, it also has a pretty well thought out anti-censorship rant towards the end, and gives pointers to some open NNTP servers, and freenets where you can obtain free access to usenet news. There is also a short list of mail to news gateways, which is useful if you would like to post to usenet via a remailer (or if your sysadmin censors which groups you have access to). (Ok.. maybe not totally on topic.. i tried.. blegh) have a day. From tcmay at got.net Tue Dec 19 01:47:04 1995 From: tcmay at got.net (Timothy C. May) Date: Tue, 19 Dec 1995 17:47:04 +0800 Subject: Campaign Finance Reform Message-ID: Sorry that I haven't been following this "Campaign finance reform" thread, but I did stop to read what Brian Davis said, and his point actually raises an important game-theoretic issue which we haven't talked about in a while (maybe because everyone has so internalized it as part of their gestalt that they see no need to mention it...which I doubt). At 7:55 PM 12/18/95, Brian Davis wrote: >On Mon, 18 Dec 1995, jim bell wrote: >> All of which raises numerous opportunities for sting operations against >> politicians, done by individuals by procedures provided for under law. >> Escrow (Okay, I know that's a dirty word around here, but...) an encrypted >> statement of how you intend to run the sting, to be opened by the escrow >> agent at some point in the future, explaining who you're going after and >> how. Make the contribution, keep evidence, and if you're successfull the >> congressman goes to jail for a few years. > > >The problem with the private investigation is that law enforcement may >not believe you were an "innocent" citizen conducting an investigation. >Remember the ABSCAM Congressman who contended he was conducting his own >investigation ... The "game-theoretic issue" is that of the "brilliant penny scam," well-known to grifters and con artists and cryptographers (and all good cryptographers should be aware of cons and scams, as cryptography protocols bear close resemblances to confidence games, or at least must cope with them). I claim that I have a "magic penny," or "brilliant penny," which can predict which way the price of Netscape stock will move on the next day. I deposit a sealed prediction of what my brilliant penny told me would happen, with a reputable escrow agent. I invite investors to cast their lot with me. On each day, I retrieve the sealed prediction and, voila!, it is confirmed to be the truth. Obviously, what I have done is to record predictions covering both outcomes--Netscape going up and going down--but have conveniently only retrieved the one I know matches the actual outcome. (Sure, it's possible to think of some ways to get around this. Left as an exercise for the student.) The connection with Jim Bell's idea is obvious. Anyone planning a crime, say, buying drugs (not a crime in my book, but that's another story), cooks up a strategy to claim he was "investigating how easily drugs may be bought on the streets of Minneapolis." He seals a letter to himself detailing how his "expose" is to be run. If caught, he smugly says, "But I'm just doing a story on how drugs may be bought. You'll find my description of my plans sealed in an envelope with my lawyer." Not very convincing. (The reason this is a variant of the brilliant penny scam is that the costs of making the claim are low, and the ability to selectively reveal forces the outcomes to match. Not convincing.) >Escrowing what you intend to do could be seen as blackmail ammunition if >the Congressman fails to produce. > >Unfortunately for the Cryptoanarchists (tm -- in more ways than one), >absent law enforcement running the "sting" you are taking a risk of being >stung yourself. "Escrowing" where the access key is controlled by the party intending to do something illegal--blackmail, drugs, etc.--falls into the category I just described. Though I'm not a lawyer, I rather suspect courts have looked askance at such "covers of convenience" intended to be used as protection. By the way, dramatically better protection is gotten--so I understand--if a "legitimate" reporting assignment is involved. Thus, if a reporter is assigned by her editor to try to buy a dime bag on the corner of 8th and Artesia, and she somewhow gets caught, adequate proof can be produced to ensure no prosecution occurs (this obviously depends on a lot of factors). On the issue of bribing officials, there are of course all sorts of ways to do this. Outright bribes will always be handled more carefully than "mere" campaign contributions, which are only quasi-bribes. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From jsw at netscape.com Tue Dec 19 01:49:16 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Tue, 19 Dec 1995 17:49:16 +0800 Subject: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b In-Reply-To: <9512190026.AA15461@toad.com> Message-ID: <30D65A4B.7ED1@netscape.com> This report is mostly bogus. Netscape does not, and never has stored http auth passwords in files on your disk. However we do cache documents from servers that use http auth. In this case the user had their preferences set to check the host site for updated content "once per session". There is a bug, which we are fixing before 2.0 ships, that if the auth fails the document should be removed from the cache but was not. If the user had set their cache checking to "never", then if the document is in the cache, it will always be shown to the user, since no connection is made to the server. Content providers who don't want their web pages cached should use the 'Pragma: no-cache' http header. This will tell the navigator to not save the document in the disk cache. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From aleph1 at dfw.net Tue Dec 19 17:49:53 1995 From: aleph1 at dfw.net (Aleph One) Date: Tue, 19 Dec 95 17:49:53 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192232.WAA18554@pangaea.ang.ecafe.org> Message-ID: On Tue, 19 Dec 1995, ECafe Anonymous Remailer wrote: > I don't understand why this group continues to tolerate these blatently > commercial messages from att (and netscape.) (The message is > really just an ad for the cryptolib product, as it says). I've also said > this b4 but I'll say it again: why would anyone in their right mind trust > binary code from att after the clipper fiasco. > I don't understand why this group continues to tolerate these compleatly stupid messages from Mr. Anonymous (and other nuts.) (The message is really just a llame by Detweller (sp?), as it indicates). I've also said this b4 but I'll say it again: why would anyone in their right mind pay any attention to an anonymous idiot without enough face to get a nym. > And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves > cypherpunks, when they are so clearly just working us for their > corporate interests? I wonder how much they get paid to monitor this > list? > > You might want to have a doctor help you take your head out of your ass. Aleph One / aleph1 at dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 From tcmay at got.net Tue Dec 19 18:30:57 1995 From: tcmay at got.net (Timothy C. May) Date: Tue, 19 Dec 95 18:30:57 PST Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: At 12:22 AM 12/20/95, Jiri Baum wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Hello, > >tcmay wrote: >... >> Prime Factoring? Primes are easy to factor, of course. (Hint: Every prime >> has two factors.) >... > >Can someone enlighten me as to what the two factors are? > >With sensible definitions I've heard you either get one (just itself) >or four (itself [p], both units [1,-1] and the co-whatsitsname [-p]). You're looking too deeply. My point was in response to the very common error people make in talking about "factoring a large prime number." A prime is actually easy to factor: itself and 1, which is the point I was making. (One can quibble about whether 1 is a factor...I include it, though 1 is admittedly not considered a prime. But this is a quibble, I think.) --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From hua at chromatic.com Tue Dec 19 19:02:36 1995 From: hua at chromatic.com (Ernest Hua) Date: Tue, 19 Dec 95 19:02:36 PST Subject: Is ths legal?... In-Reply-To: Message-ID: <9512182021.AA23246@krypton.chromatic.com> > The answer to the "is this legal?" question is more complex than > simply "private versus public" university. There are fairly strict > federal anti-wiretapping laws. It is hardly clear that a private > university may eavesdrop on students' phone or computer conversations, > even if conducted over the university's network. Furthermore, many > states have their own anti-wiretap and anti-eavesdrop laws, which are > even stricter than federal standards. I don't have the time nor the > inclination to do research into Oklahoma law, but we did some research > into this area of state and federal law for the LaMacchia case and > concluded that in its investigation of David LaMacchia, MIT very well > might have violated federal laws. It is definitely legal for private entities to have strict control over their own resources. In particular, it is legal for a company to listen in on their phone conversations for quality control purposes if they announce this fact ahead of time (you may have heard such a disclaimer when you call tech support, for instance). Also, if a student signs such a waiver acknowledging that the situation at this school is not necessarily that of the "norm" or of potentially overriding state or federal law, there is a good chance the student has signed away their right/priviledge of absolute privacy. Unless there is serious violation of Constitutional rights or if the contract is constructed or negotiated in bad faith or in some illegal manner, the old saying applies: "a contract is a contract". Ern From frantz at netcom.com Tue Dec 19 03:06:45 1995 From: frantz at netcom.com (Bill Frantz) Date: Tue, 19 Dec 1995 19:06:45 +0800 Subject: Java and timing info - second attempt Message-ID: <199512190724.XAA10835@netcom22.netcom.com> At 22:31 12/18/95 -0800, Jeff Weinstein wrote: > In Netscape Navigator 2.0 Java and JavaScript do not have access >to crypto routines. At some point in the future this will probably >change, but only after we understand the implications much better >than we do today. More importantly for covert channel analysis, do they have access to good clocks? Access to a good clock could make a Java applet a good candidate for the receiver in a generalized covert channel attack. Access to both process time and real-world time can give a good indication of load on the processor, and might be needed for animation. A transmitter could send by using or not using the CPU. (Installing the transmitter is left as an excersize for the student. ;-) ) Who said that life was safe? ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From mhw at wittsend.com Tue Dec 19 19:36:57 1995 From: mhw at wittsend.com (Michael H. Warfield) Date: Tue, 19 Dec 95 19:36:57 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192349.SAA25296@jekyll.piermont.com> Message-ID: Perry E. Metzger enscribed thusly: > ECafe Anonymous Remailer writes: > [Lots of garbage slandering Matt Blaze, who's about as close to being > a dyed-in-the-DNA cypherpunk as you can get.] Yeah! Really! We're talking about Matt "Honey I broke the chip" Blaze here. Single handedly did more damage to the clipper chip than any other individual or group! > What I want to know is, why are you doing this? Are you trying to > start a flame war? Are you just an asshole? Are you Detweiler? Whats > the motive? Perry, I liked your reaction to the last chump like this much better. We should find out what drugs they are taking and where we can buy some! They are obviously VERY good considering that they no longer have any connection with reality. I'm just impressed that they can manage to find their keyboard with the halucinations they're having! > .pm Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From llurch at networking.stanford.edu Tue Dec 19 20:07:51 1995 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 19 Dec 95 20:07:51 PST Subject: Update on Microsoft .PWL and SMB Spin Control In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I was thinking about copying this to Yves and Yusuf, but I figure it will get to them anyway. The WinNews #22 mass mailing (by the way, there seems to have been no #21) has this to say about the .PWL bug: NEW POSTINGS TO WINDOWS 95 WEB SITE AND FORUMS * Under "WINDOWS 95 SOFTWARE LIBRARY" * In "Windows 95 Updates" - "Enhanced Password Cache Security Update" - an enhanced security component that substantially strengthens the encryption used for the Microsoft Windows 95 password cache. The update comes with no ReadMe -- it's a self-contained installer only. No details on how it works appear to be available anywhere. There seems to be no way to ensure that you have received a patch without viruses or other modifications. I will not recommend or distribute this archive to anyone until these problems are fixed. I also just noticed how WinNews #19 was censored: Free Software "Updated Drivers for Windows 95 File and Printer Sharing" - has a single readme. The files are self-extracting executables located at: FreeSoftware|Windows 95 Updates The correct name for this page and patch is "Updated Drivers for Windows 95 File and Printer Sharing Security Issue." WinNews gave no indication what this patch did. A "WinNews Special Issue" with some details on the SMB bug (including incorrect information that has been quietly corrected, but not retracted on WinNews or elsewhere) was sent to at least some WinNews subscribers in late October. This "Special Issue" is not archived on Microsoft's Web site, however -- it's the only issue that isn't. One month, ten days after the Windows 95 Product Manager assured me that they would be made available "within two weeks," there are still no international versions of the SMB or C$ security patches available on Microsoft's Web site. All non-English copies of Win95 are still vulnerable. Most of the major PC magazines are going to carry something on the SMB and .PWL bugs next month. Windows Magazine's story is going to be unambiguously positive: In response to a posting on the Internet questioning the security of Windows 95's optional password caching feature, Microsoft immediately recommended that concerned users turn off password caching. Microsoft has now released a free update to Windows 95 that substantially increases security. - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNeLII3DXUbM57SdAQErKQQA3WuAAnphzOt8zZQP/wwMoUL2qt9ZocDd 9ozHfKW8FBwnLktQXMGfCIXpNPFqWlM2NtPeci7pcN4DdcyR463aTeKSEEe60fJD tpnBJBztlGYSTOlMyxJiI+nFCBodkAG0NRA9GkHi6gAW9Rds3tZW9VTozvQq+2Ba 2F9BrVbwass= =co1m -----END PGP SIGNATURE----- From harmon at tenet.edu Tue Dec 19 20:28:21 1995 From: harmon at tenet.edu (Dan Harmon) Date: Tue, 19 Dec 95 20:28:21 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512200051.TAA17476@crypto.com> Message-ID: Matt, It seems that .pm has to be paranoid since he doesn't recognize intergrity. May he is the famous net loon LD? However, keep up the good work. Dan On Tue, 19 Dec 1995, Matt Blaze wrote: > Perry wonders: > > > What I want to know is, why are you doing this? Are you trying to > > start a flame war? Are you just an asshole? Are you Detweiler? Whats > > the motive? > > I must admit I don't quite get it, although I think there are people > who really can't distinguish between a person and a person's employer, and > who believe that the entire world is a black-and-white battle between > good and evil. > > Jeff Weinstein got treated rudely back during the feeding frenzy > where everyone hated Netscape because he works for Netscape. > > Brian Davis got treated rudely when he first joined the list because > he works for the government as a federal (?) prosecutor. > > I get treated rudely from time to time because I work for AT&T. > > It doesn't bother me, especially when it comes from an anonymous source who > for all we know might earn his or her keep by advertising the joys of > smoking cigarettes to small children or by testing the toxic effects of > new cosmetics on cute, furry animals. I figure it all just comes with > the turf. At least I don't get blood thrown on my by protestors the way > people who work in animal testing labs do... > > -matt > > From jlasser at rwd.goucher.edu Tue Dec 19 20:41:51 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Tue, 19 Dec 95 20:41:51 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512192349.SAA25296@jekyll.piermont.com> Message-ID: On Tue, 19 Dec 1995, Perry E. Metzger wrote: > ECafe Anonymous Remailer writes: > [Lots of garbage slandering Matt Blaze, who's about as close to being > a dyed-in-the-DNA cypherpunk as you can get.] > > What I want to know is, why are you doing this? Are you trying to > start a flame war? Are you just an asshole? Are you Detweiler? Whats > the motive? What _I_ want to know is, is this a troll from the same person who posted the RSA patch for the cryptolib, and is now slandering it. (Re: the patch... it seemed to work on my copy, it passed the test... but NOTHING uses the damn library that I can just test it with) More 'anonymous' persons should choose to be pseudonymous... Jon ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From holovacs at styx.ios.com Tue Dec 19 04:50:38 1995 From: holovacs at styx.ios.com (Jay Holovacs) Date: Tue, 19 Dec 1995 20:50:38 +0800 Subject: Political Cleanup program [NOISE] In-Reply-To: <199512190442.UAA14637@ix3.ix.netcom.com> Message-ID: On Mon, 18 Dec 1995, Bill Stewart wrote: > I happen to believe in freedom of speech, especially political speech, > and if you're not allowed to spend money broadcasting your speech or > printing your messages, you don't have much freedom of press or speech. This has somewhat undemocratic aspects when applied to political free speech. A person has ONE vote regardless of his wealth and as far as access to the political process this same principle must be maintained otherwise democracy is lost. At times freedoms for corporate entities and freedoms for individuals are at cross purposes, freedom for individuals must always be held in the higher position. Jay Holovacs PGP Key fingerprint = AC 29 C8 7A E4 2D 07 27 AE CA 99 4A F6 59 87 90 (KEY id 1024/80E4AA05) email me for key From stewarts at ix.netcom.com Tue Dec 19 05:02:52 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 19 Dec 1995 21:02:52 +0800 Subject: Political Cleanup program [NOISE] Message-ID: <199512190442.UAA14637@ix3.ix.netcom.com> I was going to refrain from ranting on this one (for once:-) but a couple points with cypherpunks relevance have come up. One is that PACs are, in some sense, a donation-remailer. The purpose is to get the money to its destination while obfuscating the link between the donor and the candidate, while allowing the PACs to take the political heat for it, but giving them the out that "it's just being done on behalf of our fine upstanding donors." At 11:20 AM 12/18/95 -0500, Phill Hallam wrote (order rearranged somewhat): >The starting point for campaign reform has to be to cap the amount that can be >spent on a campaign. Most countries have such laws to prevent the political >process from being owned by the rich. Unfortunately this has happened in the US >with the effect that both parties are much further to the right than in any >other Western democracy. I happen to believe in freedom of speech, especially political speech, and if you're not allowed to spend money broadcasting your speech or printing your messages, you don't have much freedom of press or speech. In this case, technology is giving us the ability to not only support freedom of speech, but give it as little or as much visible linkage as desired, allow the money to be passed around privately, and also to coordinate publicity efforts of different groups in ways other than simply giving cash to a candidate's bagman to be spent on publicity. It's also significantly changing the costs, speed, and targetability of speech, allowing more people to get involved, and allowing low-cost efforts to have more impact by reaching the right people. And as far as "prevent the political process from being owned by the rich" goes, there have been brief exceptions over the last 5000 years in which the less-rich have overthrown the rich, but campaign finance laws have almost never kept the rich or the politicians from helping each other out. >The main problem with anonymous political donations is that it is easy enough to >create linkage if the recipient and the donor conspire together. That's a given; not much point in giving someone a bribe if they don't know what they're being bribed to do or who they're doing it for :-) >There are many other things that campaign laws are intended to achieve beyond >avoiding bribery. For example foreign nationals cannot make donations to US >parties. It would be a good thing if there were similar laws in the UK since at >the last election a foreign national with links to organised crime alledghedly >made a multi million donation to the Conservative party. I also don't believe freedom of speech should be limited by national boundaries. >Of course in the absence of full disclosure of details of party records > nobody can be sure. We are as voters entitled to consider the worst however. You can always agree not to vote for any candidate or party that doesn't provide full disclosure, though it's a little harder to deal with political publicity supporting a candidate provided directly by non-candidates. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # .... Heading back to The Big Phone Company From karn at qualcomm.com Tue Dec 19 05:03:07 1995 From: karn at qualcomm.com (Phil Karn) Date: Tue, 19 Dec 1995 21:03:07 +0800 Subject: New additions (12/18) for Karn vs State Dept Message-ID: <199512190443.UAA23762@servo.qualcomm.com> I've just received, HTMLized and added two new documents to the web page concerning my case against the State Dept. They are: http://www.qualcomm.com/people/pkarn/export/karnsf.html (Joint Statement of Facts Not In Dispute, 12/18/95) and http://www.qualcomm.com/people/pkarn/export/repmem.html (Reply Memorandum In Further Support of Defendants' Motion to Dismiss, Or In the Alternative, For Summary Judgment 12/18/95) As before, the base URL for the case is http://www.qualcomm.com/people/pkarn/export I'd like to thank the government's attorneys at the Department of Justice for this time providing an electronic copy of their filing to my attorneys. This made it easier for me to bring it to you on the web. Last time I scanned in the government's documents on an OCR system, the same one I used to scan in the 3DES code in Applied Cryptography to demonstrate the process as part of my declaration. However, I still had to convert the text files from WordPerfect to ASCII and then HTMLize them by hand. If you find any formatting errors, please let me know so I can fix them. --Phil From llurch at networking.stanford.edu Tue Dec 19 21:08:53 1995 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 19 Dec 95 21:08:53 PST Subject: (fwd) Junk email address collection (from a junk emailer) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Personally, I think anyone who uses dejanews as a way to grep Usenet is an idiot, but since this idiot actually did spend several hours doing so, and then sent unsolicited commercial email to several thousand people, it's worth listening to him. Of course he's wrong about DejaNews having anything to do with Stanford. Anyone know anyone there? This guy is obviously afraid of me. It's a pretty funny story, actually. Too bad I can't tell it to anyone. - -rich - ---------- Forwarded message ---------- From: Name Witheld by Request To: Rich Graves Subject: Important info for you Rich, There is one more point I would like to make to you. Since you have recently responded in a sincere way regarding everything I have asked you about, I would like to return the favor and suggest some things that might be of help to you and your cause. If you want to put a damper on some of the random unsolicited emailings to newsgroups members, I would like to tell you how. I have done extensive marketing research online, and I am very involved with Internet commerce and everthing that affects it. Just like you have your "circles" of associates, so do online business people. I have met a lot of business users online, and have learned the ins and outs of things related to Internet commerce and marketing. Anyway, in these "circles" of discussions, and seeing information and posts from some of these business people, I have learned many things that your group is most likely not exposed to. For example, there is a major resource where the majority of email names are stripped from, and I would like to reveal it to you, and give you the solution to putting an end to it. But only because I truly want to help, and show you that I am not your enemy. You may already know some of this. The "Deja News" Web service (at Stanford) is one of the major resources that some of these mailers use to get names. They attempt to do target marketing by doing searches for keywords related to their customers, or their own, advertising material that they wish to send. They simply do a search for several words like "resumes" if they have something to do with a resume service, etc. I'm sure you get the idea. After they do their search, they merely dump screen after screen of the search engine's findings and then strip the addresses using a FIND-CONTAINS "@" command in any database program. This is how they strip the names to create a mass email list. There is ONE way that could really screw over these mailers from using this resource. This is inside information that has been revealed to me (I have also seen references to it somewhere else). Don't ask who it was that was telling everyone about it, because I honestly couldn't tell you - I just know it is going around. Since you are there at Stanford, I am sure that you may be able to bring this information to someone working on this project so they can make some necessary changes. Here it is: When one of these mailers goes to do a search (and from what I hear, many of them do it on regular intervals to get new names) they cannot do a TERSE search. Why? Because it cuts off the email addresses if you notice the output. They cannot obtain addresses from this data. So what do they do? They do a VERBOSE search and this way the email addresses are completely listed. Make a change to this VERBOSE search option so that it will only list the partial email address, and you will eliminate THOUSANDS, if not millions of unwanted email messages on the Net. I guarantee if they made this change to the site it would make a HUGE difference. From what I hear, most newsreaders only list news post lists by "author" and not by email address, so these companies cannot easily strip names through regular newsgroup programs, and must use a service (like Deja News) to compile large email lists. Also, you and your buddies may want to look into a guy selling a software program called "Floodgate." Apparently this person is selling a program for about $300 that is designed to strip names from text files that are created from copying the output of other sources. Just thought I would donate some helpful information to make up for my offense. I don't mind if you should share this info with your contacts and if you tell them that it came from me, however, I would prefer if you would not post this information or statement publicly. I do not wish to get involved with a MAJOR uprising of business people that would murder me for revealing stuff like this. If I come across some other stuff which may be of interest to you, I will let you know. I think it is much better for us to work together instead of against one another. Let me know what you think, -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNeZ3Y3DXUbM57SdAQE/5QP/cwqEiY7eX8fR/9JEPmSdhE63Ax+H+NCw Uac9VXlKKSH3e+JfI7c/+sWhYafLvWVFlz7Ikj1/uMilAmNJjJTUZfTHqdlYKN/+ kkmc+cCWfGAkl6PFcFqcvSdPKJvyVMsnUFufFBsl629Ot7Pb8yZJTXEq0vr8+BcG QOdMuhEZiXk= =Hq1v -----END PGP SIGNATURE----- From jim at SmallWorks.COM Tue Dec 19 21:23:45 1995 From: jim at SmallWorks.COM (Jim Thompson) Date: Tue, 19 Dec 95 21:23:45 PST Subject: revised time quantization package (Unix & WIN32) available Message-ID: <9512200523.AA24870@hosaka.smallworks.com> >AT&T Spokesman Matt Blaze writes: >blah blah >>There are (basically) no restrictions on the use or distribution >>of the (very simple) code. > >This is simply untrue. Read the fine print in the file. Use this code >and you owe them big. They'll "reach out and touch" you big time. You're wrong. Direct from the shar file: X/* X * Simple Unix time quantization package X * {mab,lacy}@research.att.com X * v1.0 - 12/95 X * X * WIN32 port v0.1 fod at brd.ie 12/95 X * X * TESTED ONLY UNDER SUNOS 4.x and BSDI 2.0. X * X * WIN32 port TESTED ONLY UNDER WINDOWS '95 X * (further testing recommended) X * Requires Winmm.lib X * X * This is unsupported software. Use at own risk. X * Test carefully on new platforms. X */ X/* X * The authors of this software are Matt Blaze and Jack Lacy X * Copyright (c) 1995 by AT&T Bell Laboratories. X * X * WIN32 port by Frank O'Dwyer X * Copyright (c) 1995 by Rainbow Diamond Limited X * X * Permission to use, copy, and modify this software without fee is X * hereby granted, provided that this entire notice is included in all X * copies of any software which is or includes a copy or modification X * of this software and in all copies of the supporting documentation X * for such software. X * X * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR X * IMPLIED WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T X * NOR RAINBOW DIAMOND LIMITED MAKE ANY REPRESENTATION OR WARRANTY X * OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR X * ITS FITNESS FOR ANY PARTICULAR PURPOSE. X */ Nothing, but nothing in there restricts you from doing anything you like with the software, as long as you provide attributation. >If they were serious, they'd gpl it. Maybe they don't like the terms of the gpl? Maybe they don't want to restrict *you* to having to give it away? (And before you jump my ass for being anti-gnu, go check the various GNU sources for work I've submitted in the past.) >I don't understand why this group continues to tolerate these blatently >commercial messages from att (and netscape.) (The message is >really just an ad for the cryptolib product, as it says). I've also said >this b4 but I'll say it again: why would anyone in their right mind trust >binary code from att after the clipper fiasco. Is this where we point out that it was Young Master Blaze who pointed out the technical failure in Clipper? >And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves >cypherpunks, when they are so clearly just working us for their >corporate interests? I wonder how much they get paid to monitor this >list? "Cypherpunks write code." (Where is yours?) Jim From sameer at c2.org Tue Dec 19 21:50:23 1995 From: sameer at c2.org (sameer) Date: Tue, 19 Dec 95 21:50:23 PST Subject: COMMUNITY CONNEXION PIONEERS PRIVATE ELECTRONIC COMMERCE Message-ID: <199512200544.VAA16051@infinity.c2.org> For Immediate Release - December 20, 1995 Contact: Sameer Parekh sameer at c2.org 510-601-9777 COMMUNITY CONNEXION PIONEERS PRIVATE ELECTRONIC COMMERCE Community ConneXion today announced a new service for its customers which will make secure, private electronic commerce more accessible to all merchants, from the small single-person business to large corporations trying to sell goods and services over the world-wide-web. The new service allows its customers to accept ecash, an anonymous, secure electronic payment system, developed by DigiCash bv, of Amsterdam, Holland and implemented with US Dollars by Mark Twain Bank, of St. Louis, Missouri. Customers can setup web pages on their web sites and charge websurfers from pennies to dollars per page when viewing their sites. The technology allows anyone on the Internet to become a merchant, selling goods and services electronically. Community ConneXion's President, Sameer Parekh, commented on the new development, "Before we unveiled this service, it was rather difficult for a merchant to offer content on the web in exchange for private, secure payment. Our system allows our customers to add simple configuration directives to their web pages in order to start charging for them." Information about Community ConneXion's ecash merchant support is available on their webserver at http://www.c2.org/ecash/. Ecash is the only strongly private payment system available on the net today. "All other consumer payment systems on the net are strongly linked with the old-fashioned and outdated credit card system," said Parekh. Ecash provides full payor anonymity and protects against fraud using strong cryptographic protocols developed by David Chaum, Managing Director of DigiCash. "Community ConneXion continues to lead the world toward a more efficient model of commerce on the Internet" said Frank Trotter, III, Mark Twain Bank International Markets Division Director and Ecash project leader. "Integration of an Ecash payment mechanism into the site is a giant step toward allowing business and research to function and support itself efficiently. We look forward to the continued leadership in innovation from Community ConneXion." Community ConneXion has been a supporter of ecash since its inception in October of 1995, becoming the first internet provider in the world to start accepting ecash as payment for services, less than one month after the payment system was announced. Community ConneXion, founded in June of 1994, is the leading provider of privacy on the Internet. They provide anonymous and pseudonymous internet access and web pages in addition to powerful web services, virtual hosts, and web design consultation. Information is available from their web pages at http://www.c2.org/. Information about the Mark Twain Bank ecash release is available from http://www.marktwain.com/ecash.html. DigiCash and ecash are trademarks of DigiCash bv. Mark Twain Bank is a trademark of Mark Twain Bancshares. From jimbell at pacifier.com Tue Dec 19 22:00:54 1995 From: jimbell at pacifier.com (jim bell) Date: Tue, 19 Dec 95 22:00:54 PST Subject: cyphernomicon FTP site? Message-ID: At 04:18 PM 12/19/95 -0500, you wrote: >Anyone know where I can FTP a full copy of the cyphernomicon? > >------------------------------+----------------------------------------------- >Vinod Valloppillil | LibertarianismTelecommunicationsFreeMarketEnvi >Engineering/Wharton | ronmentalismTechnologyCryptographyElectronicCa >University of Pennsylvania | shInteractiveTelevisionEconomicsPhilosophyDigi >vvallopp at eniac.seas.upenn.edu | talPrivacyAnarchoCapitalismRuggedIndividualism >------------------------------+----------------------------------------------- I'm interested in this too. I really HATE those silly HTML documents that can't (or, at least, I haven't yet figured out how) be downloaded in one swell foop. From gates_r at maths.su.oz.au Tue Dec 19 22:10:10 1995 From: gates_r at maths.su.oz.au (Robbie Gates) Date: Tue, 19 Dec 95 22:10:10 PST Subject: Bit Commitment Query Message-ID: <30D7A993.3F54@maths.su.oz.au> I am confused about bit commitment via one way hashing as described in Schneier (1st ed, p 73) h is a one way hash function. This description from Schneier, except that variables are changed so i don't need subscripts: 1. Alice has a bit b she wants to commit to. She picks random bit strings R and S, and sends Bob h(R,S,b),R 2. To verify commitment, she tells Bob S and b so he can verify the hash. What i don't get is Schneier's claim: ``If Alice didn't send Bob R, then she could change the value of S and then the value of the bit. The fact that Bob already knows R prevents her from doing this.'' Can someone explain exactly how Alice cheats if Bob doesn't know R. I can't see how she can alter R and S and b at all without being able to produce hash collisions. In essence, why doesn't the following work: 1. Alice has a bit b. She picks a random bit string R and sends Bob h(R,b) 2. To verify, she tells Bob R and b. Assuming Bob knows b is a single bit, how does Alice cheat without needing to produce hash collisions for h. thanks in advance for any help, - robbie -- ---------------------------------------------------------------------- robbie gates | it's not a religion, it's just a technique. apprentice algebraist | it's just a way of making you speak. pgp key available | - "destination", the church. From liberty at gate.net Tue Dec 19 22:37:28 1995 From: liberty at gate.net (Jim Ray) Date: Tue, 19 Dec 95 22:37:28 PST Subject: Political Cleanup program [NOISE] Message-ID: <199512200638.BAA34608@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Phill wrote: >It is very strange the way that "Libertarians" are so able to turn all >rights into property rights. Thus freedom of speech become freedom to have >influence on the politicial process in direct proportion to wealth. And what do you propose? Speech in proportion to ability to bitch??? >When the Web becomes as ubiquitous as the telephone we >will still see inequalities of power, the homeless and the poor will still >be underrepresented. Let me guess, somehow the government can cure this? >But that situation must be judged against our own where the >political process can be bought and traded as if it were any other form of >comodity. > >It is not simply an issue of money, it is an issue of national security. If a >foreigner were to control the majority of the media there would be a significant >threat to the national interest. This threat has been realised in the UK with >the comming to power of Rupert Murdoch. Fortunately his influence on the US >political scene has thus far been minor. In his own country he has brought down >the government more than once. So what??? He gives us "The Simpsons" and "Married, With Children!" [IMO] Rupert has done more for humor than any humor-impaired liberal has ever done! >>And as far as "prevent the political process from being owned by the rich" >>goes, there have been brief exceptions over the last 5000 years in which >>the less-rich have overthrown the rich, but campaign finance laws have >>almost never kept the rich or the politicians from helping each other out. So??? I'm fighting them, are you??? >In UK politicis the influence of an individual's money is limited to influencing >one party. Even that is done behind closed doors. The other major parties both >limit the size of individual contributions to a constituency party to a >relatively nominal sum. $5000 is a huge sum in UK politics. They probably bribe in accordance with the marketplace. Big deal. >>I also don't believe freedom of speech should be limited by national >>boundaries. > >Nor do I. But I only vote in one country. If we take the question outside >the US >it would not on the whole be a good thing if the Prime Minister of Tobago (say) >were provided with a campaign contribution of $1M by a foreign company with >an >interest in strip mining the entire island. similarly it would be a bad >thing if >Columbian drug lords were to make massive contributions to politicians >committed >to continuing the prohibition on drugs. They do, right now. Do you think the Libertarians have gotten any contributions from the drug-smugglers??? If so, please tell me what you are on and where I can get some. Otherwise, kwitcherbitchin. JMR -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. iQCVAwUBMNesZ21lp8bpvW01AQGxjgQAscGA5sMXQWaXSqGrGMEhFlnYXUYUzoQH YsivCtTZTaIZYUfRoo4Myjx7B8MVpgykMOJC0PHLA+zWurW6AQ2W45ywLUceoQbF 0UF/JXZi2mhHI0xLwKV6E+GaWdaiuAdh6uKwLyND2S07bBGiPZ4hBG05+Xkm5s/d OJ6QcCwtsuM= =iPRn -----END PGP SIGNATURE----- ---------------------------------------------------------------------- Regards, Jim Ray http://www.shopmiami.com/prs/jimray "Thank God we don't get all the government we pay for." -- Will Rogers [Back when we paid for (and got) a _lot_ less government.] ----------------------------------------------------------------------- PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 IANAL ----------------------------------------------------------------------- Help Phil! e-mail zldf at clark.net or http://www.netresponse.com/zldf _______________________________________________________________________ From tcmay at got.net Tue Dec 19 23:34:39 1995 From: tcmay at got.net (Timothy C. May) Date: Tue, 19 Dec 95 23:34:39 PST Subject: cyphernomicon FTP site? Message-ID: At 9:18 PM 12/19/95, Vinod Valloppillil wrote: >Anyone know where I can FTP a full copy of the cyphernomicon? It would help if you said what you'd tried. For example, have you tried ftp.netcom.com in the directory pub/tc/tcmay? There you will find several versions, including compressed versions. This can be hard to access, due to crowding, but can eventually be gotten to. It has also been placed at other locations, according to reports here. Check the archives. Personally, I hear that even the author prefers the HTML version at http://www.oberlin.edu/~brchkind/cyphernomicon/. Anybody who plans to download the entire linear file and then print it out must be missing a bits in his shift register. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From rah at shipwright.com Tue Dec 19 08:30:33 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 20 Dec 1995 00:30:33 +0800 Subject: (fwd) Economics of Digital Money. (part 2) Message-ID: --- begin forwarded text Date: Tue, 19 Dec 1995 13:42:20 +0700 (GMT+0700) From: Patiwat Panurach To: ecash at digicash.com Subject: Economics of Digital Money. (part 2) MIME-Version: 1.0 Sender: owner-ecash at digicash.com Precedence: bulk Reply-To: ecash at digicash.com The Economics of Digital Commerce: An analysis of Digital Cash, ElectronicFund Transfers, and eCash (the second part wasn't included for some reason) The advantages of Electronic Checking over paper checks include � Savings of time. The instantaneous updating of account balances allows all the financial players a greater deal of financial flexibility. There is no clearing period for transactions to be finished. This allows large cost reductions and more opportunities in cases of large-sum arbitration, and allows even pedestrian players to have a great deal of financial freedom. Also considerable is the savings in time. Checks no longer have to be cashed and purchased at bank branches. � Reduction in paper handling costs2. Universities are not overwhelmed with paper checks at the beginning of each term; banks aren't faced with unmanageable lines of people at every payday; governments don't need large check printing and mailing facilities; fewer trees are sacrificed. � No bounced checks. Being simultaneous, the receiving of the certification and the debiting and crediting of the accounts assures that no certification can be made without having funds to back it up. This could be done through an automatic check of account status before the certification is issued. This is similar to the checking of the credit limit before credit card transactions are finalized. � Flexibility. Electronic checking is an extremely broad and generic field. It is used, in some form or the other, worldwide. Nearly all types of transactions can be conducted by using electronic checking. Electronic checking bypasses the physical weaknesses of physical checks. But it is still, in its essence, a check. A critical weakness of this is privacy. All transactions must pass through the banking system3. Furthermore, the banking system is obligated to document the details of every transaction that passes through it. What is to prevent the bank from selling or leaking such information to others? This precludes a possible infraction of personal civil liberties. Such was the case of Winai La-onsuwan, the man who was formally known as the monk Yantra. His illicit adventures in an Australian brothel were documented via American Express receipts4, and such evidence was critical in defrocking him. An even more frightening scenario would be if governments would demand access or control over the electronic checking, or over electronic checking records. What would permit them from instantly forbidding, say, a pregnant woman from buying cigarettes? Electronic checking systems could conceivably be a tool of "Big Brother" in gaining control over individual lives. As payment systems using electronic checking become more pervasive, is it necessary sacrifice the privacy and undocumentability of Cash? Many feel5 that cash also has a role as an electronic payments system. Such a "digital cash" (as it is called by many adherents) would have to have the essential characteristics6 of cash from the consumers perspective: � Anonymity. The buyer pays the seller. Nobody, except the seller knows the identity of the buyer or the details of the transaction. In cases were the buyer uses a sufficiently sophisticated pseudonym system, not even the seller knows the identity of the buyer. Besides those of the 2 agents, there is no record of the transaction taking place. The certification of payment is the payment. There is no transfer between accounts that banks could analyze to discern the exact flow of funds. � Liquidity. Digital Cash must potentially be accepted by all concerned economic agents as a method of payments. For example, in the Global Internet, the largest meta-network in existence, this would involve a significant proportion of internet merchants accepting a digital cash, if it is to be more than an �electronic play-money�. In many pilot projects, there must be a large threshold of affiliated merchants that are willing to participate in accepting digital payment for the system to be successful. On the institutional side, digital cash holds many advantages over existing fiat money (cash). These mainly involve the physical weaknesses of cash. First, Cash is highly risky to robbers. Cash must be kept in secure vaults and be guarded by security guards. The more cash is held, the greater the potential risk is. Secondly, cash has high transport costs. Because physical mass is proportional with the amount of cash held, large amounts of cash are difficult to store. It has been estimated that money handling costs of transporting cash in the US amount to over 60 billion US$ a year7. Lastly, the advent of high- quality color copiers and counterfeiting methods8 make government stores of cash insecure. It has been rumored that the United States Government waged economic warfare against Iraq during the Persian Gulf War by flooding the country with expertly counterfeited cash9. Digital Cash could conceivably have many forms. These might include: � Prepaid Cards. Buyers could buy prepaid cards that will be accepted by special sellers. For example, phone cards act as surrogates for coins in the payment of public phones. The weakness of phone cards as digital cash is in the liquidity of the medium: no one would accept a 100 Baht phone card for the payment of a meal. Electronic road toll payment systems also suffer from the same weakness. Recent pilot projects conducted in Australia by VISA show more promise. Prepaid and rechargeable cards are accepted at the point-of-sale of a variety of merchants. Furthermore, to increase the system�s acceptability, the cost of point of sale terminals is subsidized by VISA. It is now possible to pay for a beer at the bar and a hotel bill with the same card10. Proposals for incorporating cash functions into multipurpose �smart cards� have been announced by the EMV (Europay, Mastercard, Visa) consortium11. This would allow many functions like SIMM, ATM, encryption/decryption, and digital cash to be fitted onto a single card. � Purely Electronic Systems. Purely electronic digital cash would be devoid of physical form. This would make it useful for network and internetwork transactions where the buyer and seller are physically apart. The payment would take place by electronically deduction of digital cash from the buyer and sending it to the seller. The actual transfer of digital is usually encrypted so that only the intended recipient (the seller) could make use of the cash. However, methods of anonymity and security must be in place, as to not turn fully electronic systems into electronic checkings systems. In all its forms, digital cash is not always cash. If, say, a financial institution were to issue the digital cash, the creation of digital cash could simply be considered a withdrawal from that financial institution. Similarly, the financial institution would be obliged to credit user accounts for deposits of digital cash. The digital cash would not have to have any real funds to back it, other than any legal reserve limit for the original deposits. Digital cash could just be considered as �cash� on calculations of money supply. M1= 1+ Currency/Deposits X MB LRR+ (Currency/Deposits) + (Excess reserves/Deposits) when Currency encapsulates cash, coins, and digital cash. Withdrawing digital cash reduces the amount of deposits that the financial institution could use to extend loans, thus reducing any dynamic effects money creation effects upon M1. If, on the other hand, a non-financial firm were to issue digital cash, it would simply be a purchase of 1 unit of digital-cash with 1 unit of physical-cash. It could only be backed up by the willingness of merchants in accepting digital cash as a unit of payments. This second type of digital cash is inherently riskier for the consumer than the former. It is actually more analogous with �coupons� than with �cash�. Furthermore, redeeming paper cash for privately issued digital cash does not effect any transformation upon the monetary conditions of the economy. Buying this type of digital cash does not affect the money creation process; there is no decrease in the economy�s loan creation capacity. After considering the conceptual and theoretical aspects of electronic checking and cash, it is now time to look at a real world example of electronic payments: eCash is an open standard12 electronic payments system developed by the Digicash Company and currently the being implemented by the Mark Twain Bank of Missouri, USA. Conceptually, eCash is a type of �digital cash�, offering high levels of privacy and security. Its current implementation by the Mark Twain Bank is not exclusive - any bank licensing Digicash�s eCash protocol could become an intermediary in the eCash scheme. To undertake transactions13, both buyer and seller would have to have deposits in the �WorldCurrency Access� accounts of the Mark Twain Bank. �WorldCurrency Access� accounts are claimed to be conventional money market accounts14; however, they do not pay interest nor have a fixed maturity period but are insured by the FDIC. The buyer must instruct the Mark Twain Bank to transfer funds from his �WorldCurrency Access� account into his �eCash Mint�. This Mint is a personal buffer account. Funds in the Mint are no longer deposits of the bank, and they are not insured. At any time, the buyer can order his computer to remotely interface with his Mint and withdraw funds from the Mint into the buyers hard disk drive on the buyers personal computer. The format of the funds is now completely electronic: a series of zeros and ones that is cryptographically secure and unique. It might be useful to consider the funds in the Mint and in the buyers hard disk as being electronic in an �electronic wallet�. To make the payment, the buyer encrypts the appropriate amount of eCash with a suitably secure encryption protocol15 and sends the eCash to the seller. The eCash can be sent to the seller by any data communications medium, e.g., email, ftp, shttp. Ironically, eCash can even be saved onto a disk, and the disk sent to the seller. Or it can be printed out onto paper, and the printed copy sent to the seller. The seller receives the eCash and after decryptizing it, stores it into his computer. This can then be sent to the Mint, and transferred into the seller�s �WorldCurrency Access� account. The net result is a decrease in the buyer�s funds and an increase in the seller�s. eCash is private: although the Mark Twain Bank will have records for each eCash withdrawal and deposit16, it is impossible (mathematically impossible17, not just computationally difficult or improbable) to trace any subsequent uses of that eCash. If the user�s hard disk drive should �crash�, the eCash is lost forever18. But although eCash is purely electronic, and can easily be copied, it is impossible (again, mathematically impossible, by the explicit design of the eCash protocol specification) to use any eCash twice19. Given its nature, eCash must be considered to be cash from the monetary standpoint. eCash withdrawals from the user�s account are leakages from the money creation process, in the same way that cash withdrawals are. If a user�s WorldCurrency Access account had $100 in it, and $50 was withdrawn as eCash, only $50 (minus any legal reserve limit and excess reserve) could be lent out to others. Conversely, a $50 eCash deposit would give the Mark Twain Bank $50 (again, minus any legal reserve limit and excess reserves) to lend out. Now let us examine some common tendencies of all types of electronic payment. First is the long term trend to increase velocity of money flow in the economy. As the growth of the credit card industry (actually a subset of electronic funds transfer) has shown us, increased convenience of payment is a large factor in increasing the number of payments made. As electronic payments become more widespread for the consumer, we might expect a similar long term trends of increased price level and output through velocity. Also, the disembodiment of cash also tends to give illusions as to its value. Transforming money from bills in your wallet into charged electrons in you hard disk is probably a greater abstractative leap than the transformation from gold coins to fiat currency. As another evolutionary step in the development of money, we might expect consumers to reexamine there conceptions of money, cash, and value. Another significant impact has stemmed out of research into the root of interest gaps in the money market. Citicorp has claimed that around 2/5 of the interest charged on a consumer finance loan is in branch delivery and management costs. This cost could be reduced substantially with increased adoption of electronic means of payments. It has been estimated that the interest differentials in the money market could be drastically reduced with adoption. After examining these three electronic payments systems and there impacts, it should be noted that no single system is �best�. Which system is adopted depends largely on the needs of the transaction and the agents. On the consumer�s side, survey data20 shows that the single most important factor is wide acceptance of the system. Thus it may be that any system, whether it is formally standardized and secured or not, could gain market dominance and remain in that position by virtue of its ad-hoc standard. Sellers would use it because most customers use it; customers would use it because most sellers use it. The main channel for competition would not be in price of the system, but in gaining exclusive rights to the point of sale of a large number of merchants. This environment would make electronic payments widely available in a relatively short time span, but is not exactly conductive to diversity or technological advancement. This would be analogous with the entrenched tri- opoly of Visa, Mastercard, and American Express in the credit card market. An alternative to this situation might be the wide adoption of an open standard electronic payment system. In this case, any intermediary would jointly adopt an inter-operatable system, whereby the client of one system could transparently conduct transactions with any other seller who�s intermediary uses the same system. This would be similar to the openness and competition in Thailand's ATM system, where the 2 main ATM consortiums (ATM Pool and BankNet) support an open system. The holder of a Bangkok Bank ATM card can withdraw money from, say, a Thai Farmers Bank ATM. Such an open electronic payment system would have several advantages over a proprietary electronic payment system. � Choice. Users could be given better choice and services. Since there could be several intermediaries vying for the same open market, they would have to use a policy of differentiation. Such a structure would bring about a monopolistic competition type market, the "market" being the market for open-standard electronic payments. Hopefully, this differentiation would be for the benefit of users. � Policy. Government policy implementation would be less ambiguous. Generally, the fewer heterogeneous systems there are to regulate, the more effective government policy would be on each system. This is because each system would need a specific interpretation of the applicable laws. Since in most nations, the legislative process can't enact new laws with high speed, the "applicable laws" tend to be arcane and controversial. Combined with the constrained capacity of the state, this might cause an ambiguous period of years before systems can be finalized. The ambiguity during this period can kill of enthusiasm for new systems, leading confused agents to return to conventional paper methods of payment. It could also lead to market distortions, as misguided governments could give anti- competition concessions to single firms. � Simplicity. Open standard electronic payments systems would provide a consistency in payments from the users side. It is a general design principle in computer-human interaction engineering that consistent interfaces are synonymous with the efficiency of the system. Survey data21 has shown that simplicity is the second most important aspect that is looked for in an electronic payments system. Thus the consistency of an open standard would contribute to its wide adoption. Despite the advantages of open standard electronic payments systems, it is also likely that a variety of standards could simultaneously gain market acceptance. This would not be through conventional price competition, but rather by seeking niches in the market. For example, it is highly likely that some form of electronic cash system will gain a market niche due to its strong point of unquestionable privacy. Besides the easily targetable markets of "socially deviant" products like pornography (one of the most popular products of the Global Internet) or weapons design (the users of which tend to be very paranoid), it would also gain acceptance from users who are uneasy with the fact that each and every one of there transactions would be documented by the banking system. Fear of such information getting into the hands of the few (or the hands of the state) will most probably cause users to move to a more private system. Such concerns for privacy and fear of powerful corporations have crystallized into the cypherpunk and cyberpunk movements, small but vocal special interest groups who are often listened to by governments22. Other niches might include government subsidized ones for the payment of various state benefits. The United States Department of Nutrition has already implemented an advanced �Virtual Food Stamp� system in New York City23. Groceries with a large portion of low-income customers are required to install electronic payment systems at the point of sale. Customers can buy there groceries without using cash, there being an automatic transfer of funds from their food stamp account to the groceries account. This system reduces long lines at government offices, eliminates the black market in redeeming food stamps for cash, and significantly reduces the shuffling of paper of all parties. This system is used by 500,000 people and is favored over the old system by 94% of them. Like any new technology, it would be impractical to think of the status of electronic payments as clearly defined. Although the technology has existed for decades to implement many systems, they have just begun to permeate into the everyday consumer�s lives. The number of merchants accepting eCash numbers less than a hundred. Card based electronic cash systems have only been implemented in pilot projects in a handful of cities over the globe. Never the less, the trends of modern commerce, driven by the weaknesses of traditional payments systems, point to the eventual rise of electronic payments. It is just a matter or time and spirit. Footnotes 1 from J. C. Wood and D. S. Smith �Electronic Transfer of Government Benifits� Federal Reserve Bulletin V.77 N.4 April 1991 2 D. Gleason as quoted by S. Levy �E-Money (That's what I want)� Wired V.2 N.12 as archived in http://www.hotwired.com/wired/2.12/features/ emoney.html on the internet 3 via Regulation E implementing the Electronic Funds Transfer Act of 1979 (15 U.S.C. 1693) as quoted in J. C. Wood and D. S. Smith, op. cit. 4 from the news group soc.culture.thai 5 As can be seen from the atmosphere of various sites on the internet. Most explicit is the cypherpunks mailing list at cypherpunks at toad.com 6 These characteristics, and the mathematical theories that underpin them were developed over several years in the cypherpunks mailing list and the future culture mailing list at futurec at uafsysb.uark.edu 7 S. Levy op. cit. 8 S. Levy op. cit. 9 heard from the future culture mailing list, op. cit. 10 S. Levy �The End of Money?� Time 6 Nov 1995 P.38-44 11 announced in the cypherpunks mailing list 12 details of the protocol and messaging system were publicized in the internet at http://www.digicash.com/ecash/protpublish.html 13 described in the eCash/Mark Twain Bank FAQ at http://www.marktwain.com/digifaq.html and the eCash FAQ at http://www.digicash.com/ecash/faq.html 14 This is claimed in the eCash/Mark Twain Bank FAQ. But the same document also states that WorldCurrency Access accounts do not earn interest and have no fixed time periods. 15 PGP public key encryption is a highly popular defacto standard due to its high security and its zero price. 16 This is to conform with conventional banking laws concerning the documentation of transactions. 17 D. Chaum �Showing credentials without identification: transferring signatures between unconditionally unlikely pseudonyms� (Springer-Verlig, Berlin) p.946-64 (Conference: Advances in Cryptology-AUSCRYPT '90 International Conference on Cryptology. Proceedings, Sydney 8-11 January 1990) 18 Just another incentive to backup data 19 the eCash protocol specification at http://www.digicash.com/ecash/ protpublish.html 20 from the internet money survey conducted by the Management School at Imperial College. Archived at http://www.tu.ac.th/thammasat/pati/money.survey.results 21 See fn. 20 22 The Electronic Frontier Foundation has had close links with the Clinton Administration. The Cypherpunks mailing list catalyzed public protest that eventually brought down the government supported Clipper Chip 23 See J. C. Wood and D. S. Smith, op. cit. ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From vznuri at netcom.com Wed Dec 20 00:47:20 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 20 Dec 95 00:47:20 PST Subject: on web standards: sent to Markoff Message-ID: <199512200844.AAA24193@netcom6.netcom.com> here's a quickie rant about software standards sent to Markoff, precipitated by his recent column on Berners Lee & the Web. please help kill the urban legend I refer to in this letter. ------- Forwarded Message Subject: tim berners lee etc. Date: Wed, 20 Dec 95 00:39:44 -0800 From: "Vladimir Z. Nuri" I read your recent article on Tim Berners Lee. there is a misconception in the article that annoys me and that I have seen you/others repeat elsewhere. the following myth is: COMPANIES SET STANDARDS. this is not really true. in the short term, companies can set whatever "standards" they like. but in the long term, the *market* decides what standards are acceptable. an example of this was IBM: they set various standards until the market decided that the "standards" they were setting were not acceptable. they became their own worst enemy. no amount of shovelling their ideas down consumer's throats via million dollar ad campaigns or sales pressure changed the basic reality of what the market wanted. even though "microchannel" may have been technically superior, consumers consistently decided the proprietary price of the architecture was not worth the extra economic burden to obtain it. you and others are continually reiterating and reinforcing this myth in regards to web software in your writing. you talk about various companies as if they could somehow seize various standards for their own and exclude other companies (Netscape's supposed proprietary web "standards" are an example). this is fallacious for the reason I outlined above. the market may not tolerate this exclusivity, and particularly in the area of computer software and hardware this has been shown emphatically so. furthermore, the idea that companies can legislate their own web standards is particularly ludicrous. it is true that netscape has added their own "extensions" that their own browser understands and other browsers initially do not. but nothing prevents other companies from immediately incorporating these "enhancements" so that they are recognized by their own software. in fact this is trivial to do so in many cases (e.g. one of these so-called "enhancements" is blinking text in web pages). so the idea that a single web company can somehow monkeywrench the standards process by introducing new ideas is absurd and completely ignorant of reality. in fact this rapid "standard" fluctation is the heart of innovation. it is true that the web standard is fluctuating very rapidly right now, but that is not evidence of companies trying to seize the standard for their own: instead it is the chief sign of dynamic and rapid innovation. I urge you to read Bill Gate's recent book. he addresses this continual myth that people yammer about, namely the idea that individual companies can set exclusive or proprietary standards. a company standard is in fact a sort of temporary whirlpool in time: it will exist only so long as the forces surrounding it support it. a single company can temporarily create an illusion that their standards are the only ones available, but the market may eventually decide that their standard is not appropriate. Microsoft would crumble in a short amount of time if they failed to deliver what the market demands, and Gates reiterates this theme. it is tempting to think of Microsoft or Netscape as large behemoths that "drive the market". this is true in the short term but in truth over the long term the market drives these companies, and they lose market share if they become irrelevant. it is useful to look at one company as a focus of market forces, not the determinant of them. in my opinion the idea that various companies are in control of the market is not only erroneous but highly dangerous. it leads to the view that the government has to step in to promote "fair competition" or "legislate standards". these approaches are usually total failures because they completely neglect the true nature of the innovation of ideas, something that is expressed quite tangibly and viscerally in software development, but this simple point various people still utterly fail to grasp. its quite dramatic to write about single companies such as Microsoft or Netscape as if they have tremendous power and influence over the industry. various companies have found however that this influence is highly fleeting if they are not in tune with market currents. companies are subservient to the market, not vice versa. please strive to recognize this basic fact in your future writing. p.s. I am willing to work this into a letter to the editor if you are willing to publish it. From postmaster at interserv.com Tue Dec 19 08:56:00 1995 From: postmaster at interserv.com (Interserv Operations) Date: Wed, 20 Dec 1995 00:56:00 +0800 Subject: Mailbox soft limit exceeded Message-ID: <199512191618.IAA28242@m1.interserv.com> Your mailbox has exceeded the soft size limit of 8MB. Mail will continue to be delivered to your mailbox until it reaches the hard size limit of 15MB. please removed unecessary messages from you mailbox. Additionally, if you're using CompuServe/Spry AirMail you may choose the local inbox option which will download the mail from your remote inbox to your local system inbox before allowing you to read it. PLEASE NOTE: Use of the local inbox option will preclude accessing the downloaded mail messages except from the system on which the messages were downloaded. -- Interserv Network Operations Center Postmaster at interserv.com 2001 6th Ave. Suite 3025B noc at interserv.net Seattle, WA. 95121 CompuServe/Internet Division From bart at netcom.com Wed Dec 20 01:01:24 1995 From: bart at netcom.com (Harry Bartholomew) Date: Wed, 20 Dec 95 01:01:24 PST Subject: cyphernomicon FTP site? In-Reply-To: Message-ID: <199512200858.AAA26214@netcom23.netcom.com> > > At 04:18 PM 12/19/95 -0500, you wrote: > >Anyone know where I can FTP a full copy of the cyphernomicon? > > > > I'm interested in this too. I really HATE those silly HTML documents that > can't (or, at least, I haven't yet figured out how) be downloaded in one > swell foop. > When using lynx from my shell account, I like to grab the whole thing at once at net speed. Just now this took 65 seconds for the 1.28 Mb with obvious pauses ( I've seen it twice as fast). http://www.swiss.ai.mit.edu/6095/articles/cyphernomicon/CP-FAQ From rah at shipwright.com Tue Dec 19 09:05:52 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 20 Dec 1995 01:05:52 +0800 Subject: (fwd) Economics of Digital Money. Message-ID: --- begin forwarded text Date: Tue, 19 Dec 1995 12:42:23 +0700 (GMT+0700) From: Patiwat Panurach To: ecash at digicash.com Subject: Economics of Digital Money. MIME-Version: 1.0 Sender: owner-ecash at digicash.com Precedence: bulk Reply-To: ecash at digicash.com The Economics of Digital Commerce: An analysis of Digital Cash, ElectronicFund Transfers, and eCash By: Patiwat Panurach Faculty of Economics Thammasat University Bangkok, Thailand The extraordinary growth of international interconnected computer networks and the pervasive trend of commerce to utilize these networks as a new field for there operations has catalyzed the demand for new methods of payments. These new methods must attain unprecedented levels of security, speed, privacy, decentralization, and internationalization for �digital commerce� to be accepted by both consumers and entrepreneurs. This paper seeks to analyze 3 such methods of electronic payments. First shall be the generic type of electronic fund transfer that is widely in use. Second, the ongoing proposals for an open �digital cash� standard. Lastly is a real world technology currently in implementation called eCash. These 3 methods are examined in terms of the dynamics of transaction clearance, the effects on money supply and the macroeconomy, there classification in terms of �money� or �cash�, and the comparative viewpoints of monetary authorities, financial institutions, and consumers. This paper will not attempt to go into detail on the myriad of encryption systems, protocols, algorithms and other technical matters concerning the new systems. These are all secondary aspects of electronic payment. As there basis, electronic payment systems are simply logical evolutionary steps that began with the realization of the limits of barter. The need to pay for transactions is the root of all electronic payment systems. The first method of electronic payments that shall be examined has been in use for a relatively long time. It is the �electronic checking system�. For many, �Electronic Checking� and �Electronic Payment� are the same thing, although this is not always so. Electronic Checking simply uses the existing banking structure to its fullest potential by eliminating paper checks. Electronic Checking is an extremely varied system. Some examples of it include � paying for university fees via ATM card � paying telephone bills via monthly bank account deductions � large value overseas fund transfers Conceptually, Electronic Checking, and almost all Electronic Payments, involves 3 agents1: 1. buyer 2. seller 3. intermediary The buyer initiates a transaction with the seller and the seller demands payment. The buyer then obtains a unique certification of payment (physically called a check) from the intermediary. This debits the buyer's account with the intermediary The buyer then gives the certification to the seller and the seller gives the certification to the intermediary. This credits the seller's account with the intermediary. Schematically, this is a �conventional� checking transaction. But when it is conducted electronically, the certification is an electronic flow that is documented by the intermediary. Most important, the attainment of the certification, the transfer of the certification, and the debiting and crediting of the accounts occurs instantaneously. If the buyer and seller don't use the same intermediary, some standardized clearing house system between intermediaries is usually used. Since electronic checking is essentially checking, it can be analyzed as checking. Payments made via electronic checking would be conducted outside of cash and paper. Instead of sending a check or paying at a counter, the buyer would initiate an electronic checking certification. If this is done as a substitute for paying in cash, electronic checking could susbstantually reduce the transactions demand for money. In essence, this is not electronic checking but electronic cash. But if it is a substitute for conventional checking, it would just increase the speed of the transaction. From the economic standpoint, there is no difference in the dynamics of the checking process from normal checks --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From futplex at pseudonym.com Wed Dec 20 01:27:32 1995 From: futplex at pseudonym.com (Futplex) Date: Wed, 20 Dec 95 01:27:32 PST Subject: Bit Commitment Query In-Reply-To: <30D7A993.3F54@maths.su.oz.au> Message-ID: <199512200927.EAA27328@thor.cs.umass.edu> robbie gates, apprentice algebraist writes: > In essence, why doesn't the following work: > > 1. Alice has a bit b. She picks a random bit string R and sends Bob > h(R,b) > > 2. To verify, she tells Bob R and b. > > Assuming Bob knows b is a single bit, how does Alice cheat without needing > to produce hash collisions for h. Hmmm. I can't see anything wrong with your reasoning, and I too am puzzled by Schneier's comment about Alice needing to send R_1 to Bob initially. I hope someone else will give a more authoritative answer. Your question prompted me to study the other bit commitment protocols in _AC_ a bit more closely (pun not intended). Schneier observes that the b.c. with hash function protocol you cited has an advantage over the b.c. protocol with symmetric encryption he describes (v.1,pg.72). Namely, the hashing b.c. protocol only needs one-way communication after the protocol negotiation. It seems to me that the encryption b.c. protocol he gives can easily be modified to require only one-way communication (Alice-->Bob). The modified protocol goes like this: [0] Alice has a bit b, and generates a secret key K and a random string R. [1] Alice --- E_K(R, b), R --> Bob [2] Alice wants to reveal her committed bit. [3] Alice --- K --> Bob [4] Bob computes D_K(E_K(R, b)) = (R, b) and checks the value of b (or cries foul if R has the wrong value) This can't possibly be a new idea, but I don't know the literature well enough to give a reference. Of course, the other possibility is that this protocol is broken. :} If E is a good encryption algorithm, it should be hard for Alice to find K_2 s.t. D_K_2(E_K(R, b)) = (R, 1-b), even though she gets to choose R. Comments ? Why might we prefer to use the encryption b.c. protocol in Schneier to something like the above ? -Futplex R.I.P. Brian Jones (apprentice cryptographer) From aba at dcs.exeter.ac.uk Wed Dec 20 01:58:46 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Wed, 20 Dec 95 01:58:46 PST Subject: [even more NOISE] BIO-MUNITION: gifs of perl-RSA tattoo Message-ID: <22479.9512200957@exe.dcs.exeter.ac.uk> Alan Olsen writes: > [Much noise on Perl-RSA tatoo and compile problems deleted] > > The only thought that came to mind on this thread was how closely > the tatoo artist spellchecked that tatoo. It would be pretty funny > to have a "munitions violation" that was non-functional due to > tatooing errors. Funny you should say that... I thought I'd better check (before you mentioned this btw) by transcribing from the (slightly grainy) gif, and Richard did miss one char, fortunately in an easily correctable position. I'd guess his wife has probably tattooed the missing ` by now. (The ` was missing from the line: $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa but there was a bit of white space between the = and the e -- plenty enough for a ` -- phew that was close! While I'm here generating noise, someone just sent me this: #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-5-lines-PERL do 'bigint.pl';($_,$n)=@ARGV;s/^.(..)*$/0$&/;($k=unpack('B*',pack('H*',$_)))=~ s/^0*//;$x=0;$z=$n=~s/./$x=&badd(&bmul($x,16),hex$&)/ge;while(read(STDIN,$_,$w =((2*$d-1+$z)&~1)/2)){$r=1;$_=substr($_."\0"x$w,$c=0,$w);s/.|\n/$c=&badd(&bmul ($c,256),ord$&)/ge;$_=$k;s/./$r=&bmod(&bmul($r,$r),$x),$&?$r=&bmod(&bmul($r,$c ),$x):0,""/ge;($r,$t)=&bdiv($r,256),$_=pack(C,$t).$_ while$w--+1-2*$d;print} Significance? It's in pure perl -- no use of dc. I was *very* impressed. It's a fair bit slower unfortunately, but some people objected to the other one on the grounds that it was cheating to use an external program (dc). Also that will work on PCs without mods. Adam From hallam at w3.org Tue Dec 19 10:57:02 1995 From: hallam at w3.org (hallam at w3.org) Date: Wed, 20 Dec 1995 02:57:02 +0800 Subject: Political Cleanup program [NOISE] In-Reply-To: <199512190442.UAA14637@ix3.ix.netcom.com> Message-ID: <9512191622.AA13870@zorch.w3.org> >I happen to believe in freedom of speech, especially political speech, >and if you're not allowed to spend money broadcasting your speech or >printing your messages, you don't have much freedom of press or speech. It is very strange the way that "Libertarians" are so able to turn all rights into property rights. Thus freedom of speech become freedom to have influence on the politicial process in direct proportion to wealth. I began work on the web in '92 because I saw its potential as a political tool which did not have the bias of wealth. It has the potential to create a new kind of political dialogue. When the Web becomes as ubiquitous as the telephone we will still see inequalities of power, the homeless and the poor will still be underrepresented. But that situation must be judged against our own where the political process can be bought and traded as if it were any other form of comodity. It is not simply an issue of money, it is an issue of national security. If a foreigner were to control the majority of the media there would be a significant threat to the national interest. This threat has been realised in the UK with the comming to power of Rupert Murdoch. Fortunately his influence on the US political scene has thus far been minor. In his own country he has brought down the government more than once. >And as far as "prevent the political process from being owned by the rich" >goes, there have been brief exceptions over the last 5000 years in which >the less-rich have overthrown the rich, but campaign finance laws have almost >never kept the rich or the politicians from helping each other out. In UK politicis the influence of an individual's money is limited to influencing one party. Even that is done behind closed doors. The other major parties both limit the size of individual contributions to a constituency party to a relatively nominal sum. $5000 is a huge sum in UK politics. >I also don't believe freedom of speech should be limited by national >boundaries. Nor do I. But I only vote in one country. If we take the question outside the US it would not on the whole be a good thing if the Prime Minister of Tobago (say) were provided with a campaign contribution of $1M by a foreign company with an interest in strip mining the entire island. similarly it would be a bad thing if Columbian drug lords were to make massive contributions to politicians committed to continuing the prohibition on drugs. Phill From karl at cosmos.cosmos.att.com Wed Dec 20 03:57:41 1995 From: karl at cosmos.cosmos.att.com (Karl A. Siil) Date: Wed, 20 Dec 95 03:57:41 PST Subject: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b Message-ID: <2.2b9.32.19951220115525.0069303c@cosmos.cosmos.att.com> At 05:46 PM 12/18/95 -0800, Rich Graves wrote: >Except for the bit about the file not being deleted after quitting >Netscape (which is Bad), this is old news. This is why security-conscious >sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted >form rather than via simple browser authentication. On a related note, how does Netscape (or HTTP in general) authenticate using the password? My best guess, without a sniffer, is (making up error codes as I go along, but you get the point): Browser Sends: GET ... Server Replies: 4xx (3xx? 2xx?) Sorry. I need authentication. Browser (after querying user): GET along with user-name/password Server: ...whatever the page is... Given that, what allows me to go on and see other (protected) pages on the same server without being re-prompted? Is it a similar conversation to the one above or does the browser broadcast the password on every subsequent request? I cannot ascertain the behavior by going to another site protected by a different password. Either one is possible. What I'm hoping happens with multiple sites is: Browser Sends: GET ... Server Replies: 4xx (3xx? 2xx?) Sorry. I need authentication. Browser (after querying user): GET along with user-name/password Server: ...whatever the page is... (1)Browser (to a different server): GET ... Server2: 4xx (3xx? 2xx?) Sorry. I need authentication. Browser: user-name/password cached from before Server2: 4xx (3xx? 2xx?) Sorry. That's not it. I need authentication. (2)Browser (after re-querying user): GET user-name2/password2 Server: ...whatever the page is... The broadcast option would change (1) to (2) above to: (1)Browser (to a different server): GET along with user-name/password Server2: 4xx (3xx? 2xx?) Sorry. (That's not it?) I need authentication. (2)Browser (after re-querying user): GET user-name2/password2 Admittedly, the second one is more optimal, but does this mean it would broadcast the user/passwd to every site? Even the first option winds up sending wrong passwords to other servers. Does the browser re-prompt if it detects a new IP address or a different sub-tree of the same server? Anyway, lots of conjecture (sp?) here. Does anyone know how it really works or can point me at a reference? Thanks. Karl From karl at cosmos.cosmos.att.com Wed Dec 20 04:23:47 1995 From: karl at cosmos.cosmos.att.com (Karl A. Siil) Date: Wed, 20 Dec 95 04:23:47 PST Subject: revised time quantization package (Unix & WIN32) available Message-ID: <2.2b9.32.19951220122140.00684794@cosmos.cosmos.att.com> At 10:32 PM 12/19/95 GMT, ECafe Anonymous Remailer wrote: > >And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves >cypherpunks, when they are so clearly just working us for their >corporate interests? I wonder how much they get paid to monitor this >list? Matt, if you're getting paid to read this list, I want a new contract. Karl A. Siil AT&T BCS Advanced Projects 908-949-4037 908-949-8978 (FAX) karl at cosmos.cosmos.att.com !karlsiil From visentin at imdwd01.milano.italtel.it Wed Dec 20 05:35:17 1995 From: visentin at imdwd01.milano.italtel.it (visentin at imdwd01.milano.italtel.it) Date: Wed, 20 Dec 95 05:35:17 PST Subject: Which countries don't allow encryption ? Message-ID: <9512201335.AA01573@imdwd01> Hi all, Apologies in advance if anyone feels this is off topic... I'm trying to address the following issue: people at my company need to exchange sensitive information with their colleagues abroad (e.g. East Europe, or Southern America). Of course, the most obvious way to protect our data is to encrypt everything, regardless how we communicate (either via e-mail or sending magnetic media). So we should use PGPi, but...it seems to me there is a _problem_. I read somewhere that Russian law forbids the use on encryption: is this correct ? Let me generalize this first question: which countries in the world don't allow encryption usage, or encrypted traffic inside their boundaries ? or allow, but provided certain conditions are satisfied ? 2nd question: which way(s) could we meet the laws in, let me say, East Europe while protecting our info ? (I'd like to avoid giving away our keys, as I'd requested -possibly- in France, so maybe encryption is not suitable). Please e-mail directly to me, since I'm not a subscriber of this list (I tried it, but it is a too high volume and specialization level for me). Thanks in advance, Franco Visentin ( visentin at milano.italtel.it ) From E.J.Koops at kub.nl Wed Dec 20 06:16:23 1995 From: E.J.Koops at kub.nl (Bert-Jaap Koops) Date: Wed, 20 Dec 95 06:16:23 PST Subject: Which countries don't allow encryption ? Message-ID: <1DBA4168EA@frw3.kub.nl> > Let me generalize this first question: which countries > in the world don't allow encryption usage, or encrypted > traffic inside their boundaries ? or allow, but provided > certain conditions are satisfied ? See my Crypto Law Survey. NOTE: the URL has changed. Please reset your pointers to: http://cwis.kub.nl/~frw/CRI/projects/bjk/lawsurvy.html I shall update it in the first week of January and provide some more pointers to online information. Regards, Bert-Jaap ---------------------------------------------------------------------- Bert-Jaap Koops tel +31 13 466 8101 Center for Law and Informatization facs +31 13 466 8102 Tilburg University e-mail E.J.Koops at kub.nl -------------------------------------------------- Postbus 90153 | This world's just mad enough to have been made | 5000 LE Tilburg | by the Being his beings into being prayed. | The Netherlands | (Howard Nemerov) | --------------------------------------------------------------------- http://www.kub.nl:2080/FRW/CRI/people/bertjaap.htm --------------------------------------------------------------------- From jeffb at sware.com Wed Dec 20 06:24:48 1995 From: jeffb at sware.com (Jeff Barber) Date: Wed, 20 Dec 95 06:24:48 PST Subject: (Fwd) SECURITY ALERT: Password protection bug in Netscape In-Reply-To: <2.2b9.32.19951220115525.0069303c@cosmos.cosmos.att.com> Message-ID: <199512201501.KAA28003@jafar.sware.com> Karl A. Siil writes: > On a related note, how does Netscape (or HTTP in general) authenticate using > the password? My best guess, without a sniffer, is (making up error codes as > I go along, but you get the point): > Anyway, lots of conjecture (sp?) here. Does anyone know how it really works > or can point me at a reference? Thanks. http://www.w3.org/hypertext/WWW/Protocols/HTTP1.0/draft-ietf-http-spec.html#AA -- Jeff From rsalz at osf.org Tue Dec 19 15:05:18 1995 From: rsalz at osf.org (Rich Salz) Date: Wed, 20 Dec 1995 07:05:18 +0800 Subject: Please help Message-ID: <9512191501.AA05363@sulphur.osf.org> Please help. Somehow, someone signed up the "cypherpunks" mailing list to your "ZD Net Update" electronic newsletter. Our mailing list, with over a thousand members, is for the discussion of cryptography and technical means of achieving privacy and anonymity in the emergent digital world. There is some overlap between your publication and our mailing list, which is why some well-meaning individual "signed us up." It's pretty slight, however, and interested parties can sign up individually. So, please remove cypherpunks at toad.com from your mailing list. As always, if you ahve questions about the propriety of this, you can follow the internet conventions of writing to postmaster at toad.com to double-check. Thanks. /r$ From anonymous-remailer at shell.portal.com Tue Dec 19 15:06:44 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 20 Dec 1995 07:06:44 +0800 Subject: PAY-OFF TIME FOR BUG-BUSTERS, NETSCAPE PLEDGES "DOGFIGHT" Message-ID: <199512191557.HAA10769@jobe.shell.portal.com> On 18 Dec 1995, Ian Goldberg wrote: > In article <199512151800.KAA11304 at jobe.shell.portal.com>, > wrote: > >On Mon, 11 Dec 1995, Michael Coates wrote: > > > >> PAY-OFF TIME FOR BUG-BUSTERS, NETSCAPE PLEDGES "DOGFIGHT" > >> Netscape Communications has awarded two software sleuths $1,000 each > >> for finding security gaps in its Netscape Navigator 2.0 software. The > >> company also awarded gifts to 50 other contestants in its "Bugs Bounty" > >> program for identifying non-security problems. (Wall Street Journal > >> 11 Dec 95 B7) > > > >Can anyone tell me whether Ian Goldberg and David Wagner got their $25,000 > >from Netscape for finding the HUGE security flaws in Netscape's existing > >product line?? > > > >I can't remember whether they got anything or not ... > > That would be no (well, except for the nifty T-shirt from Sameer; Thanks!). Not anything?? That's shameful ... where on earth are the values in America, today? AT&T and Netscape have jointly made a small fortune distributing this product, and yet NEITHER company feels that the software engineers who "voluntarily" made a difference -- a couple of students -- deserve even a wooden nickel for the ideas which were used. It's absolutely shameful. But then, I guess that AT&T and Netscape have no shame at all. They just steal "intellectual property" from students, and don't even pay a token amount. And people wonder what's wrong with Aemrica? > - Ian "There's a reason people talk about `starving grad students'..." > From dlv at bwalk.dm.com Wed Dec 20 07:44:48 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 20 Dec 95 07:44:48 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <2.2b9.32.19951220122140.00684794@cosmos.cosmos.att.com> Message-ID: "Karl A. Siil" writes: > At 10:32 PM 12/19/95 GMT, ECafe Anonymous Remailer wrote: > > > >And why do we tolerate Jeff Weinstein and Mat Blaze calling themselves > >cypherpunks, when they are so clearly just working us for their > >corporate interests? I wonder how much they get paid to monitor this > >list? > > Matt, if you're getting paid to read this list, I want a new contract. Karl, are you an unpaid volunteer at AT&T, or do you quit your job every time you read your e-mail? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From E.J.Koops at kub.nl Wed Dec 20 07:53:44 1995 From: E.J.Koops at kub.nl (Bert-Jaap Koops) Date: Wed, 20 Dec 95 07:53:44 PST Subject: Correct URL Crypto Law Survey Message-ID: <1F59210729@frw3.kub.nl> >http://cwis.kub.nl/~frw/CRI/projects/bjk/lawsurvy.html Sorry, the URL should be: http://cwis.kub.nl/~frw/CRI/projects/bjk/lawsurvy.htm Bert-Jaap. From dlv at bwalk.dm.com Wed Dec 20 08:11:18 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 20 Dec 95 08:11:18 PST Subject: Which countries don't allow encryption ? In-Reply-To: <9512201335.AA01573@imdwd01> Message-ID: <75ZegD4w165w@bwalk.dm.com> visentin at imdwd01.milano.italtel.it writes: > I'm trying to address the following issue: people at > my company need to exchange sensitive information with > their colleagues abroad (e.g. East Europe, or Southern > America). ... > I read somewhere that Russian law forbids the use on > encryption: is this correct ? More or less. President Yeltsin's edict of April 3, 1995, prohibits the use of encryption without a licence from FAPSI. I've been told that "everybody" continues to use PGP and no one's had any trouble yet. However in today's climate I can imagine a Western business blatantly violating the edict, being threatened with prosecution, and being shaken down for a bribe... For a peace of mind, why don't your correspondents go to FASPI and simply ask for a licence. They're nice people. You might have more of a problem in France, where, as far as I know, you must deposit your cryptographic keys with the government, so it may read your correspondence. Soon this may be required in the U.S. as well. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From alano at teleport.com Wed Dec 20 09:06:26 1995 From: alano at teleport.com (Alan Olsen) Date: Wed, 20 Dec 95 09:06:26 PST Subject: cyphernomicon FTP site? Message-ID: <2.2b7.32.19951220170717.008dcd74@mail.teleport.com> At 12:59 AM 12/20/95 -0800, you wrote: >At 9:18 PM 12/19/95, Vinod Valloppillil wrote: >>Anyone know where I can FTP a full copy of the cyphernomicon? [Much deleted] >Anybody who plans to download the entire linear file and then print it out >must be missing a bits in his shift register. There are reasons to want a non-html version. The best being uploading to your favorite text-oriented BBSes. (Or crypto-oriented BBSes.) Not everyone has access to the web. (Yes, I know it is blasphemy...) | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From hfinney at shell.portal.com Wed Dec 20 09:21:19 1995 From: hfinney at shell.portal.com (Hal) Date: Wed, 20 Dec 95 09:21:19 PST Subject: King Kong Does e$ Message-ID: <199512201719.JAA12291@jobe.shell.portal.com> Thanks to Bob Hettinga for typing that long message about the Microsoft "ecash" scheme. That is some nimble note-taking. I have a few comments on the scheme as Bob presented it, and as it compares to Digicash. I will follow up with some commentary about the politics involved. > Customer chooses secret s, serial number n, n=h(s) and amount. > Customer pays bank (by any method) the amount of the desired banknote > bank signs serial number and amount > Transaction may be anonymous (physical cash purchase at bank) pick > serial number, bank uses private signature to sign the serial number. >[...] > How is it used for payment > Payer simply gives bank note to payee by handing over the secret > payee immediately exchanges the banknote for new ones anonymously, if > desired > Old banknote is now invalid, since bank has its secret; hence payer > can't respend it > If the bank note is already invalid, bank rejcts exchange and informs > payee. > "In effect, these are disposable banknotes" The withdrawal protocol has some similarities to online Digicash ecash. In that system, you choose a random number s, calculate a one way function h(s), and get that signed by the bank. Unlike in the Microsoft scheme, blinding is used for the signature. I imagine Microsoft avoids blinding because of the patent situation, and possibly due to legal concerns about anonymity (more on this below). With Digicash, the coin is then the pair s, SIGN(h(s)). This is then given to the shop as payment. It can check the bank's signature, but that is not enough; being an online scheme, it must also turn the coin in at the bank to prevent double spending. The bank checks the signature and that the coin is well formed to accept it. The Microsoft scheme is like an unblinded version of this. The bank simply signs h(s) and gives that to the customer. This allows a simplification in the spending. Instead of passing s, SIGN(h(s)), it is enough just to pass s. The payee gives this to the bank (since this is an online system), which given s can calculate h(s) and check this against a list of all valid coins. It knows the valid coin numbers because it saw them when it signed them (unlike with Digicash). So there is a slight space savings in the spending protocol. It is also not necessary for the messages to and from the bank to be encrypted during the withdrawal protocol; neither knowing h(s) nor SIGN(h(s)) will allow an attacker to spend the coin, since he doesn't know s. A similar thing is true of DigiCash, though, where the blinded pre-signed or signed coins are useless to an attacker since he doesn't know the blinding factor. The big problem then with the Microsoft system is that it is not anonymous. As a result, it is technically not electronic cash, at least as the word is used in the literature. However we are seeing so many proposals like this, all of them wanting to capitalize on this magic word "cash", that I suppose the definition has to be considered to be shifting. In the new usage, virtually any payment system can be called cash if there is some way that users can be anonymous in using it. And since by allowing anonymous accounts virtually any payment system can do this, the word is becoming meaningless. The problem I see in practice with using their cash anonymously is how to buy it. If I have an account with the Bank of Microsoft, and I withdraw some "mcash", deducting it from my account balance, that mcash will be linkable to my account when I spend it. In order to be anonymous I have to buy the cash anonymously. I can walk into the local bank with a floppy and some dollar bills, but that is not practical in general. I could use mcash to buy some more mcash, but even if the second transaction is anonymous, the bank knows that I was the one who withdrew the first set of mcash, so it can link me to the second set when it is spent. The only good solution I can see is to use Digicash ecash to anonymously buy Microsoft mcash, but I doubt that that is what they had in mind! Frankly, what I see in this message is another example of something which is starting to become common: marketing to cypherpunks. In a way it is a very positive sign, that our views and concerns are becoming so well known and widespread that companies like Microsoft and Netscape are doing their best to keep on the good side of people like us, who are concerned about strong privacy and security. In some ways our attitudes are becoming dominant on the net, thanks to the many excellent writers here, as well as magazines like Wired, and groups like the EFF and other interest groups. But this influence is making us a target of companies who know that gaining our approval, or at least avoiding our criticism, is important for success on the net. In many cases, such as the recent flap over Netscape's attitudes towards key escrow, I detect a whiff of two sidedness, in which one attitude is presented for the benefit of government and law enforcement interests, while another posture, more acceptable to cypherpunks, is adopted on the net. With Microsoft, they use the magic word "cash" a great deal, in my view hoping that we will line up in favor of the idea. But as I have explained it is not really anonymous, no more so than any other payment system. And it is not at all clear that the kinds of anonymous accounts that would be necessary to really make it anonymous will be allowed. In that case, Microsoft can just shrug and say, "well, we tried." They get the best of both worlds. They make the government happy by providing a traceable payment system, while they look good on the net by pushing "electronic cash". I don't have any proof that this is exactly what is going on. But it is possible, and I think we have to be skeptical and at least open to the possibility that this kind of manipulation is occuring, no matter how many assurances we get from the companies involved that they are really on our side. Finance is a high stakes business and there is a lot of government regulation involved. Where our interests and the government's diverge, we need to watch closely to see whether the companies' actions match their words. This kind of marketing is going to continue to increase, I expect. Hal Finney From jya at pipeline.com Wed Dec 20 09:37:17 1995 From: jya at pipeline.com (John Young) Date: Wed, 20 Dec 95 09:37:17 PST Subject: KOD Message-ID: <199512201737.MAA29878@pipe6.nyc.pipeline.com> Congratulations to the cypherpunks named Newsweek's "Big Thinkers of tomorrow -- the list of 50 People Who Matter Most on the Internet." In the December 25 issue. And, sympathy for the Kiss of Death envynescent celebrity. From usura at berserk.com Wed Dec 20 11:15:06 1995 From: usura at berserk.com (Alex de Joode) Date: Wed, 20 Dec 95 11:15:06 PST Subject: CFS and Linux Message-ID: <199512201915.UAA00215@asylum.berserk.com> Is there anyone out there that has CFS running with Linux ? It installs fine on BSDi 2.0 but I'm unable to install it under Linux, I would appreciate it if some one would help me out. -AJ- From attila at primenet.com Wed Dec 20 11:16:39 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 11:16:39 PST Subject: (fwd) Junk email address collection (from a junk emailer) In-Reply-To: Message-ID: On Tue, 19 Dec 1995, Rich Graves wrote: > Personally, I think anyone who uses dejanews as a way to grep Usenet is > an idiot, but since this idiot actually did spend several hours doing so, > and then sent unsolicited commercial email to several thousand people, > it's worth listening to him. > [snip] [START] "forcing" a change on DejaNews to strip addresses would defeat the "redeeming" value of such a database. Since I, like many, occasionally fall into the trap of opening my response before clutching in my brain, I used DejaNews to "count" the gaffes! Fortunely, none on that search, just the usual sloppy keyboard entry. and, coming down on DejaNews just puts the fire out in just one room of a conflagration. [CONTINUE] > Here it is: > > When one of these mailers goes to do a search (and from what I hear, many > of them do it on regular intervals to get new names) they cannot do a TERSE > search. Why? Because it cuts off the email addresses if you notice the > output. They cannot obtain addresses from this data. > > So what do they do? They do a VERBOSE search and this way the email > addresses are completely listed. > > Make a change to this VERBOSE search option so that it will only list the > partial email address, and you will eliminate THOUSANDS, if not millions of > unwanted email messages on the Net. > > I guarantee if they made this change to the site it would make a HUGE > difference. From what I hear, most newsreaders only list news post lists > by "author" and not by email address, so these companies cannot easily > strip names through regular newsgroup programs, and must use a service > (like Deja News) to compile large email lists. > [snip] [START] Searching with a news reader message by message would be more than painful! all they need to do to obtain names from any newsgroup is to scan the entire news base, or groups of interest. It took me less than a minute to strip names from the alt.religion tree. I dont think the spammers are too worried about adding a few names when groups are sorted by interest anyway. for amusement, I have started to code a simple program which takes a feed from procmail where known spammers are listed and it prepends a message about spamming and send 1 - n copies to the offenders' PostMaster. ...and, I will send them from my own address as a token of my affection.... The only aggravation is adding offender to procmail after finding the source as many are using remailers. If they have 800 numbers, there are always auto-dialers with a message.. .. I hate to waste the bandwidth, but the spammers are getting out of hand and procmail -> /dev/null is less than satisfying! [END] From jk at jaramillo.digit.ee Wed Dec 20 11:27:32 1995 From: jk at jaramillo.digit.ee (Jyri Kaljundi) Date: Wed, 20 Dec 95 11:27:32 PST Subject: FTC Privacy Initiative (fwd) Message-ID: ---------- Forwarded message ---------- Date: Wed, 20 Dec 1995 09:22:11 -0800 From: Internet Marketing Discussion List To: internet-marketing at popco.com Subject: FTC Privacy Initiative From: Lewis Rose The US Federal Trade Commission has launched a "Privacy Initiative" to investigate whether the information collected at websites (either that affirmatively submitted by a visitor via a form or information collected based upon a visitor's selection of pages at a site to reflect personal interests) should be the subject of regulation by the FTC. To get background on this effort, you may want to read a speech by FTC Commissioner Varney on Electronic Commerce and Privacy which is available at the FTC's site under speeches (www.ftc.gov) or the Advertising Law Internet Site (www.webcom.com/~lewrose/home.html) under speeches. This week the staff of the FTC established a mailing list to allow interested parties to discuss the issues surrounding the privacy interests of consumers visiting web sites. To subscribe, send the message "subscribe" (without the quotes) to privacy-request at ftc.gov I suspect most of the participants will not represent the internet marketing community and urge interested members of this list to subscribe and participate. So far, there have been only two posts-- one by me yesterday wondering why marketers on the internet should be treated any differently than marketers using more traditional media, followed by one post simply asserting that internet marketing privacy issues are completely different from those raised by traditional media. Lew Lewis Rose 202-857-6012 (voice) Arent Fox Kintner Plotkin & Kahn 202-857-6395 (fax) 1050 Connecticut Avenue, NW lewrose at arentfox.com (email) Washington DC 20036 Advertising and Marketing Law Advertising Law Internet Site http://www.webcom.com/~lewrose/home.html Net-Lawyers Mailing List: net-lawyers at lawlib.wuacc.edu From karl at cosmos.cosmos.att.com Wed Dec 20 11:34:36 1995 From: karl at cosmos.cosmos.att.com (Karl A. Siil) Date: Wed, 20 Dec 95 11:34:36 PST Subject: revised time quantization package (Unix & WIN32) available Message-ID: <2.2b9.32.19951220193213.006bd414@cosmos.cosmos.att.com> At 09:14 AM 12/20/95 EST, Dr. Dimitri Vulis wrote: ... >> Matt, if you're getting paid to read this list, I want a new contract. > >Karl, are you an unpaid volunteer at AT&T, or do you quit your job every >time you read your e-mail? Actually, AT&T has us record our time down to 15 minute intervals, which I obey religiously*. In this case, I'm writing my CP activity off to "People who can't see a joke without a :-)." * Note there should be a :-) here, too. Not speaking for the company... Karl From harmon at tenet.edu Wed Dec 20 11:37:37 1995 From: harmon at tenet.edu (Dan Harmon) Date: Wed, 20 Dec 95 11:37:37 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: <199512201858.NAA28293@jekyll.piermont.com> Message-ID: Perry, the only crypto code you seem to do is the unintelligble postings that you send to the list. .d On Wed, 20 Dec 1995, Perry E. Metzger wrote: > > Dan Harmon writes: > > If this is what you consider contributing them you seem to have some > > deep problems that cannot be solved here. You may have to seek professional > > help. Your continued and at times seemingly uncontrollable use of vulgar > > language may indicate a neurobiological disorder such as Tourette's > > syndrome. You really should have it checked out before you harm yourself > > and possibily others. > > Thank you for the pseudopsychology, but really, all you've done is > further confirm my diagnosis of "non-contributing asshole". > > When was the last time you did anything to actually help spread > cryptography, eh? > > If you'll pardon me, I have crypto code to get back to. > > .pm > From fricke at mae.engr.ucdavis.edu Wed Dec 20 11:40:53 1995 From: fricke at mae.engr.ucdavis.edu (Light Ray) Date: Wed, 20 Dec 95 11:40:53 PST Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: <199512200022.LAA28002@sweeney.cs.monash.edu.au> Message-ID: On Wed, 20 Dec 1995, Jiri Baum wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Hello, > > tcmay wrote: > ... > > Prime Factoring? Primes are easy to factor, of course. (Hint: Every prime > > has two factors.) > ... > > Can someone enlighten me as to what the two factors are? > The two factors of a prime number are itself and one. However, prime factoring usually refers to (?) factoring a number out into it's component prime numbers. Tobin Fricke From mrose at stsci.edu Wed Dec 20 11:52:20 1995 From: mrose at stsci.edu (Mike Rose) Date: Wed, 20 Dec 95 11:52:20 PST Subject: Motorola Secure Phone Message-ID: <9512201951.AA25492@MARIAN.SOGS.STSCI.EDU> >I saw a new cordless phone made by Motorola in a retail outlet today >that is supposedly "Secure from eavesdroppers." I asked the >salespeople for more technical info, but they weren't very helpful. >Does anyone have any information on this? I have one of these, it's a good phone. I think the security will stop only an off-the shelf scanner. My understanding is that the signal is not encrypted, but only phase-inverted or otherwise shifted. Mike From cpunk at remail.ecafe.org Wed Dec 20 12:16:19 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Wed, 20 Dec 95 12:16:19 PST Subject: The Problem With Blaze And Weinstein Message-ID: <199512202018.UAA02824@pangaea.ang.ecafe.org> I'm not trying to start a flame war. I'm sure these people are very smart and have written lots of good code. I'm sure they're very nice and never kick their dogs. I'm just tired of people defending them as cypherpunks. They aren't cypherpunks. Neither has come out against GAK. They both carefully avoid commiting to any statement. They want us to think they're "one of us" but they don't want to be pinned down because they are double dipping on both sides of the fence. Blaze even does "research" on GAK. See his web page for evidence. Also the TIS report. The fact that he found a bug in clipper doesn't change this. It proves it. He works for the government, via att. Weinstein is actively promoting GAK by working at the company that the government has chosen to bring it to you now that att has failed. WHY IS EVERYONE SO QUICK TO DEFEND THESE PEOPLE? DO THEY HAVE YOU ALL SO IMPRESSED WITH THEIR MASTERS DEGREES THAT YOUR AFRAID TO LOOK CLOSELY? No, I did not post the RSA patch. I wouldn't touch any of that code with a 5 meter pole. To the guy who says write code: I've written plenty of code. Clue: your probably running some of it right now. I'm anonymous because I've seen FIRST HAND what the att lawyers do to people who tell the wrong kind of truth. Want me to be a 'nym. OK. s/ Bill Gates (he has good lawyers that can handle att and netscape) From zinc at zifi.genetics.utah.edu Wed Dec 20 12:22:01 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Wed, 20 Dec 95 12:22:01 PST Subject: CFS and Linux In-Reply-To: <199512201915.UAA00215@asylum.berserk.com> Message-ID: On Wed, 20 Dec 1995, Alex de Joode wrote: > Date: Wed, 20 Dec 1995 20:15:14 +0100 (MET) > From: Alex de Joode > To: cypherpunks at toad.com > Subject: CFS and Linux > > > Is there anyone out there that has CFS running with Linux ? > > It installs fine on BSDi 2.0 but I'm unable to install it > under Linux, I would appreciate it if some one would help > me out. i don't think i can help you at all but i do have it running on my linux box. i compiled it as ELF with gcc 2.7.0 and libc 5.0.9. unfortunately, i just tried to compile it again and it didn't work. i'm not sure what i've changed since then but i have updated some libraries and bin-utils so who knows. anyway, i know other people have it running too, it just seems really touchy to me. sorry for the lack of info/help, -pjf patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu From attila at primenet.com Wed Dec 20 12:27:29 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 12:27:29 PST Subject: on web standards: sent to Markoff In-Reply-To: <199512200844.AAA24193@netcom6.netcom.com> Message-ID: Markoff is not the best on criticism. write the editor direct. ---------------------------------- Microsoft particularly does seem to place a death grip on things, but more industry consortiums are forming and Billy has been required to accept the heat; Java is one, except Billy always finds a way to subvert the process. Billy is like Karl Marx' premise: "sign all treaties; break them when it is convenient." The conundrum is trying to decide "when" a particular company is a monopoly by either the classic definition of the Sherman and Clayton Acts or an effective monopoly, or "bad" player as defined in the Robinson-Patman act. Bill Gates more than satisfies the requirements of defining a monopoly in Sherman and Clayton with 85% of the desktop locked in and an assualt with "almost" standards on the open-system server market. NT is already garnering more than 25% of server installations in business --big business, since it will be "guaranteed" compatible with their desktop 95s. The rest of us, stay with the real thing. Add to MS' virtually absolute domination of the desktop and its impending domination of the commercial servers the fact that MS has 95% of the front line office products --WP, Spreadsheet, Database, and mail with the last be non-standard to long established rules and you do have a problem to be considered. Will the market correct itself? Very questionable since MS rode to its position on IBM's back and capitalized on IBM's failure to recognize what they had stumbled into. IBM did not fall by the market rejecting IBM --the market exploded with the PC for price and diversity reasons: you can not compare direct entry, full screen aplications and transportability of a PC against a looped, expensive main-frame connection, if the boss even approves the cost. However, Bill Gates' more serious offense involves the fair trade provisions of the Robinson-Patman act and the subsequent fine-tuning of the Federal Trade Commission (FTC) which has its own courts. Bill Gates has used his operating system dominance to force hardware vendors to ship MS products on _every_ machine, or pay substantial penalties in rates 2 and 3 times larger for all MS products --cheap only if it is universal. Under these conditions, why would they ship OS/2 or UNIX? Add a few more of his contractural items and Anne Bingaman was correct in charging Bill with restraint of trade. The real issue in DOJ v. MS was that although Bill complied with a consent decree, he _immediatley_ found other ways to apply the screw, and many of these newer terms are even worse, but more subtle. And, there is no question the verbal threats have been significantly worse. To software vendors it is the threat of denial of technical information on GUIs and APIs, to hardware manufacturers it is threats of ecomnomic sanctions, including publishing decertification of the platform for various WIN95 and NT compliant stickers, etc. Bill Gates is NOT an ethical businessman. If the fact was that Bill was able to garner his position from hard work, a better product, and a well-greased advertising and marketing organization would not justify the application of the classic Sherman and Clayton anti-trust rules; the market will either continue to accept them or not. However, Bill has used his position of 85% in OSs not only to dictate OS considerations, as bad as they are with DOS nothing more than a boot sector virus and Windows a pretty program loader, but he has used this position to dominate the applications market by bundling and forcing machine integrators to include the MicroSoft applications in return for the OEM discount on the operating systems. Preloading the market by those means is _not_ ethical or good business. Bill Gates _clearly_ violates the FTC provisons on ethical conduct and restraint of trade by a monopoly or quasi-monopoly position. Why were nearly 30 OEMs represented anonymously in "friend of the court" briefs? --and the first thing Billy's (hired virtually every high end firm in SF) attorneys' did was subpoena the _names_ of the consortium under the rules of evidence --welcome to the "Kiss of Death." Personally, I think it is time to dismember Bill Gates --give him a choice of his OS group or his applications group and literally force him to sell all direct or indirect interest in the one he does not choose, plus forego any involvement. An example of the "ill" is Gate's clear announcement that _all_ MS programs would now be geared to direct interface to the internet --again initially only the Microsft Network with proprietary standards. This may be commendable on the intended results of better integration to the world, but not in terms of free trade as _everything_ MS does is proprietary, or they do not release _correct_ API information until they have taken a commanding lead in the market (witness Compu$erve and the rest on no access to Win95 --IBM put their network and a button for other networks, with a working PPP interfacein the same folder). Anyone who thinks Bill Gates or Microsoft is a benevolent 800 pound gorilla has not paid attention in history classes: power corrupts absolute power corrupts absolutely. he who fails to heed history, is doomed to repeat it. (which is mankind's normal path) ATTILA From perry at piermont.com Wed Dec 20 12:27:31 1995 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 20 Dec 95 12:27:31 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: Message-ID: <199512202027.PAA28498@jekyll.piermont.com> Dan Harmon writes: > Perry, If my memory is correct, you are the one who has a history of being > a jerk. You know, Mr. Harmon, you can just keep posting my private mail to you all day, but you WILL start to annoy others after a while. [Just to be clear to others, this is the first of the several messages on the topic I've posted -- Mr. Harmon has been forwarding my private replies to the list. I think it all makes him look bad, but some people have no sense.] Perry From dmandl at bear.com Wed Dec 20 13:05:11 1995 From: dmandl at bear.com (David Mandl) Date: Wed, 20 Dec 95 13:05:11 PST Subject: KOD In-Reply-To: <199512201737.MAA29878@pipe6.nyc.pipeline.com> Message-ID: On Wed, 20 Dec 1995, John Young wrote: > Congratulations to the cypherpunks named Newsweek's "Big > Thinkers of tomorrow -- the list of 50 People Who Matter Most > on the Internet." In the December 25 issue. Can you reveal who they are? No way am I going to buy Newsweek to find out. --Dave. -- David Mandl Bear, Stearns & Co. Inc. Phone: (212) 272-3888 Email: dmandl at bear.com -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From perry at piermont.com Wed Dec 20 13:18:16 1995 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 20 Dec 95 13:18:16 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512202018.UAA02824@pangaea.ang.ecafe.org> Message-ID: <199512202117.QAA28656@jekyll.piermont.com> ECafe Anonymous Remailer writes: > I'm not trying to start a flame war. Really? > They aren't cypherpunks. > > Neither has come out against GAK. You obviously have never spoken to Matt. > Blaze even does "research" on GAK. No, he does research on private escrow. Thats not the same thing as GAK. Private escrow is sensible -- you don't want just one person with the keys to, say, the personel records. What happens if they get hit by a car? > DO THEY HAVE YOU ALL SO IMPRESSED WITH THEIR MASTERS DEGREES THAT > YOUR AFRAID TO LOOK CLOSELY? Actually, Matt has a Ph.D. from Princeton. > WHY IS EVERYONE SO QUICK TO DEFEND THESE PEOPLE? Maybe I defend Matt because I think I know him pretty well -- we met when he showed up at the Columbia U. computer science department in the mid 1980s, and among other things we shared an office at Bellcore for a year or two, and he's about as cryptography and privacy friendly a person as you can find. Maybe I defend him because you are likely an idiot who's never so much as chatted with him. Maybe I'm bored. Who knows. Perry From jsimmons at goblin.punk.net Wed Dec 20 13:46:32 1995 From: jsimmons at goblin.punk.net (Jeff Simmons) Date: Wed, 20 Dec 95 13:46:32 PST Subject: Text version of Cyphernomicon Message-ID: <199512202145.NAA05944@goblin.punk.net> -----BEGIN PGP SIGNED MESSAGE----- ftp.goblin.punk.net/pub/docs/cypherfq.zip or cypherpunk.faq.gz - -- Jeff Simmons jsimmons at goblin.punk.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNiECeL8IP70uJJBAQGiRQQAlIXYZkpMy4OSD+2DNgSEdGRsFaPgEk6/ vckQsT8Wa3Kl1uhIvFo/c/FDnbH/1W+LtzfV28zve6UkauSdhe6kD4S6QI7itbRa PgbOgLEsFh9WxFOgTANozPQdumj1gnj/qoKxGKb5hBTT4O0jaPvA5bZY9LtPtl2E UjGdr5ap0Mo= =Kd54 -----END PGP SIGNATURE----- From jamesd at echeque.com Wed Dec 20 13:47:54 1995 From: jamesd at echeque.com (James A. Donald) Date: Wed, 20 Dec 95 13:47:54 PST Subject: Political Cleanup program [NOISE] Message-ID: <199512202147.NAA00522@blob.best.net> Phill wrote: >>It is not simply an issue of money, it is an issue of national security. If a >>foreigner were to control the majority of the media there would be a significant >>threat to the national interest. This threat has been realised in the UK with >>the comming to power of Rupert Murdoch. Fortunately his influence on the US >>political scene has thus far been minor. In his own country he has brought down >>the government more than once. At 01:37 AM 12/20/95 -0500, Jim Ray wrote: >So what??? He gives us "The Simpsons" and "Married, With Children!" >[IMO] Rupert has done more for humor than any humor-impaired liberal >has ever done! Murdoch is bitterly hated by our elites, because things are speakable on his networks that are unspeakable on other networks. Hence their perfectly true claim that he has overthrown several governments. I hope he overthrows some more. I especially love the political humor on "married with children" Cypherpunk relevance: Murdoch got in deep shit because of his famous speech that the communication revolution would profoundly undermine the power of oppressive governments. Murdoch sometimes calls himself a libertarian, but he is more a conservative with bombs. Still, I am strongly in favor of bombs. It seems clear to me that Murdoch, whatever his political beliefs may be, has done much for liberty. He has been a powerful disruptive influence. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jrober39 at borg.com Tue Dec 19 21:59:14 1995 From: jrober39 at borg.com (JerelRobertson) Date: Wed, 20 Dec 1995 13:59:14 +0800 Subject: mailing list Message-ID: <199512150614.BAA05472@mail.borg.com> Hey I want to get on this list. How do I do it? From llurch at networking.stanford.edu Tue Dec 19 22:04:14 1995 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 20 Dec 1995 14:04:14 +0800 Subject: ANNOUNCE: Windows 95 .PWL Security "Functionality Enhancement" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I have been instructed that it is not a bug fix; it is a "Functionality Enhancement." Please note headers before replying -- you're probably in a Bcc field. The patch for the problem we started discussing on November 1st is dated yesterday, but no one outside Microsoft appears to have seen it until today. pr/password.htm started forwarding to the patch distribution page some time between 2PM and 7:30PM Pacific Time today (yes, I had hit "reload"). http://www.microsoft.com/windows/software/mspwlupd.htm http://www.windows.microsoft.com/software/mspwlupd.htm Anyone who uses passwords for just about anything -- network servers, dialup networking, remote registry services -- should get this patch. For a rough start at a technical discussion of the problem that this patch is supposed to solve, see http://www.c2.org/hackmsoft/ or the gopher list archive below. The Web page says it uses a 128-bit key. Intriguing. Anyone seen the CJR, or is Microsoft exempt? Microsoft had told various people that the new security algorithm would be published in advance and reviewed by outside security experts, but I have not been able to verify this. This was supposed to affect Windows for Workgroups as well; anyone know anything about that? - -rich owner-win95netbugs at lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNENt43DXUbM57SdAQG4xwP9EqXu5wXBOfpThtEUikqngrQNpe7RGKSv FqNSlZnh6GKJff6zQnZ3GyH0lYU8Mg+ApJVmSeSxq3ApA5Oc+jTUW6B4RNm+bxfT YBSThGmGbNNt948E/7oyXJdYVtWhuAleQtU7LxKNJfXoQlO/R05cc8O0zj7EiBR+ 777AbiM201s= =K2IQ -----END PGP SIGNATURE----- From jpp at software.net Wed Dec 20 14:19:36 1995 From: jpp at software.net (John Pettitt) Date: Wed, 20 Dec 95 14:19:36 PST Subject: 900mhz digital phones - how much to trust ? Message-ID: <199512202219.OAA26567@software.net> Whats the current thinking on the security level of 900Mhz digital spread sectrum cordless phones? Clearly it's not a basic scanner job but how much more equipment is needed to monitor one ? John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 Favorite quote: "Security is mostly a superstition. It does not exist in nature, nor do the children of man as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing." - Helen Keller From jya at pipeline.com Wed Dec 20 14:23:30 1995 From: jya at pipeline.com (John Young) Date: Wed, 20 Dec 95 14:23:30 PST Subject: DCI_kgb Message-ID: <199512202222.RAA09658@pipe2.nyc.pipeline.com> The 12-20-95 WPost reports the Deutch/Perry move to kremlinize finance of the 13 spy agencies under the DCI -- to transform the "vaguely associated medieval guilds into a modern corporate team" -- and palmly slather $29 billion IC grease: National Forward Intelligence Program (CIA, NSA, DIA, NRO, parts of three G2s, DOE and FBI): $16bn. Tactical and Related Activities (warfighting support): $10bn. Joint Military Intelligence (cryptology, aerial recon, counter-narc and mapping): "Several billion." DCI_kgb (6 kgb) From sameer at c2.org Wed Dec 20 14:56:58 1995 From: sameer at c2.org (sameer) Date: Wed, 20 Dec 95 14:56:58 PST Subject: KOD In-Reply-To: Message-ID: <199512202251.OAA27128@infinity.c2.org> Rumor has it that I was listed there ... I haven't seen it though. > > On Wed, 20 Dec 1995, John Young wrote: > > > Congratulations to the cypherpunks named Newsweek's "Big > > Thinkers of tomorrow -- the list of 50 People Who Matter Most > > on the Internet." In the December 25 issue. > > Can you reveal who they are? No way am I going to buy Newsweek to > find out. > > --Dave. > > -- > David Mandl > Bear, Stearns & Co. Inc. > Phone: (212) 272-3888 > Email: dmandl at bear.com > > -- > ******************************************************************************* > Bear Stearns is not responsible for any recommendation, solicitation, offer or > agreement or any information about any transaction, customer account or account > activity contained in this communication. > ******************************************************************************* > -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jya at pipeline.com Wed Dec 20 14:58:22 1995 From: jya at pipeline.com (John Young) Date: Wed, 20 Dec 95 14:58:22 PST Subject: KOD Message-ID: <199512202258.RAA13656@pipe2.nyc.pipeline.com> Responding to msg by dmandl at bear.com (David Mandl) on Wed, 20 Dec 4:3 PM >Can you reveal who they are? No way am I going to buy >Newsweek to find out. Anyone out of Newsweek's range, return this msg, empty, to me to get the 50 mugshots, then ... sort out the living from the dead. Best not to cypherdunk the already nym-shot victims. Privacy is paramount, bellows this list, no? From hua at chromatic.com Wed Dec 20 15:03:30 1995 From: hua at chromatic.com (Ernest Hua) Date: Wed, 20 Dec 95 15:03:30 PST Subject: Please cut the "tude"! Message-ID: <199512202303.PAA02038@ohio.chromatic.com> The "tude" level is getting a bit out of hand. Please take your personal attacks elsewhere. Moderator, please beat them silly with a banana until they stop! Thanks! Ern From andr0id at midwest.net Wed Dec 20 15:18:01 1995 From: andr0id at midwest.net (Jason Rentz) Date: Wed, 20 Dec 95 15:18:01 PST Subject: ex encrypted script Message-ID: <199512202339.RAA05220@cdale1.midwest.net> Forgive me if this is a stupid question. I'm using AT&T unix Version 5 release 3.2.2 ( UNIX System V/386 Release 3.2) I have several simple scripts that are simple yet handle important realtime call proccessing tasks and remote control operations. These programs are my programs but are running on a system that is dialed into by the vendor once in a while. Is there a way to encrypt a script yet still allow it to be runnable? I know that the simple answer is to write it in C and compile it but I don't have the means of doing that at the moment. (i.e. there is not compiler on the system) I thought of a few simple protections but they all involve decrypting before running. Dr0id ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From futplex at pseudonym.com Wed Dec 20 15:28:01 1995 From: futplex at pseudonym.com (Futplex) Date: Wed, 20 Dec 95 15:28:01 PST Subject: [NOISE] revised time quantization package (Unix & WIN32) available In-Reply-To: Message-ID: <199512202327.SAA10742@thor.cs.umass.edu> Dan Harmon writes: > Perry, > > the only crypto code you seem to do is the unintelligble postings > that you send to the list. Keep this irrelevant crap off cypherpunks. -Futplex From futplex at pseudonym.com Wed Dec 20 15:37:18 1995 From: futplex at pseudonym.com (Futplex) Date: Wed, 20 Dec 95 15:37:18 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512202018.UAA02824@pangaea.ang.ecafe.org> Message-ID: <199512202337.SAA10846@thor.cs.umass.edu> Anonymous "Bill Gates" writes: > I'm not trying to start a flame war. Bullshit. [inconsequential prattle elided] This thread is completely off-topic. Besides, we've gone through all this on the list before. Let's not continue it. We all have more productive things to do with our time. -Futplex From EALLENSMITH at mbcl.rutgers.edu Wed Dec 20 15:45:25 1995 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Wed, 20 Dec 95 15:45:25 PST Subject: NTT & electronic "cash" Message-ID: <01HZ1GUUJERK8Y52ZW@mbcl.rutgers.edu> This qualifies as one of the most uninformative news items I've seen from Reuters. Anyone know any substantive info on their process? -Allen --------------------- Reuters New Media _ Wednesday December 20 2:04 PM EST _ NTT Says Develops Secure Electronic Cash System TOKYO- Nippon Telegraph and Telephone said today that it has developed a secure electronic cash system which can be used for settling transactions on the Internet and in daily life using smart cards. "The system has very secure algorithms, and that makes fraudulent uses of the system very difficult," NTT researcher Mikio Suzuki told Reuters. From mpj at netcom.com Wed Dec 20 15:48:44 1995 From: mpj at netcom.com (Michael Paul Johnson) Date: Wed, 20 Dec 95 15:48:44 PST Subject: Ruby Block Cipher Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The Ruby Block Cipher has just been published. It is not a general block cipher in that it cannot be used in Electronic Codebook (ECB) mode. It is more like a cryptographic hash function with a block size of only 64 bits. Of course, 64 bits is too short for a cryptographic hash function intended for digital signature use, but it is just fine for a quick block cipher. This may be a good reference for those folks who want a quick & easy encryption algorithm that need not withstand nuclear attack but can provide something better than common weak encryption methods in use in the software industry. Your comments and suggestions on this rather strange little cipher are welcome. Information on the Ruby Block Cipher is available as ftp://ftp.csn.net/mpj/public/ruby_m4.ps and, if you are in the USA or Canada, a reference implementation is in ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/mpj/rubycode.zip where the ??????? is revealed in ftp://ftp.csn.net/mpj/README rubycode.zip is also available on the Colorado Catacombs BBS at 303-772-1062. Note: this is not a product for sale (it is free and probably worth at least as much as you pay for it). It is also not a prepublication (it is THE publication in electronic form with no paper publication anticpated in the near future). ___________________________________________________________ | | |\ /| | | Michael Paul Johnson Colorado Catacombs BBS 303-772-1062 | | \/ |o| | PO Box 1151, Longmont CO 80502-1151 USA Jesus is alive! | | | | / _ | mpj at csn.net aka mpj at netcom.com m.p.johnson at ieee.org | | |||/ /_\ | ftp://ftp.csn.net/mpj/README.MPJ CIS: 71331,2332 | | |||\ ( | http://www.csn.net/~mpj -. --- ----- .... | | ||| \ \_/ | PGPprint=F2 5E A1 C1 A6 CF EF 71 12 1F 91 92 6A ED AE A9 | |___________________________________________________________| -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAgUBMNiaP/X0zg8FAL9FAQHe0AP+N+tBxoaIdny3CEgxdA8LO9+5VyYiOety qYBc9aCrCbw4TpsFTcsg5bosPlkm3H+VwpWVGOshfl5p69J893jrma07xRamEvM0 /1Mro3X/Ga4SQ7rjHPSdPCBR3YxSA7UoIx27gldTBty2k8WAAeH0BTbn/5s1bGrf ej9ab/rd7Jc= =QRjc -----END PGP SIGNATURE----- P. S. -- I don't normally read this list, so please send a copy of follow-ups directly to me. Thanks! From hallam at w3.org Wed Dec 20 16:12:29 1995 From: hallam at w3.org (hallam at w3.org) Date: Wed, 20 Dec 95 16:12:29 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512202018.UAA02824@pangaea.ang.ecafe.org> Message-ID: <9512210012.AA19612@zorch.w3.org> I think this conversation is getting silly even by net.standards. On the one hand we have the screaming libertarians with a bunch of wedged political notions about property. On the other we have what appear to be arch anti-capitalists claiming that nobody who earns a living out of crypto can be a cypherpunk. What is really strange is that these appear to be the _same_ people. Now I'm not one for supporting corporativism but consider this, most if not all of the technical contributors to this list who can earn money from their crypto knowledge do so. Matt and Jeff are not alone in being paid for their abilities. Another thing is that many of us are also into government contract work up to their necks. The Web consortium is funded partly through an ARPA grant. MIT is practically floating on government subsidies. Yes this is where your tax dollars go, learn to love it or die bitching. The point is that the tourist element who gripe on about nothing other than their political views and never contribute any technical input are not the people that make the list work. People like Matt and Jeff are the people who make the list worthwhile. Phill From adam at homeport.org Wed Dec 20 16:35:58 1995 From: adam at homeport.org (Adam Shostack) Date: Wed, 20 Dec 95 16:35:58 PST Subject: ex encrypted script In-Reply-To: <199512202339.RAA05220@cdale1.midwest.net> Message-ID: <199512210039.TAA24305@homeport.org> Jason Rentz wrote: | Forgive me if this is a stupid question. Hmmm. Will you pay us? | I'm using AT&T unix Version 5 release 3.2.2 ( UNIX System V/386 Release 3.2) [...] | Is there a way to encrypt a script yet still allow it to be runnable? I | know that the simple answer is to write it in C and compile it but I don't | have the means of doing that at the moment. (i.e. there is not compiler on | the system) | | I thought of a few simple protections but they all involve decrypting before | running. Ever hear of chmod? chown? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From anon-remailer at utopia.hacktic.nl Wed Dec 20 16:55:57 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 20 Dec 95 16:55:57 PST Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: <199512210053.TAA11344@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- First, thanks for the obvious 'kind' thoughts Tim... It's heartening that you took the time to add some substantial info to the thread. However... > On 12/18/95 At 12:36 AM -0500, Timothy C. May wrote: > >What caught my attention was the architecture. > > > >A "hybrid design linking two supercomputer processors with an > >array of HALF A MILLION inexpensive processors" that were > >designed by the U.S. government laboratory affiliated with the > >NSA. The same chip house that brought us Clipper. > First, half a million chips is not that big a deal...the Connection Machine > had up to 64,000. Very few cryptographic problems of interest to us will be > affected by a mere factor of a million or so. O.K. Just a factor of 16 increase over the CM architecture right? Not knowing the computational capabilities of the individual processors, it might be difficult to say what the machine is capable of. Wouldn't that have some bearing? > Second, there was work on a "processor-in-memory" architecture, in > conjunction with a Bowie, Maryland spook-connected company. Perhaps this is > what you are thinking of? I didn't mention a 'processor-in-memory' architecture and neither did the NYT article. Don't know about any other company involvement, just CCC and NSA. > Third, all avenues of continued funding having fallen through, Cray > Computer (not Cray Research, of course) was shut down and assets > liquidated. I haven't heard what's become of Seymour, though. (He is > undoubtedly an asset, buy I doubt the Agency would have him liquidated.) You mean the avenues that are of PUBLIC record. The possibility could always exist that the development continues 'in-house'. It wouldn't be the first time that sort of move has been played. > >I've not kept up with the "ultimate" demise that eventually > >befell Cray Computer Company, but the October 16 FBI filing > >on capacity for Digital Telephony got me thinking back to this > >article. 1% seems like a rather huge need for horsepower. And > >what if GAK doesn't fly? And the widespread use of hard crypto > >just keeps increasing? > The tightly-coupled supercomputers are hardly needed for these sorts of > problems. You mean the problem of data collection? Well, it's true that this would be a misuse of a supercomputer's specialized talents. > >This kind of machine could, in theory: > > > >1) Implement ALL Clipper(II) based Key Escrow functionality in > > silicon (the easy part) AND allow for simultaneous decrypt and > > surveil of 'who knows how many' Clipper based data streams. > Huh? First, what evidence do you have for this claim? Second, who cares? > Implementing Clipper in a Cray Computer machine--why bother? [Rant mode on] Speculation Tim... I'm SPECULATING. Could, in theory... AND my kind of theory probably has holes you could drive a FLEET of Mack trucks through. I have NO evidence. I'm not sure WHO would care. I'M A PARANOID DILLUSIONAL PSYCHOPATH! O.K. well maybe not that last part... but I'm asking the questions, remember? I said I'm new here, so if your going to blow holes in my pet theories, then do me the 'kindness' of using an accurate weapon... that's why I posted... > As to the claim that a million-processor machine could do this, you need to > work out the math. (If a backdoor exists, or the LEAF has been gotten, a > supercomputer is not needed....) Again... I claimed NOTHING! SPECULATED MUCH! Now it's your turn... Why would YOU build a machine like this? What could POSSIBLY be it's capabilities? Speculate with me for a moment... *_take a chance_*. > >2) Implement general RSA based Prime Factoring functionality in > > silicon (the not so easy part) AND allow massively parallel > > decrypt and surveil of 'who knows how many' RSA/etc. based > > data streams. > Prime Factoring? Primes are easy to factor, of course. (Hint: Every prime > has two factors.) Yes, my terminology sucks! But you get the drift don't you? Math is not a strength of mine, I only know in very general terms what is involved (why, then, am I even bothering to bring this up?). Because I AM however, VERY concerned in the continual erosion of privacy rights in all forms communications, electronic and otherwise. [Rant mode off] > If you mean using supercomputers to brute force the general factoring of an > RSA modulus, this is nonsense. While there may be math shortcuts we don't > yet publically know about which make factoring easier than we currently > think it is, a mere million or even a billion processors will not make a > dent in the factoring of, say, a 700-digit modulus. See the tables in > Schneier and elsewhere for some estimates of factoring efforts needed. Nonsense? Is that 700 decimal digits or 700 binary digits? I don't have the tables that you refer to. Where may I find them? (LOL) > >3) Implement it all, AND 'on-line' transaction based surveillance > > via the FBI's 1% capacity infrastructure. > Let's see some numbers. (On second thought, let's not.) No, I've already said that math is not a strength I possess. I've wondered about the ability of the FBI to count on ten fingers and ten toes given some of the justification that I've read for this capacity figure... > >Chilling... Who needs key escrow (or RSA private keys) when > >you've got a massively parallel prime factoring machine. What if > >GAK was to become a 'non-issue'? How fast do you think a machine > >such as this could factor RSA 129? > Well, do the math. The MIPS-years for the RSA-129 crack were publicized, so > the computation for a million SPARC-equivalent (or even > UltraSPARC-equivalent) can be done. Sorry... I asked the question... and your speculation is (I would hope) MUCH more accurate than mine. Again, math is not a strength of mine. > When you've done this, and concluded that RSA-129 could be done in, say, X > minutes, then move on to RSA-384 (the BlackNet key cracked by the MIT > group), and on to the 1024- and 2048-bit keys. Tell us how many years or > centuries it will take. (Hint: Rivest and Schneier have done these > calculations....) Yes, I believe that I've read Rivest's paper on the statistical probabilities. I've never really believed in statistics, AND I'm sure you don't have the time to convince me Tim (I'm sorry if I've been less than reverencial about this, but I'm from Illinois which is right next door to Missouri). > --Tim May, who fears that he's just been trolled by Derek Atkins No Tim, you have not... but on another note... > It'll be _many_ years before a 384-decimal-digit number is factored, I > suspect. Let alone a 600-digit modulus, with or without the mysterious > "transphaser" technology mentioned by Anitro. The "transphaser" is an optical equivalent to the transistor. It is a quantum threshold optical switch, but it is not a 'mystery'. You should read Scientific American more often ;> O.K. I'm done with this line of discussion, you may however, continue to elaborate as I will, no doubt, continue to read... Anitro "I have a little shadow that goes in and out with me, And what can be the use of him is more than I can see" R. L. Stevenson - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMNiv8SoZzwIn1bdtAQHyewF+OXlM8KueHrCynKGhjqXy8eHLSonn12Df vcAdDoaajoi5t7CfY9lP/+FNeO2JKE+v =SIKC -----END PGP SIGNATURE----- From cpunk at remail.ecafe.org Wed Dec 20 17:10:00 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Wed, 20 Dec 95 17:10:00 PST Subject: The Problem With Blaze And Weinstein Message-ID: <199512210112.BAA05503@pangaea.ang.ecafe.org> I'm not trying to start a flame war, just telling people what's REALLY happening. ATT and Netscape are both tools of the CIA/NSA. Blaze and Weinstein are in on the plot to force GAK upon us. Neither one says enough about the evils of GAK on their web page, so they're obviously for GAK and only pretending to be against it to fool the cypherpunks and curry favor with their NSA masters. Evidently the cypherpunks are all too impressed with Blaze and Weinstein's master degrees to see what's really happening. Only true visionaries like myself and Dr. Frederic B Cohen are telling it like it is; everyone else has had the wool pulled over their eyes by the NSA/ATT/Netscape axis. It's amazing how clear everything becomes once one stops taking the medication that THEY prescribed. s/ Bill Gates From die at pig.die.com Wed Dec 20 17:35:00 1995 From: die at pig.die.com (Dave Emery) Date: Wed, 20 Dec 95 17:35:00 PST Subject: 900mhz digital phones - how much to trust ? In-Reply-To: <199512202219.OAA26567@software.net> Message-ID: <9512210134.AA05683@pig.die.com> > John Pettitt, jpp at software.net writes: > > > Whats the current thinking on the security level of 900Mhz digital spread > sectrum cordless phones? Clearly it's not a basic scanner job but how much > more equipment is needed to monitor one ? The easiest way to do this is to simply buy a similar phone which has all the required signal processing hardware for that particular type of spread spectrum and modify it to receive promiscuously and not transmit while doing so, As far as I know, essentially no cordless phones use any kind of actual secure encryption of the digital bit stream, so all you have to do is ensure that your shadow phone is primed with the correct spreading sequence or hopping sequence and is tuned to the right center frequency. Typically choices for these are very limited (maybe 20 channels) and modifying the micro firmware in a phone or base unit to search all possiblities is realistic, especially with the help of an external PC as controller. The digital 900 mhz phones all use different proprietary modulation schemes, but many of them simply transmit a FSK or BPSK rf carrier digitally modulated by the output bitstream of a codec chip (CVSD or regular u-law PCM) on one of several randomly selected channels, perhaps slowly hopping from channel to channel in a fixed sequence. Even the phones that use direct sequence spreading are effectively just transmitting a fast BPSK signal modulated at the chip rate. Receivers and signal processing boxes capable of dealing with this kind of digital modulation are a standard commodity item in the spook world (made by Condor Systems and Watkins Johnson and the like) and even sometimes show up on the high tech surplus market (and are collected by some of us who collect high tech spook hardware as a hobby) - they are however very expensive compared with simply modifying a couple of real phones to do the job. The digital modulation and "spread spectrum" features of 900 mhz phones are primarily intended to allow them to share the 902-928 mhz band with all the other users (other phones, truck tracking systems short range wireless video cameras and video distribution, various industrial users, wireless LANs of several types, ham radio operators, and several other types of unlicensed uncoordinated devices radiating up to 1 watt of power) without suffering the kind of interference that has plagued the older 46/49 mhz FM type. The FCC in fact requires some level of spectrum spreading for this purpose but leaves the actual choice up to the implementor rather than establishing a standard method. Obviously only a secure form of encryption with randomly chosen and wide enough keys would really make intercepting a digital cordless phone difficult for someone determined to do so, especially if they were targeting one particular phone. I believe almost all of the manufacturers have chickened out in the face of NSA and ITAR and not even implemented toy encryption with random keys - they are simply assuming that Joe Sixpack or his 14 year old son won't be able to pick them up on a commercially available scanner and that the federal law banning sale of scanners capable of intercepting digital transmissions and converting them to analog listenable audio will keep the scanner companies from marketing such and keep customers from complaining about nosey neighbors listening to their calls. But don't assume that if someone really has some serious reason to want to intercept one they won't be able to - and it is almost certain that expensive ($5-$20K) DSP based systems capable of intercepting several common types are already for sale to the usual suspects. And finally one should not forget that unless one has an ISDN line, intercepting calls on regular analog subscriber loops (normal telephone lines) by virtually undetectable simple alligator clip class wiretaps or bugs is something that any bright 12 year old can pull off (and many do before they grow up) - so if you have something to hide you shouldn't trust the phone at all. Dave Emery die at die.com From blancw at accessone.com Wed Dec 20 17:44:09 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Wed, 20 Dec 95 17:44:09 PST Subject: FTC Privacy Initiative (fwd) Message-ID: <9512210144.AA04101@pulm1.accessone.com> From: Jyri Kaljundi From: Internet Marketing Discussion List The US Federal Trade Commission has launched a "Privacy Initiative" to investigate whether the information collected at websites (either that affirmatively submitted by a visitor via a form or information collected based upon a visitor's selection of pages at a site to reflect personal interests) should be the subject of regulation by the FTC. ............................................... "Hey, we can't just stand around here with nothing to do. Give us something to regulate - anything, pro or con; we must regulate something." Dang! .. Blanc From attila at primenet.com Wed Dec 20 17:45:29 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 17:45:29 PST Subject: revised time quantization package (Unix & WIN32) available In-Reply-To: Message-ID: Harmon: Have you forgotten polite society? Have you forgotten what your mother (should have) told you? "If you can not say something nice, don't say it." --in particular refrain from personal attacks. It is one thing to criticize, but it is another to blather unintelligibly without any knowledge than your own bias --and maybe your own intellectual ignorance and bigotry. if you have not walked in the other's shoes, keep silent. now, if you will please excuse us, Perry has code to write --and I have code to write. lastly, if you can not onserve reasonable decorum, sign for alt.christian and post heretical ravings, and if you are desparate for attention or your name in lights, join alt.flame and have at it. ATTILA On Wed, 20 Dec 1995, Dan Harmon wrote: > > Perry, > > the only crypto code you seem to do is the unintelligble postings > that you send to the list. > > .d > > On Wed, 20 Dec 1995, Perry E. Metzger wrote: > > > > > Dan Harmon writes: > > > If this is what you consider contributing them you seem to have some > > > deep problems that cannot be solved here. You may have to seek professional > > > help. Your continued and at times seemingly uncontrollable use of vulgar > > > language may indicate a neurobiological disorder such as Tourette's > > > syndrome. You really should have it checked out before you harm yourself > > > and possibily others. > > > > Thank you for the pseudopsychology, but really, all you've done is > > further confirm my diagnosis of "non-contributing asshole". > > > > When was the last time you did anything to actually help spread > > cryptography, eh? > > > > If you'll pardon me, I have crypto code to get back to. > > > > .pm > > > From rsalz at osf.org Wed Dec 20 18:01:40 1995 From: rsalz at osf.org (Rich Salz) Date: Wed, 20 Dec 95 18:01:40 PST Subject: ex encrypted script Message-ID: <9512210158.AA07882@sulphur.osf.org> >Is there a way to encrypt a script yet still allow it to be runnable? I >know that the simple answer is to write it in C and compile it but I don't >have the means of doing that at the moment. (i.e. there is not compiler on >the system) Given your constraints: no. /r$ From rsalz at osf.org Wed Dec 20 18:03:07 1995 From: rsalz at osf.org (Rich Salz) Date: Wed, 20 Dec 95 18:03:07 PST Subject: The Problem With Blaze And Weinstein Message-ID: <9512210200.AA07896@sulphur.osf.org> > MIT is practically floating on government subsidies. Actually, if you discount Lincoln Labs, not really. /r$ From alano at teleport.com Wed Dec 20 18:06:40 1995 From: alano at teleport.com (Alan Olsen) Date: Wed, 20 Dec 95 18:06:40 PST Subject: Surprise telecommunications bill? Message-ID: <2.2b7.32.19951221020731.008be6d4@mail.teleport.com> While watching the national news (NBC, I think) they mentioned that there had been a "surprising agreement on a telecommunications bill". From the sparse description, it sounded pretty nasty. Does anyone have any additional information on this? | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From vznuri at netcom.com Wed Dec 20 18:08:21 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 20 Dec 95 18:08:21 PST Subject: on web standards: sent to Markoff In-Reply-To: Message-ID: <199512210204.SAA26757@netcom20.netcom.com> there's been MS flamewars on this list before, but Attila repeats various snippets that I find highly objectionable. cpunk relevance: operation of the free market Gates' conquests can either be made out to be a failure of the free enterprise system or a success from it. the more I read whining complaints about MS's dominance, the more I prefer the latter interpretation. perhaps power corrupts, but on the other hand failure clearly promotes whining. "you cannot grow taller by chopping off the heads of others". I've seen so many people try to smear MS with innuendo, as if "enough people being unhappy" at a company is ample evidence that there is "unfairness". the marketplace is *not* fair. it rewards people who are in tune with it disproportionately!! sometimes, *dramatically*so* as in the case with Gates. consider this anecdote. a market for [x] gizmos does not even exist. a brilliant person says, " I think people really need [x] gizmos. I'm going to make and sell them. I'm going to find people who will help me, but if I can't find any I'm going to do it all myself". Gates is such a person and did it with PC OS'es and various windows applications (Excel, Word Perfect, etc.). he bet his entire future on the idea that he knew what people wanted even when other companies disagreed. all companies had a chance to get on the windows bandwagon and write decent software when he created this OS-- he was going around and virtually begging companies. what did they say? "no, we aren't going to take our chance with you. we don't think people really want your @#$$%^&* gizmos". they snickered and sneered at him. Gates succeeds, and sells a bazillion gizmos. he *creates* a market that was not even in existence. or rather, he anticipates what people really want, and the related markets begins to respond to him in a "positive feedback loop". suddenly all these companies cry foul in the greatest of hypocrisy. "Gates has cornered the gizmo market!! he has 95% of it!!! why weren't we notified!! no one should have such power!!" the truth is that the playing field has always been level, but because Gates is such a brilliant genius, market anticipator, and gizmo producer, he succeeds far beyond his or anyone else's wildest dreams. "well, all things should be equal in the competition, unless someone is succeeding more than somebody else, in which case we should penalize them to make things more even" say his competitors. the market has *given* bill gates his dominance. all the arguments about him being "unfair" are absolutely bogus that I have seen. they amount to, "Bill Gates is using tactics to sell more of his software than his competitors. therefore, he's not being fair to everyone else who wants to sell their software as well." hee, hee. I really love the free market. it's a delight that Gates has put his money where his brain is, and in only 20 years built one of the most successful companies in the entire history of business. it's a tribute to the intelligence of the market and people who have the sense to listen to it. MS has gained its dominance through the utmost of hard work, and consuers vote with their $$$. whoever denies that consumers know what they *really* want is an awfully pretentious and deluded person, IMHO. >The conundrum is trying to decide "when" a particular company is a >monopoly by either the classic definition of the Sherman and Clayton Acts >or an effective monopoly, or "bad" player as defined in the >Robinson-Patman act. pioneers are the ones with the arrows in their back. when they fail, everyone sneers at them. when they succeed, everyone sneers at them and says they succeeded through skullduggery. and then competitors refer to this *market* they had no hand in *creating* (the *hard* work is creating a market, *anyone* can capitalize on one once created) as if they have some "right" to it. Gates is the biggest teddybear on the planet. those who are afraid of him only show they are afraid to think as focused and seriously as he does all day. "gosh, we shouldn't have to compete against someone who understands the market so well. what about us? we are competition challenged!! we need a level playing field." > Bill Gates more than satisfies the requirements of defining a monopoly >in Sherman and Clayton with 85% of the desktop locked in and an assualt >with "almost" standards on the open-system server market. NT is already >garnering more than 25% of server installations in business --big >business, since it will be "guaranteed" compatible with their desktop 95s. >The rest of us, stay with the real thing. "no fair!!! Bill Gates has a monopoly on the gizmo market!!! he should be stopped!!! restrained!! otherwise, no other gizmo companies will succeed!!" you have a very short memory. only several years ago most of the population of the planet was in total skepticism about the success of windows. now that it has succeeded, everyone believes that this market should be carved up to everyone that wants a piece of the pie. well, Gates helped "create" the pie in the first place. > Add to MS' virtually absolute domination of the desktop and its >impending domination of the commercial servers the fact that MS has 95% >of the front line office products --WP, Spreadsheet, Database, and mail >with the last be non-standard to long established rules and you do have a >problem to be considered. is anyone twisting people's arms to buy his software? are there a lack of choices because other companies are simply choosing not to compete with MS? if MS is giving customers what they want better than anyone else, (which is proven viscerally by *cash*, people invariably put their money where their mouths are) why is this "a problem to be considered"? > Will the market correct itself? why is MS dominance require "correction"? the fact that you consider it an anomaly shows how naive and ridiculous your position is. MS dominance is absolutely no accident, and anyone who claims it was achieved through anything less than honest competition is in my opinion a whining nonthinker who is afraid of a true, free market realized. > Very questionable since MS rode to >its position on IBM's back and capitalized on IBM's failure to recognize >what they had stumbled into. beautiful, isn't it? one man can "capitalize" on the idiocy of others. oh, poor IBM. they didn't *get*it* even after half a decade, perhaps an entire decade. the big bad Gates Wolf sunk his fangs into IBM. yes, Gates is a dracula. hee, hee. perhaps you would like to start a government program to help poor companies that don't have the brains to understand a market when it is screaming at them in their faces? lets call it the "dog eat dog" welfare fund. > IBM did not fall by the market rejecting IBM >--the market exploded with the PC for price and diversity reasons: you >can not compare direct entry, full screen aplications and >transportability of a PC against a looped, expensive main-frame >connection, if the boss even approves the cost. IBM failed because they had no brain to recognize what was happening around them. Gates did, and his success proves the correctness of his vision. the market is the force that will use or throw away companies as it sees fit. it doesn't care about loyalty to a company that has lost the edge. > Bill Gates >has used his operating system dominance to force hardware vendors to ship >MS products on _every_ machine, or pay substantial penalties in rates 2 >and 3 times larger for all MS products --cheap only if it is universal. Gates is free to demand as much payment for his products and services that the market will bear. if the market decides it's highway robbery, Gates will go the way of the dodo bird. perhaps you think that the government should now subsidize purchase of windows 95 so that everyone can get their copy? > The real issue in DOJ v. MS was that although Bill complied with a >consent decree, he _immediatley_ found other ways to apply the screw, and >many of these newer terms are even worse, but more subtle. And, there is >no question the verbal threats have been significantly worse. all far less than the slimy tactics used by his detractors to limit his ability to compete freely in the market, such as all the "antitrust" laws supposedly relevant to his situation. > To software >vendors it is the threat of denial of technical information on GUIs and >APIs, to hardware manufacturers it is threats of ecomnomic sanctions, >including publishing decertification of the platform for various WIN95 >and NT compliant stickers, etc. why should Bill be forced to do business with people who would love to slit his throat? answer: he doesn't have to. he can flick his finger at them. and if they misunderstand his right to do this, they misunderstand the essence of America. > Bill Gates is NOT an ethical businessman. If the fact was that Bill >was able to garner his position from hard work, a better product, and a >well-greased advertising and marketing organization would not justify the >application of the classic Sherman and Clayton anti-trust rules; the >market will either continue to accept them or not. that's absolutely what he has done, and none of your hocus-pocus flimflamery can rebut this truth. > However, Bill has used his position of 85% in OSs not only to dictate >OS considerations, as bad as they are with DOS nothing more than a boot >sector virus and Windows a pretty program loader, but he has used this >position to dominate the applications market by bundling and forcing >machine integrators to include the MicroSoft applications in return for >the OEM discount on the operating systems. horrors!! you mean that if someone is successful, they have more influence on the market?? *gasp* > Preloading the market by those means is _not_ ethical or good >business. Gates is free to do whatever he likes. the market decides what is appropriate by where it spends its money. so far, it support him. are you going to argue with everyone who spent money on MS products and say, "no, that's not really what you wanted!!" whose business of it is yours to limit the freedom of consumer choice? > Bill Gates _clearly_ violates the FTC provisons on ethical >conduct and restraint of trade by a monopoly or quasi-monopoly position. "Gates is selling all the widgets and gizmos!!! no fair!!!" >Why were nearly 30 OEMs represented anonymously in "friend of the court" >briefs? --and the first thing Billy's (hired virtually every high end firm >in SF) attorneys' did was subpoena the _names_ of the consortium under the >rules of evidence --welcome to the "Kiss of Death." *gasp* -- finding out who is out to slit your throat. yes, it should be mandatory that people can anonymously attack him (as you are doing) without any possibility of consequence. let's just put a bag over his head and let everyone take free punches. that would be appropriate, don't you think? > Personally, I think it is time to dismember Bill Gates --give him a >choice of his OS group or his applications group and literally force him >to sell all direct or indirect interest in the one he does not choose, >plus forego any involvement. unfortunately, your puffhead arguments, falsehoods, innuendoes and hallucinations are beginning to grip people who matter. in fact it is becoming quite trendy to besmirch MS. >Anyone who thinks Bill Gates or Microsoft is a benevolent 800 pound >gorilla has not paid attention in history classes: anyone who thinks that business involves charity for the intellectually challenged has not paid attention to reality of the free market. > power corrupts > absolute power corrupts absolutely. funny how this statement is always assumed to apply to microsoft, not to the companies that are trying to anonymously slash his throat in courts as a desperate resort when they have failed the egalitarian test of the marketplace. From harmon at tenet.edu Wed Dec 20 19:10:00 1995 From: harmon at tenet.edu (Dan Harmon) Date: Wed, 20 Dec 95 19:10:00 PST Subject: An Apology to Mr. Merzger In-Reply-To: <199512202359.SAA29012@jekyll.piermont.com> Message-ID: Perry and members of this list, I want to publicly apologize to Mr. Metzger. On reviewing the events of the day, it seems that I misunderstood a post by Perry. It seems that I was missing a previous post that was being referenced. As to the misunderstood message, I have to now agree with Perry and his reponse. Please accept this apology. Dan From attila at primenet.com Wed Dec 20 19:15:28 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 19:15:28 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512202018.UAA02824@pangaea.ang.ecafe.org> Message-ID: OK, you're afraid of AT&T's lawyers. give me a break --who's chicken? they are not the government, they can not put you in jail and charges would never stick. both Blaze and Weinstein are bound by their employment contracts from discussing political hot-potatoes. Weinstein did state rather emphatically the opinions of the crew at Netscape did not conform to the apparently misguided statements of the dupe of government. blaze has sent plenty of code our way --even obtaining permission from at&t which is a real big brother. Have you been arrested and charged for crypto (non-export)? - I have. Have you been arrested and charged for technology export? - I have. Have you been raided more than once by the Feds? - I have. Have you been excluded from at&t machines except murray hill and other labs because system managers don't like programmers knowledgable in crypto and kernels ? - I have. Did I ever break into systems or alter data --no, that's not ethical. Could I? -yes, presumably some. "Membership" in Cypherpunks is not predicated on supporting _your_ political agenda or beliefs. In fact, too much bandwidth is expended on arguing about political policy. I agree with Perry that postings should be crypto design and implementation. I have suggested that even announcements of crypto political activities should be put up like John Young posts: one paragraph synopsis and a reference to get the whole thing, but no discussion --take it elsewhere. As for the attacks on Perry, they are inexcusable. You obviously have no idea what crypto Perry codes. I have not published crypto code for a long time. I am wrapping up, after a _long_ hiatus, one which will really take their socks off --with their shoes still on. I'd love to release it to public domain, but____ What am I going to do with it? dunno, probably put the tape on the shelf; I escaped the hard hand of justice, a poor man, the last time when I tried to enter the code in evidence. Now I am "20 years older and deeper in debt" [Tennessee Ernie style]; is it worth it? I've done my time, and code has a signature. I think I would prefer to enjoy my five children and a few grandchildren. But it has been a good exercise.... No, Mr. ECafe Anonymous _chicken_, you're the despicable party. Put your imprint on your attacks and accusations: the Constitution says you are entitled to _face_ your accusers. If you want to argue about constitutional or God given rights --do it in other forums. If you want to denigrate blaze, weinstein, perry, and maybe even tcmay, just drop yourself off the cpunk mailing list. meanwhile, get out of our collective faces and let us do a little code, I intend to finish my work, and then I can have a depression trying to decide whether I want to go the round, again. ATTILA ============================== On Wed, 20 Dec 1995, ECafe Anonymous Remailer wrote: > I'm not trying to start a flame war. I'm > sure these people are very smart and have > written lots of good code. I'm sure they're > very nice and never kick their dogs. I'm > just tired of people defending them as > cypherpunks. > > They aren't cypherpunks. > > Neither has come out against GAK. They > both carefully avoid commiting to any > statement. They want us to think they're > "one of us" but they don't want to be > pinned down because they are double dipping > on both sides of the fence. > > Blaze even does "research" on GAK. See > his web page for evidence. Also the TIS > report. The fact that he found a bug in > clipper doesn't change this. It proves > it. He works for the government, via att. > > Weinstein is actively promoting GAK by > working at the company that the government > has chosen to bring it to you now that > att has failed. > > WHY IS EVERYONE SO QUICK TO DEFEND THESE > PEOPLE? DO THEY HAVE YOU ALL SO IMPRESSED > WITH THEIR MASTERS DEGREES THAT YOUR AFRAID > TO LOOK CLOSELY? > > No, I did not post the RSA patch. I wouldn't > touch any of that code with a 5 meter pole. > > To the guy who says write code: I've > written plenty of code. Clue: your probably > running some of it right now. > > I'm anonymous because I've seen FIRST HAND > what the att lawyers do to people who > tell the wrong kind of truth. > > Want me to be a 'nym. OK. > > s/ Bill Gates (he has good lawyers that > can handle att and netscape) > From jya at pipeline.com Wed Dec 20 19:33:08 1995 From: jya at pipeline.com (John Young) Date: Wed, 20 Dec 95 19:33:08 PST Subject: QCF_dec Message-ID: <199512210332.WAA11993@pipe1.nyc.pipeline.com> Science, 8 December 1995 Quantum Computers, Factoring, and Decoherence I. L. Chuang, R. Laflamme, P. W. Shor, W. H. Zurek [First paragraph] The uniqueness of the prime factorization of a positive integer is the Fundamental Theorem of Arithmetic. In practice, the determination of the prime factors of a given number can be an exceedingly difficult problem, even though verification is trivial. This asymmetry is the basis for modern cryptography and provides secret codes used not only on your own bank card but also to transfer diplomatic messages between embassies. [Precis] It is known that quantum computers can dramatically speed up the task of finding factors of large numbers, a problem of practical significance for cryptographic applications. Factors of an L-digit number can be found in ~L^2 time [compared to ~exp(L^1/3) time] by a quantum computer, which simultaneously follows all paths corresponding to distinct classical inputs, obtaining the solution from the coherent quantum interference of the alternatives. Here it is shown how the decoherence process degrades the interference pattern that emerges from the quantum factoring algorithm. For a quantum computer performing logical operations, an exponential decay of quantum coherence is inevitable. However, even in the presence of exponential decoherence, quantum computation can be useful as long as a sufficiently low decoherence rate can be achieved to allow meaningful results to be extracted from the calculation. I. L. Chuang, Stanford University. R. Laflamme and W. H. Zurek, Los Alamos National Laboratory. P. W. Shor, AT&T Bell Labs. ---------- QCF_dec (18 kb) Sent with compressed qcf1.jpg of 14 equations and 2 figures (31 kb) From declan+ at CMU.EDU Wed Dec 20 19:37:24 1995 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 20 Dec 95 19:37:24 PST Subject: Surprise telecommunications bill? In-Reply-To: <2.2b7.32.19951221020731.008be6d4@mail.teleport.com> Message-ID: Excerpts from internet.cypherpunks: 20-Dec-95 Surprise telecommunications.. by Alan Olsen at teleport.com > While watching the national news (NBC, I think) they mentioned that there > had been a "surprising agreement on a telecommunications bill". From the > sparse description, it sounded pretty nasty. > > Does anyone have any additional information on this? Yes, and it's not good. This telecom bill is going to be law real, real soon. -Declan --- DOW JONES NEWS 12-20-95 6:29 PM WASHINGTON -AP- Negotiators resolved a dispute over media ownership, removing the last major hurdle to an overhaul of laws governing the nation's communications industry. Once approved by Congress, the White House pledged to sign the legislation into law. ''This is an extremely positive development for the U.S. economy, for individuals and for consumers alike,'' Vice President Al Gore said during an interview in his office. President Clinton, who had threatened to veto earlier provisions of the measure, will sign what Gore called ''a centrist bill for the 21st century.'' From grafolog at netcom.com Wed Dec 20 20:01:37 1995 From: grafolog at netcom.com (Jonathan Blake) Date: Wed, 20 Dec 95 20:01:37 PST Subject: (fwd) Junk email address collection (from a junk emailer) In-Reply-To: Message-ID: On Wed, 20 Dec 1995, attila wrote: > and, coming down on DejaNews just puts the fire out in just one > room of a conflagration. Especially since DejaNews is neither the first, or most thuro in archiving usenet messages. I still want to know who is feeding netcom.shell.* to he outside world, so that excite can document every whisper there. > for amusement, I have started to code a simple program which > takes a feed from procmail where known spammers are listed and it I want a copy of that program. xan jonathon grafolog at netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 ********************************************************************** From mab at crypto.com Wed Dec 20 20:34:57 1995 From: mab at crypto.com (Matt Blaze) Date: Wed, 20 Dec 95 20:34:57 PST Subject: CFS and Linux In-Reply-To: <199512201915.UAA00215@asylum.berserk.com> Message-ID: <199512210440.XAA28196@crypto.com> > > Is there anyone out there that has CFS running with Linux ? > > It installs fine on BSDi 2.0 but I'm unable to install it > under Linux, I would appreciate it if some one would help > me out. > > -AJ- I don't run Linux, and every time I open my mouth it seems to provoke a flame-fest, but I'll risk responding anyway. I'm told that all version of CFS since 1.0.4 (the latest is 1.3.1) do work out-of-the-box under *some* releases of Linux and with some coaxing on the others. I'm not sure exactly what problem you're having, but the most common CFS-Linux problem that people complain about has to do with the rpcgen output not being in the format expected by the rest of CFS. There seem to be two things you can do about this: get a version of rpcgen that generates the "standard" (original Sun) names for the functions it generates, or just grab the rpcgen output from the cfs-users mailing list archive ("echo help | mail cfs-users-request at research att.com" for details). Or are you able to compile it but not get it installed? I've not heard of any problems here. If so, you might try the cfs-users at research.att.com mailing list and see if someone there can help out. -matt NB to "Bill Gates" and friends: To save you the trouble of pointing it out, I hereby admit that I'm a commie-fascist brainwashed sold out member of the military-industrial complex who has been programmed by his masters to infiltrate the cypherpunks in order to sap and impurify their precious bodily fluids. From attila at primenet.com Wed Dec 20 20:49:27 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 20:49:27 PST Subject: Vladimir Z. Nuri's fallacious defense of MS In-Reply-To: <199512210204.SAA26757@netcom20.netcom.com> Message-ID: Without forcing everybody to search the interline comments. 1) you obviously have no concept of anti-trust or anti-competitive law, practice or the public interest it represents. I wrote my thesis on government regulation of monopoly v. monopoly franchises such as utilities. 2) market domination can, and generally does, stifle competition, but it also kills innovation of alternatives. Software companies are too busy kissing arse with Bill, and threatened by Bill, to release software on other systems say unix or os/2. a perfect example is Corel. Corel was _very_ enthusiastic to release for OS/2, in fact they were ported to OS/2 before W95 released. Shortly after the announcement, the honcho reversed positions and canceled Rev 6 for OS/2 stating that Rev 2.5 which has existed for some time, was "adequate" for OS/2. I am not going to expose my inside source, as their will be retribution. 3) you are totally ignoring the comments on anti-thrust and restraint of trade. In general market terms, anti-thrust is less important than restraint of trade --Bill _clearly_ violates the rules on restraint of trade, and therefore should be dismembered to avoid lack of innovation as in #2 above. 4) you clearly have no concept of American free market policy. Yes, you may be very successful, even filthy rich, but when you stretch your rights to clearly offend the public interest, then anti-trust and restraint of trade laws serve the _needs_ of a free and _competitive/innovative_ market. America does not serve dinner to merchants who rape, pillage, and burn --as Bill Gates has crushed his opponents; the barbarians are punished. There are grounds for criminal charges in Bill's actions. 5) you are incorrect in your assumptions that Gates was sued anonymously. In the initial action by the DOJ, competitors were _asked_, by subpoena, for factual information by the DOJ. The _DOJ_ provided the shield in so much as Bill's barbarian actions were of sufficient interest that evidence providers desired and were given protection --not much different than the Federal Witness Protection program. when CI$ and the rest banded together to protest Bill's obvious restraint of trade and stonewalling on hooks to Win95 for three months after Win95 released, they did not, and _could_ not, do so anonymously. 6) how much is Bill paying _you_ for your efforts? You obviously have too much of an interest in the commercial outcome to be so ignorant. 7) Your beliefs are one thing --state 'em, but don't speak for America until you know the definition of the "public interest" and have some concept of anti-trust and restraint-of-trade legislation and court rulings which have set the guidelines. clutch it in, _after_ your brain is in gear. 8) no, I am not a liberal by any means. I am somewhere to the right of the Libertarians, but definitely not an anarchist either. ANY FURTHER COMMENTS --FORWARD TO ALT.FLAME From attila at primenet.com Wed Dec 20 21:20:30 1995 From: attila at primenet.com (attila) Date: Wed, 20 Dec 95 21:20:30 PST Subject: An Apology to Mr. Merzger In-Reply-To: Message-ID: congratulations, Dan. It takes a strong man to admit mistakes, and courage to apologize! attila On Wed, 20 Dec 1995, Dan Harmon wrote: > > Perry and members of this list, > > I want to publicly apologize to Mr. Metzger. On reviewing the events of the > day, it seems that I misunderstood a post by Perry. It seems that I was > missing a previous post that was being referenced. As to the > misunderstood message, I have to now agree with Perry and his reponse. > > Please accept this apology. > > Dan > > From roy at cybrspc.mn.org Wed Dec 20 21:21:54 1995 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Wed, 20 Dec 95 21:21:54 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512210112.BAA05503@pangaea.ang.ecafe.org> Message-ID: <951220.231202.6s3.rnr.w165w@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- Hey, "Bill Gates"... I agree completely that the both you and Dr. Frederic B. Cohen are of equal value in your contributions to the cypherpunks list. alpha.c2.org offers 'nym accounts for free. PLEASE get and use one, so I can put you in my killfile, next to Dr. Frederic B. Cohen. - -- Roy M. Silvernail -- roy at cybrspc.mn.org "I used to be disgusted, but now I'm just amused." -- from an old T-shirt(ca. 1975), not an Elvis Costello lyric -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNjtZhvikii9febJAQEDMQP/fTurXMuhXRaNZYRicFOwMebofxkWgYqc DSa1HlzovcEJLlsxcpZ8J35VrW/q/pdPJhrl0if/kdA1euO4+H/riG44tuwRT70e kZ7jRMxj3bRRT5HyVhaRsiDmN4COOORfuD9sTzqiGNNrTAS7CVZC2UOU6wSWBIrG cCoER8/HBEw= =TVG/ -----END PGP SIGNATURE----- From tcmay at got.net Wed Dec 20 21:54:35 1995 From: tcmay at got.net (Timothy C. May) Date: Wed, 20 Dec 95 21:54:35 PST Subject: What ever happened to... Cray Comp/NSA co-development Message-ID: Anitro wrote: >O.K. Just a factor of 16 increase over the CM architecture right? Not knowing >the computational capabilities of the individual processors, it might be >difficult to say what the machine is capable of. Wouldn't that have some >bearing? Not in cracking "truly large" problems by brute force. Even if each of the million processors is capable of 100 MIPS (which is unlikely, given the PIM approach and the fine-granularity, few-bit-or-less word size, etc.), this is only 10^8 MIPS. For problems that (for instance) 10^75 machines would have to spend 10^10 years on, not even a drop in an ocean. The point is that no existing machines are going to make a dent in these calculations, though algorithmic cleverness _might_ make factoring much easier (personally, I doubt it). >> Second, there was work on a "processor-in-memory" architecture, in >> conjunction with a Bowie, Maryland spook-connected company. Perhaps this is >> what you are thinking of? > >I didn't mention a 'processor-in-memory' architecture and neither did the NYT >article. Don't know about any other company involvement, just CCC and NSA. I wrote my response before seeing the other response someone else (Thaddeus J. Beier) gave the name of the company. Thad's details match what I recall about this Bowie company. The archives should have articles on this, dating back about a year or so ago. As I recall, someone on the list knew people working at the Supercomputer Research outfit. >> Third, all avenues of continued funding having fallen through, Cray >> Computer (not Cray Research, of course) was shut down and assets >> liquidated. I haven't heard what's become of Seymour, though. (He is >> undoubtedly an asset, buy I doubt the Agency would have him liquidated.) > >You mean the avenues that are of PUBLIC record. The possibility could always >exist that the development continues 'in-house'. It wouldn't be the first time >that sort of move has been played. You, whoever you are, asked about the operational status of Cray Computer, and I answered. It entered Chapter Seven liquidation, parts of existing computers were sold for scrap or museum/curio objects, the GaAs fab was sold to another company, and the employees scattered. Claiming the NSA moved it "in-house" is implausible, at least in terms of these events. >> Huh? First, what evidence do you have for this claim? Second, who cares? >> Implementing Clipper in a Cray Computer machine--why bother? > >[Rant mode on] >Speculation Tim... I'm SPECULATING. Could, in theory... AND my kind of theory >probably has holes you could drive a FLEET of Mack trucks through. I have NO >evidence. I'm not sure WHO would care. I'M A PARANOID DILLUSIONAL PSYCHOPATH! >O.K. well maybe not that last part... but I'm asking the questions, remember? >I said I'm new here, so if your going to blow holes in my pet theories, then >do me the 'kindness' of using an accurate weapon... that's why I posted... I asked what evidence you have for this claim. Idle speculation, based on innumerate estimates of plausibility are helpful to no one. >> As to the claim that a million-processor machine could do this, you need to >> work out the math. (If a backdoor exists, or the LEAF has been gotten, a >> supercomputer is not needed....) > >Again... I claimed NOTHING! SPECULATED MUCH! Now it's your turn... Why would >YOU build a machine like this? What could POSSIBLY be it's capabilities? >Speculate with me for a moment... *_take a chance_*. On our list, and in the circles I am familiar with, "speculations" are not treated with more respect than are actual "claims" (whatever they are). If you speculate that "really, really fast computers" will make today's ciphers insecure, based on not even the simplest of calculations, expect to be either ignored or called to task. This is the way science works, by falsification of theories (and speculations). >> If you mean using supercomputers to brute force the general factoring of an >> RSA modulus, this is nonsense. While there may be math shortcuts we don't >> yet publically know about which make factoring easier than we currently >> think it is, a mere million or even a billion processors will not make a >> dent in the factoring of, say, a 700-digit modulus. See the tables in >> Schneier and elsewhere for some estimates of factoring efforts needed. > >Nonsense? Is that 700 decimal digits or 700 binary digits? I don't have the >tables that you refer to. Where may I find them? (LOL) A 2048-bit key, such as many of us use, uses a roughly 700-decimal-digit modulus. "Schneier," mentioned in my paragraph, is "Applied Cryptography." Page 284 of the 1st Ed. has a discussion of the work involved in factoring large moduli. Rivest has made some more detailed estimates. Given your rudeness and self-professed ignorance of even the basic math, I see no point in wasting any more of my time on your posts. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Wed Dec 20 22:56:02 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 20 Dec 95 22:56:02 PST Subject: Digicash and capital adequacy Message-ID: This came out of a corridor discussion yesterday as to how digicash would affect future banking systems: How does digicash interact with capital adequacy requirements? Should each digi-dollar issued require a corresponding hunk'o'assets in the customers account, or should the bank be able to issue digicash using existing rules? Digicash can have a much faster velocity than real cash, so I can sort of imagine their being periods where adequacy limits could be exceeded. What's the panels view? Simon p.s. I got to see the movie "Hackers" while I was sick in bed after WWW IV. The movie was pretty bogus, but the soundtrack was pretty cool. The wonderful movie website had nothing about any soundtrack albums; anyone know if there was one? From jamesd at echeque.com Wed Dec 20 23:13:26 1995 From: jamesd at echeque.com (James A. Donald) Date: Wed, 20 Dec 95 23:13:26 PST Subject: QCF_dec Message-ID: <199512210713.XAA09335@blob.best.net> --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From gbroiles at darkwing.uoregon.edu Wed Dec 20 23:24:01 1995 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Wed, 20 Dec 95 23:24:01 PST Subject: the problem with attacks on Blaze & Weinstein Message-ID: <199512210723.XAA25191@darkwing.uoregon.edu> The "Blaze & Weinstein are devils in disguise" business is ridiculous, as is the notion of "cypherpunk purity". Cypherpunks is a mailing list. If Blaze and Weinstein were up to something especially tricky, they'd probably post from accounts not traceable to their employers (like, say, anonymous remailers). Suggesting that a person is not to be trusted because they work for organization "X" is particularly silly where the suggestor isn't willing to provide the details of their own organizational ties. This is a mailing list. Mailing lists are for discussing things - like technological defenses for privacy. People may have interesting things to contribute because of, in spite of, or irrespective of their employment or other relationships with large organizations. (And, in fact, they do. Both Matt Blaze and Jeff Weinstein have done and said pro-privacy things despite the equivocal-to-hostile stance their employers have taken with respect to privacy. Brian Davis, the list's token prosecutor :), has recently been sending messages re the limits of governmental power in the context of criminal investigations. Microsoft employees have posted re Microsoft's choices about privacy and encryption/security. And so on.) If this were a secret organization and we were splitting up into individual cells for revolutionary/forbidden activity, your suspicion/paranoia might be useful. But we're not (it's an open list, archived on full-text searchable Web servers), so it's not. And, apart from whether or not they're valuable list contributors, the list really isn't in a position to not "tolerate" unwanted or unproductive readers or authors. The tools which make identity difficult to fix make it difficult to restrict/deny access to an unpopular or unwanted identity. Get used to it. Adapt or die, hmm? -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From sdavidm at iconz.co.nz Wed Dec 20 23:24:52 1995 From: sdavidm at iconz.co.nz (David Murray) Date: Wed, 20 Dec 95 23:24:52 PST Subject: The War on Some Money [long] Message-ID: -----BEGIN PGP SIGNED MESSAGE----- [Yes - money laundering _again_.] I want to advance two theses: 1. That the interest and activities of governments in fighting money-laundering is directly contrary to the interest and activities of those seeking to develop anonymous digital commerce; 2. That there is a related, if not underlying, conflict between the rhetoric of concealment and the rhetoric of privacy. If the push for anonymous digital commerce is exemplified by the Cypherpunks (and let's pretend it is), the battle against money-laundering is being led by the Financial Action Task Force (FATF), an autonomous international entity, set up by the G7 as part of the orgy of post-cold-war co-operation between States on this issue. The UN, G7, OAS, Commonwealth, EU and a host of supra- national bodies have called for co-ordinated action on stamping out dirty money. And in an unprecendented fashion, States have responded. There are over 100 States that either have or are considering the criminalisation of money- laundering. These include, by and large, the tax havens of Europe, the Carribbean and the South Pacific. So what is criminal money laundering? Concealing the source of funds that one knows come from serious crime. Three comments about this formulation: 1. The state of mind required is knowledge, although this knowledge can be inferred from objective facts (and knowledge tests in criminal definitions are notoriously elastic). 2. The source of funds must be serious crime. The early UN declaration only referred to drug dealing, but since 1990 there has been a move to widen this to all serious crime. As to what constitutes serious crime, this is still somewhat up for grabs. Some of the BSA's statements about software piracy being the drug dealing of the nineties, and linking piracy with organised crime can be seen as a strategy to position large scale intellectual property theft as serious crime. More ominous (at least for the relationship of citizen and state) is the occasional reference to tax evasion in the same breath as serious crime. 3. This is because the serious crime need not be committed in the same country as the money laundering. This makes sense for conventional serious crime (to coin a phrase), but if tax evasion is included represents a major departure from the convention that the courts of one country will not enforce the taxing statutes of another. Note also the possibility that fraud might be serious crime, which, since the test of fraud is dishonesty, directly brings the competing ethical (or rhetorical) systems into conflict. But more of this below. The key feature of the new supra-national regime, however, is not a more or less co-ordinated criminal law (there are some marked variations on the above scheme), but the new surveillance approach to the financial system. The most obvious signs of this are the requirement of financial institutions to "know your customer" (which includes an explicit prohibition of anonymous accounts) and to report "suspicious" transactions. But the approach goes much further. The FATF's chilling Forty Recommendations (on which the global approach is largely based) urges countries to "further encourage in general the development of modern and secure techniques of money management, including increased use of cheques, payment cards, direct deposit of salary cheques, and book entry recording of securities, as a means to encourage the replacement of cash transfers." [This is taken from a synopsis of the Recommendations.] In case anyone should think this is based on the insecurity to the _customer_ of cash and bearer securities, the FATF suggests countries (i.e. Governments) may like to consider monitoring all domestic financial transactions with a view to building databases for computer analysis -- such databases to be appropriately secured from unauthorised access, of course. So there we have it. The FATF wants a cashless, book entry, universally monitored financial system based on verified True Names. Some Cypherpunks want a cash based, bearer certificate, mathematically unmonitorable financial system revolving around impenetrable pseudonyms. Another way to put this is that Cypherpunks are for privacy, but the FATF is against concealment. Three arguments are often made for the attack on money laundering. 1. Money laundering leads to the corruption of societies and the undermining of institutions and States. This seems to be putting the cart before the horse, somewhat. Even if you consider money laundering as an inextricable part of rendering crime organised, the crimes usually cited (drug dealing, environmental crime, and the smuggling of cultural artifacts [!]) could be decriminalised relatively easily. And of course you could always abolish the State :-) 2. Money laundering puts the financial system at risk. (This, of course, is why the financial institutions used in the Pizza Connection money laundering chain (Merrill Lynch, E F Hutton, Bankers Trust, Barclays, Chase Manhattan, Chemical Bank, Citibank, American Express and Thomas Cook. Bank of Nova Scotia, Ueberseebank (Switzerland)) have without fail spectacularly collapsed.) In so far as this is a result of legislation providing for the forfeiture to the State of the proceeds of crime, another solution is clearly available. 3. The War on Drugs has been a failure, because it isn't in anyone in the drug distribution chain's interest to assist authorities. The financial system is organised crime's exposed flank. (As an(other) aside, it is often mentioned (asserted?) that terrorists are turning to drug dealing etc to finance their terror campaigns. I'm not sure whether this is intended to combat the "drug dealers are just businessmen" argument, or the "terrorists are just patriots" one. Perhaps both.) [Don't get me wrong. I'm not saying Statists are bad because drug dealers are good. I realise that reasonable people can differ as to the trade off between civil liberties and the protection of the State. I know people who think that it is all right to let the Police randomly breath test drivers in order to decrease road deaths. So I can easily imagine people might feel having to front up with two types of ID to open a bank account is a small price to pay to prevent the violence and misery of drug addiction. I happen to think both sets of people are wrong, and dangerously so.] So governments fight money laundering to make it harder for criminals to enjoy the wealth governments can't stop them making. As a side effect, governments gain valuable intelligence about everyone's everyday finances. And we might as well look at cracking down on those evil tax evaders while we're at it... Well -- even I'm willing to admit this summary is a tad glib. It misses something important about attitudes to secrecy: whether secrecy is about privacy or concealment. Michael Froomkin often [:-)] cites Sissela Bok on the danger of secrets inappropriately kept (see e.g. A. Michael Froomkin, "Anonymity and its Enmities," 1995 J. Online L. art. 4, par. 51) -- and certainly the overtones of locked doors, masks, whispers and shadows makes "secret" itself a suspect word. To be open is almost always good; to be secretive is definitely always bad. This sense of the inherent evil of secrets (dark secrets, guilty secrets) runs deep. Take the Equiticorp criminal trial (a local cause celebre of a few years ago) where executives of a company that failed spectacularly after the '87 crash were charged with (inter alia) conspiracy to defraud. The executives in question had caused a large sum of money of (at that time) completely unknown provenance (the so called H-Fee) to be paid to themselves through a series of companies in tax-haven/banking secrecy jurisdictions. The judge (there was no jury) found that, because no one had offered an honest reason to use such a structure, it could only have been for the purpose of concealment of the source of the money from those who may have had a legitimate interest in determining it (IRD, auditors etc.). This amounted to dishonesty, and the charge of conspiracy to defraud was made out. Note the reasoning here: a secret without a reason is concealment; concealment is dishonest. (Cypherpunks would reason exactly oppositely: a secret is an expression of privacy; privacy is good.) We can extend the concealment reasoning in an interesting way: concealment -> dishonesty -> fraud -> serious crime + concealment -> money laundering. So widespread concealment can (conceivably) give rise to an offence of money laundering with no other illegal act. The very fact that the State has an interest in detecting money laundering strengthens that first link: concealment - -> dishonesty. For the cypherpunks, of course, privacy -> nothing at all. Secrecy=privacy is the default. Secrecy=concealment is a red herring. This is not the forum to recite the virtues of privacy. So I'll leave you [at last, they cry!] with a sugestion as to its main (rhetorical) vice: privacy is opposed to public, and public is (usually) good. I'll go further. In the same way that "secret" gives rise to a cascade of negative associations, "public" gives rise to a chain reaction of happy, if not down right noble, thoughts: the public good; public service; the public's right to know; and, of course, the republic itself. Private (and privacy), on the other hand, gains meaning from its distinction from public -- it is _inherently_ negative. All this is so much old rope for those who reject the linguistic turn in philosophy, but I find it a useful way of thinking about trends. And we are seeing trends towards individuality, the rejection of the collective, the privatisation of what once was public. Part of this will be the reversal of the privilegeing of public over private, and the consequent/connected move from secrecy=concealment to secrecy=privacy. And a tangble manifestation of all that will be the rise of anonymous digital commerce, and the abandonment of The War on Some Money. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNkJOVlo3j8JHzalAQGA/gP8D1mKUVyzybOVuI2AknuznciwghtvndH9 I0GtFnti8zFANMo6LIqb5/Hlz/XDTG6SFZR5D9omFlAd/J781pInaiEtTfXr/y+M BXOppcvXfo28adGR5bgi+JLoZE9XQ511Qrz+HKi7Oa47LudySpRHkd/THM1Wamnw 9aWkxh5JOXs= =FoHd -----END PGP SIGNATURE----- [Palmtop News Reader - Beta Version 3] From eay at mincom.oz.au Wed Dec 20 23:43:12 1995 From: eay at mincom.oz.au (Eric Young) Date: Wed, 20 Dec 95 23:43:12 PST Subject: SSLeay 0.5.1 Message-ID: SSLeay 0.5.1 is now available. It should be quite stable and has documentation for the lower level cryptographic routines. It is incompatible with the previous version but has no global variables of consequence so it should be a much nicer starting point for threaded libraries. The library should have no memory leaks and the general cryptographic functionality has been filled out more. Tim Hudson will be updating the applications available on ftp.psy.uq.oz.au in the next few days. I leave for an 11 week holiday today so please address any problems and questions to the ssl-users at mincom.oz.au mailing list (if it is of general interest) or to ssleay at mincom.oz.au which goes to both myself and Tim Hudson (who will be fixing any bugs while I'm away). Anouncing software and then leaving for 3 months would probably not normally be considered a good practice but 0.5.0 has been tested for the last week or so and I have faith in Tim Hudson's ability to fix bugs after doing pre-alpha testing for the last 6 months :-) As per usual, the primary ftp site is ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL http://www.psy.uq.oz.au/~ftp/Crypto Documentation on the demo application is sparse but I hope Tim Hudson will be able to fill in the gaps while I'm away :-) eric -- SSLeay v 0.5.1 21/12/955 Copyright (c) 1995, Eric Young All rights reserved. This directory contains Eric Young's (eay at mincom.oz.au) implementation of SSL and supporting libraries. The current version of this library is available from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.xx.tar.gz There are patches to a number of internet applications which can be found in ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/ A Web page written by Tim Hudson can be found at http://www.psy.uq.oz.au/~ftp/Crypto This Library and programs are FREE for commercial and non-commercial usage. The only restriction is that I must be attributed with the development of this code. See the COPYRIGHT file for more details. Donations would still be accepted :-). The package includes libssl.a: My implementation of Netscapes SSL v 2 protocol. This library implements the SSL protocol. libcrypto.a: General encryption and X509 stuff needed by SSL but not actual logically part of it. It include routines for the following: libdes - My libdes DES encryption package which has been floating around the net for a few years. It includes 15 'modes/variations' of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb; pcbc and a more general form of cfb and ofb) a fast crypt(3), and routines to read passwords from the keyboard. RC4 encryption, IDEA encryption - 4 different modes, ecb, cbc, cfb and ofb. MD5 and MD2 message digest algorithms, SHA (SHA-0) and SHA-1 message digest algorithms, RSA encryption/decryption/key generation. There is no limit on the number of bits. Diffie-Hellman key-exchange/key generation. There is no limit on the number of bits. X509 encoding/decoding into/from binary ASN1 and a PEM based ascii-binary encoding which supports encryption with a private key. Programs in this package include enc - a general encryption program that can encrypt/decrypt using one of 17 different cipher/mode combinations. The input/output can also be converted to/from base64 ascii encoding. dgst - a generate message digesting program that will generate message digests for any of md2, md5, sha (sha-0) or sha-1. asn1parse - parse and display the structure of an asn1 encoded binary file. rsa - Manipulate RSA private keys. dh - Manipulate Diffie-Hellman parameter files. crl - Manipulate certificate revocation lists. x509 - Manipulate x509 certificates, self-sign certificates. req - Manipulate PKCS#10 certificate requests and also generate certificate requests. genrsa - Generates an arbitrary sized RSA private key. gendh - Generates a set of Diffie-Hellman parameters, the prime will be a strong prime. ca - Create certificates from PKCS#10 certificate requests. This program also maintains a database of certificates issued. verify - Check x509 certificate signatures. speed - Benchmark SSLeay's ciphers. s_server - A test SSL server. s_client - A test SSL client. s_time - Benchmark SSL performance of SSL server programs. Documents included are A Postscript and html reference manual (written by Tim Hudson tjh at mincom.oz.au). A list of text protocol references I used. A initial version of the library manual. To install this package, read the INSTALL file. This library has been compiled and tested on Solaris 2.[34] (sparc and x86), SunOS 4.1.3, DGUX, OSF1 Alpha, HPUX 9, AIX 3.5(?), IRIX 5.[23], LINUX, NeXT (intel). For people in the USA, it is possible to compile SSLeay to use RSA Inc.'s public key library, RSAref. From my understanding, it is claimed by RSA inc. to be illegal to use my public key routines inside the USA. Read doc/RSAref.doc on how to build with RSAref. Read the documentation in the doc directory. It is quite rough, but it lists the functions, you will probably have to look at the code to work out how to used them. I will be working on documentation. Look at the example programs. There should be a SSL reference manual which is being put together by Tim Hudson (tjh at mincom.oz.au) in the same location as this distribution. This contains a lot more information that is very useful. For a description of X509 Certificates, their use, and certification, read rfc1421, rfc1422, rfc1423 and rfc1424. ssl/README also goes over the mechanism. We have setup some mailing lists for use by people that are interested in helping develop this code and/or ask questions. ssl-bugs at mincom.oz.au ssl-users at mincom.oz.au ssl-users-request at mincom.oz.au This library is reasonable stable now. Version 0.5 has had extensive rewriting since version 0.4. The purify package has been used extensively and I believe most if not all memory leaks have been removed. There are no writable global variable so a multi-threaded/DLL version of the library should be quite simple to write. Look at TODO for a list of thinks I know I still need to do. eric (December 1995) Eric Young (eay at mincom.oz.au) 86 Taunton St. Annerley 4103. Australia. From nobody at REPLAY.COM Wed Dec 20 23:55:10 1995 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 20 Dec 95 23:55:10 PST Subject: Cypherpunks resumes? Message-ID: <199512210755.IAA28350@utopia.hacktic.nl> Is there any chance of seeing a Cypherpunks 'Rogues Gallery' of sorts in the archives anytime soon? It would be nice to see a face connected to the postings here. Some of us don't get the chance of getting out west for the parties, The only other thing I know about Tim May besides being one of the Fathers of the Cypherpunks is that he was a naked hippie in a hot tub at some party that Robert Hettinga was at some weeks ago, That doesn't paint a good picture for me. Thanks, A.E.N. From blancw at accessone.com Wed Dec 20 23:57:23 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Wed, 20 Dec 95 23:57:23 PST Subject: The Problem With Blaze And Weinstein Message-ID: <9512210757.AA25763@pulm1.accessone.com> >From the Fool on the Hill(aka ECafe): ATT and Netscape are both tools of the CIA/NSA. Blaze and Weinstein are in on the plot to force GAK upon us.... ..Only true visionaries like myself and Dr. Frederic B Cohen are telling it like it is; everyone else has had the wool pulled over their eyes by the NSA/ATT/Netscape axis. ................................................... Surely you're joking, Mr. Feynman! Cpunks, do you not "get it" - This has to be a jest, poking at some of the attitudes which have been expressed on the list. I think it's a bit late, though, as most of the excitement has calmed, and this must be why it's not recognizable. (if you think it's worth a comment, at least make it *funny*!, right.) .. Blanc From blancw at accessone.com Wed Dec 20 23:57:34 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Wed, 20 Dec 95 23:57:34 PST Subject: on web standards: sent to Markoff Message-ID: <9512210757.AA25767@pulm1.accessone.com> Attila: I'm surprised at you. I thought you were anarcho-capitalist. Oh, well; I have a few pithy comments in reply to your post (but anything beyond this will be in private email). I'm tempted to say back to you, as you just recently stated: "if you have not walked in the other's shoes, keep silent." Have you read any of the books on Microsoft or Bill Gates? I think this would provide you with additional perspective on your conclusions about him and the company. But think about this: . no company which MS has done business with has been coerced into dealing with the company and its products. Those who felt compelled to do business on Billg's terms were influenced by their desire to reap the lucrative benefits of it. . no customer has been coerced into purchasing the products offered; they were not prevented from shopping for computers from companies which do not pre-install the OS; if it was already installed on the machines they purchased, they were free to delete it, they were not coerced into using it or into upgrading to the next release. . not only have many software companies not take advantage of the opportunities created for cashing in on the unexpected popularity of MS software, . there have been occasions where competitors failed to see opportunities in the market which Microsoft did and took aim for, or . attempted business deals/associations among competitor software companies did not come about, thus failing to create a concerted competitive threat to Microsoft, or . a dominant software product from a competitor suffered in the market place, (sometimes from the fault of "bad management"), thus again giving the advantage to Microsoft. Often it has been what the competition *didn't do*, which gave Microsoft the advantage in the "market place", rather than any amazing magical business savvy or "unethical business practices". Nevertheless, as someone at MS said, "it isn't the customers who are complaining". There have been many willing participants, apparently, who have cooperated (or "conspired", if you will) in making the company the success which it has become. And continue to do so. .. Blanc p.s. Nuri-logical: I like your idea for a "dog-eat-dog" welfare fund. From vznuri at netcom.com Thu Dec 21 00:22:40 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 21 Dec 95 00:22:40 PST Subject: attila's fallacious flagwaving In-Reply-To: Message-ID: <199512210819.AAA01149@netcom9.netcom.com> >1) you obviously have no concept of anti-trust or anti-competitive > law, practice or the public interest it represents. I wrote my > thesis on government regulation of monopoly v. monopoly > franchises such as utilities. neither do you, mr. pseudonym. notice how nothing that MS does even remotely resembles the *utility* business, and how painfully absurd it would be to imply such a thing were so... your point above, while seemingly implying something significant, in itself gives absolutely no evidence for what you claim (i.e. that I don't have a clue). this is quite similar to your essay in which you say that "MS *clearly* violates free/fair trade" with nothing to support your case other than innuendo. I am not going to play ----sizewars with you, I wouldn't want to damage your obviously fragile selfesteem. I wouldn't *want* to be an expert on the ridiculous legislative laws that go under the idea of "antitrust", which are just a convenient excuse in most cases for the government to interfere with business when the public is whining a lot. > 2) market domination can, and generally does, stifle competition, > but it also kills innovation of alternatives. Software companies > are too busy kissing arse with Bill, and threatened by Bill, > to release software on other systems say unix or os/2. this is a subjective matter. you continually lace your claims with many subjective claims that have no basis in fact. who is to decide what is unfair and what is not? answer: a court. so far, no court has agreed with you that MS has been involved in unfair trade. you seem to believe that you are the authority. you have failed utterly to give a single concrete instance of how Microsoft is *unfairly* stifling competition, although you have infinite innuendos and seem to think that merely by saying things like "OS2" in your writing that you have proved your case. it may be that Microsoft "stifles" competition because all of its competitors are simply *choosing* not to compete with them on certain platforms and areas. now, *no*amount*of*legislation* will change what a company decides of their own free will in this manner. why is it a horrible calamity if other companies voluntarily *choose* not to compete with microsoft? is microsoft putting a gun to anyone's head not to compete with them? are they essentially paying people not to compete with them? are they trying to sabotage their competitors by contract killings on their programmers? no, they are succeeding because they have a *superior product*, *nothing* more sinister than that is going on. no amount of wet-tissue-paper conspiracy theories ranting about API documentation is going to change that. > a perfect example is Corel. Corel was _very_ enthusiastic to > release for OS/2, in fact they were ported to OS/2 before W95 > released. Shortly after the announcement, the honcho reversed > positions and canceled Rev 6 for OS/2 stating that Rev 2.5 which > has existed for some time, was "adequate" for OS/2. I am not going > to expose my inside source, as their will be retribution. why is this a problem? companies change their course all the time based on the competition. you think this is the first time a company decided to change course when they found out what a powerful competitor was doing? *wrong*. obviously. but because MS is involved, you seem to think this is a horrible injustice for mankind. there's no doubt that people voluntarily choose not to compete with MS. MS voluntarily decided not to compete with Intel for chip fabrication!! *surprise*.. likewise many software companies choose not to compete with MS in particular areas that MS has *won* through hard work. MS is in the position of a marathon runner, not a tyrannical despot as you imply. the *moment* that MS makes a bad strategic decision or trips from their relentless pursuit of customer satisfaction, any one of the numerous hyenas nipping at their hyenas will take advantage of the slip. > 3) you are totally ignoring the comments on anti-thrust and restraint > of trade. In general market terms, anti-thrust is less important > than restraint of trade --Bill _clearly_ violates the rules on > restraint of trade, and therefore should be dismembered to avoid > lack of innovation as in #2 above. no amount of times of saying "Bill clearly violates [x]" will prove your case without concrete examples, none of which you have provided. furthermore, you are correct in that I am ignoring many of your comments about "markets". you don't seem to understand this point: MS dominates in markets that they *created*. MS *created* the "widget" market. then to have other companies and individuals such as yourself screech that they are being "excluded" from this market is the height of hypocrisy, when these people voluntarily decided to "opt out" at an early stage. this basic point of mine in my prior essay totally sailed over your head. antitrust laws make sense in *pre*existing* markets that have come to be dominated by a single company, a "monopoly", that seems to be trying to stifle competition. e.g. there are 5 railroad companies, then suddenly there is only 1 that charges highway robbery. or, series of [x] barons collude to price fix. what has MS done that stifles competition? they stifle competition not by trying to overtly prevent companies from competing. they "stifle competition" by being the best there is. and you are free to change this by creating better software. so far they are so ingenious in creating brilliant software that no one has come close to their prowess. why do you think that antitrust laws are the panacea for all problems in markets? you haven't even proven that MS is a problem, you just take that as a given. then you presume that because antitrust laws exist, they must be sacred and they must apply. well, you look pretty silly to me trying to apply your 19th century antitrust laws and feebleminded market ideas to a state-of-the-art 20th century market that is doing just fine, thank you very much, without interference from legislative busybodies like YOU. do you recall the RAM "crisis" of a few years ago in which the Reagan administration accused Japan of "dumping" RAM chips? do you consider this a success of legislation applied to high tech markets? if so you are in the minority of all people in the technology industry. now, dear sir, I admit that there are unethical businessmen, and I do believe that government antitrust laws make sense when a single businessman or a set of them are conspiring to seize a market and *prevent*competitors* from even participating in that market. but nothing MS has done prevents competitors a-prior. it is a far different thing to have some kind of skullduggery that prevents others from even attempting to get into business (such as blackmail, sabotage, manipulating their employees, manipulating resources, etc.). however we have a clearcut situation in which various companies are simply voluntarily *choosing" not to compete with microsoft. and you complain there is not enough "innovation" in the technological field? you think MS' dominance is preventing "innovation"? this is the most utter ridiculousness I've heard in many years, and I'm embarrassed to see these thoughts on the CP list, although not surprised they come from someone without any interest in revealing their identity. > 4) you clearly have no concept of American free market policy. Yes, > you may be very successful, even filthy rich, but when you > stretch your rights to clearly offend the public interest, then > anti-trust and restraint of trade laws serve the _needs_ of a > free and _competitive/innovative_ market. these things you talk about with breathless patriotism are all *subjective*. its *subjective* whether a given company is preventing competition or free trade. there may be legislative criteria, but they are only subjective guidelines that the courts have to try to figure out. you talk about operating systems as if it is a "public interest" area. well, sir, it seems to me you can manipulate any company to any ends you like by insisting that what they manufacture, after all, is in the "public interest" and therefore this merits legislative brainless busybodiness. furthermore your silly effusive rhetoric above again fails utterly to tangibly demonstrate that MS is engaged in "unfair" practices. again you seem to believe that MS is involved in unfair practices because 1. Gates is the richest man on the planet 2. other companies avoid competing with MS in some areas 3. OS2 is not as successful as windows 4. gosh darn it, there isn't enough *innovation* in software right now > America does not serve dinner to merchants who rape, pillage, and > burn --as Bill Gates has crushed his opponents; the barbarians > are punished. There are grounds for criminal charges in Bill's > actions. all I can say is, hee, hee. Bill Gates is ruthless, I grant you that: he's ruthless in cutting the crap out of his products and the hot air that customers *don't* want, and putting in the concrete meat that people crave, and the marketplace has virtually deified him. to argue with MS's dominance is to argue against the people who buy his products. why do you think they made the wrong choices? with their own cash? your legislative solution are designed to make decisions that individuals are quite happy to make by themselves, thank you very much. > 5) you are incorrect in your assumptions that Gates was sued > anonymously. I didn't say that. I said that his throat-slashing attackers would *like* to be anonymous, as you delightfully prove. >In the initial action by the DOJ, competitors were > _asked_, by subpoena, for factual information by the DOJ. The > _DOJ_ provided the shield in so much as Bill's barbarian actions > were of sufficient interest that evidence providers desired and > were given protection --not much different than the Federal > Witness Protection program. oh brother. yes, Bill is going to go out and hire hit men to get back at all his enemies. (hee, hee, once again). what you fail to understand is that if Bill decides that other companies are trying to slash his own company's wrists, he has full authority to make business decisions regarding their declared enmity. apparently your miracle system would be the following: any company can lodge an anonymous complaint against their enemy and tie that enemy up in court without revealing their own identity. after all, we need to *protect* those accusers, don't we?? heh. in all your sparkling effusion about America (oh, I can hear the flag flapping in the breeze behind you, god, this country is great) you fail to consider the ideas about "confronting ones accuser" deemed important enough to stick in the bill of rights... can you reiterate why you think Bill is a "barbarian"?? hee, hee. > when CI$ and the rest banded together to protest Bill's obvious > restraint of trade and stonewalling on hooks to Win95 for three > months after Win95 released, they did not, and _could_ not, do > so anonymously. yes, what a pity they could not. let me tell you, I really feel your pain. hahahahaha. > 6) how much is Bill paying _you_ for your efforts? You obviously have > too much of an interest in the commercial outcome to be so ignorant. my efforts in what? I have no financial ties to microsoft. I have friends that work there. I have met plenty of people such as you who I think simply fail to understand the concept of free enterprise, which does *not* promote equality. in fact it rewards those people fantastically who can anticipate markets and give consumers precisely what they want. and for this brilliant gift of Gates' which is perhaps unparalleled in the history of business (imho), you would like to cut up his painfully constructed kingdom so that other people have a "chance" to "compete" in markets that Microsoft actually originally created. > 7) Your beliefs are one thing --state 'em, but don't speak for America > until you know the definition of the "public interest" and have > some concept of anti-trust and restraint-of-trade legislation and > court rulings which have set the guidelines. clutch it in, > _after_ your brain is in gear. your using terms such as "anti-trust" and "restraint of trade" do not make you any authority either. I freely admit I am not an expert, but I also think that its translucently obvious to even some of the most uneducated of people that 1. if there are laws, they can be misapplied by bureacrats to manipulate companies. a situation where companies can sabotage each other merely through litigation is a very serious red flag. 2. because a company is not doing well in the marketplace, is not reason to introduce legislation or litigation against a successful company. it is a reason to REJOICE that the market has sent a CLEAR MESSAGE about WHAT IT DOESN'T WANT. any amount of whining and pleading by executives in this company or their sniveling sycophants does not change this *basic* reality. IBM got a massive reality check in the marketplace in the early 80's. no matter how much they though they were sacred, the *market* told them to **** off!!! because they didn't have a clue, and failed to listen to people who were *offering* them clues for free (Bill Gates) included. and you whine that IBM "didn't sabotage themself", that "they weren't their own worst enemy", they just didn't "adjust". oh, the grisly horror. they had half a decade or more to get a clue about what the industry wanted, and it didn't tolerate their egocentric vaporideology. cypherpunks, rejoice. 3. furthermore, because a lot of people hate a company and think that they ought to be restrained, DOES NOT MAKE THIS LEGITIMATE or ACTIONABLE. people are notorious for wanting things they don't really want in the long run, not understanding the full consequences of their own demands. that is, perhaps even demanding something that is self-contradictory (i.e. "kill microsoft so that we can get more software innovation", apparently your own view). 4. antitrust laws were invented in the 19th century and originally were related to railroad price gouging. there was some real skullduggery going on in this period imho, but to compare Gates to these "robber barons" is a disservice to humanity and a black mark on your karma record, imho what is my hidden agenda? to see the truth as it stands, when everyone around is trying to see the truth that fits their hidden agenda. its a rare gift and a curse I assure you but it's known as "speaking one's truth". as someone who has written software and understands the difficulty of *pleasing*customers*, I congratulate Gates as a brilliant pioneer and visionary of the 20th century and say a pox on all his detracters that paint him as a "barbarian" for his sterling accomplishments in *customer*service* in an insanely difficult enterprise (software development). I wouldn't have responded to your last message if you had more coherently rebutted the actual message of my original essay. as it stands I just thought I would sent this little missive to further highlight your own cluelessness and decrease your reputation on the list. having done this, I think now I will probably just ignore you as inconsequential or take fun intermittent potshots at you. sweet dreams!! From gbroiles at darkwing.uoregon.edu Thu Dec 21 01:03:10 1995 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Thu, 21 Dec 95 01:03:10 PST Subject: The Problem With Blaze And Weinstein Message-ID: <199512210902.BAA03598@darkwing.uoregon.edu> At 01:12 AM 12/21/95 GMT, "Bill Gates" wrote: [...] >Evidently the cypherpunks are all too impressed >with Blaze and Weinstein's master degrees to see >what's really happening. Only true visionaries >like myself and Dr. Frederic B Cohen are telling >it like it is; everyone else has had the wool >pulled over their eyes by the NSA/ATT/Netscape axis. > >It's amazing how clear everything becomes once >one stops taking the medication that THEY prescribed. > >s/ Bill Gates Oh, I see. I think you misspelled "troll". Hope this helps. -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From jsw at netscape.com Thu Dec 21 01:03:57 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 21 Dec 95 01:03:57 PST Subject: King Kong Does e$ In-Reply-To: <199512201719.JAA12291@jobe.shell.portal.com> Message-ID: <30D92197.7C87@netscape.com> Hal wrote: > But this influence is making us a target of companies who know that > gaining our approval, or at least avoiding our criticism, is important > for success on the net. In many cases, such as the recent flap over > Netscape's attitudes towards key escrow, I detect a whiff of two > sidedness, in which one attitude is presented for the benefit of > government and law enforcement interests, while another posture, more > acceptable to cypherpunks, is adopted on the net. At the NIST meeting our representative made a strong statement against the governments GAK proposal, and government interference with crypto in general. If I'm not mistaken that was a government and law enforcement forum. We want to sell (and give away) products that contain strong encryption, and our customers want to buy it. We are beginning to take a more active role in trying to achieve this goal. Its not happening fast enough for me either, but it is happening. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From jsw at netscape.com Thu Dec 21 01:54:28 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 21 Dec 95 01:54:28 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512202018.UAA02824@pangaea.ang.ecafe.org> Message-ID: <30D92D80.1CED@netscape.com> ECafe Anonymous Remailer wrote: > > I'm not trying to start a flame war. I'm > sure these people are very smart and have > written lots of good code. I'm sure they're > very nice and never kick their dogs. I'm > just tired of people defending them as > cypherpunks. > > They aren't cypherpunks. > > Neither has come out against GAK. They > both carefully avoid commiting to any > statement. They want us to think they're > "one of us" but they don't want to be > pinned down because they are double dipping > on both sides of the fence. > Weinstein is actively promoting GAK by > working at the company that the government > has chosen to bring it to you now that > att has failed. I am against GAK. I have been contributing to EFF for years. I have written and faxed my representatives in congress stating my position against both GAK and government censorship of the net. The reason I'm working on security code at netscape is that I think it may be the only way to foil the government's plans to remove all privacy from its citizens is mass market strong encryption software. Why do you believe that Netscape has been chosen by the government to bring GAK to the masses? Because of the uninformed and misguided comments of Jim Clark? Jim has been educated and the company has taken a firm position against government control of crypto. When you go to the store today and buy netscape you get strong encryption out of the box, without any GAK. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From cpunk at remail.ecafe.org Thu Dec 21 02:17:27 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Thu, 21 Dec 95 02:17:27 PST Subject: The Problem With Blaze And Weinstein Message-ID: <199512211018.KAA02190@pangaea.ang.ecafe.org> I was not interested in starting a flame but I seem to have ignited one. I'm sorry about that. Since almost nobody sees these people from big corps as having a conflict of interest by being here I am willing to drop the subject having raised the point. It just seemed funny to me that cypherPUNKS would be so happy to have these fortune 500 types running the show. I guess I see the point that these people have something to contribute as long as they are honest about who they are. I have to say it rubs me wrong though. Like I said I've written a lot of code in my day and many of you are probably running some of it while you read this (enough said). I just don't want to depend on att or netscape to protect me. Even if they do a good job the cost of using their stuff is too high (for example the fine print in that att product). Lets write our own code and gpl it so no one can take it away! s/ Bill Gates From RDHeffren at gnn.com Thu Dec 21 04:00:32 1995 From: RDHeffren at gnn.com (Robert Heffren) Date: Thu, 21 Dec 95 04:00:32 PST Subject: COMMUNITY CONNEXION PIONEERS PRIVATE ELECTRONIC COMMERCE Message-ID: <199512211159.GAA01454@mail-e1a.gnn.com> -----BEGIN PGP SIGNED MESSAGE----- On 19 Dec 95, sameer wrote; > COMMUNITY CONNEXION PIONEERS PRIVATE ELECTRONIC COMMERCE > Community ConneXion today announced a new service for its customers > which will make secure, private electronic commerce more accessible > to all merchants, from the small single-person business to large > corporations trying to sell goods and services over the > world-wide-web. There went the neighborhood. The Prez and the Coalition on one side and big biz on the other. AOL and their stings, all the motherfuckers spamming the piss out of everybody else and every place you turn, some swinging dick wants to put his goddamn hand in your pocket. Fuck it! Shut this sonfabitch down and take up doll-collecting. Who NEEDS this bullshit! Unsub this bastard AND gone; -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMNlMrBMzypiVqpjNAQG/fAL9GS5NiWR/5mb+KbKwxp2wSB6MUliwJaEV uBb+a7F5s7PQ0lQEWfujPKIoaF/iCB0zRKN0yLWCuvNiQe3YWMnwn5WggPekDRPl 0b3u37WHmeCKyhamMixnyK4w7jjT2use =WaxG -----END PGP SIGNATURE----- From fc at all.net Thu Dec 21 04:39:15 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Thu, 21 Dec 95 04:39:15 PST Subject: Gates history In-Reply-To: <199512210204.SAA26757@netcom20.netcom.com> Message-ID: <9512211235.AA29804@all.net> Not that this subject matter is relevent to cypherounks, but... > cpunk relevance: operation of the free market ??? > Gates' conquests can either be made out to be a failure of the free enterprise > system or a success from it. the more I read whining complaints about MS's > dominance, the more I prefer the latter interpretation. perhaps power > corrupts, but on the other hand failure clearly promotes whining. "you cannot > grow taller by chopping off the heads of others". I respectfully disagree with the analogy. In a competitive market economy, you can indeed grow larger by killing off the competition. In fact, that's the whole idea of unfettered capitolism. This was tried 100 years ago and the result was monopolies which in the end eliminated competition and ended up reducing innovation and productivity while increasing prices. Then the US government decided to end this by introducing laws to limit monopolies. The broke up AT+T and essentially forced IBM to become weak in the name of fairness, but when Bill Gates brought Microsoft into the same position, the government failed to act (and is continuing to do so). This is (in my opinion) because Ron Raegan was so influential as president and heavily favored unfettered free trade. > I've seen so many people try to smear MS with innuendo, as if "enough people > being unhappy" at a company is ample evidence that there is "unfairness". > the marketplace is *not* fair. it rewards people who are in tune with it > disproportionately!! sometimes, *dramatically*so* as in the case with Gates. Inuendo or not, there are clear facts that have been widely documented regarding Microsoft (Bill Gates doesn't run it alone you know!). Among them are: - Microsoft forces dealers to buy only Microsoft software bundles if they want to use ANY microsoft products in their PCs at discount prices. I have been personally caught in this one. I had a calendar product a few years back that was marketed to about 1,000 of the largest microcomputer dealers and bundlers in the US. Not one would buy the product, and the reason they gave was that they were not allowed to bundle any non-Microsoft-approved software without losing their ability to sell the Microsoft bundles. This is not a case of sour grapes - it's just plan fact. That is what the dealers said - not just one of them. - Microsoft has historically used undocumented operating system calls which they provided details on to select software companies and which they used for their own products, but which they did not release to the greater market place. Without the use of these undocumented calls, many operating system features were not usable. The net effect was that companies not on the Microsoft chosen list were delayed in delivering new versions of products to meet new versions of operating systems, giving Microsoft and companies they worked with a market advantage. - Microsoft holds a dominant market position. This is a necessary component of the situation because if the same facts held for a non-dominant company, it would be within bounds of the law and would not stifle free trade. > a market for [x] gizmos does not even exist. a brilliant > person says, " I think people really need [x] gizmos. I'm going to make and > sell them. I'm going to find people who will help me, but if I can't find any > I'm going to do it all myself". Nobody is disagreeing with this. That is the desirable part of what Gates and Microsoft did - 20 years ago. But the standards we hold and the requirements we place on companies increase with their size and market dominance. This is done in the name of keeping a thriving competitive environment. In today's environment, Microsoft is dominating the market and thus reducing innovation (or so the theory goes) by using anticompetitive methods, and that is the issue. In my personal opinion, they are doing something far worse. By dominating the market with inferior products, they are essentially forcing the world to build an artificially weakenned global network environment. The net effect will be years of new versions of the Microsoft product line without a single bug fix (they call them feature enhancements). > Gates is such a person and did it with PC OS'es and various windows > applications (Excel, Word Perfect, etc.). he bet his entire future on > the idea that he knew what people wanted even when other companies disagreed. This is factually inaccurate. Microsoft created inferior versions of existing products that have only come to market dominance because of anticompetitive methods. For example, Excel has numerour bugs and produces wrong answers at a rate far in excess of 123. It is truly an inferior product, and yet it now dominates the market - solely because it is bundled with other microsoft products and because interoperation between 123 and Microsoft products is delayed due to undocumented features and changes in the underlying Microsoft operating system. Microsoft did not bet its fortune, nor did Bill Gates, on Excel, WordPerfect, or any other of their applications. With a few exceptions, they took existing products, built their own versions, used inside information and their dominant market position to force the products on PC dealers, and continue to do so. ... > the truth is that the playing field has always been level, but because Gates > is such a brilliant genius, market anticipator, and gizmo producer, he > succeeds far beyond his or anyone else's wildest dreams. It's just not accurate. IBM, until recently, was barred from selling more than a certain dollar value worth of units. Bill Gates didn't build Microsoft alone either. He has thousands of employees. Admitidly he was a driving force, but his team members are largely responsible for his success, and I think he would readily agree to this if you asked him. > the market has *given* bill gates his dominance. all the arguments about > him being "unfair" are absolutely bogus that I have seen. they amount to, > "Bill Gates is using tactics to sell more of his software than his competitors. > therefore, he's not being fair to everyone else who wants to sell their > software as well." That's not what people are saying. They are saying that Microsoft is breaking the law of the land and has been for a long time and that is why they have market dominance. Whether the law has been broken or not, you are mischaracterizing what has been said about Microsoft. Enough of this - sorry for the noise, and let's get back to what cypherpunks are about - cyphers. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From roy at cybrspc.mn.org Thu Dec 21 05:10:05 1995 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Thu, 21 Dec 95 05:10:05 PST Subject: Microsoft Flame[tm] [NOISE] Message-ID: <951221.063231.9N5.rnr.w165w@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- There's a lot of finger waving going on over Microsoft's alleged predatory practices. I just want to remind the pro-MS folks of something. Microsoft has a documented track record of using undocumented entry points in their OS and Windows products. These entry points allow MS apps to do some things more efficiently than a competitor which uses the published API. MS has been known to rearrange these undocumented calls, resulting in sudden incompatibilities with competitors. (remember when Win3.1 came out and DR-DOS was suddenly unable to run Windows?) And in the MS countersuit against Stac Electronics, MS successfully argued that undocumented system calls were protected as Trade Secret material. While this isn't the grand-scale conspiracy some people seem to see, IMHO it's still predatory. Perhaps the call to separate the OS and apps divisions is a good idea. It would be interesting to see if Microsoft could maintain its edge in applications when it had no sub rosa advantage in OS access. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNlXShvikii9febJAQFoGgP/YtHdGqO8++MfZmk3h61F8SmJBfPYfa1R JlccdIP9BZHVXZseao9b9DqxLY1xRYkK6fWETielJaSjXZKam1WlYKFzL5E8Hf1z IXQmj7rCIIfvqvq3byJq8B3IUbT4UnTMNDAHVlNUwkzrcJ+py8czsWtNy15g3ahY NzYL8UsOtwI= =MpV3 -----END PGP SIGNATURE----- From avatar at mindspring.com Thu Dec 21 05:13:46 1995 From: avatar at mindspring.com (avatar at mindspring.com) Date: Thu, 21 Dec 95 05:13:46 PST Subject: cyphernomicon Message-ID: <199512211313.IAA11974@borg.mindspring.com> If anyone is interested I would be willing to e-mail a copy of the cyphernomicon to you. BEWARE that it is 1.3MB in file size and 414 pages in text. Charles Donald Smith Jr. 582 Clifton Rd. N.E. Atlanta, Ga. 30307-1787 (404)-378-7282 From BRUEN at mitlns.mit.edu Thu Dec 21 05:29:49 1995 From: BRUEN at mitlns.mit.edu (Bob Bruen, MIT Lab for Nuclear Science) Date: Thu, 21 Dec 95 05:29:49 PST Subject: The Problem With Blaze And Weinstein Message-ID: <951221083022.2460067b@mitlns.mit.edu> > MIT is practically floating on government subsidies. It's funny how the grass is always greener somewhere else... Bob From perry at piermont.com Thu Dec 21 06:34:10 1995 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Dec 95 06:34:10 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <9512210012.AA19612@zorch.w3.org> Message-ID: <199512211432.JAA00971@jekyll.piermont.com> hallam at w3.org writes: > On the one hand we have the screaming libertarians with a bunch of > wedged political notions about property. On the other we have what > appear to be arch anti-capitalists claiming that nobody who earns > a living out of crypto can be a cypherpunk. What is really strange > is that these appear to be the _same_ people. No, Phil. We have just one person who's an annoying nutcase who's been bothering us, and lord knows what he really thinks. .pm From perry at piermont.com Thu Dec 21 06:37:17 1995 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Dec 95 06:37:17 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512210112.BAA05503@pangaea.ang.ecafe.org> Message-ID: <199512211437.JAA00982@jekyll.piermont.com> Rolling on floor... .pm ECafe Anonymous Remailer writes: > I'm not trying to start a flame war, just telling > people what's REALLY happening. [...] > ATT and Netscape are both tools of the CIA/NSA. [...] > Evidently the cypherpunks are all too impressed > with Blaze and Weinstein's master degrees to see > what's really happening. Only true visionaries > like myself and Dr. Frederic B Cohen are telling > it like it is; [...] > It's amazing how clear everything becomes once > one stops taking the medication that THEY prescribed. > > s/ Bill Gates From dmandl at bear.com Thu Dec 21 06:50:04 1995 From: dmandl at bear.com (David Mandl) Date: Thu, 21 Dec 95 06:50:04 PST Subject: KOD In-Reply-To: <199512202258.RAA13656@pipe2.nyc.pipeline.com> Message-ID: On Wed, 20 Dec 1995, John Young wrote: > >Can you reveal who they are? No way am I going to buy > >Newsweek to find out. > > Anyone out of Newsweek's range, return this msg, empty, to me > to get the 50 mugshots, then ... sort out the living from the > dead. I send for copies of John's articles almost every day (thanks, John). I was fooled this time because the reply codes are ALWAYS of the form AAA_bbb, and this time it was just AAA. It went right by me. There must be a psychology lesson in here somewhere. So did Pipeline finally upgrade their software, or what? > Best not to cypherdunk the already nym-shot victims. Privacy is > paramount, bellows this list, no? Um, sure, John. Cypherpunk relevance: There's apparently an encrypted message in John's last paragraph above. A free T-shirt to the first person to find it. --D. -- David Mandl Bear, Stearns & Co. Inc. Phone: (212) 272-3888 Email: dmandl at bear.com -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From james at sparta.lcs.mit.edu Thu Dec 21 08:01:10 1995 From: james at sparta.lcs.mit.edu (James W. O'Toole Jr.) Date: Thu, 21 Dec 95 08:01:10 PST Subject: brief review of MIT 12/15/95 "micro-commerce" talks Message-ID: <9512211605.AA17350@sparta.lcs.mit.edu> This is a quick summary of the Friday 12/15/95 talks at MIT on micro-commerce: Millicent --- Mark Manasse, Digital Equipment Corporation Brokers purchase "scrip" in large batches from vendors; users purchase scrip small batches from brokers; users give small scrip to vendors in each purchase transaction. "Scrip" is vendor-specific and its validity can be efficiently verified using hashing. No public-key crypto is required to carry out the protocols, because pairwise trust relationships between user and broker, and between broker and vendor, are established and these pairs share secrets. PayWord --- Ron Rivest, MIT Users are issued certificates by brokers, indicating that the broker will extend credit to the user. Users generate long hash-chains by repeatedly hashing a random seed value to obtain a hash-chain root. Then the user promises to a specific vendor that he will pay one cent per element of that hash-chain. This promise is made by the user signing (using PKC) the root of the hash chain. Each time the user wants to pay one cent to the vendor, she sends another element of the hash-chain, working backwards from the root, as in the S/Key system. The vendor redeems the whole chain (or whatever portion the user has spent) by sending the user's signed promise and the last spent element of the chain to the broker. MicroMint --- Adi Shamir A scheme for issuing coins that is much more like traditional physical coin systems in that forgery and cheating are possible, but only practical on a large scale, and are detectable and can be combatted. A "coin" in the MicroMint system is a set of 4 values that hash to the same value. Producing such 4-way-colliding values is much less expensive in bulk than individually. The mint produces coins in bulk and will redeem them into cash. To combat active forgers, the mint can embed secrets in the coins and reveal the secrets progressively so that vendors can detect forged coins cheaply. Lightweight Signatures for Revocation --- Silvio Micali, MIT A cost/performance analysis of the key revocation system for the U.S. Federal Goverment's Public Key Infrastructure. Taking a MITRE-designed plan as a starting point, the communications costs are analyzed. In the MITRE plan, the certification authorities issue revocation lists on a semi-weekly or daily basis, these lists being then stored in an untrusted and highly replicated database. When a public key is being checked, the receiver queries the database to determine the status of the public-key. In the talk, Silvio showed how lightweight signatures can be used to reduce the size (and therefore transmission cost) of the revocation lists. He also showed that transmission costs can be dramatically reduced by not sending large revocation lists in response to queries. Instead, the replicated database can store a timestamped key-status-report (signed by the certification authority) for every single key. This key-status-report is much smaller than the full revocation list. Overall, the PayWord scheme is probably the one to watch for actual use on the Internet. Millicent has an advantage of not using PKC, but PayWord may be simpler to implement and is being discussed in the WWW Consortiom and the IETF as a possible draft standard. It is also worth noting that PayWord operates essentially by combining a PKC-signature-based authentication (between user and broker) with a One-Time-Password (OTP) authentication scheme (as in the S/Key system). OTP has been getting standardized recently on the Internet and maybe that will help too. From jya at pipeline.com Thu Dec 21 08:05:48 1995 From: jya at pipeline.com (John Young) Date: Thu, 21 Dec 95 08:05:48 PST Subject: Encryption Rules Coming Message-ID: <199512211605.LAA00150@pipe3.nyc.pipeline.com> Financial Times, December 21, 1995, p. 4. Encryption rules to be prepared By Andrew Jack in Paris Representatives of international business and government yesterday agreed to draw up guidelines on encryption, a system which allows computer users to transmit information electronically with little risk that it can be intercepted and understood by unauthorised "hackers". The meeting, which was held at the International Chamber of Commerce in Paris, could lead to formal propositions prepared jointly by business and government organisations that could be ready by as soon as next summer. Yesterday's meeting did not have any formal legal authority, but was highly significant as the first forum where so many representatives of governments businesses and computer experts met to discuss developments in encryption. Highly sophisticated encryption technology already exists in a number of countries including the US and Sweden. In the US, companies already have access to these programs. A growing number of businesses -- led by the banking sector -- are demanding access to these programs. However, many governments, including that of the US, have resisted permitting the technology to be exported because they fear it will fall into the hands of organised crime and terrorist organisations. They have demanded that they should be able to "hack" into computer transmissions for counter-intelligence and criminal investigation work, in the same way that they can conduct telephone-tapping exercises. An important conclusion of yesterday's Paris meeting was that business agreed in principle to allow such hacking to take place as long as sufficient safeguards were in place and "electronic search warrants" had been issued with proper judicial approval. A number of governments appear willing to permit relaxation of export controls on sophisticated encryption devices as long as these safeguards are in place. Among the issues that experts on both sides need to resolve are the ways in which "keys" allowing computer transmissions to be decoded would be handled. A number of business organisations have discussed the use of third-party organisations, which would be independent of government, would have the keys and would hand them over to government investigators when demands were justified. However, the organisations still have to resolve a number of issues, including how these custodians could be made legally liable for any unauthorised access to this information and for the costs of its misuse. [End] ---------- Does anyone have press reports or more information on this meeting? Any connection to the recently signed Transatlantic Agenda? From samman-ben at CS.YALE.EDU Thu Dec 21 08:07:30 1995 From: samman-ben at CS.YALE.EDU (neB .veR) Date: Thu, 21 Dec 95 08:07:30 PST Subject: KOD In-Reply-To: Message-ID: On Thu, 21 Dec 1995, David Mandl wrote: > > Best not to cypherdunk the already nym-shot victims. Privacy is > > paramount, bellows this list, no? > > Um, sure, John. > > Cypherpunk relevance: There's apparently an encrypted message in > John's last paragraph above. A free T-shirt to the first person to > find it. Um....I think that's just his writing style. Ben. PS: I've just finished the first copy of a zero-knowledge client/server application. Its really basic--I'll be adding BBS to it RSN. IF you want it, mail me. PPS: There's no crypto--just Fiat-Feige-Shamir ZKIPofI. Can I export this? ____ Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin PGP Encrypted Mail Welcomed Finger samman at powered.cs.yale.edu for key Want to give a soon-to-be college grad a job? Mail me for a resume From jamesd at echeque.com Thu Dec 21 08:34:44 1995 From: jamesd at echeque.com (James A. Donald) Date: Thu, 21 Dec 95 08:34:44 PST Subject: The Problem With Blaze And Weinstein Message-ID: <199512211634.IAA22811@blob.best.net> >ECafe Anonymous Remailer wrote: (A bunch of ridiculous nonsense) At 01:48 AM 12/21/95 -0800, Jeff Weinstein wrote: > I am against GAK. I have been contributing to [...] Please do not reply to silly trolls. By replying, you act as if what this loon said mattered. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jya at pipeline.com Thu Dec 21 08:39:40 1995 From: jya at pipeline.com (John Young) Date: Thu, 21 Dec 95 08:39:40 PST Subject: KGB_cia Message-ID: <199512211639.LAA04102@pipe3.nyc.pipeline.com> 12-21-95. WPutz: "In an unusual interview Yevgeny Primakov, head of the Russian Foreign Intelligence Service, discussed problems and challenges facing his intelligence agency in terms that often sounded like testimony that CIA Director John M. Deutch gave the House intelligence committee Tuesday. In comments that echoed those of his U.S. counterparts, Primakov charged that some post-Cold War budget cuts in his agency developed 'because the [Russian] press ganged up on us [and] many newspapers wrote absurd things about us, including statements that foreign intelligence was no longer necessary at all.' His remarks about media coverage were similar to recent statements by Deutch and his predecessors, R. James Woolsey and Robert M. Gates." KGB_cia (5 cia) From robl at on-ramp.ior.com Thu Dec 21 08:52:59 1995 From: robl at on-ramp.ior.com (RobL) Date: Thu, 21 Dec 95 08:52:59 PST Subject: Microsoft Flame[tm] [NOISE] Message-ID: At 06:32 AM 12/21/95 CST, Roy M. Silvernail wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >There's a lot of finger waving going on over Microsoft's alleged >predatory practices. I just want to remind the pro-MS folks of >something. Microsoft has a documented track record of using >undocumented entry points in their OS and Windows products. These entry >points allow MS apps to do some things more efficiently than a [snip] > >While this isn't the grand-scale conspiracy some people seem to see, >IMHO it's still predatory. Perhaps the call to separate the OS and apps >divisions is a good idea. It would be interesting to see if Microsoft >could maintain its edge in applications when it had no sub rosa >advantage in OS access. IMHO, I see nothing wrong with predatory behavior.. then again, I hunt in the fall, so it must be a redneck thing.. MS and any of the other software companies are competing for domination in a narrow field.. MS just happens to be the only real choice for OS anymore.. well, for a standard, out of the box OS anyways. The fact that they have to leave in undisclosed hooks to get their own software to excell over others just points to the poor software they produce overall. I have to admit that I like, possibly admire, the way the Bill and crew have captured the market.. from a marketing standpoint, they did a first rate job of running with the ball until there was no pursuit.. Sure, from time to time, someone tries to throw a blocker in thier path, but they just overrun it and keep going.. Forget about the monopoly aspects for a second and look at MS as an American success story. It has all the classic elements: started small, with a crew of social misfits and eventually grew up. Just a few cents worth.. RobL ------------------|----------------------------------------------------------- Rob Lowry | PO Box 288 | Rockford Wa 99030 | ral at otc.mhs.compuserve.com robl at on-ramp.ior.com From jcobb at ahcbsd1.ovnet.com Thu Dec 21 08:54:31 1995 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Thu, 21 Dec 95 08:54:31 PST Subject: Political Cleanup program Message-ID: Friend, On 12 17 95 jimbell at pacifier.com proposed ...a system...that would "blind" campaign donations as to their source: The donor could be satisfied that his dona- tion gets to the candidate or cause, but the candidate could- n't know who actually paid the money (and the donor would be unable to prove that he made a donation...). Let's analyse: A gives B what B wants (money) so that B will give A what A wants (whatever). A knows B got the money. A can't prove he gave the money to B. B knows he got the money. B can't be sure that A gave the money. So, depending on time, place, and circumstance; and assum- ing B's elected: B will not give A what A wants OR B will give A what A wants For instance, if... A gives the money but dies before B gets elected. A gives the money but gets sent to the Balkans. A is a nobody. ...B will not give A what A wants. For instance, if... A gives the money but B's already in debt to him, and the baloon payment's due. A gives the money and A's appointed head of an office where B's relatives "work." A is the main man in town. ...B will give A what A wants. Some things are known by some people whether they're entered on the books or not. I agree with the proposer that his system ...would change politics as we know it. Flexible corruption is best. Cordially, Jim From perry at piermont.com Thu Dec 21 09:05:23 1995 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Dec 95 09:05:23 PST Subject: just a reminder... Message-ID: <199512211705.MAA01270@jekyll.piermont.com> This isn't anti-trust punks... ...or microsoft punks... ...its cypherpunks... ...Just a reminder. .pm From nobody at REPLAY.COM Thu Dec 21 09:06:58 1995 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 21 Dec 95 09:06:58 PST Subject: FWD: Intuit and SSNs Message-ID: <199512211706.SAA10738@utopia.hacktic.nl> What does our man in Intuit have to say about this? > Date: 18 Dec 1995 19:10:07 -0800 > From: michael at piglet.amscons.com (Michael Bryan) > Subject: SSN Shown On Payments by Intuit's Banking Service > Organization: none > > Another user (Robert Mayo) discovered, and I confirmed, that Intuit's > online bill payment service sends your payees a printout containing > your social security number. > > This applies to any person who is using Quicken for Windows or > Microsoft Money for Windows to send payment requests electronically, > using Intuit's service. It specifically does -not- apply to using > Quicken with the Checkfree service, as the Checkfree service does not > supply anybody with your SSN. > > The details: > > When the Intuit service sends a payment to a merchant, it will do one > of three things. First, it will try to perform an EFT directly from > your account into the merchant's. Most merchant's are still not setup > for this, however. Second, if your payment is the only payment going > to a given merchant on a given day, then they will print a check, drawn > against your account, and mail it to the merchant. Both of these > methods are ok, and do not result in your merchant receiving your SSN. > > However, if there are multiple payments going to a single merchant on a > given day (i.e., more than one customer has requested a payment to the > given merchang), all of these payments are sent in a single envelope, > and a summary sheet is enclosed. This summary sheet will have a field > called "Control Number", which consists of your SSN, followed by two > other digits. This summary also lists your checking account number, in > addition to your name, account with the merchant, and the amount of > your payment. (In my opinion, only these last three fields are called > for. There is no need for the checking account number to be listed, > even though it -is- printed on your check as part of the MICR > encoding.) > > I have contacted Intuit regarding this matter, and they have been > decidedly less than helpful. I know at least three other people who > have called them, and we have all been told the same thing: > > 1) "Most of your merchants already have your SSN". Perhaps this is > true for some people, but it is not the case with me. > > 2) "The SSN is encrypted on the printout". Absolutely not true. It is > printed under the label "Control Number", and has two extra digits > appended, but this does not "encrypt" the number. Anybody who knows > what the field contains has instant knowledge of your SSN. > > Intuit is currently refusing to address this issue. Furthormore, when > I called in, they tried to tell me I was the only person who was > complaining. I immediately gave them the names of three other people > who had called in, one of whom I knew had talked to this particular > individual. So that little "divide-and-conquer" trick backfired. > > Also, when I said that I would be forced to go to the media if they > didn't address this issue, I was told that by doing so, I would be > responsible for broadcasting this information to those who might then > illegally use the information. I found this two-faced attitude > particularly annoying. On the one hand, they are claiming it's not a > problem, yet on the other they tried to keep me from going to the media > because it might give criminals information they could then exploit. > > Anyway, I've done all I can with talking to Intuit, so I am now > pursuing other avenues. My bank (Union Bank) was particularly > concerned that the SSN was being printed out and mailed with > potentially every payment, and vowed to look into it and work with > Intuit on my behalf to get this behaviour stopped. Also, I and a few > others have contacted various media representatives, in an attempt to > get them to focus a spotlight on Intuit, and let people know that > Intuit is broadcasting their SSN, without their knowledge. And of > course, I'm posting Usenet articles in the privacy newsgroups, as well > as the newsgroup where most Quicken discussion occurs, > comp.os.ms-windows.apps.financial. > > If you are using Intuit's Online Bill Payment service, and are > concerned about this, please call Intuit and express your displeasure. > The number for the Online Bill Payment service is 708-585-8500. Also, > call your bank, and inform them as to what's going on. Finally, write > to your local (or national) newspaper, let them know about this, and > ask them to cover this in their paper. > > It appears that the only way Intuit is going to address this is by > getting some negative publicity, since customer complaints don't seem > to carry enough weight. I wish they were more reasonable, but that > just doesn't seem to be happening here. So be it --- they want a > fight, they've got one. From sameer at c2.org Thu Dec 21 09:10:01 1995 From: sameer at c2.org (sameer) Date: Thu, 21 Dec 95 09:10:01 PST Subject: FTC Privacy Initiative (fwd) In-Reply-To: <9512210144.AA04101@pulm1.accessone.com> Message-ID: <199512211704.JAA12536@infinity.c2.org> > > "Hey, we can't just stand around here with nothing to do. > Give us something to regulate - anything, pro or con; we > must regulate something." Gah. Just what we need, a law to do what technology can do better. Sometime early next year community connexion will be running an anonymizing web proxy, located on high bandwidth pipes to major interchange points. Stay tuned. -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From m5 at dev.tivoli.com Thu Dec 21 09:15:04 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 21 Dec 95 09:15:04 PST Subject: Encryption Rules Coming In-Reply-To: <199512211605.LAA00150@pipe3.nyc.pipeline.com> Message-ID: <9512211714.AA08868@alpha> > Financial Times, December 21, 1995, p. 4. > > However, many governments, including that of the US, have > resisted permitting the technology to be exported because > they fear it will fall into the hands of organised crime > and terrorist organisations. I am forced to wonder whether the people who type in stories like this are conscious while they do so. Replace "the technology" with "pistols" in the above paragraph; it doesn't make any sense unless you assume there are no organized crime or terrorist organizations in the US, or that such organizations can only acquire things that pass through national borders. Are news editors so technophobic that they assume there must be something they just "don't get"? On a vaguely related note, I saw a quick preview for an episode of "The Client". The episode was supposed to be about Internet child molesters (who I suppose are the ones that know the secret "meta-alt-ctrl" sequence that causes the innocent victims on the other end of the wire to be abused via modem). Anybody see it? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From janzen at idacom.hp.com Thu Dec 21 10:08:05 1995 From: janzen at idacom.hp.com (Martin Janzen) Date: Thu, 21 Dec 95 10:08:05 PST Subject: CFS and Linux In-Reply-To: <199512210440.XAA28196@crypto.com> Message-ID: <9512211806.AA23346@sabel.idacom.hp.com> -----BEGIN PGP SIGNED MESSAGE----- Matt Blaze writes: > [...] > I'm not sure exactly what problem you're having, but the most common > CFS-Linux problem that people complain about has to do with the rpcgen > output not being in the format expected by the rest of CFS. There > seem to be two things you can do about this: get a version of rpcgen > that generates the "standard" (original Sun) names for the functions it > generates, or just grab the rpcgen output from the cfs-users mailing list > archive ("echo help | mail cfs-users-request at research att.com" for details). You can get the original Sun ONC RPC 4.0 code, including rpcgen, from: ftp://bcm.tmc.edu/nfs/rpc_40.* It also used to be at: ftp://wuarchive.wustl.edu/systems/sun/sun-exchange/rpc4.0 but this server is so busy that I can't verify this URL right now. > NB to "Bill Gates" and friends: To save you the trouble of pointing it out, > I hereby admit that I'm a commie-fascist brainwashed sold out member of the > military-industrial complex who has been programmed by his masters to > infiltrate the cypherpunks in order to sap and impurify their precious > bodily fluids. You left out the part about helping to cover up the UFO abductions... - -- Martin Janzen janzen at idacom.hp.com Pegasus Systems Group c/o Hewlett-Packard, IDACOM Telecom Operation -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNmh+G3Fsi8cupgZAQFQ6AP/dHlQpig999yDQ8fY3yD3w9ZcKVTGCweU M96oqf5aDltwRp9pMMRp5+5DsajRQoRdtMPhyDWMogkE7/zmMK8RGJlcJ0Z4j0Yi 3brRblzCwIjjSnwTrlPeoccmdrlLiUhisVn7iZknwGzJdmLFutR3TzW+ht08YKHq 6m9MBhQ8MTw= =pYLf -----END PGP SIGNATURE----- From tcmay at got.net Thu Dec 21 10:17:55 1995 From: tcmay at got.net (Timothy C. May) Date: Thu, 21 Dec 95 10:17:55 PST Subject: The War on Some Money [long] Message-ID: Amidst all the flames about impure Cypherpunks on the list, about evil capitalist corporations, about conspiracies involving the underground Grey Alien bases in Nevada, and amidst the flames about posts not dealing solely with number theory or ciphers, it's nice to read a post like this one from David Murray. The tension between "private transactions" and "traceable transactions" is indeed at the core of the debate. Kudos to David on this. I just want to end on a positive note before leaving for the holidays (the birthday of my savior, F. Hayek, of course). --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From hfinney at shell.portal.com Thu Dec 21 10:29:06 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 21 Dec 95 10:29:06 PST Subject: Bit Commitment Query Message-ID: <199512211827.KAA16701@jobe.shell.portal.com> For Robbie Gates, I agree that the bit commitment he describes seems more complicated than necessary. The simpler one, where you just hash (R,b), is the one I have seen used. I suggest asking on sci.crypt. Bruce Schneier and many other good cryptographers read that group. For Futplex, the idea of using a block encryption algorithm in a similar way, encrypting (R,b) with a secret key K, and later revealing K, is a little questionable because block encryption algorithms are not designed to avoid collisions in the same way hashes are. Futplex suggests that it should be hard to find two keys K_1 and K_2 such that E_K_1(R, b1) = E_K_2(R, b2) where b1<>b2. But this is not necessarily true. A cryptosystem might have the property, say, that complementing the key is equivalent to complementing bit 0 of the plaintext. DES has some simple complementation properties (although not this one). Unless you can show that a cipher with this property is inherently weak then it is not a valid assumption that a cipher won't have this property. There is some literature on creating hash functions out of block ciphers. The two are really not interchangeable. Hal From jimbell at pacifier.com Thu Dec 21 10:52:58 1995 From: jimbell at pacifier.com (jim bell) Date: Thu, 21 Dec 95 10:52:58 PST Subject: Microsoft Flame[tm] [NOISE] Message-ID: Forget about the monopoly aspects for a second and look >at MS as an American success story. It has all the classic elements: started >small, with a crew of social misfits and eventually grew up. >RobL >------------------|----------------------------------------------------------- >Rob Lowry | >PO Box 288 | >Rockford Wa 99030 | ral at otc.mhs.compuserve.com robl at on-ramp.ior.com Well, I disagree. Microsoft succeeded primarily because it was "chosen" by IBM in about 1981 or so, needing an OS for their PC. MS didn't even write it; Seattle Computer did, and that was a port of CP/M. Not much creativity. MSDOS revisions 1.0 and 1.1 were pure crap. From anonymous-remailer at shell.portal.com Thu Dec 21 11:25:50 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 21 Dec 95 11:25:50 PST Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? Message-ID: <199512211924.LAA21493@jobe.shell.portal.com> Alice here ... Back on Tue, 19 Dec 1995, I wrote: >>>Can anyone tell me whether Ian Goldberg and David Wagner got their >>>$25,000 from Netscape for finding the HUGE security flaws in Netscape's >>>existing product line?? >>> >> >I can't remember whether they got anything or not ... >> >> That would be no (well, except for the nifty T-shirt from Sameer; Thanks!). > > Not anything?? That's shameful ... where on earth are the values in > America, today? Everyone should ask this question. AT&T can sign-on to a two-page ad, calling on Congress to balance the budget -- to cut off veterans, and cut-off women with dependent children just before Christmas. It can sign on to this, but it can't bother to even offer a scholarship to the students who helped make its fortunes. It would rather leave the impression that it freeloads off of other's efforts. It's shameful. > AT&T and Netscape have jointly made a small fortune distributing this > product, and yet NEITHER company feels that the software engineers who > "voluntarily" made a difference -- a couple of students -- deserve > even a wooden nickel for the ideas which were used. > > It's absolutely shameful. But then, I guess that AT&T and Netscape > have no shame at all. > > They just steal "intellectual property" from students, and don't even > pay a token amount. > > And people wonder what's wrong with America? Luckily for those of us who don't live in the United States, we can perhaps look at that country and truly wonder what is going on over there, and what is wrong with America? Where are the values amongst ALL Americans, not just Netscape and AT&T? What are the role models that all the leaders -- business, sports, and political leaders -- show to the national youth. Here is all I've seen (as a foreigner), over the last while: Enid Greene Waldholtz blubbering in a news conference about how she as a congress person certainly COULDN'T be expected to resign after winning her election with stolen money. Blubbering for five hours straight (except when she had to stop to turn a page, I mean) ... She certainly said that "leadership" is all about playing "victim". Poor little Enid. (And even worse, she was _defended_ by Susan Molinari.) Bob Dole, deciding to go to Bosnia. The former WW II veteran willingly jeopardizing the lives of American boys -- boys who have put their lives on the line in a _volunteer_ armed force -- all for a lousy political photo-op. The chance to say ... "hey look at me, I'm here in Bosnia." Someone who's willing to overrule the Pentagon's own most diplomatic advice on how complex an operation this actually is. And then there is AT&T. A company who's Chairman can publish a letter which calls on Congress to cut off checks to mothers with dependent children and war veterans days before Christmas, all while stealing and freeloading off of the work of some students. Scrooge ... take heart. Here's Holiday wish #1. Enid do the right thing ... resign. Say the "right thing" and say that your child -- the future and the delayed gratification that the future brings -- is much more important than your own personal PRESENT political aspirations. Here's Holiday wish #2. Bob, lots of people worked their asses off to make sure that the American fighter pilot, and the two French fighter pilots could be rescued from Bosnia. If you want to go and get some photo-ops, go to Germany or Italy, and give one hell of a vote of support to the boys that are there -- a support which could just as easily have been given and should be given in Congress. A _real_ strong unfettered commitment. And here's Holiday wish #3. AT&T. Do the right thing. Reward those people who help make you a fortune. Stand tall as an example, rather than as an embarrassment to the nation. You've ignored this for so long now, that you've almost dug your own grave. But you still have a chance to save face. Have the courage to take the chance when it's offered. Simply say that the proposal to reward David Wagner and Ian Goldberg -- some holiday mad money and scholarships -- was lost in committee, and approval processes -- but it WAS in the works, and it was recommended and can now be announced just before Christmas, as a rightful reward. Some holiday cheer. Will people think it's a cynical attempt at manipulation? Yep. But it's a darned site better than the alternatives -- especially when you look at possible future outcomes. Trust me, this is far better than calling for veterans and single mothers with children to be cut-off just before the holidays. Perhaps, Enid, Bob, and AT&T will all learn when to use offense and when to use defense. They might also learn that the best offense is a good defense. They might even begin to look at what "courage" truly is, and of how difficult it can be for anyone to do the "right thing", especially when they think that they're surrounded by minefields. Even when the "right thing" is in your own best interest, you not only have to be shown the right path to take, but you have to have the motivation and courage to make the move and take action. Enid, Bob, and AT&T, take note. Hopefully for the holidays, everyone finds the courage to neutralize some portion of the vulnerability spectrum they've placed themselves in. > > - Ian "There's a reason people talk about `starving grad students'..." > > Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From tcmay at got.net Thu Dec 21 11:26:44 1995 From: tcmay at got.net (Timothy C. May) Date: Thu, 21 Dec 95 11:26:44 PST Subject: Cypherpunks resumes? Message-ID: At 7:55 AM 12/21/95, Anonymous wrote: >Is there any chance of seeing a Cypherpunks 'Rogues Gallery' of sorts >in the archives anytime soon? It would be nice to see a face connected >to the postings here. Some of us don't get the chance of getting out >west for the parties, The only other thing I know about Tim May besides >being one of the Fathers of the Cypherpunks is that he was a naked hippie >in a hot tub at some party that Robert Hettinga was at some weeks ago, > >That doesn't paint a good picture for me. - But, "Anonymous," we don't even know which of the many "Anonymous" ones you are, so why should we go out of our way to provide images, resumes, dossiers, etc., to you? In any case, many of the folks on this list have elected to have Web pages, often with images of themselves, their SOs, their pets, their computers, and so on. Perhaps their images will paint a better picture for you. (I note that the last "Anonymous" person concerned with getting the "real" pictures of people was S. Boxx, or maybe Pablo Escobar, I forget.) (I have not spent time generating a "home page." I see the burgeoning shelves of "HTML Bible" self-help books and see more and more people spending time gussying-up their home pages. People are even putting their personal diaries on the Web, plus all sorts of personal stuff that is finding its way into compiled dossiers. Not for me. I prefer my essays to be what goes into my dossiers.) Or, as our esteemed Gothamite might reJoyce: Erudite, profligate, disputacious -- indistinguishable from many other publicity-saving levitationisms. 'Tis superficially an expurgated part of the Ruby Ridge-slippered Great Oz divulgation. Ostentatiously, the preterite few surf the gilt-edged waves while Jose Sixpacks languish in spider-webbed Quayle-spelt ghettoes populated by home page homeys. For further emendations and emissions, behave normally and reply with a blank message labelled: XMAS_troll --You Know Who From alano at teleport.com Thu Dec 21 11:36:41 1995 From: alano at teleport.com (Alan Olsen) Date: Thu, 21 Dec 95 11:36:41 PST Subject: CFS and Linux Message-ID: <2.2b7.32.19951221193732.008cb5b4@mail.teleport.com> At 11:40 PM 12/20/95 -0500, Matt Blaze wrote: >I'm told that all version of CFS since 1.0.4 (the latest is 1.3.1) >do work out-of-the-box under *some* releases of Linux and with some >coaxing on the others. I am wondering if he is compiling for ELF. That seems to throw a good size monkey wrench into just about every piece of software out there. (At least the ones that have not been written to take the ELF paculiarities into account.) >I'm not sure exactly what problem you're having, but the most common >CFS-Linux problem that people complain about has to do with the rpcgen >output not being in the format expected by the rest of CFS. There >seem to be two things you can do about this: get a version of rpcgen >that generates the "standard" (original Sun) names for the functions it >generates, or just grab the rpcgen output from the cfs-users mailing list >archive ("echo help | mail cfs-users-request at research att.com" for details). I think you may be right on this one. I have heard of a few other things having problems with Linux's version of rpcgen. (The names of which are not coming to mind... Need more coffee.) [rest of reply deleted because I had nothing to say about it] ObNoise: >NB to "Bill Gates" and friends: To save you the trouble of pointing it out, >I hereby admit that I'm a commie-fascist brainwashed sold out member of the >military-industrial complex who has been programmed by his masters to >infiltrate the cypherpunks in order to sap and impurify their precious >bodily fluids. I think that the mention of Mr. Bill as a "good guy" is the most effective use of agent provoceteur-type behaviour I have seen on this list yet. We know who Mat and Jeff work for. Who do the anon-flamers work for? | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From frantz at netcom.com Thu Dec 21 12:01:29 1995 From: frantz at netcom.com (Bill Frantz) Date: Thu, 21 Dec 95 12:01:29 PST Subject: No Subject Message-ID: <199512211958.LAA27482@netcom17.netcom.com> David Plotnikoff, in his regular (WWW oriented) column in the San Jose Mercury News, writes: DOES YOUR BOSS KNOW WHERE YOU'RE SURFING? The SIMBA Media daily reported recently that a Maryland-based software publisher called Charles River Media has introrduced a $30 electronic fink program called "Internet Watchdog" that keeps an eye on where you've been hanging out on the Net. the program doesn't block or censor sites, but it does maintain a handy record of cyber-footprints that the parent, teacher or employer who controls your Net access can peruse. ----[end]---- Anyone know more about this program? ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From andr0id at midwest.net Thu Dec 21 12:25:30 1995 From: andr0id at midwest.net (Jason Rentz) Date: Thu, 21 Dec 95 12:25:30 PST Subject: 900mhz digital phones - how much to trust ? Message-ID: <199512212046.OAA18997@cdale1.midwest.net> > >Whats the current thinking on the security level of 900Mhz digital spread >sectrum cordless phones? Clearly it's not a basic scanner job but how much >more equipment is needed to monitor one ? Well when you listen into a spread spectrum conversation what you will hear is open squelch white noise. The spread spectrum radios that I know about send information on several deffrent frequencies throughout the conversation. Unless you have a system to receive the encoding bit that signal what frequency is next you can't easily find the next freqency before it changes again. This change happens several time a second. The information is "packet-like", that is why you are able to use so many spread spectrum units at once. Example, Lynx spread spectrum T1 information signal (data) is combined with a high rate spreading code (chip sequence). A multiplier performs the combination. Because the spreading code is pseudo-randomly generated, the combined signal occupies a significantly expanded bandwidth with a lower uniform power density. At the receiver, a locally generated, synchronized replica of the spreading code recovers the information signal, through a second multiplication. The same code sequence must be used in the transmitter and receiver to avoic losing the information. The coding is direct sequence, 16 x spreading rate, the number of codes is a 9 DIP switch selectable. Intresting is taht the radio acquisition time is 500 msec, typical. If this a security hole I don't know. Note this is typical of a Spread Spectrum Microwave radio, a lot of the same applies to 900MHz T1 and cordless phones. As soon as I have further info on encryption of signal/Freq. destination I'll post it. Dr0id ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From andr0id at midwest.net Thu Dec 21 12:25:51 1995 From: andr0id at midwest.net (Jason Rentz) Date: Thu, 21 Dec 95 12:25:51 PST Subject: ex encrypted script Message-ID: <199512212047.OAA19022@cdale1.midwest.net> ] > >| Is there a way to encrypt a script yet still allow it to be runnable? I >| know that the simple answer is to write it in C and compile it but I don't >| have the means of doing that at the moment. (i.e. there is not compiler on >| the system) >| >| I thought of a few simple protections but they all involve decrypting before >| running. > > Ever hear of chmod? chown? >Adam The vendor also has superuser access.. chmod chown won't protect it.. :( ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From steven at echonyc.com Thu Dec 21 13:43:08 1995 From: steven at echonyc.com (Steven Levy) Date: Thu, 21 Dec 95 13:43:08 PST Subject: KOD In-Reply-To: Message-ID: Oh come on, be a sport. On Wed, 20 Dec 1995, David Mandl wrote: > On Wed, 20 Dec 1995, John Young wrote: > > > Congratulations to the cypherpunks named Newsweek's "Big > > Thinkers of tomorrow -- the list of 50 People Who Matter Most > > on the Internet." In the December 25 issue. > > Can you reveal who they are? No way am I going to buy Newsweek to > find out. > > --Dave. > > -- > David Mandl > Bear, Stearns & Co. Inc. > Phone: (212) 272-3888 > Email: dmandl at bear.com > > -- > ******************************************************************************* > Bear Stearns is not responsible for any recommendation, solicitation, offer or > agreement or any information about any transaction, customer account or account > activity contained in this communication. > ******************************************************************************* > From paul.elliott at hrnowl.lonestar.org Thu Dec 21 14:08:38 1995 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Thu, 21 Dec 95 14:08:38 PST Subject: GAK boycott, What are legal implications? Message-ID: <30d9ca78.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- Here is a question for all of you cyber legal types out there. This question presupposes: The NIST will complete its work on the GAK standard. But no law will be passed (yet) regulating the use of encryption in the U. S. (The GAK standard is an attempt to create an environment in which such laws can be passed.) In the U.S., Big Company INC will start marketing a GAKed encryption product domesticly. A bunch of cypherpunkish types will immediately try to organize a boycott against BIG COMPANY. What are the cypherpunks legal risks? I seem to remember that back in the 70s, the NAACP lost a big case with respect to their boycott in a southern city. As I recall there were people in the street begging money for the NAACP because there was a > 10**6 $ judgement against the NAACP and they needed that much just to appeal. - -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNnJ8/BUQYbUhJh5AQGbsgP/T0n31SqeuHt+7AbizymcEhu/78DUuym5 sj+MO3ruA9WcEBQUXfabuf/PgOwlrtUAcC3dISPvXwGbdygc9oHBfxSglLi48g7d dvDS4wziRHF7N8sBsYn0ee9YyKhPd9U7Ci0ovOc5frFGSZ2Bt4hU703d7bR+6cB+ iHHqsPaAa6o= =EPoj -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Thu Dec 21 14:09:52 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 21 Dec 95 14:09:52 PST Subject: FTC Privacy Initiative (fwd) In-Reply-To: Message-ID: FWIW, Sunsite has always had a policy of following the guidelines of the American Library Association on both collections policy and use of access records. The ALA rules are pretty cool, and have the great advantage of being easily understood by administrators (it also means that you can rely on the library community as an ally in the event of challenges.) Joe-Bob says check them out Simon From futplex at pseudonym.com Thu Dec 21 15:07:32 1995 From: futplex at pseudonym.com (Futplex) Date: Thu, 21 Dec 95 15:07:32 PST Subject: Encryption Rules Coming In-Reply-To: <199512211605.LAA00150@pipe3.nyc.pipeline.com> Message-ID: <199512212307.SAA14030@thor.cs.umass.edu> > Financial Times, December 21, 1995, p. 4. > > Encryption rules to be prepared > > By Andrew Jack in Paris > > Representatives of international business and government > yesterday agreed to draw up guidelines on encryption, [...] > The meeting, which was held at the International Chamber of > Commerce in Paris, could lead to formal propositions > prepared jointly by business and government organisations > that could be ready by as soon as next summer. [...] > However, many governments [...] > have demanded that they should be able to "hack" into > computer transmissions for counter-intelligence and > criminal investigation work, in the same way that they can > conduct telephone-tapping exercises. > > An important conclusion of yesterday's Paris meeting was > that business agreed in principle to allow such hacking to > take place as long as sufficient safeguards were in place > and "electronic search warrants" had been issued with > proper judicial approval. [...] The Int'l. Chamber of Commerce turns out to have Web pages. Their latest press release on the web came out last week, describing the upcoming conference: Business and governments seek agreed policy on encryption of electronic messages A few excerpts: "OECD governments are participating in the two day conference, together with representatives of the International Chamber of Commerce (ICC), the Business and Industry Advisory Committee to the OECD (BIAC), and information technology associations covering Europe, Canada, Japan, and the United States." "An ICC expert, Stefan Bernhard, said: `Just as government agencies are obliged to seek court warrants before making physical searches within a company, or in the home of a private person, the same restrictions should apply on the information superhighway.'" "For further information contact Lionel Walsh at the ICC communications division (33 1) 49 53 28 23. Email - ICCOM at ibnet.com" -Futplex From weidai at eskimo.com Thu Dec 21 15:11:04 1995 From: weidai at eskimo.com (Wei Dai) Date: Thu, 21 Dec 95 15:11:04 PST Subject: What ever happened to... Cray Comp/NSA co-development In-Reply-To: Message-ID: tcmay at got.net wrote: > Not in cracking "truly large" problems by brute force. Even if each of the > million processors is capable of 100 MIPS (which is unlikely, given the PIM > approach and the fine-granularity, few-bit-or-less word size, etc.), this > is only 10^8 MIPS. For problems that (for instance) 10^75 machines would > have to spend 10^10 years on, not even a drop in an ocean. The problem is there are still people and organizations that use 512-bit RSA keys. The DOE recentedly awarded Intel a contract to build a computer with 9072 Pentium Pro processors. I doubt that it will be used for factoring keys, but if it were, it will be able to factor a 512-bit number in a matter of months. The boundary delimiting "truly large" problems and merely extremely expensive ones inches up all the time. Less than a decade ago people thought factoring RSA-129 was a "truly large" problem. Wei Dai From EALLENSMITH at mbcl.rutgers.edu Thu Dec 21 15:14:28 1995 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Thu, 21 Dec 95 15:14:28 PST Subject: Telcom bill report Message-ID: <01HZ2U34JNWW8Y53CL@mbcl.rutgers.edu> Here's the additional info from Reuters. As usual, Clinton is being a coward. For additional Cypherpunks relevance, anonymous remailer operators in the US may need to watch out. -Allen Reuters New Media _ Thursday December 21 2:11 PM EST _ Congress Reaches Compromise On Telecom Reform WASHINGTON - Congressional conferees have agreed to a sweeping reform of telecommunications law that would open competition by allowing the telephone, cable and broadcast industries to invade the others' turf. Vice President Gore says President Clinton will sign the bill. Before the agreement, the president had been threatening for months to veto the bill if Republicans in Congress did not retreat on a long list of issues. They retreated. Vice President Al Gore said "This will unleash a new era in the telecommunications revolution and speed completion of the information highway." The bill would also impose tough new restrictions on sexual material on online services. It has been bitterly opposed by civil rights groups who say the controls on sexual content constitute censorship. The legislation would impose fines of up to $100,000 and prison terms of up to two years on people who make "indecent" material available to minors over computer networks. That could pose big problems for companies that provide online information services. The "cyberporn" issue was championed by conservative religious groups, including the Christian Coalition, and is certain to provoke a new courtroom battle over Constitutional rights to free speech. From jya at pipeline.com Thu Dec 21 15:32:53 1995 From: jya at pipeline.com (John Young) Date: Thu, 21 Dec 95 15:32:53 PST Subject: Telcom bill report Message-ID: <199512212332.SAA13156@pipe2.nyc.pipeline.com> Responding to msg by EALLENSMITH at ocelot.Rutgers.EDU ("E. ALLEN SMITH") on Thu, 21 Dec 6:12 PM > The "cyberporn" issue was championed by conservative > religious groups, including the Christian Coalition, and is certain to > provoke a new courtroom battle over Constitutional rights to free > speech. In the NYT the sentence above was followed by: "Indeed, the measure includes a provision that requires a Federal court in Washington to take up the issue almost as soon as someone challenges its legality." From futplex at pseudonym.com Thu Dec 21 16:12:06 1995 From: futplex at pseudonym.com (Futplex) Date: Thu, 21 Dec 95 16:12:06 PST Subject: Telcom bill report In-Reply-To: <01HZ2U34JNWW8Y53CL@mbcl.rutgers.edu> Message-ID: <199512220011.TAA15741@thor.cs.umass.edu> > The legislation would impose fines of up to $100,000 and prison terms > of up to two years on people who make "indecent" material > available to minors over computer networks. That could pose big > problems for companies that provide online information services. Perhaps my memory is faulty, but it seems to me that the wording of this part of the bill (S.652) has been amended a bit. Sec. 402 of 652 now amends Section 223 (47 U.S.C. 223) subsection (a) to fine or imprison whoever "knowingly permits any telecommunications facility under his control to be used for any activity prohibited by paragraph (1) [indecent communication with intent to annoy blah blah] with the intent that it be used for such activity". (this is from the "House Appropriation Bill as Passed by the Senate" version of S.652 on http://thomas.loc.gov) This (new, I think) part requiring "intent that it be used for such activity" looks like an enormous loophole to me. I can't think of many people who provide communications services _with the intent that they be used to harass [etc.] others with obscene [etc.] communications_. Could a lawyer comment on why intent would be easier to establish than I believe offhand ? -Futplex From fricke at mae.engr.ucdavis.edu Thu Dec 21 16:52:17 1995 From: fricke at mae.engr.ucdavis.edu (Light Ray) Date: Thu, 21 Dec 95 16:52:17 PST Subject: The Problem With Blaze And Weinstein In-Reply-To: <199512210112.BAA05503@pangaea.ang.ecafe.org> Message-ID: On Thu, 21 Dec 1995, ECafe Anonymous Remailer wrote: > ATT and Netscape are both tools of the CIA/NSA. > Blaze and Weinstein are in on the > plot to force GAK upon us. Neither one > says enough about the evils of GAK on their > web page, so they're obviously for GAK and > only pretending to be against it to fool > the cypherpunks and curry favor with their NSA > masters. Hmm. You don't happen to be a conspiracy theorist, do you? Tobin Fricke From ericm at lne.com Thu Dec 21 17:21:39 1995 From: ericm at lne.com (Eric Murray) Date: Thu, 21 Dec 95 17:21:39 PST Subject: GAK boycott, What are legal implications? In-Reply-To: <30d9ca78.flight@flight.hrnowl.lonestar.org> Message-ID: <199512220119.RAA23373@slack.lne.com> > Here is a question for all of you cyber legal types out there. > This question presupposes: > > The NIST will complete its work on the GAK standard. But no law will be > passed (yet) regulating the use of encryption in the U. S. (The GAK standard > is an attempt to create an environment in which such laws can be passed.) > In the U.S., Big Company INC will start marketing a GAKed encryption > product domesticly. > > A bunch of cypherpunkish types will immediately try to organize a boycott > against BIG COMPANY. I think it's more likely that a group of people will work on breaking Big Co's GAKed product. Either finding a flaw in it's algorithm or protocol that can be exploited, or a flaw that renders it's GAK unusable, i.e. Matt Blaze's LEAF hack on Clipper. > What are the cypherpunks legal risks? > > I seem to remember that back in the 70s, the NAACP lost a big case >with respect to their boycott in a southern city. As I recall there were people > in the street begging money for the NAACP because there was a > 10**6 $ > judgement against the NAACP and they needed that much just to appeal. Well, NAACP is an actual organization with papers filed with the IRS, officers or some sort of board members, offices, etc. Cypherpunks is just a mailing list, and many of the members of the list don't use their real identies on the list. Who would they go after? -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From fricke at mae.engr.ucdavis.edu Thu Dec 21 17:50:02 1995 From: fricke at mae.engr.ucdavis.edu (Light Ray) Date: Thu, 21 Dec 95 17:50:02 PST Subject: Microsoft Flame[tm] [NOISE] In-Reply-To: Message-ID: On Thu, 21 Dec 1995, jim bell wrote: > Well, I disagree. Microsoft succeeded primarily because it was "chosen" by > IBM in about 1981 or so, needing an OS for their PC. MS didn't even write > it; Seattle Computer did, and that was a port of CP/M. Not much creativity. > MSDOS revisions 1.0 and 1.1 were pure crap. I'm sure that's true to a large extent. However, although I may be wrong, I beleive that MS's primary reason for initial success was in MS BASIC. They needed a new OS to go with BASIC, so they used DOS. They needed a new filesystem to store BASIC files, and thus FAT was born. Tobin Fricke From nobody at REPLAY.COM Thu Dec 21 18:20:40 1995 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 21 Dec 95 18:20:40 PST Subject: Alta Vista caches queries Message-ID: <199512220220.DAA27203@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Here's one more reason to worry about the implications of web search engines: I just stopped in on Digital's new Alta Vista page, and was surprised to find that the query field was filled in--with a search I ran 3 or 4 days ago. I doublechecked my end pretty thoroughly (scrubbing all the files that Netscape 2.0b3 [Mac] generates--caches, global history, etc., and eventually reinstaling Netscape from scratch). And it look an awful lot like Alta Vista cached by query according to my IP address. Maybe dynamically assigned IPs ain't such a bad idea after all... Hieronymous -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMNoVRb3g0mNE55u1AQEWxAIAiknajMTLiPzKxl4Wz3hoJsE4ntsXQJiV zNoz9LAW16+7+oFKKPwcjQCTi7heMstT9dP0GjCHmYuCl2cFcmQRbQ== =HQ12 -----END PGP SIGNATURE----- From floyddb at alpha.c2.org Thu Dec 21 19:07:52 1995 From: floyddb at alpha.c2.org (floyddb at alpha.c2.org) Date: Thu, 21 Dec 95 19:07:52 PST Subject: No Subject Message-ID: <199512220241.SAA14531@infinity.c2.org> andr0id at midwest.net (Jason Rentz) wrote: >> >>Whats the current thinking on the security level of 900Mhz digital spread >>sectrum cordless phones? Clearly it's not a basic scanner job but how much >>more equipment is needed to monitor one ? > >Well when you listen into a spread spectrum conversation what you will hear >is open squelch white noise. The spread spectrum radios that I know about >send information on several deffrent frequencies throughout the >conversation. [snip] > Dr0id > > >( Computer Consulting & Management ) >(P.O. Box 421 Cambria, IL 62915-0421) > [snip] There is a company called Optoelectronics that markets a radio reciever called the Interceptor. This is a broad band (several hundred MHz) device designed to lock on to the most powerful signal around, regardless of frequency. As supplied, it only has a rubber duck antenna, but a broadband, directional antenna (Log Periodic?) could be attached. There are AM and FM versions that output audio and a version called the Scout that controls a scanner. These could have outboard devices hung on to them to decode digital signals, record the conversation ... all for less than $1000. Floyd D. Barber floyddb at alpha.c2.org Key fingerprint: 8A 98 1F 6B 70 7A FE 24 35 D4 48 CF 9D F6 B0 91 PS Sameer, thanks for the nym. From beavis at bioanalytical.com Thu Dec 21 19:59:25 1995 From: beavis at bioanalytical.com (Beavis B. Thoopit) Date: Thu, 21 Dec 95 19:59:25 PST Subject: ex encrypted script In-Reply-To: <199512212047.OAA19022@cdale1.midwest.net> Message-ID: <199512220357.WAA02638@bioanalytical.com> > >| Is there a way to encrypt a script yet still allow it to be runnable? I > >| know that the simple answer is to write it in C and compile it but I don't > >| have the means of doing that at the moment. (i.e. there is not compiler on > >| the system) > >| > >| I thought of a few simple protections but they all involve decrypting before > >| running. > > > > Ever hear of chmod? chown? > >Adam > > The vendor also has superuser access.. chmod chown won't protect it.. :( I once had to obfuscate an awk script. "Cryptography is Economics." My job was to make it difficult for the enemy to steal the source. There was a license agreement... The simple answer of "no" is right in the strong sense, but there are tricks to make life difficult for the amateur attacker. My approach was a self-decrypting program. The "real" script was encrypted within the body of the encasing script. For increased obfuscation, decrypt only small pieces at a time. From pati at ipied.tu.ac.th Thu Dec 21 20:23:01 1995 From: pati at ipied.tu.ac.th (Patiwat Panurach) Date: Thu, 21 Dec 95 20:23:01 PST Subject: [ecash] Re: Multi-issuer questions In-Reply-To: <199512191429.PAA01228@digicash.com> Message-ID: On Tue, 19 Dec 1995, Marcel van der Peijl wrote in the ecash mailing list: > Q: If user A signs up with bank A, and merchant B signs up with bank B, > can user A buy at merchant B? > > A: In theory: > > Bank A and bank B need to have an interbank clearing agreement. User > A sends his money to merchant B. Merchant B contacts his own bank, > bank B. Bank B recognizes the money as being issued at bank A, > contacts bank A, and clears the coins there. Bank A credits bank B's > account at bank A, bank B sends an acknowledge to merchant B and > merchant B sends the goods to user A. I dispute this even on theoretical grounds. Am I right in assuming that the only reason Bank B has in contacting Bank A is to confirm that the ecash hasn't been double spent? Once that is confirmed, there should be no need for contact between the two banks. Bank A should not have to credit Bank B's account as there has been no transfer from Bank A to Bank B. The transfer has been the deposit from Bank B's customer to Bank B. Bank B is allready "credited", i.e., its (e)cash researves have increased, the moment Bank A confirms that the ecash is valid. But this also makes a second assumption: that ecash is truly an open standard, i.e., that ecash is a "widely acceptable means of payment." Any ecash issuing bank must be obligated to accept customer ecash deposits with one and only one condition: that the originally issuing bank must validate it. Now what if this weren't so? What if Bank B said "I didn't originally issue this ecash and thus, I wont accept its deposit." Now this puts the "cashness" of ecash into some jeopardy. It doesn't immediately make ecash useless, but it puts an auxiliary condition to it. This concerns the difference between Validation and Acceptance. Validation is when Bank B checks the ecash with its original issuer to see if it has been double spent. Acceptance is actually accepting that ecash as a deposit. If Bank B refuses to Validate any non-Bank-B ecash then ecash pretty much fails. Period. How would Bank B's customer be able to handle commerce with non-Bank-B buyers? By having multiple accounts with multiple Banks? What if the number of ecash issuers mushrooms into the hundreds? In anology, would you want to have to have accounts in 500 banks if your customers also used 500 different banks? The other alternitive for the ecash case would be if Bank-B's-customer could bypass Bank-B by validating the ecash directly with Bank A. If it passes, then he must now look at the matter of Acceptance. Now Bank-B's-customer knows that the ecash is valid. He keeps it temporarily in his hard disk. But will Bank B ever Accept it as a deposit? If it doesn't, then Bank-B's-customer needn't worry that much. He can just use that ecash for transactions purpases. Just because you can't deposit every cent of cash that you earn doesn't mean that your cash is worthless. The fundamental test of ecash is whether merchants/customer will accept it. Of course, there is also important value in checking if Banks will accept deposits of it, but I consider that secondary. So some concluding topics include: + independant verification of ecash. some formal system for ecash merchants (sellers) to check directly with the issuing bank that the ecash hasn't been double spent. OR + interbank verification of ecash. formal interbank system for the cleints bank to check the issuing bank to see if the ecash hasn't been double spent. AND + interbank acceptance of ecash. formal acceptance of verified ecash deposits, no matter the issuing bank. The type of verification doesn't really matter that much. Some sort of distributed method of resolving ecash issuers has to be standardized (say like the DNS, each ecash coin has some information as to the issuer. person/bank that wants to verify just transmits that ecash to its original issuer and then receives a reply saying: verified (usable) or not (double spent). The interbank acceptance issue is more important, but digicash (the company) has some power here. If they really aim at ecash beeing true cash (instead of checking), then they gotta force all issuing banks to accept ecash deposits nomatter the original issuer. Like the Real Life cash system: all banks accept cash, even though it is the federal researve that was the original issuer. ------------------------------------------------------------------------------- Patiwat Panurach Whatever you can do, or dream you can, begin it. eMAIL: pati at ipied.tu.ac.th Boldness has genius, power and magic in it. m/18 junior Fac of Economics -Johann W.Von Goethe ------------------------------------------------------------------------------- From jpp at software.net Thu Dec 21 20:58:29 1995 From: jpp at software.net (John Pettitt) Date: Thu, 21 Dec 95 20:58:29 PST Subject: ex encrypted script Message-ID: <199512220457.UAA05102@software.net> At 10:57 PM 12/21/95 -0500, Beavis B. Thoopit wrote: >> >| Is there a way to encrypt a script yet still allow it to be runnable? I >> >| know that the simple answer is to write it in C and compile it but I don't >> >| have the means of doing that at the moment. (i.e. there is not compiler on >> >| the system) >> >| >> >| I thought of a few simple protections but they all involve decrypting before >> >| running. >> > >> > Ever hear of chmod? chown? >> >Adam >> >> The vendor also has superuser access.. chmod chown won't protect it.. :( > >I once had to obfuscate an awk script. "Cryptography is Economics." My >job was to make it difficult for the enemy to steal the source. There >was a license agreement... > >The simple answer of "no" is right in the strong sense, but there are >tricks to make life difficult for the amateur attacker. > >My approach was a self-decrypting program. The "real" script was >encrypted within the body of the encasing script. For increased >obfuscation, decrypt only small pieces at a time. > > There is encrypt and then there is render useless to the reader. A tale I hear is that when HP had to deliver operating system source to the french government they stripped all comments and changed all variable and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). It still compiled but was 100% useless to human readers. -- John Pettitt email: jpettitt at well.sf.ca.us (home) jpp at software.net (work) From Bill.Humphries at msn.fullfeed.com Thu Dec 21 21:01:30 1995 From: Bill.Humphries at msn.fullfeed.com (Bill Humphries) Date: Thu, 21 Dec 95 21:01:30 PST Subject: Newsweek Nerd 50 Message-ID: Okay, while you other cypherpunks were grousing about how you weren't going to give Newsweek your hard-earned currency, I bought a copy. My pain, your gain (on a significantly smaller scale than that messiah figure some of us celebrate next week.) Cypherpunk Notables on the List: "Newsweek's Epithet" Phil Zimmerman: "Crypto Creator" Marc Rotenberg: "Privacy Advocate" Sameer Parekh: "Protector of Privacy" Johan Helsingius: "Crusader" and Steven Levy, who sometimes posts here has the byline on the "Year of the Net" feature. PS to Newsweek -- Prof. Hoffman should be called a "Data Goddess" not a "Geek" for exposing those bogus factors the marketdroids want to use to control their survey data back up to the population level. Happy Holidays Piss off Ralph Reed, Defend the 1st Amendment. Bill Humphries From jlasser at rwd.goucher.edu Thu Dec 21 21:27:23 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 21 Dec 95 21:27:23 PST Subject: CFS and Linux In-Reply-To: <199512201915.UAA00215@asylum.berserk.com> Message-ID: On Wed, 20 Dec 1995, Alex de Joode wrote: > Is there anyone out there that has CFS running with Linux ? > > It installs fine on BSDi 2.0 but I'm unable to install it > under Linux, I would appreciate it if some one would help > me out. I've got it running fine under Linux. To do this, you have to do several things: (1) Use RPC with the 'old style file' option, whatever that is... (2) Edit out the _'s from the RPC-generated files (3) Use the modified make command included in the README. I, for one, hope that Matt Blaze fixes (or at least automates :)) these quirks in the new version due out RSN... Jon Lasser ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jeffg at HiWAAY.net Thu Dec 21 21:29:10 1995 From: jeffg at HiWAAY.net (Jeff Gehlbach) Date: Thu, 21 Dec 95 21:29:10 PST Subject: ex encrypted script Message-ID: <9512220528.AA24323@fly.HiWAAY.net> -----BEGIN PGP SIGNED MESSAGE----- At 02:47 PM 12/21/95 -0600, you wrote: >>| Is there a way to encrypt a script yet still allow it to be runnable? I >>| know that the simple answer is to write it in C and compile it but I don't >>| have the means of doing that at the moment. (i.e. there is not compiler on >>| the system) >>| >>| I thought of a few simple protections but they all involve decrypting before >>| running. >> >> Ever hear of chmod? chown? >>Adam > >The vendor also has superuser access.. chmod chown won't protect it.. :( Because I am treading in unfamiliar waters, I will just throw this one on the table, leaving the discussion to the big boys. Have you considered sudo? I really am not familiar with its capabilities, so easy with the flames :^> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNpB5Y8AYvAI/GnhAQFx5gP/Ue+KaBLC7gOkH6qFEBKvrKIyvsmObUWU fvJv59OW4hY+/hCFfqvio3+7wQhwgImin7uEU3gIz+O5hLBRnjhknCqqdmxVPH1F XuwJSrSdmuLxyRgrSeSc/b2f93Mvu+2cD8VQb0h6QBwe7vfTFNwMqwfcS0a76r2x lC8IOMH88K8= =cIYu -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- At 02:47 PM 12/21/95 -0600, you wrote: >>| Is there a way to encrypt a script yet still allow it to be runnable? I >>| know that the simple answer is to write it in C and compile it but I don't >>| have the means of doing that at the moment. (i.e. there is not compiler on >>| the system) >>| >>| I thought of a few simple protections but they all involve decrypting before >>| running. >> >> Ever hear of chmod? chown? >>Adam > >The vendor also has superuser access.. chmod chown won't protect it.. :( Because I am treading in unfamiliar waters, I will just throw this one on the table, leaving the discussion to the big boys. Have you considered sudo? I really am not familiar with its capabilities, so easy with the flames :^> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNpB5Y8AYvAI/GnhAQFx5gP/Ue+KaBLC7gOkH6qFEBKvrKIyvsmObUWU fvJv59OW4hY+/hCFfqvio3+7wQhwgImin7uEU3gIz+O5hLBRnjhknCqqdmxVPH1F XuwJSrSdmuLxyRgrSeSc/b2f93Mvu+2cD8VQb0h6QBwe7vfTFNwMqwfcS0a76r2x lC8IOMH88K8= =cIYu -----END PGP SIGNATURE----- ---========--- Finger for PGP key & Geek Code * No lemurs were harmed creating this sig. "The significant problems we face cannot be solved at the same level of thinking we were at when we created them." - Albert Einstein From chen at best.com Thu Dec 21 21:37:39 1995 From: chen at best.com (Mark Chen) Date: Thu, 21 Dec 95 21:37:39 PST Subject: FWD: Intuit and SSNs In-Reply-To: <199512211706.SAA10738@utopia.hacktic.nl> Message-ID: <199512220537.VAA11469@shellx.best.com> > What does our man in Intuit have to say about this? Well, the check-writing business does not really fall within my purview, but I'll see if the report is true. Pretty idiotic, if so. - Mark - -- Mark Chen chen at intuit.com 415/944-6913 finger for PGP public key D4 99 54 2A 98 B1 48 0C CF 95 A5 B0 6E E0 1E 1D From jeffg at HiWAAY.net Thu Dec 21 21:48:10 1995 From: jeffg at HiWAAY.net (Jeff Gehlbach) Date: Thu, 21 Dec 95 21:48:10 PST Subject: Remote use=export? Message-ID: <9512220547.AA27294@fly.HiWAAY.net> -----BEGIN PGP SIGNED MESSAGE----- I apologize if this is a dead horse, but... Is granting use of crypto software running in the US to a remote user outside the US considered exportation? For example, if allow my friend in Paris to use a PGP binary residing and running on my PC in Washington, is either of us violating any ITAR or similar restrictions? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNpGc48AYvAI/GnhAQHJnAQAxzOPDbj5dzy6Xu/45h+nipatGBgw7tvP +kcHUypA+oMmx1tBuCEz3UjpWIBCY5Nf5LD1sNToHGXJdHtLHG1t7coes8jFHRfL 8mVJNMckuPxwv5rLSVR6i5kWqvaz9UYsEpdjR2tROmyKCEHwNC+yy1OfRP1F65xi nEjvksPjv/U= =DIg7 -----END PGP SIGNATURE----- ---========--- Finger for PGP key & Geek Code * No lemurs were harmed creating this sig. "The significant problems we face cannot be solved at the same level of thinking we were at when we created them." - Albert Einstein From jlasser at rwd.goucher.edu Thu Dec 21 21:56:30 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 21 Dec 95 21:56:30 PST Subject: on web standards: sent to Markoff In-Reply-To: <199512210204.SAA26757@netcom20.netcom.com> Message-ID: On Wed, 20 Dec 1995, Vladimir Z. Nuri wrote: > there's been MS flamewars on this list before, but Attila repeats > various snippets that I find highly objectionable. > > cpunk relevance: operation of the free market *sigh* "operation of the free market" isn't necessarily cypherpunk-relevant, unless of course all libertarianism is. I, for one, consider myself a cpherpunk, and not necessarily 100% behind free markets. (I'm still thinking about it.) In short, can this *please* move off list? Jon ------------------------------------------------------------------------------ Jon Lasser (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From Alan.Pugh at internetMCI.COM Thu Dec 21 22:16:47 1995 From: Alan.Pugh at internetMCI.COM (amp) Date: Thu, 21 Dec 95 22:16:47 PST Subject: Encryption Rules Coming Message-ID: <01HZ38W9ELSI95NNMH@MAIL-CLUSTER.PCY.MCI.NET> -- [ From: amp * EMC.Ver #2.3 ] -- > Encryption rules to be prepared > By Andrew Jack in Paris =snip= > Highly sophisticated encryption technology already exists > in a number of countries including the US and Sweden. In > the US, companies already have access to these programs. A > growing number of businesses -- led by the banking sector > -- are demanding access to these programs. ya know, if we could beat the following (true) statement into the heads of the people who write this stuff, it would go far towards making people understand how futile it is to try to stop the spread of encryption technology. "Highly sophisticated encryption technology already exists in every country on the planet. Anyone with a modem and access to the internet has access to these programs. The fact is that a very powerful encryption program can actually be written by hand on a postcard and mailed anywhere in the world." i want to rant more on this but will spare the choir of this. is anyone out there marketing "rsa in 3 lines of pearl" as a postcard? i'm going to have it printed on a business card so i can hand them out to demonstrate the foolishness of itar in my own way. amp <0003701548 at mcimail.com> (since 10/31/88) PGP Key = 57957C9D PGP FP = FA 02 84 7D 82 57 78 E4 E2 1C 7B 88 62 A6 F9 F7 December 22, 1995 0:45 From jim at bilbo.suite.com Thu Dec 21 22:49:28 1995 From: jim at bilbo.suite.com (Jim Miller) Date: Thu, 21 Dec 95 22:49:28 PST Subject: Attacking Clipper with timing info? Message-ID: <9512220648.AA17385@bilbo.suite.com> > I suppose the correct answer is, "It depends." > > It depends on your definition of "should" in the above > paragraph. If "should" means "in keeping with the NSA's > mission statement", then I believe the NSA should remain > quite and exploit the vulnerability as a national > technical asset. If "should" means "in support of US > commerce", then the answer would be that they should > announce/fix the vulnerability. > > I'm not sure from your tone which one you believe to be the > correct definition. :-) > I don't know myself. That's why I still occasionally think about it. It is sometimes comforting to think there is a US agency with the expertise of the NSA. At other times I wonder if we're getting the most for our tax money. Unfortunately, it would be impossible to generate a meaningful cost/benefit analysis even if the NSA was not a secret agency. Of course, if we did not pax taxes there would be no need to wonder if we're getting our money's worth. A self-funded,for-profit NSA? Now there's a liberatarian idea if I ever heard one. Jim_Miller at suite.com From stevenw at best.com Thu Dec 21 23:20:20 1995 From: stevenw at best.com (Steven Weller) Date: Thu, 21 Dec 95 23:20:20 PST Subject: ex encrypted script Message-ID: >At 10:57 PM 12/21/95 -0500, Beavis B. Thoopit wrote: >>> >| Is there a way to encrypt a script yet still allow it to be runnable? I >>> >| know that the simple answer is to write it in C and compile it but I >>>don't >>> >| have the means of doing that at the moment. (i.e. there is not >compiler on >>> >| the system) >>> >| >>> >| I thought of a few simple protections but they all involve decrypting >before >>> >| running. >>> > >>> > Ever hear of chmod? chown? >>> >Adam >>> >>> The vendor also has superuser access.. chmod chown won't protect it.. :( >> >>I once had to obfuscate an awk script. "Cryptography is Economics." My >>job was to make it difficult for the enemy to steal the source. There >>was a license agreement... >> >>The simple answer of "no" is right in the strong sense, but there are >>tricks to make life difficult for the amateur attacker. >> >>My approach was a self-decrypting program. The "real" script was >>encrypted within the body of the encasing script. For increased >>obfuscation, decrypt only small pieces at a time. >> >> >There is encrypt and then there is render useless to the reader. > >A tale I hear is that when HP had to deliver operating system source to >the french government they stripped all comments and changed all variable >and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). >It still compiled but was 100% useless to human readers. There is a commercial product out there from Gimpel Software called _The C Shroud_. It removes all structure from the code, replacing it with gotos, renames all the symbols to axxxxxxx, converts constants and strings to hex, substitutes all #defines and expands all macros, strips all formatting and comments, etc., resulting in a perfectly compilable, but infuriatingly obfuscated set of source files. ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From fricke at mae.engr.ucdavis.edu Fri Dec 22 00:00:39 1995 From: fricke at mae.engr.ucdavis.edu (Light Ray) Date: Fri, 22 Dec 95 00:00:39 PST Subject: Air Force hacks Navy? Eeeek! Message-ID: Read this. It's from the Electronic Telegraph, a neat web site in the UK. This article was later posted to comp.risks, and hence, Risks Forum digest, which is where I found it. The paragraphs have been numbered for easy reference. ---------------------------------------------------------------------------- (paragraph 0) http://www.telegraph.co.uk/et/ (paragraph 1) A few clicks and then the e-mail message entered the ship's control system... War of the microchips: the day a hacker seized control of a US battleship (paragraph 2) BY SIMPLY dialing the Internet and entering some well-judged keystrokes, a young US air force captain opened a potentially devastating new era in warfare in a secret experiment conducted late last September. His target was no less than gaining unauthorised control of the US Navy's Atlantic Fleet. (paragraph 3) Watching Pentagon VIPs were sceptical as the young officer attempted to do something that the old Soviet Union had long tried to do and failed. He was going to enter the very heart of the United States Navy's warships - their command and control systems. (paragraph 4) He was armed with nothing other than a shop-bought computer and modem. He had no special insider knowledge but was known to be a computer whizzkid, just like the people the Pentagon most want to keep out. (paragraph 5) As he connected with the local node of the Internet provider, the silence was tangible. The next few seconds would be vital. Would the world's most powerful navy be in a position to stop him? (paragraph 6) A few clicks and whirrs were the only signs of activity. And then a seemingly simple e-mail message entered the target ship's computer system. (paragraph 7) First there was jubilation, then horror, back on dry land in the control room at the Electronic Systems Centre at Hanscom Air Force Base in Massachusetts. Within a few seconds the computer screen announced "Control is complete." (paragraph 8) Out at sea, the Captain had no idea that command of his multi-million-dollar warship had passed to another. One by one, more targeted ships surrendered control as the codes buried in the e-mail message multiplied inside the ships' computers. A whole naval battle group was, in effect, being run down a phone-line. Fortunately, this invader was benevolent. But if he could do it ... (paragraph 9) Only very senior naval commanders were in the know as the "Joint Warrior" exercise, a number of experiments to test defence systems, unfolded between September 18-25. Taking over the warships was the swiftest and most alarming of the electronic "raids" - and a true shock for US military leaders. "This shows we have a long way to go in protecting our information systems," said a senior executive at the airbase where the experiment was conducted. (paragraph 10) The exact method of entry remains a classified secret. But the Pentagon wanted to the first to test the extent of their vulnerability to the new "cyberwarriors" - and had the confidence to admit it. (paragraph 11) Now they believe they know what they are dealing with and the defences are going up. (paragraph 12) Reply to Electronic Telegraph - et at telegraph.co.uk Electronic Telegraph is a Registered Service Mark of The Telegraph plc -------------------------------------------------------------------------- This sounds very fantastic, like the plot of a movie. Indeed, _Hackers_ featured a "worm" that took over control of the ballast of oil tankers. Perhaps this is a case of a journalist being a good writer but not fully understanding the topic at hand. Does anyone know how true this article is? Or where we could find more info? If it is true, then this is almost scary. Let's pick the article apart: In paragraph (1), the author refers to "the day a hacker siezed control over a US battleship." I assume that "hacker" and "battleship" are being used loosely, as, as noted in an IW-list posting that I received a few minutes ago, there are no currently active US battleships. (?) In paragraphs (2) and (5), the author refers to the "hacker" "dialing the internet" and "[he] connected with the local node of the Internet provider." This implies that the whole operation was conducted over the internet. Do battleships even have internet connections? They may. But the military certainly wouldn't dialup through a civilian ISP where their data goes through unknown hands to perform a very secret operation. Everything is doubtlessly encrypted - was the attack performed with or without keys? Or was the crypto somehow bypassed? The intruder is referred to as "young US air force captain" in par 2, a "young officer" in par 3, a "computer whizzkid" in par 4, an "invader" in par 8, and a "cyberwarrior" in par 10. Who was he? I would assume that it was more likely a group of people who were "in the know." Even the average "Joe Hacker" (is there such a thing?) would have trouble controlling a "batteship" let alone through an ASCII connection. In par 2, the author states that the intruder was attempting to gain "unauthorised control of the US Navy's Atlantic Fleet" (sic). If these were indeed "Joint Warrior" experiments, then it would be authorized. Throughout the article, references are made to the attack beginning with "a simple email message." This could be possible, but it seems that a higher means of control would be necessary. Anyhow, the whole article seems factually incorrect. I'm very interested in finding out more on what ACTUALLY happened, tho.. Tobin Fricke fricke at roboben.engr.ucdavis.edu From fc at all.net Fri Dec 22 03:51:43 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Fri, 22 Dec 95 03:51:43 PST Subject: ex encrypted script In-Reply-To: <199512220357.WAA02638@bioanalytical.com> Message-ID: <9512221147.AA06064@all.net> > > >| Is there a way to encrypt a script yet still allow it to be runnable? I > > >| know that the simple answer is to write it in C and compile it but I don't > > >| have the means of doing that at the moment. (i.e. there is not compiler on > > >| the system) > > >| > > >| I thought of a few simple protections but they all involve decrypting before > > >| running. > > I once had to obfuscate an awk script. "Cryptography is Economics." My > job was to make it difficult for the enemy to steal the source. There > was a license agreement... > > The simple answer of "no" is right in the strong sense, but there are > tricks to make life difficult for the amateur attacker. > > My approach was a self-decrypting program. The "real" script was > encrypted within the body of the encasing script. For increased > obfuscation, decrypt only small pieces at a time. There is another technique by which the source is obscured by an automatic rewrite mechanism. This provides for both obscuration of the source and the ability to determine who originated illicit copies. I believe it was first implemented by Gimbel Software as part of their C-terp system (unpublished). A paper on techniques for doing this has also been published: "Operating System Protection Through Program Evolution" Computers and Security - 1992? 3? (F. Cohen) -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From fc at all.net Fri Dec 22 04:06:16 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Fri, 22 Dec 95 04:06:16 PST Subject: Navy hacked by Air Force? Message-ID: <9512221202.AA06399@all.net> Following is the actual text extracted from iw at all.net - I doubt if the U.S. DoD will want to release all the details, but we can ask! >From: iw at all.net Subject: IW Mailing List iw/951221 --------------------------------------------- Moderator's Note: Subject: Navy hacked by Air Force I talked to some people I know about the perported IW attack on a battleship by the Air Force, and I thought I would help debunk this story, which my contacts tell me is "wildly inaccurate", but looking at a few facts. Let's start with the title: > War of the microchips: the day a hacker seized control of a US battleship There are NO active US battleships!!! And there weren't any last September. So, at a minimum, there are factual errors. ... > BY SIMPLY dialing the Internet and entering some well-judged keystrokes, > a young US air force captain opened a potentially devastating new era in > warfare in a secret experiment conducted late last September. His > target was no less than gaining unauthorised control of the US Navy's > Atlantic Fleet. According to my sources this was not "SIMPLY dialing the Internet and entering some well-judged keystrokes". It was a controlled experiment with participation of both Navy and Air Force, and involved a great deal of planning by a large number of people. It was performed using DoD owned and properly keyed cryptographic devices designed to be allowed to communicate with the systems being attacked. ... > He was armed with nothing other than a shop-bought computer and modem. > He had no special insider knowledge but was known to be a computer > whizzkid, just like the people the Pentagon most want to keep out. 100% wrong - he was an insider, he had a great deal of assitance, he had cryptographic devices and keys, and he had special insider knowledge. If he was an Air Force captain, he could not have been all that young. Whizzkids are usually considered teenagers. Anyone know of any teenaged AF captains these days? ... > A few clicks and whirrs were the only signs of activity. And then a > seemingly simple e-mail message entered the target ship's computer > system. ... > targeted ships surrendered control as the codes buried in the e-mail > message multiplied inside the ships' computers. A whole naval battle > group was, in effect, being run down a phone-line. Fortunately, this Not quite. This was not an email sent from some Internet site and email messages did not multiply inside the ships' computers. Furthermore, the total bandwidth of a phone line is nowhere near enough to "run" a naval battle group, or probably even a naval kitchen for that matter. > The exact method of entry remains a classified secret. The first (only?) really true part of the story. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From junger at pdj2-ra.F-REMOTE.CWRU.Edu Fri Dec 22 05:21:52 1995 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Fri, 22 Dec 95 05:21:52 PST Subject: Remote use=export? In-Reply-To: <9512220547.AA27294@fly.HiWAAY.net> Message-ID: Jeff Gehlbach writes: : -----BEGIN PGP SIGNED MESSAGE----- : : I apologize if this is a dead horse, but... : : Is granting use of crypto software running in the US to a remote user : outside the US considered exportation? For example, if allow my friend in : Paris to use a PGP binary residing and running on my PC in Washington, is : either of us violating any ITAR or similar restrictions? Nothing about the ITAR is unambiguous, but since what is forbidden is ``exporting'', which includes ``disclosing to foreign persons'', and since use is not forbidden, it is hard to see how what you suggest could violate the ITAR. (And I don't know of any other U.S. law or regulation that it could violate.) On the other hand, it may violate French law, which, or so I understand, does forbid the use of crypto unless the keys are made available to the French government. But I really don't know anything about French law. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From martin at mrrl.lut.ac.uk Fri Dec 22 07:48:35 1995 From: martin at mrrl.lut.ac.uk (Martin Hamilton) Date: Fri, 22 Dec 95 07:48:35 PST Subject: Navy hacked by Air Force? In-Reply-To: <9512221202.AA06399@all.net> Message-ID: <199512221547.PAA27415@gizmo.lut.ac.uk> Dr. Frederick B. Cohen writes: | > The exact method of entry remains a classified secret. | | The first (only?) really true part of the story. To combine two favourite threads - it's that sendmail 8.7.3 hole *they* don't want you to know about...! Cheerio, (and Merry Xmas :-) Martin From rjacoby1 at osf1.gmu.edu Fri Dec 22 07:52:46 1995 From: rjacoby1 at osf1.gmu.edu (Robert A. Jacoby) Date: Fri, 22 Dec 95 07:52:46 PST Subject: GAK boycott, What are legal implications? In-Reply-To: <30d9ca78.flight@flight.hrnowl.lonestar.org> Message-ID: On Thu, 21 Dec 1995, Paul Elliott wrote: Gee, being legally responsible for lost revenue over a boycott. Rev. Donald Wilmond is going to be very broke! I don't know anything about the NAACP case, but it seems to me that free speech & merely *urging* people to boycott would be a perfect defense. > -----BEGIN PGP SIGNED MESSAGE----- > > Here is a question for all of you cyber legal types out there. > This question presupposes: > > The NIST will complete its work on the GAK standard. But no law will be > passed (yet) regulating the use of encryption in the U. S. (The GAK standard > is an attempt to create an environment in which such laws can be passed.) > In the U.S., Big Company INC will start marketing a GAKed encryption > product domesticly. > > A bunch of cypherpunkish types will immediately try to organize a boycott > against BIG COMPANY. > > What are the cypherpunks legal risks? > > I seem to remember that back in the 70s, the NAACP lost a big case > with respect to their boycott in a southern city. As I recall there were people > in the street begging money for the NAACP because there was a > 10**6 $ > judgement against the NAACP and they needed that much just to appeal. > > > - -- > Paul Elliott Telephone: 1-713-781-4543 > Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 > Houston Texas 77063 > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMNnJ8/BUQYbUhJh5AQGbsgP/T0n31SqeuHt+7AbizymcEhu/78DUuym5 > sj+MO3ruA9WcEBQUXfabuf/PgOwlrtUAcC3dISPvXwGbdygc9oHBfxSglLi48g7d > dvDS4wziRHF7N8sBsYn0ee9YyKhPd9U7Ci0ovOc5frFGSZ2Bt4hU703d7bR+6cB+ > iHHqsPaAa6o= > =EPoj > -----END PGP SIGNATURE----- > > Robert A. Jacoby (speaking only for myself--not legal advice) Assistant Law Librarian for LAN/Reference George Mason University Law Library (703) 993-8107 rjacoby1 at osf1.gmu.edu From stend at cris.com Fri Dec 22 08:37:15 1995 From: stend at cris.com (Sten Drescher) Date: Fri, 22 Dec 95 08:37:15 PST Subject: Air Force hacks Navy? Eeeek! In-Reply-To: Message-ID: <55wx7p3vfz.fsf@galil.austnsc.tandem.com> Light Ray said: LR> Read this. It's from the Electronic Telegraph, a neat web site in LR> the UK. This article was later posted to comp.risks, and hence, LR> Risks Forum digest, which is where I found it. The paragraphs have LR> been numbered for easy reference. [...] LR> Let's pick the article apart: [...] I saw the IW article that Light Ray saw in the RISKS Digest, and, while it raises some valid questions, it in turn has some internal problems. For example, the IW author apparently doesn't understand the difference between a Navy captain (O-6) and an Air Force captain (O-3), dismissing the whole story because a Navy captain would be far to old to be a 'whizzkid'. Problem is the story said it was an Air Force captain, and a newly pinned AF captain would certainly be young enough to be considered one in the military culture (had I stuck it out through ROTC, I would have been able to make captain at 24). While the ET article looks like it was written by someone who didn't understand the fine details of what happened, the IW article looks like it was written as military smokescreen. -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From stend at cris.com Fri Dec 22 08:47:23 1995 From: stend at cris.com (Sten Drescher) Date: Fri, 22 Dec 95 08:47:23 PST Subject: Navy hacked by Air Force? In-Reply-To: <9512221202.AA06399@all.net> Message-ID: <55vin93uyk.fsf@galil.austnsc.tandem.com> On Cypherpunks, fc at all.net (Dr. Frederick B. Cohen) said: FBC> Following is the actual text extracted from iw at all.net - I doubt if FBC> the U.S. DoD will want to release all the details, but we can ask! Strange, Dr Fred, this isn't the 'actual text' I saw quoted in RISKS Digest - did you 'fix' it so that it was a bit more credible? Dr Fred's paragraph: FBC> 100% wrong - he was an insider, he had a great deal of assitance, FBC> he had cryptographic devices and keys, and he had special insider FBC> knowledge. If he was an Air Force captain, he could not have been FBC> all that young. Whizzkids are usually considered teenagers. FBC> Anyone know of any teenaged AF captains these days? RISKS Digest's paragraph: RISKS> 100% wrong - he was an insider, he had a great deal of RISKS> assistance, he had cryptographic devices and keys, and he had RISKS> special insider knowledge. If he was a Navy captain, he could RISKS> not have been all that young. Whizzkids are usually considered RISKS> teenagers. Anyone know of any teenaged Navy captains? Has anyone seen the REAL IW article, so we can tell what was really said? The age difference between an AF captain and a Navy captain is enough that one could be considered a 'whizzkid' in the military, while the other could not. -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From andr0id at midwest.net Fri Dec 22 08:55:49 1995 From: andr0id at midwest.net (Jason Rentz) Date: Fri, 22 Dec 95 08:55:49 PST Subject: Message-ID: <199512221717.LAA02498@cdale1.midwest.net> > [snip] > There is a company called Optoelectronics that markets a radio reciever > called the Interceptor. This is a broad band (several hundred MHz) > device designed to lock on to the most powerful signal around, > regardless of frequency. As supplied, it only has a rubber duck > antenna, but a broadband, directional antenna (Log Periodic?) could be > attached. There are AM and FM versions that output audio and a version > called the Scout that controls a scanner. These could have outboard > devices hung on to them to decode digital signals, record the > conversation ... all for less than $1000. > > > > Floyd D. Barber > floyddb at alpha.c2.org > Key fingerprint: > 8A 98 1F 6B 70 7A FE 24 > 35 D4 48 CF 9D F6 B0 91 The problem with the Interceptor is that I think it can only receive one freqency at a time, and it is adjustable by a thumb wheel, not digitally. This would tend to make changing frequencies at high rates VERY hard. :) Also it has no frequancy readout, so this means that if you know what freq. you should be at it is hard to tune in that freq. without searching a little. Dr0id ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From Majordomo at toad.com Fri Dec 22 05:33:14 1995 From: Majordomo at toad.com (Majordomo at toad.com) Date: Fri, 22 Dec 1995 21:33:14 +0800 Subject: Your Majordomo request results Message-ID: <9512221332.AA29343@toad.com> -- Your request of Majordomo was: >>>> subscribe cypherpunks Succeeded. Your request of Majordomo was: >>>> end END OF COMMANDS From aba at atlas.ex.ac.uk Fri Dec 22 06:33:49 1995 From: aba at atlas.ex.ac.uk (aba at atlas.ex.ac.uk) Date: Fri, 22 Dec 1995 22:33:49 +0800 Subject: PGP timeline FAQ... comments requested Message-ID: <297.9512221337@exe.dcs.exeter.ac.uk> There seems to be much confusion amongst some of the newer users of PGP who frequent alt.security.pgp, and recently whilst delving in to give my version of how it happened my post got longer and longer, until it grew on the spur of the moment into a sort of FAQ. I got a few comments, and corrections from that post, but I thought there are likely to be people who know more annecdotes and were around at the time that RSA was being published in the face of NSA opposition, etc. Let me have your comments on the accuracy, plus any annecdotes which you think really should go in to give the correct feel for the historical timeline. Thanks, Adam ====================================================================== PGP timeline and brief history ====================================================================== contents: 0 Definitions of acronyms 1 History of crypto as it applies to PGP 2 Birth of PGP 3 USG decides they don't like PRZ 4 PRZ, MIT and RSA sort out earlier patent issues 5 Current legal status 6 ITARs viewed from inside the US 7 ITARs viewed from outside the US ====================================================================== 0 definitions of acronyms ====================================================================== PGP = Pretty Good Privacy PRZ = Phil R Zimmermann, internet folk hero, author of PGP RSA = The RSA public key algorithm as used in PGP RSADSI = rsa.com, RSA Data Security Inc, patent holders of some public key stuff, which they claim means that no one can use RSA without getting a license from them. PKP = public key partners RSADSI plus Cylink (plus others?) (now disbanded) ITAR = International Traffic in Arms Regulations controls export of controlled munitions from the US, things like military aircraft components, biological and chemical weapons, and also (very strangely) cryptographic software. PK = public key (crypto) NSA = US National Security Agency, US govt's largest spook agency. whimsically known as No Such Agency, because until recently the US govt tried to deny they even existed. OTDC = Office of Defense Trade Controls, USG group charged with enforcing ITAR. They consult with the NSA, the NSA has the last word on what gets export approval. ====================================================================== 1 History of crypto as it applies to PGP ====================================================================== 1.1 The year is 1976 a cryptographer, and privacy advocate named Whitfield Diffie, together with mathematician named Martin Hellman discovers public key cryptography. (DH key exchange is still a commonly used key exchange protocol -- DH = Diffie-Hellman). 1.2 1977 Ron Rivest, Adi Shamir, and Len Adleman discover another more general public key system called RSA (after surnames Rivest, Shamir, and Adleman). R, S & A were researchers at MIT (significant later, because MIT had part ownership of patents.) 1.3 NSA tells MIT and R, S & A that they'd better not publish this or else. 1.4 Amusingly Adi Shamir (A from RSA) isn't even a US citizen, he's an Israeli national, and is now back in Israel at the Technicon (is he, anyone know his current affiliation?) Who knows what the NSA would have done about him if they had succeeded in supressing RSA - not allowed him out of the US? 1.5 MIT and R, S & A ignore NSA and publish anyway in SciAm July 1977. Comms ACM (feb 1978, vol 21, no 2, pp 120-126 in case you want to see if it's in your library - it's in Exeter Univ (UK) library). 1.6 Because the publication was a rush job due to the NSA, R,S & A and the later formed PKP and RSADSI lose patent rights to RSA crypto outside the US. This is because most places outside the US, you have to obtain a patent *before* publication, where as in the US, you have one year from the publication date to file for patents. This also had implications for PGP later 1.7 IDEA was developed by Xuejia Lai and James Massey at ETH in Zurich. (Relevant to PGP because IDEA is the symmetric key cipher used together with RSA in PGP). Also crypto politics relevance in that it is another (of many) examples of the fact that crypto knowledge and expertise is worldwide, ie why export restrict something which is available both sides of the ITAR fence, or even originated *outside* it? (Strangely, ITAR applies to importing and then re-exporting a crypto system, even if no modifications are made). There are lots of other symmetric key ciphers, IDEA is one with a good reputation (no known practical attacks better than brute-force to date, and a good key size), and is just referenced here because of its use in PGP. (some years pass...) ====================================================================== 2 Birth of PGP ====================================================================== 2.1 PRZ wrote PGP 2.2 PRZ gave PGP to some friends 2.3 some friends up loaded onto a few bulletin boards (US only) One friend (allegedly Kelly Goen) went around pay-phones with a portable, an acoustic coupler, and a list of BBS phone numbers uploading and then driving on to another area. This cloak and dagger stuff was because at the time the USG had some draconian sounding proposed law on the books which sounded like it was going to outlaw crypto. The intention was to ensure that PGP was available before this law came into effect, and to avoid being stopped if the USG took interest. 2.4 somehow PGP leaked outside the US via the internet. Information wants to be free, as someone said: `trying to control the free flow of information on the internet is like trying to plug a sieve with a hole in it'. Also Tim May's quote 'National borders are just speedbumps on the information superhighway' expresses the point very nicely. 2.5 people all over the world (yeah outside the US too) start using PGP 2.6 RSA complains to PRZ that PGP violates their PK patents 2.7 PRZ tells RSA to get stuffed, says its the users problem to get a license 2.8 PGP is considered potentially patent infringing because of 2.6 2.9 Illegality taint increases the spread of PGP, generates news, more people get a copy to see what the fuss is about (some time passes, PGP gets real popular...) ====================================================================== 3 USG decides they don't like PRZ ====================================================================== 3.1 US govt decides that they don't like PRZ because the NSA can't tap all those internet mail messages anymore. (the NSA part is speculation, but in my opinion likely true). 3.2 US govt begins investigating PRZ for alleged aiding with ITAR violation. 3.3 Phil Zimmermann legal defense fund set up to cover his legal expenses 3.4 still on going... (concurrently...) ====================================================================== 4 PRZ, MIT and RSA sort out earlier patent issues ====================================================================== 4.1 MIT and PRZ work with RSA to sort out patent issue. 4.2 A solution is obtained in that RSA agree that PGP can use RSA provided that their RSAREF library is used. 4.3 PGP2.5 is written which uses RSAREF in place of MPILIB (also has backwards compatibility with older versions impaired to discourage use of older allegedly patent infringing versions - to keep RSA happy) 4.4 RSAREF may be slower, but at least with some negotiating by PRZ and MIT, PGP is now 100% legal in the US 4.5 MIT begins acting as official US distributor of PGP 4.6 As usual, a few milli-seconds (well okay, minutes) after the official release of a new version of PGP, it gets exported from the US. 4.7 The deal with RSA over RSAREF has fixed the patent related problems in the US, but it has created a copyright related problem outside the US, (recall 0.6). RSAREF is a software package copyrighted by RSA, and RSA is not allowed to export it because of ITAR, and their license agreement says as much (ie it says that you must not export it, and if you do export, you, and the subsequent users of it, are in breach of license). It is therefore supposed that RSA could if they wanted complain about this (who knows that they would want to, or what conceivable benefit it would give them if they did). This isn't enough to bother most people, but commercial users, and big organisations have lawyers, and are wary of such things. 4.8 Staale Schaumaker put together pgp26i to avoid this problem. Main difference between pgp26x and pgp26xi is that pgp26xi uses PRZs original big integer library MPILIB, which is any case faster than RSADSI's RSAREF, and the lack of the legal kludge noted in 3.3. ====================================================================== 5 Current legal status ====================================================================== 5.1 PGP is legal both inside and outside the US. You just need to use pgp26 versions inside the US, and pgp26xi versions outside the US. 5.2 In the US if you are using PGP in a commercial setting, and care about patents, you should purchase a copy of ViaCrypt pgp2.7 5.3 Commercial use outside the US: RSA is free, in the PGP docs (pgp262i & pgp262) Ascom-Tech are quoted as saying that currently no license is required for commercial use of PGP outside the US as far as they are concerned. Ascom-Tech are the patent holders of IDEA (see 1.7), the symmetric crypto system used by PGP. ====================================================================== 6 ITARs viewed from inside the US ====================================================================== 6.1 ITAR means that if you are in the US you should not export PGP. (Yeah it's already available on a few thousand ftp sites around the free world, so another export isn't going to make any difference, but the NSA and the ODTC might not see it in that light). 6.2 Even though controlling the export of freeware software available worldwide might seem incredibly stupid (not to mention pointless), you should bear in mind that the penalties for getting successfully prosecuted for violating ITAR are rather steep. Up to $1,000,000 (US$) fine, and and up to10 years imprisonment per count of export. 6.3 They'd probably never do anything to you, PRZ is just a scape goat (someone they can symbolically persecute to discourage others). I have personally seen several people from US sites post crypto source and binaries (nautilus, PGP itself even). Plus of course this: #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 From blancw at accessone.com Sat Dec 23 02:30:26 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Sat, 23 Dec 95 02:30:26 PST Subject: Cypherpunks resumes? Message-ID: <9512231030.AA05276@pulm1.accessone.com> From: attila the Hutt So, who the fuck am I? --just another aging 300 lb gorilla, long haired hippie California freak with an outlaw chopper. ................................................... Such a lovely place... such a lovely face... (sorry, I couldn't help myself) .. Blanc From fc at all.net Fri Dec 22 11:58:39 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 03:58:39 +0800 Subject: Air Force hacks Navy? Eeeek! In-Reply-To: <55wx7p3vfz.fsf@galil.austnsc.tandem.com> Message-ID: <9512221857.AA17752@all.net> > I saw the IW article that Light Ray saw in the RISKS Digest, > and, while it raises some valid questions, it in turn has some internal > problems. For example, the IW author apparently doesn't understand the > difference between a Navy captain (O-6) and an Air Force captain (O-3), > dismissing the whole story because a Navy captain would be far to old to > be a 'whizzkid'. Am I reading a different article? What I read was that the IW person talked to several inside sources and found out and reported facts. S/He made a mistake in saying Navy instead of AF somewhere in his posting to Risks and fixed it before sending it to the IW list (which is where I got it). From what I read, s/he found out the truth from people who knew the truth and tried to get the word out. > I would have been able to make captain at 24). While the ET article > looks like it was written by someone who didn't understand the fine > details of what happened, the IW article looks like it was written as > military smokescreen. I thought the ET article indicated an exaguration, but if it's true that there are no Battleships in the US Navy anymore and that the attack was run using DoD crypto equipment and networks, it's a heck of a lot different than buying an off-the-shelf Internet package and taking down the fleet. I have no doubt that someone with enough expertise, classified knowledge and equipment, access, and assistance can get some limited control over some US Navy ships for some period of time - but I seriously doubt that a computer whizzkid can take over the fleet from a PC via Email. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From an170150 at anon.penet.fi Fri Dec 22 12:02:03 1995 From: an170150 at anon.penet.fi (an170150 at anon.penet.fi) Date: Sat, 23 Dec 1995 04:02:03 +0800 Subject: No subject Message-ID: <9512221713.AA19435@anon.penet.fi> Hi, excuse me for interrupting your conversation with a different subject, but I am not on the list (any longer, due to the bandwidth) so please reply "directly" to me at an170150 at anon.penet.fi ...my question is: Are there any other anon servers running the same software as the one @alpha.c2.org? --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From sinclai at ecf.toronto.edu Fri Dec 22 12:02:35 1995 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Sat, 23 Dec 1995 04:02:35 +0800 Subject: Remote use=export? In-Reply-To: Message-ID: <95Dec22.121656edt.1000@cannon.ecf.toronto.edu> > Jeff Gehlbach writes: > > : -----BEGIN PGP SIGNED MESSAGE----- > : > : I apologize if this is a dead horse, but... > : > : Is granting use of crypto software running in the US to a remote user > : outside the US considered exportation? For example, if allow my friend in > : Paris to use a PGP binary residing and running on my PC in Washington, is > : either of us violating any ITAR or similar restrictions? > > Nothing about the ITAR is unambiguous, but since what is forbidden is > ``exporting'', which includes ``disclosing to foreign persons'', and > since use is not forbidden, it is hard to see how what you suggest > could violate the ITAR. (And I don't know of any other U.S. law or > regulation that it could violate.) If memory serves, Digital Equipment Corp was obliged to remove a demonstration supercomputer from the net. The argument was that Iraqis could telnet into it (it had free guest accounts) and run nuclear weapons simulations on it. Some of the list members probably remember the details. From ses at tipper.oit.unc.edu Fri Dec 22 12:02:47 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 23 Dec 1995 04:02:47 +0800 Subject: Remote use=export? In-Reply-To: <9512220547.AA27294@fly.HiWAAY.net> Message-ID: On Thu, 21 Dec 1995, Jeff Gehlbach wrote: > > Is granting use of crypto software running in the US to a remote user > outside the US considered exportation? For example, if allow my friend in Not export, but disclosure, and hence a violation. From jps at monad.semcor.com Fri Dec 22 12:08:10 1995 From: jps at monad.semcor.com (Jack P. Starrantino) Date: Sat, 23 Dec 1995 04:08:10 +0800 Subject: Air Force hacks Navy? Eeeek! In-Reply-To: Message-ID: <9512221714.AA13065@monad.semcor.com> The following article is from Defense News Oct. 9-15, 1995 pp1,37. Hacker Exposes U.S. Vulnerability By Pat Cooper and Frank Oliveri Defense News Staff Writers Washington -- A U.S. Air Force captain, using a personal computer and a modem, penetrated the command and control systems of U.S. Navy ships operating in the Atlantic Ocean, exhibiting the awesome offensive capability of information warfare and the significant danger U.S. forces are just beginning to learn how to counter. Air Force personnel based at Hanscom Air Force Base, Mass., with the knowledge and permission of the Navy, penetrated the computer systems of naval ships in the Atlantic Ocean, Air Force Lt. Gen. John Fairfield, deputy chief of staff for command, control, communications and computers, said Sept. 25. Using standard computers, Air Force operators tapped into the Internet, via a telephone link to the information superhighway, and connected with a ship through an electronic mail link in one of the ships' networked computers, Air Force Officials said Sept. 28. Once inside the ship's computer network, Air Force Operators navigated to the ships command and control system and could have given the ship bogus steering commands, Fairfield said. The methods of the break-in and the actual vulnerabilities it exposed are classified. jps -- Jack P. Starrantino (215) 674-0200 (voice) SEMCOR, Inc. (215) 443-0474 (fax) 65 West Street Road jps at semcor.com Suite C-100 Warminster, PA 18974 From stend at cris.com Fri Dec 22 12:11:00 1995 From: stend at cris.com (Sten Drescher) Date: Sat, 23 Dec 1995 04:11:00 +0800 Subject: Navy hacked by Air Force? In-Reply-To: <9512221718.AA15130@all.net> Message-ID: <55oht13r97.fsf@galil.austnsc.tandem.com> fc at all.net (Fred Cohen) said: FC> Credible? No. Accurate? Yes. We all make mistakes, and whenever I FC> find one that I've made, I try to admit it and fix it ASAP. What's FC> not credible is people who don't correct mistakes when they find FC> them. Well, you corrected it, but you didn't admit it, at least not here, and it makes people who made comments on the _original_ version look like fools. Next time when you quote a corrected article, please note that it's been corrected. The difference between an AF captain (4 years of service) and a Navy captain (17-ish years of service) is substantial when when judging whether they could be considered 'whizzkids' in this environment. -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From fc at all.net Fri Dec 22 12:25:53 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 04:25:53 +0800 Subject: Navy hacked by Air Force? In-Reply-To: <55vin93uyk.fsf@galil.austnsc.tandem.com> Message-ID: <9512221718.AA15130@all.net> > On Cypherpunks, fc at all.net (Dr. Frederick B. Cohen) said: > ... > Strange, Dr Fred, this isn't the 'actual text' I saw quoted in > RISKS Digest - did you 'fix' it so that it was a bit more credible? > > Dr Fred's paragraph: > > FBC> 100% wrong - he was an insider, he had a great deal of assitance, > FBC> he had cryptographic devices and keys, and he had special insider > FBC> knowledge. If he was an Air Force captain, he could not have been > FBC> all that young. Whizzkids are usually considered teenagers. > FBC> Anyone know of any teenaged AF captains these days? > > RISKS Digest's paragraph: > > RISKS> 100% wrong - he was an insider, he had a great deal of > RISKS> assistance, he had cryptographic devices and keys, and he had > RISKS> special insider knowledge. If he was a Navy captain, he could > RISKS> not have been all that young. Whizzkids are usually considered > RISKS> teenagers. Anyone know of any teenaged Navy captains? Credible? No. Accurate? Yes. We all make mistakes, and whenever I find one that I've made, I try to admit it and fix it ASAP. What's not credible is people who don't correct mistakes when they find them. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From tedwards at Glue.umd.edu Fri Dec 22 12:27:30 1995 From: tedwards at Glue.umd.edu (Thomas Grant Edwards) Date: Sat, 23 Dec 1995 04:27:30 +0800 Subject: GAK shutdown? Message-ID: Last night I realized that NIST has been shutdown since the weekend...congratulations to congress for a temporary halt to GAK! -Thomas From alano at teleport.com Fri Dec 22 12:29:48 1995 From: alano at teleport.com (Alan Olsen) Date: Sat, 23 Dec 1995 04:29:48 +0800 Subject: Attacking Clipper with timing info? Message-ID: <2.2b7.32.19951222174145.008d7eb0@mail.teleport.com> At 12:49 AM 12/22/95 -0600, you wrote: >Of course, if we did not pax taxes there would be no need to wonder if >we're getting our money's worth. A self-funded,for-profit NSA? Now >there's a liberatarian idea if I ever heard one. A similar concept has already been explored. Check out http://www.digicrime.com/ I am sure that a "for profit NSA" would be very similar in content and substance to the company at that URL. | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From mpj at netcom.com Fri Dec 22 12:30:20 1995 From: mpj at netcom.com (Michael Paul Johnson) Date: Sat, 23 Dec 1995 04:30:20 +0800 Subject: Weak keys in Diamond Encryption Algorithm fixed. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- ******* There is a class of weak keys in the Diamond Encryption Algorithm. These are the ones that result in all of the individual substitution arrays being the same. This has a probability of about 2^-40 of happening, and is not the basis of a practical attack, but it is interesting, anyway. Thanks to Colin Plumb for pointing this out. This weakness has been eliminated in the Diamond2 Encryption Algorithm. See ftp://ftp.csn.net/mpj/public/diamond2.ps.gz for details. If you are in the USA or Canada, there is a reference implementation (as well as the above document) in ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/file/diamond2.zip, where the ??????? is revealed in ftp://ftp.csn.net/mpj/README along with an export warning. ******* I've also put an updated description of another algorithm, the Sapphire II Stream Cipher, in ftp://ftp.csn.net/mpj/public/sapphire.ps.gz and a reference implementation in ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/file/sapphire.zip ******* DLOCK2.ZIP and SAPPHIRE.ZIP are also on the Colorado Catacombs BBS at 303-772-1062. ******* You are invited to review the above algorithms and let me know if you find any weakness in them. ******* These are not commercial products, and this is not an advertisement. This is an electronic publication for the enjoyment of people who are interested in cryptography for constructive purposes. Merry Christmas! ___________________________________________________________ | | |\ /| | | Michael Paul Johnson Colorado Catacombs BBS 303-772-1062 | | \/ |o| | PO Box 1151, Longmont CO 80502-1151 USA Jesus is alive! | | | | / _ | mpj at csn.org aka mpj at netcom.com m.p.johnson at ieee.org | | |||/ /_\ | ftp://ftp.csn.net/mpj/README.MPJ CIS: 71331,2332 | | |||\ ( | ftp://ftp.netcom.com/pub/mp/mpj/README -. --- ----- .... | | ||| \ \_/ | PGPprint=F2 5E A1 C1 A6 CF EF 71 12 1F 91 92 6A ED AE A9 | |___________________________________________________________| -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAwUBMNpaMfX0zg8FAL9FAQENjgQAoXP16Db9FdBuzRp1VXug3JWh7yCcHQCJ X/t79/q512WGYWBIKznkczgfYNE7V94J2dhEP6EfKeZzVN2J5AHV4zqq7e9IWR49 FQakcZCyIrSJIJCpRk/cyMOX5zc1posAkAAhEka7nOd9n/GgW9mHPr57yFwNQgB4 e2wcSW1r9Oo= =v8d3 -----END PGP SIGNATURE----- From dklur at dttus.com Fri Dec 22 12:32:35 1995 From: dklur at dttus.com (David Klur) Date: Sat, 23 Dec 1995 04:32:35 +0800 Subject: Cybercash questions... Message-ID: <9511228196.AA819668788@cc1.dttus.com> Hello, Just a few questions about Cybercash... - How is the consumer's credit card # stored on his hard drive? Encrypted with the bank's public key? Or does the consumer have a private key? - How does the merchant know where to ship the goods? Is the merchant required to ship the goods to the billing address on the cardholder's credit card account? If so, does the bank provide the merchant with this info? How is it encrypted? Or does the customer indicate to the merchant where to ship the goods? Also, what infor does the merhcant send to Cybercash, and how is it encrypted? The fraud possibility I see is that Bob could steal Alice's encrypted credit card number (by sniffing when she buys something at Charlie's Internet shop). Then, without decrypting it, he could use it (still encrypted) at Don's Internet shop, and ask Don to ship the goods to Bob's address. Since Don will not decrypt Alice's card number he will not know that it is not Bob's card. Cybercash will validate Alice's card, but will not know that it is really Bob who is the customer. Don will ship the goods to Bob, and Alice will get a fraudulent charge on her bill. Am I missing something? From dee at cybercash.com Fri Dec 22 13:05:42 1995 From: dee at cybercash.com (Donald E. Eastlake 3rd) Date: Sat, 23 Dec 1995 05:05:42 +0800 Subject: Cybercash questions... In-Reply-To: <9511228196.AA819668788@cc1.dttus.com> Message-ID: On Fri, 22 Dec 1995, David Klur wrote: > > Hello, > > Just a few questions about Cybercash... > > - How is the consumer's credit card # stored on his hard drive? > Encrypted with the bank's public key? Or does the consumer have a > private key? The customer has a private key. Customer info on their machine is encrypted under a password. > - How does the merchant know where to ship the goods? Is the merchant > required to ship the goods to the billing address on the cardholder's > credit card account? If so, does the bank provide the merchant with > this info? How is it encrypted? Or does the customer indicate to the > merchant where to ship the goods? Also, what infor does the merhcant > send to Cybercash, and how is it encrypted? Billing address establishment is part of shopping. It need not be the card billing address. But the customer needs to enter an addreess when setting up their credit card. see draft-eastlake-cybercash-v08-01.txt in any of the IETF shadow directories. > The fraud possibility I see is that Bob could steal Alice's encrypted > credit card number (by sniffing when she buys something at Charlie's > Internet shop). Then, without decrypting it, he could use it (still > encrypted) at Don's Internet shop, and ask Don to ship the goods to > Bob's address. Since Don will not decrypt Alice's card number he will > not know that it is not Bob's card. Cybercash will validate Alice's > card, but will not know that it is really Bob who is the customer. > Don will ship the goods to Bob, and Alice will get a fraudulent charge > on her bill. The customer signs the message including the merchant id and order id before encrypting a bunch of stuff including the credit card number to send to the merchant. There isn't anything useful to steal from the ecnrypted part of that message. > Am I missing something? Donald ===================================================================== Donald E. Eastlake 3rd +1 508-287-4877(tel) dee at cybercash.com 318 Acton Street +1 508-371-7148(fax) dee at world.std.com Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA) From anonymous-remailer at shell.portal.com Fri Dec 22 13:06:34 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 23 Dec 1995 05:06:34 +0800 Subject: taking electronic privacy into our own hands Message-ID: <199512222026.MAA21559@jobe.shell.portal.com> On Fri, 15 Dec 1995, Eric Anderson wrote: > Would it be possible to write a program ( i.e. a worm or > Trojan) to ferret out personal information that is stored in databases > and encrypt it? > > I was just wondering what such an undertaking would entail. Actually, there is no need to write any such code. AT&T distributes just such a beast to any and all comers. It can take personal information and send it out over a secure socket layer. I think a couple of partners in crime, Cheswick and Bellovin of AT&T research had a hand in its continuing distribution. > Eric Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From fc at all.net Fri Dec 22 13:17:09 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 05:17:09 +0800 Subject: Navy hacked by Air Force? In-Reply-To: <55oht13r97.fsf@galil.austnsc.tandem.com> Message-ID: <9512222020.AA20069@all.net> > fc at all.net (Fred Cohen) said: > > FC> Credible? No. Accurate? Yes. We all make mistakes, and whenever I > FC> find one that I've made, I try to admit it and fix it ASAP. What's > FC> not credible is people who don't correct mistakes when they find > FC> them. > > Well, you corrected it, but you didn't admit it, at least not > here, and it makes people who made comments on the _original_ version > look like fools. Next time when you quote a corrected article, please > note that it's been corrected. The difference between an AF captain (4 > years of service) and a Navy captain (17-ish years of service) is > substantial when when judging whether they could be considered > 'whizzkids' in this environment. Not my mistake - iw at all.net's mistake - only my correction. And it wasn't a correction to an error in this forum - the error appeared in the Risks forum - the Cypherpunks posting (which I posted) was the corrected one. Am I supposed to correct mistakes in other forums made by other people when I post to Cypherpunks? (let me see... in 1928, a mistake was made on page 73 of the New York Times related to cryptography, ...) Even with only 4 years of service (after graduating from College), 25-27 years old is no longer whizzkid age in my book. But even more importantly, the readers who commented on this one error ignored the main body of facts in the posting in favor of creating a conspiracy theory. Next we find out from yet another story that at least part of the original story posted to Risks was in error. According to the second independent source, the Captain was working with the Navy's support and knowledge. How much do you want to bet that the story changes again by Tuesday? -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From mab at crypto.com Fri Dec 22 14:21:47 1995 From: mab at crypto.com (Matt Blaze) Date: Sat, 23 Dec 1995 06:21:47 +0800 Subject: CFS and Linux In-Reply-To: <199512222107.WAA00408@asylum.berserk.com> Message-ID: <199512222143.QAA14493@crypto.com> >two comments for matt thoo: > 1: please make it install 'out-of-the-box' on Linux. > I'd love to. It isn't that simple. No one has ever told me exactly what "the Linux problem" is or even convinced me that a problem actually exists. I don't run Linux. People who do run Linux are divided between telling me it that does run out-of-the-box and that it doesn't. ALL I can do is pass on patches that the people who run CFS under Linux give me. My understanding is that CFS does run out-of-the-box under some of the all-too-many varieties of Linux, but that it depends very much on your particular configuration (particularly your rpcgen version). Some configurations require some tweeking. If you want to see CFS supported out-of-the-box on a particular platform, someone has to tell me about it and supply me with the fixes, which I will galdly wrap into the distribution. Requests that I make something work on a platform that I don't have and don't control are very frustrating. Anyway, this is the wrong list for this. Linux issues come up every now and then on the cfs-users mailing list (cfs-users-request at research.att.com; subscription info included in the distribution). -matt From vin at shore.net Fri Dec 22 14:26:24 1995 From: vin at shore.net (Vin McLellan) Date: Sat, 23 Dec 1995 06:26:24 +0800 Subject: Navy hacked by Air Force? Message-ID: This might be relevant. This is a page from the NCCOSC web site The Naval Command, Control & Ocean Surveillance Center (NCCOSC) is the U.S. Navy's warfare center for command, control and communication systems and ocean surveillance and the integration of those systems which overarch multiplatforms. NCCOSC is based in San Diego, CA. NCCOSC Command Internet (NCI) is part of NCCOSC, of course -- and NCCOsc is part of SpaWar (Space and Naval Warfare Systems Command.) Clear? Note that NCCOSC recently decided to beef up NCI's user authentication. See "Current Initiatives." ================= [* ] NCI net - What it is * An enterprise network serving NCCOSC and other communities of interest * Modelled after the global Internet, logically part of the Internet * Communications nodes at each NCCOSC site, linked by T-1 lines * Nodes consist of... o Cisco router linking T-1 lines and local LANs o Annex terminal server and modem bank for dialup, SLIP, and PPP access o Sun servers providing general Internet services (email, name service, ftp server, world wide web, multicast routing, etc.) o NeXT server supporting corporate office functions * Provides ubiquitous high-speed low-delay TCP/IP connectivity throughout the organization and to the Internet * Provides dialup access from home or TDY via 1-800 number, including SLIP and PPP support [* ] [ ] Network Topology [* ] Recent activities and milestones * MIME adopted as corporate email standard, email systems upgraded o Many user agents upgraded to MIME compliance o Testing gateways for interoperability with non-compliant systems o Performing extensive interoperability tests * New sites connected o CINCLANTFLT, Norfolk, VA o The Pentagon + BRAC Office + OSS LAN + DASN/C3I o FTSCLANT (Portsmouth, VA) and NAVSEACENPAC (San Diego, CA) o Armed Forces Staff College, Norfolk, VA o USACOM site in Suffolk, VA + Joint Training, Analysis, and Simulation Center (JTASC) + NISE East Contingent at USACOM o NISE West Guam o NISE West Yokosuka Japan * Network accredited o Completed Security Test and Evaluation o Completed Risk Assessment o Published Contingency Plan and Configuration Management Plan * Network now under full configuration management * New Web server installed o "neelix", a Sun SparcServer 1000, installed outside firewall o "www.nosc.mil" now points at neelix o "Planet Earth" now served by neelix o Recent updates + 1 additional Sparc processor (completed 6/9/95) + 4 Gb more disk (completed 6/2/95) + another 64 Mbytes of memory (giving total of 96 Mbytes) (completed 6/2/95) + conversion to "Apache" http server (faster) (completed 6/1/95) [* ] Current Initiatives * Enhancing Infrastructure to provide ISDN dialup service * Implementing one-time-passwords using SecurID cards * Implementing Kerberos based authentication for additional security * Connecting additional sites o NISMC o USACOM at CINCLANT compound, Norfolk, VA o Pearl Harbor Naval Shipyard, Pearl Harbor, HI o Federal Internet Exchange (FIX) East, College Park, MD o New NISE East Detachment at Naval Weapons Station, Yorktown, VA o ONI at NMIC * Upgrading D.C. area connectivity to Metropolitan Fiber service at 10 Mbps * Getting sites 100% connected (TCP/IP to every desktop) * Developing MIME to X.400 gateway for connectivity to DMS world [* ] References * Dialup Quick Guide * Monthly Reports * June 28 Internet Security Briefing (postscript) Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From Greg_Rose at sydney.sterling.com Fri Dec 22 14:37:35 1995 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Sat, 23 Dec 1995 06:37:35 +0800 Subject: PGP timeline FAQ... comments requested In-Reply-To: <297.9512221337@exe.dcs.exeter.ac.uk> Message-ID: I've embedded a couple of comments that might be useful. 1.4 Amusingly Adi Shamir (A from RSA) isn't even a US citizen, he's an Shamir is the 'S' from RSA, not the 'A'. 1.6 Because the publication was a rush job due to the NSA, R,S & A and the later formed PKP and RSADSI lose patent rights to RSA crypto outside the US. This is because most places outside the US, you have to obtain a patent *before* publication, where as in the US, you have one year from the publication date to file for patents. This also had implications for PGP later This is only half true. US Patent law was developed independently of most of the rest of the world's, and allowed patents like this. The Australian patent office would, at the time, have rejected the patent anyway on the grounds that you can't patent a mathematical formula. ====================================================================== 3 USG decides they don't like PRZ ====================================================================== You haven't defined USG as an acronym yet. To me it means Unix Support Group. It does come clear later though. regards, Greg. From anonymous-remailer at shell.portal.com Fri Dec 22 14:40:25 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 23 Dec 1995 06:40:25 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? Message-ID: <199512222111.NAA24171@jobe.shell.portal.com> Just in case, anyone missed this yesterday, I thought I'd renominate AT&T & Netscape for the: *** 1995 CHRISTMAS NET SCROOGE *** *** AWARD *** (T-shirt sales coming soon, to a website near you ...) ------------ Alice here ... Back on Tue, 19 Dec 1995, I wrote: >>>Can anyone tell me whether Ian Goldberg and David Wagner got their >>>$25,000 from Netscape for finding the HUGE security flaws in Netscape's >>>existing product line?? >>> >> >I can't remember whether they got anything or not ... >> >> That would be no (well, except for the nifty T-shirt from Sameer; Thanks!). > > Not anything?? That's shameful ... where on earth are the values in > America, today? Everyone should ask this question. AT&T can sign-on to a two-page ad, calling on Congress to balance the budget -- to cut off veterans, and cut-off women with dependent children just before Christmas. It can sign on to this, but it can't bother to even offer a scholarship to the students who helped make its fortunes. It would rather leave the impression that it freeloads off of other's efforts. It's shameful. > AT&T and Netscape have jointly made a small fortune distributing this > product, and yet NEITHER company feels that the software engineers who > "voluntarily" made a difference -- a couple of students -- deserve > even a wooden nickel for the ideas which were used. > > It's absolutely shameful. But then, I guess that AT&T and Netscape > have no shame at all. > > They just steal "intellectual property" from students, and don't even > pay a token amount. > > And people wonder what's wrong with America? Luckily for those of us who don't live in the United States, we can perhaps look at that country and truly wonder what is going on over there, and what is wrong with America? Where are the values amongst ALL Americans, not just Netscape and AT&T? What are the role models that all the leaders -- business, sports, and political leaders -- show to the national youth. Here is all I've seen (as a foreigner), over the last while: Enid Greene Waldholtz blubbering in a news conference about how she as a congress person certainly COULDN'T be expected to resign after winning her election with stolen money. Blubbering for five hours straight (except when she had to stop to turn a page, I mean) ... She certainly said that "leadership" is all about playing "victim". Poor little Enid. (And even worse, she was _defended_ by Susan Molinari.) Bob Dole, deciding to go to Bosnia. The former WW II veteran willingly jeopardizing the lives of American boys -- boys who have put their lives on the line in a _volunteer_ armed force -- all for a lousy political photo-op. The chance to say ... "hey look at me, I'm here in Bosnia." Someone who's willing to overrule the Pentagon's own most diplomatic advice on how complex an operation this actually is. And then there is AT&T. A company who's Chairman can publish a letter which calls on Congress to cut off checks to mothers with dependent children and war veterans days before Christmas, all while stealing and freeloading off of the work of some students. Scrooge ... take heart. Here's Holiday wish #1. Enid do the right thing ... resign. Say the "right thing" and say that your child -- the future and the delayed gratification that the future brings -- is much more important than your own personal PRESENT political aspirations. Here's Holiday wish #2. Bob, lots of people worked their asses off to make sure that the American fighter pilot, and the two French fighter pilots could be rescued from Bosnia. If you want to go and get some photo-ops, go to Germany or Italy, and give one hell of a vote of support to the boys that are there -- a support which could just as easily have been given and should be given in Congress. A _real_ strong unfettered commitment. And here's Holiday wish #3. AT&T. Do the right thing. Reward those people who help make you a fortune. Stand tall as an example, rather than as an embarrassment to the nation. You've ignored this for so long now, that you've almost dug your own grave. But you still have a chance to save face. Have the courage to take the chance when it's offered. Simply say that the proposal to reward David Wagner and Ian Goldberg -- some holiday mad money and scholarships -- was lost in committee, and approval processes -- but it WAS in the works, and it was recommended and can now be announced just before Christmas, as a rightful reward. Some holiday cheer. Will people think it's a cynical attempt at manipulation? Yep. But it's a darned site better than the alternatives -- especially when you look at possible future outcomes. Trust me, this is far better than calling for veterans and single mothers with children to be cut-off just before the holidays. Perhaps, Enid, Bob, and AT&T will all learn when to use offense and when to use defense. They might also learn that the best offense is a good defense. They might even begin to look at what "courage" truly is, and of how difficult it can be for anyone to do the "right thing", especially when they think that they're surrounded by minefields. Even when the "right thing" is in your own best interest, you not only have to be shown the right path to take, but you have to have the motivation and courage to make the move and take action. Enid, Bob, and AT&T, take note. Hopefully for the holidays, everyone finds the courage to neutralize some portion of the vulnerability spectrum they've placed themselves in. > > - Ian "There's a reason people talk about `starving grad students'..." > > Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From stend at cris.com Fri Dec 22 14:41:09 1995 From: stend at cris.com (Sten Drescher) Date: Sat, 23 Dec 1995 06:41:09 +0800 Subject: Navy hacked by Air Force? In-Reply-To: <9512222020.AA20069@all.net> Message-ID: <55g2ec4xp8.fsf@galil.austnsc.tandem.com> fc at all.net (Fred Cohen) said: FC> Not my mistake - iw at all.net's mistake - only my correction. And it FC> wasn't a correction to an error in this forum - the error appeared FC> in the Risks forum - the Cypherpunks posting (which I posted) was FC> the corrected one. Am I supposed to correct mistakes in other FC> forums made by other people when I post to Cypherpunks? (let me FC> see... in 1928, a mistake was made on page 73 of the New York Times FC> related to cryptography, ...) 1) The correction makes a difference in the credibility of the statement, as you must have felt, since you made the change. Saying that a reporter called a 40-ish Navy captain a 'whizzkid' is foolish, while questioning the reasonableness of a reporter calling a 20-ish Air Force captain a 'whizzkid' is a difference of opinion (see below). Since you said it was the 'actual text', you should have posted the actual text, not your correction of it. If they sent out two messages, one correcting the other, I find it somewhat difficult to believe that they didn't at least preface it with a "sorry, we goofed" tag. FC> Even with only 4 years of service (after graduating from College), FC> 25-27 years old is no longer whizzkid age in my book. 2) As I said before, had I remained in ROTC, I would have been 24 when I was eligible to make captain. 3) At 26, I was still being referred to, by non computer-savvy people, in terms comprable to 'whizzkid'. FC> But even more FC> importantly, the readers who commented on this one error ignored the FC> main body of facts in the posting in favor of creating a conspiracy FC> theory. Next we find out from yet another story that at least part FC> of the original story posted to Risks was in error. According to FC> the second independent source, the Captain was working with the FC> Navy's support and knowledge. How much do you want to bet that the FC> story changes again by Tuesday? 4) The original story said that it was a "secret experiment" conducted in front of "Pentagon VIPs" "at the Electronic Systems Centre at Hanscom Air Force Base". Saying that the Navy was informed that this test would be made, or that Navy personnel were among the watching VIPs, is unremarkable, and does not call into question the original report. There were many security 'surveys' conducted against my systems by AFIWC (sorry, I don't remember the name of the specific group that does the surveys, but it's part of AFCERT) which I was unaware of which were authorized by the Air Force - in fact, I wouldn't be surprised if the "young Air Force captain" was from that group. 5) The second independent source backs up the report that the connection was made through the Internet, involving email connectivity, and with a personal computer and modem, all of which were specifically denied in the message from IW. Now that I've addressed ALL of the points in the 'denial' from IW, do you see why I characterized it as a military smokescreen? The only thing in it which remains unchallenged is that the original report is inaccurate in detail, and that there is a question as to whether someone in their mid-20s is a 'whizzkid'. -- #include /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you. From fc at all.net Fri Dec 22 14:46:40 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 06:46:40 +0800 Subject: Navy hacked by Air Force? In-Reply-To: <55g2ec4xp8.fsf@galil.austnsc.tandem.com> Message-ID: <9512222132.AA21783@all.net> ... Not to be picky, but... > 1) The correction makes a difference in the credibility of the > statement, as you must have felt, since you made the change. I agree that the change was important, but... > Saying > that a reporter called a 40-ish Navy captain a 'whizzkid' is foolish, > while questioning the reasonableness of a reporter calling a 20-ish Air > Force captain a 'whizzkid' is a difference of opinion (see below). We don't yet know how old he or she was - let's wait and see before we jump the gun. > Since you said it was the 'actual text', you should have posted the > actual text, not your correction of it. My text was the one published in the IW forum - Risks published first, the error was apparently found and corrected, and thus the IW forum had the corrected text. I will ask iw to inform Risks of the correction - however, I did post the actual text that I got from IW! This IT is so complex, isn't it? > If they sent out two messages, > one correcting the other, I find it somewhat difficult to believe that > they didn't at least preface it with a "sorry, we goofed" tag. They were to different forums, hence the "I goofed" tag would seem inappropriate in IW. Perhaps the next risks will include an 'I goofed' let's wait and see. > FC> Even with only 4 years of service (after graduating from College), > FC> 25-27 years old is no longer whizzkid age in my book. > > 2) As I said before, had I remained in ROTC, I would have been 24 when > I was eligible to make captain. > > 3) At 26, I was still being referred to, by non computer-savvy people, > in terms comprable to 'whizzkid'. I must be getting old. When I was growing up, all Wiz kids had to be 21 or less. I guess the media is running out of 18-year olds making a big splash. ... > 5) The second independent source backs up the report that the connection > was made through the Internet, involving email connectivity, and with a > personal computer and modem, all of which were specifically denied in > the message from IW. I must have read it differently. I thought that IW said something like not all email messages, and email messages did not reproduce, not that there were no email messages involved. I guess we both have to start reading more carefully. > Now that I've addressed ALL of the points in the 'denial' from > IW, do you see why I characterized it as a military smokescreen? The > only thing in it which remains unchallenged is that the original report > is inaccurate in detail, and that there is a question as to whether > someone in their mid-20s is a 'whizzkid'. I think that the whole issue is still pretty questionable - whether the experiment was authorized - whether it was a wiz kid - whether they actually took control - whether it came from the Internet or a Mil net - whether there was insider knowledge - etc. One thing I am becoming more certain of though - that there are no active battleships. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From usura at berserk.com Fri Dec 22 14:55:57 1995 From: usura at berserk.com (Alex de Joode) Date: Sat, 23 Dec 1995 06:55:57 +0800 Subject: CFS and Linux In-Reply-To: <199512210440.XAA28196@crypto.com> Message-ID: <199512222107.WAA00408@asylum.berserk.com> > > > > > Is there anyone out there that has CFS running with Linux ? > > > > It installs fine on BSDi 2.0 but I'm unable to install it > > under Linux, I would appreciate it if some one would help > > me out. > > > > -AJ- > > I don't run Linux, and every time I open my mouth it seems to provoke > a flame-fest, but I'll risk responding anyway. > > I'm told that all version of CFS since 1.0.4 (the latest is 1.3.1) > do work out-of-the-box under *some* releases of Linux and with some > coaxing on the others. > > I'm not sure exactly what problem you're having, but the most common > CFS-Linux problem that people complain about has to do with the rpcgen > output not being in the format expected by the rest of CFS. There > seem to be two things you can do about this: get a version of rpcgen > that generates the "standard" (original Sun) names for the functions it > generates, or just grab the rpcgen output from the cfs-users mailing list > archive ("echo help | mail cfs-users-request at research att.com" for details). > I would like to thank all people who gave me pointers; with the help of my sysadmin at Utopia we were able to compile and install it. two comments for matt thoo: 1: please make it install 'out-of-the-box' on Linux. 2: please rename the ssh shell programm, it did overwrite my ssh/slogin programm. All things said; thanks for really wonderfull programm. -AJ- ps: Merry Xmas and a Happy NewYear 2all ! From vin at shore.net Fri Dec 22 15:12:31 1995 From: vin at shore.net (Vin McLellan) Date: Sat, 23 Dec 1995 07:12:31 +0800 Subject: Navy hacked by Air Force? Message-ID: Drescher/Cohen/Drescher/Drescher/Cohen/Cohen.... I'm new to C'punks, so I don't yet have a grip on the context in which you consider privacy, property, and other ultimate values. I do wonder, though: Do you spend a lot of time pissin' on each other's shoes like this? From jimbell at pacifier.com Fri Dec 22 15:15:58 1995 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Dec 1995 07:15:58 +0800 Subject: Newsweek Nerd 50 Message-ID: At 11:04 PM 12/21/95 -0600, you wrote: >Cypherpunk Notables on the List: "Newsweek's Epithet" >Phil Zimmerman: "Crypto Creator" >Marc Rotenberg: "Privacy Advocate" >Sameer Parekh: "Protector of Privacy" >Johan Helsingius: "Crusader" >and Steven Levy, who sometimes posts here has the byline on the "Year of >the Net" feature. >PS to Newsweek -- Prof. Hoffman should be called a "Data Goddess" not a >"Geek" for exposing those bogus factors the marketdroids want to use to >control their survey data back up to the population level. Of course, Newsweek should have included the "baddies" as well: Dorothy Denning would be the Wicked Witch of the West, and Sternlight would have been one of those Winged Monkeys... From jimbell at pacifier.com Fri Dec 22 15:16:17 1995 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Dec 1995 07:16:17 +0800 Subject: ex encrypted script Message-ID: At 08:57 PM 12/21/95 -0800, you wrote: > >There is encrypt and then there is render useless to the reader. > >A tale I hear is that when HP had to deliver operating system source to >the french government they stripped all comments and changed all variable >and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). >It still compiled but was 100% useless to human readers. >John Pettitt >email: jpettitt at well.sf.ca.us (home) > jpp at software.net (work) This is EXACTLY the kind of creative uncooperativeness that I was thinking of, on a different subject, when I proposed that Netscape do anything it could think of (legally) to sabotage, undermine, subvert, escape, and otherwise stifle any attempt by the US government to restrict crypto in general, or its export in particular. The fact is, we are all CREATIVE people, and presumably given any particular set of rules (laws) , it should be possible for us to "comply" with "the law" in such a way as to be as obstructively obnoxious as possible. From vin at shore.net Fri Dec 22 15:24:30 1995 From: vin at shore.net (Vin McLellan) Date: Sat, 23 Dec 1995 07:24:30 +0800 Subject: Navy hacked by Air Force? Message-ID: This might be relevant. This is a page from the NCCOSC web site The Naval Command, Control & Ocean Surveillance Center (NCCOSC) is the U.S. Navy's warfare center for command, control and communication systems and ocean surveillance and the integration of those systems which overarch multiplatforms. NCCOSC is based in San Diego, CA. NCCOSC Command Internet (NCI) is part of NCCOSC, of course -- and NCCOsc is part of SpaWar (Space and Naval Warfare Systems Command.) Clear? Note that NCCOSC recently decided to beef up NCI's user authentication. See "Current Initiatives." ================= [* ] NCI net - What it is * An enterprise network serving NCCOSC and other communities of interest * Modelled after the global Internet, logically part of the Internet * Communications nodes at each NCCOSC site, linked by T-1 lines * Nodes consist of... o Cisco router linking T-1 lines and local LANs o Annex terminal server and modem bank for dialup, SLIP, and PPP access o Sun servers providing general Internet services (email, name service, ftp server, world wide web, multicast routing, etc.) o NeXT server supporting corporate office functions * Provides ubiquitous high-speed low-delay TCP/IP connectivity throughout the organization and to the Internet * Provides dialup access from home or TDY via 1-800 number, including SLIP and PPP support [* ] [ ] Network Topology [* ] Recent activities and milestones * MIME adopted as corporate email standard, email systems upgraded o Many user agents upgraded to MIME compliance o Testing gateways for interoperability with non-compliant systems o Performing extensive interoperability tests * New sites connected o CINCLANTFLT, Norfolk, VA o The Pentagon + BRAC Office + OSS LAN + DASN/C3I o FTSCLANT (Portsmouth, VA) and NAVSEACENPAC (San Diego, CA) o Armed Forces Staff College, Norfolk, VA o USACOM site in Suffolk, VA + Joint Training, Analysis, and Simulation Center (JTASC) + NISE East Contingent at USACOM o NISE West Guam o NISE West Yokosuka Japan * Network accredited o Completed Security Test and Evaluation o Completed Risk Assessment o Published Contingency Plan and Configuration Management Plan * Network now under full configuration management * New Web server installed o "neelix", a Sun SparcServer 1000, installed outside firewall o "www.nosc.mil" now points at neelix o "Planet Earth" now served by neelix o Recent updates + 1 additional Sparc processor (completed 6/9/95) + 4 Gb more disk (completed 6/2/95) + another 64 Mbytes of memory (giving total of 96 Mbytes) (completed 6/2/95) + conversion to "Apache" http server (faster) (completed 6/1/95) [* ] Current Initiatives * Enhancing Infrastructure to provide ISDN dialup service * Implementing one-time-passwords using SecurID cards * Implementing Kerberos based authentication for additional security * Connecting additional sites o NISMC o USACOM at CINCLANT compound, Norfolk, VA o Pearl Harbor Naval Shipyard, Pearl Harbor, HI o Federal Internet Exchange (FIX) East, College Park, MD o New NISE East Detachment at Naval Weapons Station, Yorktown, VA o ONI at NMIC * Upgrading D.C. area connectivity to Metropolitan Fiber service at 10 Mbps * Getting sites 100% connected (TCP/IP to every desktop) * Developing MIME to X.400 gateway for connectivity to DMS world [* ] References * Dialup Quick Guide * Monthly Reports * June 28 Internet Security Briefing (postscript) Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From jimbell at pacifier.com Fri Dec 22 15:38:20 1995 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Dec 1995 07:38:20 +0800 Subject: ex encrypted script Message-ID: At 11:20 PM 12/21/95 -0800, you wrote: difficult for the amateur attacker. >> >>A tale I hear is that when HP had to deliver operating system source to >>the french government they stripped all comments and changed all variable >>and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). >>It still compiled but was 100% useless to human readers. > >There is a commercial product out there from Gimpel Software called _The C >Shroud_. It removes all structure from the code, replacing it with gotos, >renames all the symbols to axxxxxxx, converts constants and strings to hex, >substitutes all #defines and expands all macros, strips all formatting and >comments, etc., resulting in a perfectly compilable, but infuriatingly >obfuscated set of source files. >Steven Weller On the other hand, there are some programmers out there whose work product makes such a product totally redundant! From robl at on-ramp.ior.com Fri Dec 22 15:51:05 1995 From: robl at on-ramp.ior.com (RobL) Date: Sat, 23 Dec 1995 07:51:05 +0800 Subject: Navy hacked by Air Force? Message-ID: At 04:58 PM 12/22/95 -0500, Vin McLellan wrote: > Drescher/Cohen/Drescher/Drescher/Cohen/Cohen.... > > I'm new to C'punks, so I don't yet have a grip on the context in >which you consider privacy, property, and other ultimate values. I do >wonder, though: Do you spend a lot of time pissin' on each other's shoes >like this? Laughing my ass off here.. not yet I have seen someone so precisely hit the nail on the head.. Seems this is happening a lot lately.. must be the tension of the holiday season.. Guess I need to start adding plastic shoe-guards to the C-punk kit.. ;) ------------------|----------------------------------------------------------- Rob Lowry | PO Box 288 | Rockford Wa 99030 | ral at otc.mhs.compuserve.com robl at on-ramp.ior.com From karn at qualcomm.com Fri Dec 22 16:00:21 1995 From: karn at qualcomm.com (Phil Karn) Date: Sat, 23 Dec 1995 08:00:21 +0800 Subject: More developments in Karn vs State Dept Message-ID: <30DB37B1.167EB0E7@qualcomm.com> I have been updating my web page almost daily with developments in my case. The latest is that we've written and asked the Court to accept a Supplementary Memorandum opposing the government's motion to toss out our suit, and I've backed it up with a Supplementary Declaration. In it I explain how I just found all of the source code at issue (the Applied Cryptography diskette) on a public FTP site in Italy. This took about 10 minutes using Netscape. I then downloaded the Triple DES code referenced in the earlier Declarations by NSA Deputy Director Crowell and myself in 1.7 seconds, adding that this is somewhat less time that it takes me to move to my computer, insert a floppy disk and return to the keyboard. The government is now asking the judge not to accept these latest filings. Stay tuned! The URL again is http://www.qualcomm.com/people/pkarn/export Phil From lvhove at vnet3.vub.ac.be Fri Dec 22 16:09:11 1995 From: lvhove at vnet3.vub.ac.be (Leo Van Hove) Date: Sat, 23 Dec 1995 08:09:11 +0800 Subject: [ecash] Re: Multi-issuer questions Message-ID: >On Tue, 19 Dec 1995, Marcel van der Peijl wrote in the ecash mailing list: > >> Q: If user A signs up with bank A, and merchant B signs up with bank B, >> can user A buy at merchant B? >> >> A: In theory: >> >> Bank A and bank B need to have an interbank clearing agreement. User >> A sends his money to merchant B. Merchant B contacts his own bank, >> bank B. Bank B recognizes the money as being issued at bank A, >> contacts bank A, and clears the coins there. Bank A credits bank B's >> account at bank A, bank B sends an acknowledge to merchant B and >> merchant B sends the goods to user A. > On Fri, 22 Dec 1995, Patiwat Panurach replied: > I dispute this even on theoretical grounds. > >Am I right in assuming that the only reason Bank B has in contacting Bank >A is to confirm that the ecash hasn't been double spent? Once that is >confirmed, there should be no need for contact between the two banks. >Bank A should not have to credit Bank B's account as there has been no >transfer from Bank A to Bank B. The transfer has been the deposit from --------------------- I guess you mean: from Bank B to Bank A >Bank B's customer to Bank B. Bank B is allready "credited", i.e., its >(e)cash researves have increased, the moment Bank A confirms that the >ecash is valid. > In my understanding - and I'm sure Marcel van der Peijl :-) will correct me :-( if I'm wrong - the only way Bank B can verify with Bank A that the ecash it has received from merchant B has not been spent before is by actually sending the _coins_ to Bank A. Hence there _is_ a transfer from Bank B to Bank A and thus Bank A has to credit Bank B's account... Marcel? Ciao, leo _________________________________________________________________________ Leo Van Hove Centre for Financial Economics Vrije Universiteit Brussel (Free University of Brussels) Pleinlaan 2 B-1050 Brussels Vox: +32 2 629.21.25 Fax: +32 2 629.22.82 e-mail: lvhove at vnet3.vub.ac.be VUB's Web site: http://www.vub.ac.be _________________________________________________________________________ From turner at TeleCheck.com Fri Dec 22 16:23:01 1995 From: turner at TeleCheck.com (turner at TeleCheck.com) Date: Sat, 23 Dec 1995 08:23:01 +0800 Subject: Houston C'punk gathering Message-ID: <9512222346.AA01818@mercury.telecheck.com> For C'punks in the Houston area, there will be an informal gathering at Strack's Restaurant, tomorrow at approx. 11:00 a.m. I will attempt to get there a little early, and I will be the one with a red lamborghini countach on the table. Just come up and sit down. Strack's has a breakfast buffet which is reasonably priced, or at least it was the last time I went there. Possible Topics for Discussion: I will also be bringing the encryption algorithms used by VMS (the AUTODIN-II, Purdy with salted input, Purdy (Purdy V) with variable length username, and the Purdy (Purdy S) with additional bit rotation). I have tested these under VMS 6.2 and they seem to work fine, although they could be (and should be) optimized for brute forcing. I will also be bringing some password brute forcing code that utilize the system services to encrypt the password (and punch CPU usage through the roof). It will crack a three character password in under a minute on a loaded AXP 3000LX. I will also be bringing a copy of the infamous _Giant Black Book of Computer Viruses_ by Mark Ludwig. Interesting stuff. Directions (from Houston): Take I-45 North. You will pass 1960 and then will drive though a stretch of road riddled with construction barrels. Do not exit Holzworth, but take the next exit (Louetta). Get on Louetta (you will have to make a right turn and you will be on the overpass), and take the overpass west towards Tomball. You will cross through several intersections, Strack's will be on your left, after you cross Kukendaul (approx. 1-2 miles ahead). If anyone gets lost, or wants more info you can page me at: (713) 866-0989. From perry at piermont.com Fri Dec 22 16:42:50 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 23 Dec 1995 08:42:50 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? In-Reply-To: <199512222111.NAA24171@jobe.shell.portal.com> Message-ID: <199512222355.SAA04987@jekyll.piermont.com> anonymous-remailer at shell.portal.com writes: > Everyone should ask this question. AT&T can sign-on to a two-page ad, > calling on Congress to balance the budget -- to cut off veterans, and > cut-off women with dependent children just before Christmas. It can > sign on to this, but it can't bother to even offer a scholarship to > the students who helped make its fortunes. It would rather leave the > impression that it freeloads off of other's efforts. > > It's shameful. God, you are annoying Fred, ER, I meant, "Alice". .pm From anonymous-remailer at shell.portal.com Fri Dec 22 16:49:37 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 23 Dec 1995 08:49:37 +0800 Subject: Navy hacked by Air Force? Message-ID: <199512230006.QAA06030@jobe.shell.portal.com> On Fri, 22 Dec 1995, Vin McLellan wrote: > This might be relevant. This is a page from the NCCOSC web site > Thanks for posting this. It was very helpful. > The Naval Command, Control & Ocean Surveillance Center (NCCOSC) > is the U.S. Navy's warfare center for command, control and communication > systems and ocean surveillance and the integration of those systems which > overarch multiplatforms. NCCOSC is based in San Diego, CA. > > Note that NCCOSC recently decided to beef up NCI's user > authentication. See "Current Initiatives." Duly noted ... (as long as it don't lead to a false sense of security) > [* ] NCI net - What it is > > * An enterprise network serving NCCOSC and other communities of interest > * Modelled after the global Internet, logically part of the Internet ... > * Provides ubiquitous high-speed low-delay TCP/IP connectivity throughout > the organization and to the Internet > * Provides dialup access from home or TDY via 1-800 number, including > SLIP and PPP support Betchya that WATS line gets a whole lotta billings to it.
> * MIME adopted as corporate email standard, email systems upgraded > o Many user agents upgraded to MIME compliance > o Testing gateways for interoperability with non-compliant systems > o Performing extensive interoperability tests MIME??!!?? They adopted MIME??!!?? Good grief. This is not good ... not good at all. > * New sites connected > o CINCLANTFLT, Norfolk, VA > o The Pentagon > + BRAC Office > + OSS LAN > + DASN/C3I Oh no ... it's worse ... *sigh* ... no wonder that Newt and Dole had such a grim look on their faces when they emerged from their scheduled one-hour, (went for two) meeting with the US President -- the one that was the day before the freshman congress persons did their incredible end-run on their own leadership. Impressive. Truly. What would have caused both Newt and Dole to flush like they did? Did they demo a hack into the personal e-mail of the Vice-Chairman of the JCS? > * New Web server installed > o "neelix", a Sun SparcServer 1000, installed outside firewall > o "www.nosc.mil" now points at neelix Pretty firewall ... nice firewall ...
> * Enhancing Infrastructure to provide ISDN dialup service Good idea. ISDN dialup provides significant bandwidth. Very significant bandwidth. Almost enought to control a battleship. (If there were any battleships, I mean). > * Upgrading D.C. area connectivity to Metropolitan Fiber service at 10 > Mbps > * Getting sites 100% connected (TCP/IP to every desktop) > * Developing MIME to X.400 gateway for connectivity to DMS world Yep. Perfect. Just what the doctor ordered. TCP/IP to every desktop. And MIME for all. Oh, and to ice the cake, toll-free ISDN dial-ins. Hmm, let's see ... for Christmas Santa ... I'd like a packet-switched network with a public outdial to a toll-free ISDN dial-in ... oh, that and a Gulfstream V under the Christmas tree. What are they going to do next, give everyone some Czechoslovakian C-4? Stick a bit of civilian software into all of this, and let's all have a good look at whether someone can take over something a little more interesting than a battle ship. Like maybe an aircraft carrier?? Gee, that oughta harden their drawers ... Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. P.P.S. Feel free to repost widely ... IW ... c4i-pro ... wherever ... From fc at all.net Fri Dec 22 16:50:20 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 08:50:20 +0800 Subject: IW Mailing List iw/951222 (fwd) Message-ID: <9512230004.AA27098@all.net> The following is forwarded from Risks [...s indicate missing regions of text] > --------------------------------------------- > FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) > ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator > ... > Date: Fri, 22 Dec 1995 00:59:09 -0500 > From: RSRMadison at aol.com > Subject: Re: Naval Battleship takeover (Long, RISKS-17.55) > > A message from the InfoWar list noted that: < battleships!!! And there weren't any last September.>> > > As stated, this is true. However, let the record show that the US Navy still > flies the flag daily over 1 commissioned battleship, the USS Arizona, > permanently stationed in Honolulu. > > ... > Date: Fri, 22 Dec 1995 10:53:56 -0500 > From: Bob Brewin > Subject: Re: Naval Battleship takeover (Long, RISKS-17.55) > > Yikes. This story will not die -- it just lives on a Web site at the > Daily Telegraph in London. Having worked for a British news > organization (Reuters) for years, if you believe the Telly story, call > me about a bridge I have for sale. > > The Air Force did not hack the Navy over the Internet. They did it over > a secure network (SIPRNET) which is firewalled from the Internet. > > The Air Force conducted this attack with the Navy's knowledge and > permission. > > The Navy does not have any battleships on active duty. > > The Air Force did not get control of the none-existent battleship. > > Yep. This does have the makings of a legend. > > Bob Brewin editor-at-large (whatever that means) federal computer week > antenna at fcw.com brewin at access.digex.net > ... -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From jya at pipeline.com Sat Dec 23 09:11:00 1995 From: jya at pipeline.com (John Young) Date: Sat, 23 Dec 95 09:11:00 PST Subject: PAN_maw Message-ID: <199512231710.MAA23442@pipe3.nyc.pipeline.com> 12-23-95. WashP: CyberCash this week plans to offer its shares of stock to the public. It is one of a handful of fledgling companies that hope to coin profits by helping others make financial transactions on the Internet. But consumers still worry that hackers on the Internet can ferret out credit card information. CyberCash's technology blocks online seeing of unscrambled credit card numbers. CyberCash and its IPO advisors believe they have developed schemes that will convince lemmings that there is the equivalent of steel-plated armor around their life savings as they vanish into the Internet's mega-panamaW$. "This is the latest Internet digital currency slaughter- offer for fat-fee hacking our Widows and Orphans Ever-Safe Pensions," choraled a split-gut ice-eyed Santanalyst. PAN_maw (5 kb) From perry at piermont.com Fri Dec 22 17:11:48 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 23 Dec 1995 09:11:48 +0800 Subject: Navy hacked by Air Force? In-Reply-To: Message-ID: <199512230006.TAA05018@jekyll.piermont.com> Vin McLellan writes: > Drescher/Cohen/Drescher/Drescher/Cohen/Cohen.... > > I'm new to C'punks, so I don't yet have a grip on the context in > which you consider privacy, property, and other ultimate values. I do > wonder, though: Do you spend a lot of time pissin' on each other's shoes > like this? "Dr." Fred Cohen is a bit of a local pariah. We don't like him much, and we all pretty much agree that he's an obnoxious weenie (except the mysterious anonymous "Alice de Nonymous"). I don't know Drescher. This stuff isn't what this mailing list is for... Perry From anonymous-remailer at shell.portal.com Fri Dec 22 19:39:44 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 23 Dec 1995 11:39:44 +0800 Subject: CFS and Linux Message-ID: <199512230317.TAA19444@jobe.shell.portal.com> > 1: please make it install 'out-of-the-box' on Linux. AT&T's refusal to support CFS and other so-called "secure" software under Linux is typical and to be expected. Linux, the most popular alternative to Microsoft, represents a direct threat to AT&T's bread and butter and to their ability to control the security software market. The fact that the CFS install programme deletes other security software is no accident. We would be foolish to expect them to admit their malice - they will excuse it as a "mistake" or will ignore it altogether. I don't agree with all of the "Gates" character's claims against AT&T, however I think their motives can be summed up in three words: Greed, Greed, Greed. Use their software and you support the giant. Remember their theft from the Berkeley graduate students each time you accept "free" software from this greedy monster. I also do not accept Blaze's cowardly defense of his actions and of his too-comfortable situation; one cannot help but be reminded of the Nazi "just following orders" prattle repeated rote as they were called to answer for their crimes. It rings no less hollow to this day. But I will not condemn him, nor will I call on others to do so, preferring to leave that matter between him and his Maker. Weinstein, of course, is beast of another color, but that will have to wait. Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From fc at all.net Fri Dec 22 20:25:08 1995 From: fc at all.net (Fred Cohen) Date: Sat, 23 Dec 1995 12:25:08 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? In-Reply-To: <199512222355.SAA04987@jekyll.piermont.com> Message-ID: <9512230029.AA27699@all.net> > anonymous-remailer at shell.portal.com writes: > > Everyone should ask this question. AT&T can sign-on to a two-page ad, > > calling on Congress to balance the budget -- to cut off veterans, and > > cut-off women with dependent children just before Christmas. It can > > sign on to this, but it can't bother to even offer a scholarship to > > the students who helped make its fortunes. It would rather leave the > > impression that it freeloads off of other's efforts. > > > > It's shameful. > > God, you are annoying Fred, ER, I meant, "Alice". I hope you don't think I'm Alice - and I don't think Alice's first name is Fred. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From Lynnclu at aol.com Fri Dec 22 20:25:16 1995 From: Lynnclu at aol.com (Lynnclu at aol.com) Date: Sat, 23 Dec 1995 12:25:16 +0800 Subject: ACLU Cyber-Liberties Update, 12/22/95 Message-ID: <951222163250_21785823@emout05.mail.aol.com> ---------------------------------------------------------------- December 22, 1995 ACLU CYBER-LIBERTIES UPDATE A bi-weekly e-zine on cyber-liberties cases and controversies at the state and federal level. ---------------------------------------------------------------- IN THIS ISSUE: * ACLU Letter to U.S. Senators Opposing the Telecommunications Deregulation Bill, S. 652 (H.R. 1555) As Reported by the Conference Committee ---------------------------------------------------------------- FEDERAL PAGE (Congress/Agency/Court Cases) ---------------------------------------------------------------- December 22, 1995 Via Fax Subject: Why the Telecommunications Deregulation Bill, S. 652 (H.R. 1555), As Reported by the Conference Committee Should Be Rejected Dear Senator: The American Civil Liberties Union urges you to vote against S. 652 (H.R. 1555), the telecommunications deregulation bill as reported by the conference committee. The conference committee has produced a bill that will immediately damage freedom of expression, the bedrock value at the core of the First Amendment and will structure the telecommunications industry so that free speech and privacy are in permanent jeopardy. While the final text is still being written, these provisions are sufficiently destructive that they warrant rejection of the entire bill. Many reasons could be cited why S. 652 should be rejected; we will focus on just three areas where the conferees have needlessly chosen to attack essential First Amendment values. I. The "Deregulation" Bill Will Establish a Big Government Censorship Regime with New Speech Crimes for the Internet and Online Communications. Title V of the telecommunications bill as adopted by the conference committee will: - Subject first-year college students under 18 to two years in prison and $100,000 fine if they engage in overly salacious dating patter online (even in their private e-mail). - Subject parents to the same prison term and fine if they provide their own teen-ager with online materials that the parents have decided have merit if the material is deemed to violate the bill. - Subject adults merely looking on their own home computer at something deemed obscene to prison for five years for the first peek, plus another ten years if they look again. This is not far-fetched. Electronic "footprints" are left behind whenever a user goes somewhere in cyberspace. Some of the censorship groups backing the bill openly support prosecuting anyone who looks at such material as way of "drying up" demand for it -- so these groups have an incentive to pressure prosecutors to follow those footprints back to the adults at home. - Effectively reduce voluntary communications among consenting adults to those appropriate only for children. Much of what consenting adults -- even married consenting adults -- prize about some of their communications could well be deemed by outsiders as indecent if addressed to minors. The bill will infantalize all communications in cyberspace as users worry about how to avoid prosecution if prohibited material is sought out by someone underage. The educational value of the Internet would be reduced to the equivalent of the children's section in the video store. - Define its new speech crimes so broadly that it will hold access and service providers criminally liable for content they did not create unless the providers have legal departments large and skilled enough to utilize limited and vague defenses. Even then, the defenses would have to be established in costly and time-consuming court proceedings. The predictable effect will be enormous self-censorship, coerced by the government's failure to precisely define what is being made criminal and the threat of prison for transgressors. - Subject all Americans to the most narrow of community standards found in the most socially limiting of locations. Even those who have chosen to adopt the social mores of such locations should not insist on imposing those mores on the millions of Americans who have chosen to live elsewhere. These proposals violate the Constitution. They are also profoundly bad public policy. Title V of the bill is unconstitutional because it takes speech protected by the First Amendment and tries to regulate it in a way that violates what the Supreme Court has said must be the touchstone for regulating protected speech. For example, the bill fails to use the constitutionally required "least restrictive means" to obtain its putative goals. It also fails to take into account the particular characteristics of interactive media in the online environment, rendering its attempt to create new speech crimes constitutionally impermissible. Title V also unconstitutionally invades the privacy rights of those who communicate online. Cyberspace is the first genuinely mass medium in human history, where many individuals can speak to many others at the same time, and where the "start-up" costs of "publishing" are so minimal that almost all users are potential publishers. This is a democratic and truly libertarian communications medium without a centralized governing body. There is no network president or standards department, for example, ultimately overseeing everything that is broadcast -- in fact there is no "network" but instead an endless series of independent areas like newsgroups, chat rooms, bulletin boards and web sites. The conference bill tries to force cyberspace into the mold of the old media with a government-dictated, centralized command structure. Cyberspace gives its users -- including parents concerned about their children -- an unprecedented power over what materials are accessed, or not accessed, from their computers. Parents, for example, already have available software and other technology that will let them control what their children access from their computer. Tragically, the conferees have rejected further private sector development of user empowerment technologies. Instead, the conference bill imposes the most restrictive regime of government regulation over content on what should be the least governmentally restricted of all media. In doing so, the bill would strangle cyberspace, violating the free speech and privacy rights of all those who communicate online. The ACLU believes that all adults have the right to choose for themselves what they see or say online. The conferees have chosen to invest a minority of censorship extremists with the coercive power of the criminal law and Federal prison in order to impose on the rest of us their constricted view of what we should say or see. This is a truly historic turning point. Title V of the bill from the conference committee confronts the Congress with a stark choice: - Will the 104th Congress be seen in history as one who stood up for the freedom of communications in cyberspace and the Internet, or will it be counted as a tool of certain censorship groups determined to impose their conception of "proper" speech on all of us? - Will the 104th Congress stand up for the continuing vitality of private sector development of interactive media, or will it impose a big-government bureaucratic regulatory regime on cyberspace and the content of its communications? - Will the 104th Congress stand up for empowering users -- including parents concerned about their children -- to control what material is accessed from their computers, or will it give the coercive power of federal prison sentences to censorship groups who care more about interfering with what other adults see or say than about protecting their own children? II. The "Deregulation" Bill Will Impose a Big-Government Censorship Regime on Television Programming. The conference committee has agreed to V-chip language in S. 652 that will stifle expression on broadcast and cable television and prevent parents from exercising greater control over their children's television viewing habits. The V-chip provision will vest the government, not parents, with control over which television programs make their way to the family television set. The V-chip hardware is technology that will automatically block a program from television reception if it carries a certain encoded rating in its transmission. The encoding would be transmitted on the same signal that currently carries closed captioning information. However, the V-chip requirement does more than simply call for new hardware in television sets; the bill would set up a television rating system driven by government guidelines on content. Although the television industry is given a one-year window to "voluntarily" develop and transmit an encoded ratings scheme for violent, sexual, or indecent programing, the Federal Communications Commission would have the power to reject the industry's system in favor of its own. In this way, the government ultimately decides what content is appropriate for viewing and what is not. The bill calls for the government to form an "advisory committee" to set recommendations for guidelines on rating content, and those guideline will be formally issued by the FCC. Although the V-chip's congressional sponsors have claimed that these guidelines will not be mandatory, the ratings guidelines will surely have a chilling effect on the creative process in television programming. Would producers make a television mini-series about the violent Civil War? Perhaps not, if the broadcast will automatically be blocked from the television sets of countless families who will not have the opportunity to make an independent judgement as to the program's appropriateness. The weightiest and clearest guidelines for content rating would be that of the government. Such chilling of expression by the government violates the First Amendment. The Supreme Court has held that violent expression enjoys full constitutional protection. Furthermore, what would constitute "sexual" expression would be left up to the government's advisory committee or the industry's "voluntary" internal censors. Would a news program or documentary on breast cancer be blocked as "sexual" expression? That answer is yet unclear, but what is clear is that the encoded ratings will block expression fully protected by the First Amendment. Furthermore, the V-chip scheme created by Congress completely shuts out families from the decision making process. Instead, it empowers bureaucrats and television executives to make decisions for parents. Would the V-chip's automatic censors block out such "violent" programs as "Schindler's List," "Roots," or "The Burning Bed"? Other options for true parental control and choice in children's television viewing will be destroyed by the government's V-chip mandate. Private companies have recently developed technology, such as the Telecommander and the TV Guardian, that would empower parents to screen out the programs or stations that they feel are inappropriate for their children. Additionally, there is the possibility of a true "choice chip," which would allow parents to subscribe to the private rating service of their choice, whether run by the National PTA, TV Guide or the Christian Coalition. Technology and initiatives developed by private business will be crushed by the government's mandatory censoring technology and ratings system. The government will step in as a surrogate parent to turn off the television when a child turns to the "wrong" channel. However, the government's version of what is "wrong" might include a documentary, an afterschool special, or other programming that a parent would actually want their child to watch. Thus, the "V" in V-chip is for the government's "victory" over parental control and the First Amendment. III. The Bill Will Foster Communications Monopolies that Stifle Diversity and Free Speech. A core value of the First Amendment's guarantees of free speech and free press is the vital role in preserving liberty played by robust discussion of public issues among a diversity of viewpoints. Unfortunately, the bill undoes much of the existing protection ensuring diversity in points of view by allowing a greater concentration of media. The conference report would, for example, allow the FCC to use waivers so that a single corporation could own the television station, radio station, cable system, newspaper, phone company and Internet access provider in a locality. On the national level, the bill will allow a greater concentration of control over programming sources. No clearer example exists of the destructive impact on free speech such media concentration will have than CNN's recent rejection of advertisements opposing the telecommunications bill itself. CNN's corporate owners, of course, have vital interests generally being advanced by the bill, but the decision to reject opposing ads (followed up by a decision to reject all ads on the bill -- when the issue was generally developing in favor of CNN's owners) is the kind of content control that will only be repeated as media concentration increases. Conclusion The American Civil Liberties Union urges you to oppose the conference version of S. 652 (H.R. 1555), the telecommunications deregulation bill because it will impose new speech crimes on cyberspace and new censorship on television programming, as well as jeopardize the future of free speech in this country by destroying the diversity of media ownership. Sincerely yours, Laura W. Murphy Director Donald Haines Legislative Counsel ---------------------------------------------------------------- ONLINE RESOURCES FROM THE ACLU NATIONAL OFFICE ---------------------------------------------------------------- Stay tuned for news on the ACLU's world wide web site, under construction at http://www.aclu.org/. America Online users should check out our live chats, auditorium events, *very* active message boards, and complete news on civil liberties, at keyword ACLU. ---------------------------------------------------------------- ACLU Cyber-Liberties Update Editor: Ann Beeson (beeson at aclu.org) American Civil Liberties Union National Office 132 West 43rd Street New York, New York 10036 To subscribe to the ACLU Cyber-Liberties Update, send a message to cyber-liberties at aclu.org with "subscribe Cyber-Liberties Update" in the subject line of your message. To terminate your subscription, send a message to cyber-liberties at aclu.org with "unsubscribe" in the subject line. For general information about the ACLU, write to info at aclu.org. ---------------------------------------------------------------- From attila at primenet.com Sat Dec 23 01:16:24 1995 From: attila at primenet.com (attila) Date: Sat, 23 Dec 1995 17:16:24 +0800 Subject: Cypherpunks resumes? In-Reply-To: Message-ID: Dan Harmon wrote: > and pose the question > 'who the fuck are you.?' good choice of expletives.... 'who the fuck are you.?' --nobody, I guess. I have a Piled higher and Deeper in information techniques from Zuerich (undergrad at Harvard in physical chemistry --boring); I've been around since before the dawn of arpa net, probably as long as TCMay --but I've never held a "job"; I've personally coded two 250,000+ line packages which made me more than comfortable, even if one did go down the black hole (and countless other things like the bit-slice firmware to replace the B3500s in missle silos); I have been charged with crypto offenses by the Feds; and, I have been charged with "treasonable" technology export by the Feds; and, a long time aog did more than one tour in USMC special operations in SE Asia --as a BNCO and chopper pilot. Oh, yeah, I forgot, I hold a license to practice before the court in a couple European countries. read the following while playing 'Hotel California' So, who the fuck am I? --just another aging 300 lb gorilla, long haired hippie California freak with an outlaw chopper. So, who am I? Nobody, I guess -just attila. From hal9001 at panix.com Sat Dec 23 01:57:15 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sat, 23 Dec 1995 17:57:15 +0800 Subject: Cybercash questions... Message-ID: At 13:39 12/22/95, David Klur wrote: > The fraud possibility I see is that Bob could steal Alice's encrypted > credit card number (by sniffing when she buys something at Charlie's > Internet shop). Then, without decrypting it, he could use it (still > encrypted) at Don's Internet shop, and ask Don to ship the goods to > Bob's address. Since Don will not decrypt Alice's card number he will > not know that it is not Bob's card. Cybercash will validate Alice's > card, but will not know that it is really Bob who is the customer. > Don will ship the goods to Bob, and Alice will get a fraudulent charge > on her bill. > > Am I missing something? If when Alice sends her encrypted card number to Charlie, it were encrypted with Charlie's Public Key, then the version that Bob gets is useless if sent to Don (since it will not decrypt with Don's Secret Key into something that when sent to Cybercash will yield Ann's CC# when decrypted with Cybercash's Secret Key). This still leaves the data as valid for use at Charlie unless the actual decrypt by Charlie contains more than just the CC#, so as to flag an "replay" attempt (ie: if the sending of the CC# is in realtime, there could be a check field in there to validate the response as being for the current request) and reject it. From Majordomo at toad.com Sat Dec 23 03:25:58 1995 From: Majordomo at toad.com (Majordomo at toad.com) Date: Sat, 23 Dec 1995 19:25:58 +0800 Subject: Welcome to cypherpunks Message-ID: <9512221333.AA29359@toad.com> -- Welcome to the cypherpunks mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at toad.com" with the following command in the body of your email message: unsubscribe cypherpunks Cypherpunks Mailing List Here's the general information for the list you've subscribed to, in case you don't already have it: About cypherpunks ----------------- I. Administrivia (please read, boring though it may be) The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. If you don't know how to do something, like unsubscribe, send mail to majordomo at toad.com and the software robot which answers that address will send you back instructions on how to do what you want. If you don't know the majordomo syntax, an empty message to this address will get you a help file, as will a command 'help' in the body. Even with all this automated help, you may still encounter problems. If you get really stuck, please feel free to contact me directly at the address I use for mailing list management: cypherpunks-owner at toad.com Please use this address for all mailing list management issues. Hint: if you try to unsubscribe yourself from a different account than you signed up for, it likely won't work. Log back into your old account and try again. If you no longer have access to that account, mail me at the list management address above. Also, please realize that there will be some cypherpunks messages "in transit" to you at the time you unsubscribe. If you get a response that says you are unsubscribed, but the messages keep coming, wait a day and they should stop. For other questions, my list management address is not the best place, since I don't read it every day. To reach me otherwise, send mail to eric at remailer.net This address is appropriate for emergencies (and wanting to get off the list is never an emergency), such as the list continuously spewing articles. Please don't send me mail to my regular mailbox asking to be removed; I'll just send you back a form letter. Do not mail to the whole list asking to be removed. It's rude. The -request address is made exactly for this purpose. To post to the whole list, send mail to cypherpunks at toad.com If your mail bounces repeatedly, you will be removed from the list. Nothing personal, but I have to look at all the bounce messages. There is no digest version available. There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. Mail to cypherpunks-announce-request at toad.com if you want to be added or removed to the announce list. All announcements also go out to the full cypherpunks list, so there is no need to subscribe to both. II. About cypherpunks The cypherpunks list is not designed for beginners, although they are welcome. If you are totally new to crypto, please get and read the crypto FAQ referenced below. This document is a good introduction, although not short. Crypto is a subtle field and a good understanding will not come without some study. Please, as a courtesy to all, do some reading to make sure that your question is not already frequently asked. There are other forums to use on the subject of cryptography. The Usenet group sci.crypt deals with technical cryptography; cypherpunks deals with technical details but slants the discussion toward their social implications. The Usenet group talk.politics.crypto, as is says, is for political theorizing, and cypherpunks gets its share of that, but cypherpunks is all pro-crypto; the debates on this list are about how to best get crypto out there. The Usenet group alt.security.pgp is a pgp-specific group, and questions about pgp as such are likely better asked there than here. Ditto for alt.security.ripem. The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as "medusa", "pseudospoofing", "treachery", "poison", or "black lies", it's probably him, no matter what the From: line says. The policy is to ignore these postings. Replies have never, ever, not even once resulted in anything constructive and usually create huge flamewars on the list. Please, please, don't feed the animals. III. Resources. A. The sci.crypt FAQ anonymous ftp to rtfm.mit.edu:pub/usenet-by-group/sci.crypt The cryptography FAQ is good online intro to crypto. Very much worth reading. Last I looked, it was in ten parts. B. cypherpunks ftp site anonymous ftp to ftp.csua.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany. There is a glossary there that all new members should download and read. Also recommended for all users are Hal Finney's instructions on how to use the anonymous remailer system; the remailer sources are there for the perl-literate. C. Bruce Schneier's _Applied Cryptography_, published by Wiley This is required reading for any serious technical cypherpunk. An excellent overview of the field, it describes many of the basic algorithms and protocols with their mathematical descriptions. Some of the stuff at the edges of the scope of the book is a little incomplete, so short descriptions in here should lead to library research for the latest papers, or to the list for the current thinking. All in all, a solid and valuable book. It's even got the cypherpunks-request address. IV. Famous last words My preferred email address for list maintenance topics only is hughes at toad.com. All other mail, including emergency mail, should go to hughes at ah.com, where I read mail much more regularly. Enjoy and deploy. Eric ----------------------------------------------------------------------------- Cypherpunks assume privacy is a good thing and wish there were more of it. Cypherpunks acknowledge that those who want privacy must create it for themselves and not expect governments, corporations, or other large, faceless organizations to grant them privacy out of beneficence. Cypherpunks know that people have been creating their own privacy for centuries with whispers, envelopes, closed doors, and couriers. Cypherpunks do not seek to prevent other people from speaking about their experiences or their opinions. The most important means to the defense of privacy is encryption. To encrypt is to indicate the desire for privacy. But to encrypt with weak cryptography is to indicate not too much desire for privacy. Cypherpunks hope that all people desiring privacy will learn how best to defend it. Cypherpunks are therefore devoted to cryptography. Cypherpunks wish to learn about it, to teach it, to implement it, and to make more of it. Cypherpunks know that cryptographic protocols make social structures. Cypherpunks know how to attack a system and how to defend it. Cypherpunks know just how hard it is to make good cryptosystems. Cypherpunks love to practice. They love to play with public key cryptography. They love to play with anonymous and pseudonymous mail forwarding and delivery. They love to play with DC-nets. They love to play with secure communications of all kinds. Cypherpunks write code. They know that someone has to write code to defend privacy, and since it's their privacy, they're going to write it. Cypherpunks publish their code so that their fellow cypherpunks may practice and play with it. Cypherpunks realize that security is not built in a day and are patient with incremental progress. Cypherpunks don't care if you don't like the software they write. Cypherpunks know that software can't be destroyed. Cypherpunks know that a widely dispersed system can't be shut down. Cypherpunks will make the networks safe for privacy. [Last updated Mon Feb 21 13:18:25 1994] From floyddb at alpha.c2.org Sat Dec 23 03:55:55 1995 From: floyddb at alpha.c2.org (floyddb at alpha.c2.org) Date: Sat, 23 Dec 1995 19:55:55 +0800 Subject: No Subject Message-ID: <199512231130.DAA26556@infinity.c2.org> On Fri, 22 Dec 1995 andr0id at midwest.net (Jason Rentz) wrote: >> >> > >The problem with the Interceptor is that I think it can only receive one >freqency at a time, and it is adjustable by a thumb wheel, not digitally. >This would tend to make changing frequencies at high rates VERY hard. :) >Also it has no frequancy readout, so this means that if you know what freq. >you should be at it is hard to tune in that freq. without searching a little. > Dr0id > > >( Computer Consulting & Management ) >(P.O. Box 421 Cambria, IL 62915-0421) > The demo of the Interceptor I saw seemed to show it jumping from 150 MHz to 450 MHz without any external adjustments, it locked on the strongest signal. Granted, it can only receive one frequency at a time, but there shouldn't be any significant delays when the phone hops a frequency. The Interceptor's frequency readout is a bargraph style LED. The Scout, from what I can see in Optoelectronics' ad doesn't have any frequency controls on it, it does have a digital frequency readout. As far as timing is concerned, the Scout might be less useful because I think it feeds the frequency into the scanner for reception. Most scanners take a significant amount of time to change frequencies. Merry Christmas Floyd D. Barber floyddb at alpha.c2.org Key fingerprint: 8A 98 1F 6B 70 7A FE 24 35 D4 48 CF 9D F6 B0 91 From master at internexus.net Sat Dec 23 05:49:46 1995 From: master at internexus.net (Laszlo Vecsey) Date: Sat, 23 Dec 1995 21:49:46 +0800 Subject: Encrypted script - sort of In-Reply-To: Message-ID: > >A tale I hear is that when HP had to deliver operating system source to > >the french government they stripped all comments and changed all variable > >and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). > >It still compiled but was 100% useless to human readers. A somewhat useful utility would be one that would compress C code into as small space as possible, stripping out all spaces and making variable names one character a piece when possible. And of course one to expand it back into 'formatted' text, style could even be incorporated. I'm sure a Perl fanatic knows a quick solution... I'm always amazed at how short Perl code is.. :) Anyone care to take care of this utility? From adam at lighthouse.homeport.org Sat Dec 23 05:52:56 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 23 Dec 1995 21:52:56 +0800 Subject: (fwd) Java implementation of secure login protocol Message-ID: <199512230408.XAA27975@homeport.org> Look, Ma! Java code! Real cyph3rpunks, of course, flame each other anonymously. (Incidentally, I got tired of Alice making it to my noise box, and the following seems to work well. Deleting the leading ^ characters would cause all responses to go into the junk box; perhaps a good idea. This is, for those of you who don't recognize it, procmail code. My mail filter of choice for hacking in.) :0B: * ^Alice de 'nonymous * ^P.S. This post is in the public domain. | formail -a "Status: O" >> cjunk > From: greg at qualcomm.com (Greg Noel) > Newsgroups: comp.lang.java,sci.crypt > Subject: Java implementation of secure login protocol > Date: 19 Dec 1995 23:12:52 -0800 > Organization: QUALCOMM, Incorporated; San Diego, CA, USA > Lines: 64 > Message-ID: <4b8d1k$6o9 at qualcomm.com> > NNTP-Posting-Host: guru.qualcomm.com > > Please note that this article is cross-posted both to comp.lang.java and > sci.crypt. If you follow up, please trim the newsgroups appropriately. > > Since a number of people expressed interest, I'm releasing an initial > implementation of a secure login protocol in Java. This is still very > much a work in progress (it's not really even of alpha quality), but > the protocol itself is functional. > > It's intended that the classes in crypto.* and qualcomm.qbs.login.* > live on the client; any other classes needed would be downloaded over > the encrypted link. Hopefully, the client-resident classes will be > few in number and change rarely; they are just intended to bootstrap > up the connection. In the long run, the classes in crypto.* could be > provided by the vendor of the Java VM. > > The distribution consists of two files: > ftp://ftp.qualcomm.com/pub/gnoel/java.login.tar.gz > ftp://ftp.qualcomm.com/pub/gnoel/java.no-export.tar.gz > The first file contains the logic to execute the protocol and launch > the splash screen (see below); it also contains the base classes from > crypto.* but no cryptographic functions. The second file contains the > base classes and the actual implementations of a few cryptographic > functions to demonstrate how the base classes can be used. > > For sci.crypt, I've tried to capture the essence of what cryptographic > functions can do in the base classes, without being specific to any > particular protocol. I'm not completely happy with it, and would welcome > any comments people might have on what might be missing. It's as minimal > as I could make it and still provide a basis for whatever protocols need > to be implemented. > > My motivation here is that Sun and Netscape are talking about defining > a standard way of incorporating cryptographic functions in Java; it would > be nice if the specification were usable for a lot more than the security > protocols that come with Netscape. (I wouldn't object to having access > to SSL from Java---in fact, I'd really like it---but I'd also like access > to MD5 and the like.) > > This implementation of the secure login protocol uses short text strings > to identify the packets being exchanged; that's for convenience while > debugging---in a production implementation, it would be done differently. > Other than that, I'd appreciate any suggestions as to how to improve the > implementation. (A MAC digest prefixed to the packets is something I'm > considering, for example.) > > For comp.lang.java, the splash screen is loaded over the secure connection > but attempts to instantiate a member of the class cause a NoSuchMethodError > to be thrown. The class itself seems to be defined correctly, and it should > be no different from how an applet would be loaded and instantiated, but it > still fails. If anyone can tell me what is going wrong and what I can to > to fix it, the pizza and beer will be on me. (This has been a showstopper > for four days now and I'm getting very frustrated by it.) > > The class design tries to minimize the number of classes that must be > present in the bootstrap set; this led to a somewhat, ah, baroque set of > functionality. If anyone has suggestions on how this could be done better, > I'd be pleased to hear about it. > > If anyone has any questions about this, don't hesitate to drop me a line > or post something in one of the newsgroups. I'm going home for some sleep > now, but I'll be banging my head against it again in the morning. > > -- > -- Greg Noel, UNIX Guru greg at qualcomm.com or greg at noel.cts.com From perry at piermont.com Sat Dec 23 08:50:42 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 00:50:42 +0800 Subject: CFS and Linux In-Reply-To: <199512230317.TAA19444@jobe.shell.portal.com> Message-ID: <199512231615.LAA06929@jekyll.piermont.com> Alice B. Cohen writes: anonymous-remailer at shell.portal.com writes: > > 1: please make it install 'out-of-the-box' on Linux. > > AT&T's refusal to support CFS and other so-called "secure" software > under Linux is typical and to be expected. God, you are an obnoxious prick. First of all, this is Matt Blaze's pet project, not a product of AT&T. It is given away for free and you should be happy to get it at all -- no one is obligated to give you a gift. Have you mailed him a Linux machine to do his testing on? Why do you assume he even has one? As it happens, he doesn't, and probably doesn't want to go through the hassle of paying for a computer and putting Linux on it. Be happy he's given you anything at all. Perry From stevenw at best.com Sat Dec 23 09:03:31 1995 From: stevenw at best.com (Steven Weller) Date: Sun, 24 Dec 1995 01:03:31 +0800 Subject: Message-ID: >On Fri, 22 Dec 1995 andr0id at midwest.net (Jason Rentz) wrote: >> >>The problem with the Interceptor is that I think it can only receive one >>freqency at a time, and it is adjustable by a thumb wheel, not digitally. >>This would tend to make changing frequencies at high rates VERY hard. :) >>Also it has no frequancy readout, so this means that if you know what freq. >>you should be at it is hard to tune in that freq. without searching a >>little. >> Dr0id > >The demo of the Interceptor I saw seemed to show it jumping from 150 MHz >to 450 >MHz without any external adjustments, it locked on the strongest signal. >Granted, it can only receive one frequency at a time, but there shouldn't >be any >significant delays when the phone hops a frequency. The Interceptor's >frequency readout is a bargraph style LED. The Scout, from what I can >see in Optoelectronics' ad doesn't have any frequency controls on it, it does >have a digital frequency readout. As far as timing is concerned, the Scout >might be less useful because I think it feeds the frequency into the >scanner for >reception. Most scanners take a significant amount of time to change >frequencies. I used to work for a company that made frequency-hopping military radios. It's a catch-me-if-you-can game, a bit like the amusement arcade toy where stuffed rats pop up through holes and you try to whack them with rubber hammers. You can sure *see* where the next one is, but you can't get there fast enough to make contact. If you knew the pseudo-random pattern, you could anticipate and be there every time. Thus in a frequency-hopping radio you can push the retuning (read RF phase-locked loop) technology to its limit and build transmitters and receivers around them. These typically hop in the order of 100 times a second. The adversary has to find the uncorrelated signal very quickly indeed *and* have PLL technology at least as good as yours to recover anything from it. Finding the signal generally means listening to all frequencies at once, requiring huge amounts of hardware parallelism and/or realtime computing power. Once you throw ten or so radios onto the same band, it's no longer any use looking for the strongest signal, making that approach useless. The primary reason for FH is not to hide information, however. Encryption can be used for that. It's to prevent the enemy from hiding the information from the intended recipient through jamming. Radio jammers work by simply drowning out all other traffic so that the receivers either clip and distort everything or have to attentuate the input signal so far that the interesting stuff is undetectable. Like trying to have an intellectual conversation at a bad rock concert. By employing FH you require the enemy to have enormous and impractical jamming capacity. There are FH radars too. ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From ravage at einstein.ssz.com Sat Dec 23 09:03:40 1995 From: ravage at einstein.ssz.com (Jim Choate) Date: Sun, 24 Dec 1995 01:03:40 +0800 Subject: CFS and Linux (fwd) Message-ID: <199512231633.KAA04297@einstein> Forwarded message: > Subject: Re: CFS and Linux > Date: Sat, 23 Dec 1995 11:15:40 -0500 > From: "Perry E. Metzger" > > Alice B. Cohen writes: > anonymous-remailer at shell.portal.com writes: > > > 1: please make it install 'out-of-the-box' on Linux. > > > > AT&T's refusal to support CFS and other so-called "secure" software > > under Linux is typical and to be expected. > > God, you are an obnoxious prick. > Ditto. > First of all, this is Matt Blaze's pet project, not a product of > AT&T. It is given away for free and you should be happy to get it at > all -- no one is obligated to give you a gift. Have you mailed him a > Linux machine to do his testing on? Why do you assume he even has one? > As it happens, he doesn't, and probably doesn't want to go through the > hassle of paying for a computer and putting Linux on it. > > Be happy he's given you anything at all. > > Perry > If you are going to do it, do it right the first time. Second, I really doubt Blaze has a problem obtaining access to computing power and a $25 CD should be within his budget. Merry Christmas. From perry at piermont.com Sat Dec 23 09:14:26 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 01:14:26 +0800 Subject: CFS and Linux (fwd) In-Reply-To: <199512231633.KAA04297@einstein> Message-ID: <199512231640.LAA07020@jekyll.piermont.com> Jim Choate writes: > > > First of all, this is Matt Blaze's pet project, not a product of > > AT&T. It is given away for free and you should be happy to get it at > > all -- no one is obligated to give you a gift. Have you mailed him a > > Linux machine to do his testing on? Why do you assume he even has one? > > As it happens, he doesn't, and probably doesn't want to go through the > > hassle of paying for a computer and putting Linux on it. > > > > Be happy he's given you anything at all. > > If you are going to do it, do it right the first time. > > Second, I really doubt Blaze has a problem obtaining access to computing > power and a $25 CD should be within his budget. Setting up and doing work on a new operating system is *WORK*. It takes time. It takes space in your lab or office. Maybe he just doesn't feel like spending that time, effort, and lab budget. Why should he? CFS is a GIFT. It isn't a product. Maybe if you paid someone to maintain a Linux version you would have one, but you aren't paying a penny. Quit looking a gift horse in the mouth. .pm From perry at piermont.com Sat Dec 23 09:48:31 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 01:48:31 +0800 Subject: CFS and Linux In-Reply-To: <9512231705.AA21041@all.net> Message-ID: <199512231733.MAA07103@jekyll.piermont.com> Fred Cohen writes to me in private: > > Alice B. Cohen writes: > > If you mean to imply that I am Alice, that constitutes slander, and I > will sue. I'd love to see you try. Please, sue me immediately. Since you agree in public with Alice practically all the time, the damages would be fascinating to assess. "Your honor, my client, who has no reputation in the group we are discussing to speak of, feels that by being publically conflated with this anonymous personage who's opinions he univerasally agrees with that his reputation has been damaged, since, well, er, we aren't sure why, but it has. I mean, people might ascribe opinions to him that he claims to hold! Obviously that must be damaging!" What would the monetary damages be, Fred? I mean, there are some people here who would gain a bit of added respect for you since being Alice would imply that you knew how to use anonymous remailers, so there would be some evidence that you could do *something*, which many people here had in doubt up until now. I suspect you actually gain reputation that way, so perhaps I should sue you for unjust enrichment. (*) Perry (* Not close captioned for the sarcasm impaired.) From edgar at Garg.Campbell.CA.US Sat Dec 23 10:34:05 1995 From: edgar at Garg.Campbell.CA.US (Edgar Swank) Date: Sun, 24 Dec 1995 02:34:05 +0800 Subject: Announcing SecureDrive 1.4a Message-ID: -----BEGIN PGP SIGNED MESSAGE----- This is to announce the availability of Version 1.4a of SecureDrive. SecureDrive Version 1.4a replaces version 1.4, 1.3d, and previous versions. Release 1.4a is a maintenance release of 1.4. No new function is added. Only module SDCOMMON.C has a non-cosmetic change, which affects executables LOGIN.EXE and CRYPTDSK.EXE. For that reason, all other executables still self-identify as release 1.4. They are in fact the exact same EXE & COM files as release 1.4. 1.4a fixes a problem decrypting or activating a diskette or disk partition encrypted with both a passphrase and a keyfile. There are also some minor changes in SECDRV.DOC. In the USA, SecureDrive 1.4a is not available at Colorado Catacombs BBS - 303-772-1062 (up to 28,800 bps, 8n1) - log in with your own name or alias. Download SECDR14A.ZIP from the [F]ile menu. see ftp://ftp.csn.net/mpj/README for the ??????? in ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/disk/secdr14a.zip See ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS for access to ftp://miyako.dorm.duke.edu/mpj/crypto/link/mpj/disk/secdr14a.zip These are all controlled-access sites available to USA citizens and residents only. Thanks to the cooperation of Steve Crompton of the U.K., who worked with me closely, I am able to also announce availability on an offshore site, ftp://utopia.hacktic.nl/pub/replay/pub/incoming/SECDR14A.ZIP If you perchance don't find it there try directories /pub/replay/pub/crypto/CRYPTOapps /pub/replay/pub/disk which currently contains previous versions of SecureDrive. But as I write, SECDR14A.ZIP has been left in the incoming directory for several days. Steve also uploaded 1.4a to ftp.ox.ac.uk/incoming But it has been removed from there and has (so far) not reappeared elsewhere. But previous versions are in directory pub/crypto/misc so it might be worth checking there from time to time. In case anyone in the U.S. Justice Dept. is reading this, Steve and I were very careful to do this release without violating US export restrictions. The only things I "exported" to Steve were "diffs" for source changes from 1.4 to 1.4a, which themselves don't contain any code capable of encryption or decryption. Steve combined those with source for 1.4, which "leaked" from the US sites where I released it months ago. Steve compiled the new source code, and sent the new EXE files to me. I compared the new executables to ones I compiled myself and verified they match, bit for bit. I then sent back to Steve detached signature files for the executables. Steve then put together SECDR14A.ZIP and sent that to me for final inspection. I then compared all files against my "master" files here and verified that they matched. I then shipped the SECDR14A.ZIP that Steve sent me to the USA sites. So the USA release matches bit for bit the offshore release. Here are the contents of SECDR14A.ZIP Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- -------- ---- ---- 18321 DeflatN 6923 63% 06-14-93 22:27 0767480b --w- COPYING 2022 DeflatN 789 61% 08-06-95 00:00 dd3e9e64 --w- COPYSECT.C 12542 DeflatN 7674 39% 08-06-95 00:00 c089888f --w- COPYSECT.EXE 152 Stored 152 0% 08-06-95 00:00 17b02bc2 --w- COPYSECT.SIG 19664 DeflatN 4241 79% 11-19-93 21:42 22c2502c --w- CRYPT2.ASM 19625 DeflatN 4618 77% 11-10-95 16:11 3a6b64fe --w- CRYPTDSK.C 41898 DeflatN 19879 53% 11-14-95 18:59 26bc0200 --w- CRYPTDSK.EXE 4353 DeflatN 1723 61% 08-06-95 00:00 b4e99e6a --w- FPART.C 15450 DeflatN 9794 37% 08-06-95 00:00 44c4a0e7 --w- FPART.EXE 152 Stored 152 0% 08-06-95 00:00 0b345a16 --w- FPART.SIG 5278 DeflatN 3468 35% 11-14-95 20:52 af2f141c --w- KEY.ASC 18450 DeflatN 4541 76% 11-10-95 16:13 c5ad8fa4 --w- LOGIN.C 43558 DeflatN 20297 54% 11-14-95 18:59 cfd0bd3b --w- LOGIN.EXE 278 DeflatN 250 11% 12-06-95 20:33 6c13428c --w- FILE_ID.DIZ 1554 DeflatN 568 64% 08-06-95 00:00 3589f489 --w- MAKEFILE 11557 DeflatN 3315 72% 05-09-93 19:38 e71f3eea --w- MD5.C 3407 DeflatN 1104 68% 05-11-93 12:49 f1f58517 --w- MD5.H 1355 DeflatN 629 54% 01-21-94 08:44 db63ade4 --w- RLDBIOS.ASM 14819 DeflatN 4087 73% 11-14-95 18:56 592274c6 --w- SDCOMMON.C 52551 DeflatN 19113 64% 12-06-95 15:33 cf5e3ded --w- SECDRV.DOC 3656 DeflatN 1098 70% 08-06-95 00:00 6ed75bcc --w- SECDRV.H 32595 DeflatN 8906 73% 08-06-95 00:00 1c7d2225 --w- SECTSR.ASM 2000 DeflatN 1326 34% 08-06-95 00:00 ba1568d1 --w- SECTSR.COM 152 Stored 152 0% 08-06-95 00:00 3817512c --w- SECTSR.SIG 11519 DeflatN 2864 76% 08-06-95 00:00 060d33e8 --w- SETENV.ASM 1254 DeflatN 541 57% 05-09-93 19:39 182978aa --w- USUALS.H 152 Stored 152 0% 12-06-95 17:05 2d1c5fc9 --w- CRYPTDSK.SIG 152 Stored 152 0% 12-06-95 17:10 8dae8ad5 --w- LOGIN.SIG ------ ------ --- ------- 338466 128508 63% 28 Also note that the ZIP file contains PGP detached signatures (*.SIG) for the executable files. Finally here is my public key, also available on many public keyservers; note who has signed it. Also please note my present Email address. Edgar Swank (Only Garg ID is now valid) Type bits/keyID Date User ID pub 1024/DA87C0C7 1992/10/17 Edgar Swank sig 32DD98D9 Vesselin V. Bontchev sig 0F59323D Albert Yee sig DA87C0C7 Edgar Swank Edgar W. Swank sig 91E71221 Cruz sig DA87C0C7 Edgar Swank sig C0595F91 Ian H. Chan sig 61130A1B Arnold L. Cornez, J.D. sig 18239E91 Robert C.Casas <73763.20 at compuserve.com> sig 4AAF00E5 Dave Del Torto sig 08B707C5 Anton Sherwood sig 32DD98D9 Vesselin V. Bontchev sig 34D74DC1 Peter Simons Edgar W. Swank sig 08B707C5 Anton Sherwood sig 32DD98D9 Vesselin V. Bontchev sig FF67F70B Philip R. Zimmermann - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAirfypkAAAEEAKe2jziPeFw6hY19clR2GtQ4gtGCSSVOTgPKEJzHfuC74Scf 9PEuu1kebLhHk43A9wo1vr52o4jpH/P/tnFmRtBQOMzLUzAt5rMucswtSVviMQS2 hBuc9yGJKWHVcyfA79EARKEYTdhx+2qKI+hFJcPE+rmD8wVoF94nNf3ah8DHAAUR tClFZGdhciBTd2FuayAgIDxlZGdhckBHYXJnLkNhbXBiZWxsLkNBLlVTPokAlQMF EDBmZEE2VpfGMt2Y2QEBEsID/0vobHvtD65LmaHQZzPd1fuZzxsKFXG5/dCwx60Q k624Yc7P1m1q+LY8KFuLtvSe1Ltn1dOpQ+eKOqdqh7z6BpywheHSwUPkA80QS9JI PFwj4FBBw5imvPihTG56TRfpDQn1kN2Slaurx3SADtbohOZXuzT+uagk9OWl0/NQ S/ubiQCVAwUQL5YBoVPK4mAPWTI9AQHFAQQAtjRStFaaWND/0ju+ciwcCvvHyQg8 /EEXYekopHkDhHcnD7oSqQhvk/4P4CEaDMKC2U/BQVdmhoXjTH9LpdlxqLuxIkDD 05NBAKJDiWaDcZDOXstHDsQB4X0R0SYn+l4fe0/Dhp+b7tLr0RTYr0A7X8bpi/w/ X68V3EjBph556MeJAJUDBRAvkjv43ic1/dqHwMcBAQnMA/9ORYVRk8WDrEY147hB FrZ3TYYF9XwqRCq7R9pI+75zS42R2CqoBSYSirruE9EcWB8HqDOc8DA9E2lJTGXn lByU6wp0ujAAn/VDEsecHXDaqbRi/y7BKybnRl3xH4grUsjLVnIQLih4BNBsYGnN co8ei8AekUd9jKN/bldazt53C7QnRWRnYXIgVy4gU3dhbmsgPGVkZ2FyQHNwZWN0 cnguc2JheS5vcmc+iQCVAwUQMIDsCDSU0PSR5xIhAQGiBgP8CNKY+MTVoLjUhaxF /FhQJHJe5MB2C3UoNuGGRNMzZLgo8JKtoe4c2cjXWg9GKHKFboIeibKuEdnfuBXF wqM8YlQhzlKRZf4FebO4LHg8y2rd2s43irIlv6ofQ9VdTdgYOumFGSCNb3SWi1Ei 1J7TjneNzj93sq+ecf2RblfDWC+JAJUCBRAtmPSp3ic1/dqHwMcBAWtDA/455Uev GU3OEL5LF+23MhQLeD5UAu4zqC/xv5zLGXS2WTCLof0byqY+H2evamlBlHmMdSG5 t+x6T9AaLzxTA5+5E92H5kOX+tTiQxxe91gZP1yU4uPNeZwszvL2/wXiYUuw228U 3apYuyqd7qFQjsQWfZ5r/y6N2bt6g2Wru3wLK4kAlQMFEC9NxzXpGeQvwFlfkQEB zeED+wfXXvD9aTSTh0l/RCJoGmDWzVqiKmXVCDxuY4S4q6/uN+zEchTVvkuB7acD W1iBa4s57yuI3Anl8U6CIE7Hxl9lYymxnPN0Synddn7rOMh7RjH68dzAM2ssA0eu E7nS0v2+dTdWfeKzOnAYRYf8Xglxy/8m4P2kcimVEatM4eQOiQCVAwUQLspTDYYo qqhhEwobAQEbuQQA1d1ZQbCecS1buYt3TadijMDvn2oMdpXHdC0zlhgHxsNXuJmH sX79dieg+P2HMXgdrSctwhI9cMcEeG2rsKxxgmfwN60nvUIwB7xl3/5b+86oKZSo 5FoxT8vW2qe+k5ZQ2ezA6TNE7M6Y2nD4qrgv6ioEW6ok8NdBhgQUo6y8H0uJAJUC BRAuJJU/XyTewRgjnpEBAblOBACfD1a1z4Z0ZJxnjyG8xZkAGdSIBdOHD5Orv0d0 +74jJI2LtpF+RJ6mmf1APq/Y5LwQtq2CRNK4a3gKkwTqEscHjp9OJN2hcx3D7PT3 aY66pUXapUq2zCcVqvkXLiPRcr/iUTHZ3b/UilpND6xuJwYf0KoKhY4oDLWPYvL0 l/tmB4kAlQIFEC3V00GhwThfSq8A5QEBB2ED+QHa9NcIiNka07D9sLqA5Mecw8FV NB5cchncFnjFhF0x90qzE3eBN7M4jxCLFCgfOG80YHTZ8HkR0Hz5SXD2SfTwBHZv 6ZPCSB422XK281nnYTtSlYRW3OfGUZ6LBExs4UhoYokWwZcVJHDcXz1mqhSeh5G9 GAvSQkhA5kIsXrZliQCUAgUQLaj9LxgzoWUItwfFAQEdywP2LSjZ3tDauwb+JFHB qnEYpBsc/GBBcIHowtU0MRrdz+meDyvY8D1w55FzDHbFj9fE25mjuUdc2n+PnHBi Giir7JMEkgvwNmpb31BPz5zTm/DszVQISnLs1PV7GQzOhVH9jeMpshrhfW1fVmt2 aijPFbRPcPAJwJnt1Hbp5leXHYkAlQIFEC2bD642VpfGMt2Y2QEBQsoD/jCp0yfY YICkCr7mQlP6ImYu9V41mPQlWNaykYNx37VyMIr1dZVMBNW1EB9ZsO6SgnbA3M27 PuBupUcdytXue9xC3cpSzFZHJqFESSVzvk+1cGbQ8qmvlM1MzYn8qqXbwZdBDIv4 8drBMNBUTzJsI+P5ZSArmp3Wj/ZA/GdvgQCZiQCVAgUQLZsasA9HL1s0103BAQGE sAP/e9agO7iazPhgDwFyd+6i8jQCkMvl6RK7jjsHJeAhyo1F7igO0Z2+upe8mGnK 6Pm3u9UMa3OBATSNTwfq745ymPWcGU5cvfoMBJJom4sSsHI0LOpNoZXJrlYbGYra b6kpLpRUheK0Xa0bGsq7492neuS/eg8dNZWAVPl4ZG98kgq0KUVkZ2FyIFcuIFN3 YW5rIDxlZGdhckBzcGVjdHJ4LnNhaWdvbi5jb20+iQCVAgUQLAAAujTiKn8yRb9d AQGY1AP/SNRWpPQsyhW/DtnPYVfJat0GfptGXIbF6pBaGKANdGKlnzbj98dsDa+R sBzMRrLDxmnBFWaFY2zHFaGNgUiL3YpglsA/9chuv6sS5MiE8oooqG64YtRaF9eE IWW4eOzcIDplDCdPiOe7U2UKRydYtsviS2q5vbMvCscI9R7fUvWJAJQCBRAr1jnT GDOhZQi3B8UBAc+sA/MFt/qVDLPBtTB3FrLMsOiHcfKCe6cuiiL7LPOIRVByE6BK 3ewt7YjXTwMvFOCn7bqUlhMBkH4aDwcbIH43PrbrcPReVVRdCL3/sJJHJ3xuFgV6 4U/AXMc9ZmXIsMAiy5oR8GyanYMEuB9++FQKqKJZiY/2hr6s4D7kgdL7E3y0iQCV AgUQK2PmLDZWl8Yy3ZjZAQEMRgP/aIwyaXrl4Vo1as0/tptiHxBbf4yePKXkI2kC MaTF6OYibidkqpQc3kO4bOkkOey1HBvPp1pcrXldygzWbyC6G7pTMjAez36FsoTq KdMLPgLSYTnk9Ka8X96ON7GcbOyIWm4WeM3+xGtIdznt+U4hRYEJkPweLPPdpgHG a/AnzreJAJUCBRArERcc4nXeDv9n9wsBAbJiA/9qly/1XYxscWBTSGXQPgwuoaMF F5R8OujFAKyCxNv/SevVb3KW0Eypg+APtOEsB/avEg81sbIPtVQDbstPBBNLqfaZ u2Qc68ZBXDsnYbBMDrfX0Z/RCd7QzWHtUlaMVfRXOO6H+eTpu3Eza5MtIXadSwNd 7n/03ld56wWGttc2sw== =n5hN - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMNszct4nNf3ah8DHAQHBGQQAhbb0ZCJ3iiB096HxJac33XFTxG/GwNB4 4nWN5/I2s8Cve/USUGVC9YIHKV7NHkHn0Pybo727w46am6DMLoQTdnPzR2O+C+TY mozxnwDYfznzWCzjqadHOsPRK9/ix8aB2ThfGsNaAvOgVjvnDg/uG8ztLwW/G1Hv L/zVBh8nIs0= =YArx -----END PGP SIGNATURE----- -- edgar at Garg.Campbell.CA.US (Edgar Swank) The Land of Garg BBS -- +1 408 378-5108 From anonymous-remailer at shell.portal.com Sat Dec 23 11:09:06 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 24 Dec 1995 03:09:06 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? Message-ID: <199512231817.KAA24182@jobe.shell.portal.com> On Fri, 22 Dec 1995, Perry E. Metzger wrote: > anonymous-remailer at shell.portal.com writes: > > Everyone should ask this question. AT&T can sign-on to a two-page ad, > > calling on Congress to balance the budget -- to cut off veterans, and > > cut-off women with dependent children just before Christmas. It can > > sign on to this, but it can't bother to even offer a scholarship to > > the students who helped make its fortunes. It would rather leave the > > impression that it freeloads off of other's efforts. > > God, you are annoying Fred, ER, I meant, "Alice". My dearest Perry. I am not Fred. I am not he. He is not me. Got it?? We aren't even in the same category or the same country. Fred's an American, and I am not. Scary, isn't it?? A non-American ... Oh ... and a Happy Ho Ho to ya, Perry. My own best wishes. (just in case you didn't get my email, which wished the same, I mean). And _none_ of this changes the fact that AT&T and Netscape are my personal nominees for the "Christmas Net Scrooge" award. Anyone willing to second, that?? Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From perry at piermont.com Sat Dec 23 11:13:10 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 03:13:10 +0800 Subject: CFS and Linux In-Reply-To: <9512231757.AA22460@all.net> Message-ID: <199512231833.NAA07171@jekyll.piermont.com> Fred Cohen writes: > The dollar value would be $1 plus a public apology plus all costs of the > suit plus my time to right the wrong (at my usual fee of course). Of > course the fact that you have decided to make this posting in public > justifies my extensive efforts to clear my reputation which, unless you > apologize immediately will be surprisingly enjoyable for me. Go and sue, Fred. Its what I have lawyers for. If you can even find an attorney willing to take your "case", mine will likely remind yours that lawyers can now be punished by the court in many jurisdictions for knowingly aiding in bringing frivolous suits. If you are seeking $1 in damages the court is especially likely to consider the whole thing a waste of time. I think you will find that I'm very, very hard to intimidate. Don't bother "giving me a second chance" or any such stuff. Either find a lawyer stupid enough to risk his license by taking this case and let me know you are suing me by sending over a process server, or quit bothering me. > Let's see. I guess I would start by having the police confiscate the > toad.com computers becfause thay are part of a criminal conspiracy to > daamage my reputation. Criminal because of the recent changes in the > law that prohibit you from sending me information I don't want to get. I think you will find that John Gilmore is even more difficult to intimidate than I am. Perry From perry at piermont.com Sat Dec 23 11:14:20 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 03:14:20 +0800 Subject: Fred Cohen: Re: CFS and Linux Message-ID: <199512231823.NAA07160@jekyll.piermont.com> I thought people would love to see this. Note especially "Dr." Fred's threat to have toad.com confiscated as part of a conspiracy against his reputation. Perry ------- Forwarded Message From: fc at all.net (Fred Cohen) Message-Id: <9512231757.AA22460 at all.net> Subject: Re: CFS and Linux To: perry at piermont.com Date: Sat, 23 Dec 1995 12:57:40 -0500 (EST) In-Reply-To: <199512231733.MAA07103 at jekyll.piermont.com> from "Perry E. Metzger" at Dec 23, 95 12:33:15 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text X-UIDL: 819742624.003 > Fred Cohen writes to me in private: > > > Alice B. Cohen writes: > > > > If you mean to imply that I am Alice, that constitutes slander, and I > > will sue. > > I'd love to see you try. Please, sue me immediately. > > Since you agree in public with Alice practically all the time, the > damages would be fascinating to assess. "Your honor, my client, who > has no reputation in the group we are discussing to speak of, feels > that by being publically conflated with this anonymous personage who's > opinions he univerasally agrees with that his reputation has been > damaged, since, well, er, we aren't sure why, but it has. I mean, > people might ascribe opinions to him that he claims to hold! Obviously > that must be damaging!" To the contrary, I have a very good global reputation, and you are knowingly and maliciously attempting to slander me by claiming that I use a false identity to support my positions. > What would the monetary damages be, Fred? I mean, there are some > people here who would gain a bit of added respect for you since being > Alice would imply that you knew how to use anonymous remailers, so > there would be some evidence that you could do *something*, which many > people here had in doubt up until now. I suspect you actually gain > reputation that way, so perhaps I should sue you for unjust > enrichment. (*) Let's see. I guess I would start by having the police confiscate the toad.com computers becfause thay are part of a criminal conspiracy to daamage my reputation. Criminal because of the recent changes in the law that prohibit you from sending me information I don't want to get. The dollar value would be $1 plus a public apology plus all costs of the suit plus my time to right the wrong (at my usual fee of course). Of course the fact that you have decided to make this posting in public justifies my extensive efforts to clear my reputation which, unless you apologize immediately will be surprisingly enjoyable for me. - -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 ------- End of Forwarded Message From perry at piermont.com Sat Dec 23 11:32:38 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 03:32:38 +0800 Subject: Fred Cohen: Re: CFS and Linux Message-ID: <199512231845.NAA07203@jekyll.piermont.com> More Fun from Fred. For those that haven't been following, he threatened to sue me for quoting an Alice post as "Alice B. Cohen", and threatened to have his attorneys seize the machines the cypherpunks mailing lists run on for being part of a "criminal conspiracy" against him. Perry ------- Forwarded Message From: fc at all.net (Fred Cohen) Message-Id: <9512231834.AA23326 at all.net> Subject: Re: CFS and Linux To: perry at piermont.com Date: Sat, 23 Dec 1995 13:34:49 -0500 (EST) In-Reply-To: <199512231833.NAA07171 at jekyll.piermont.com> from "Perry E. Metzger" at Dec 23, 95 01:33:45 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text X-UIDL: 819744158.001 > Fred Cohen writes: > > The dollar value would be $1 plus a public apology plus all costs of the > > suit plus my time to right the wrong (at my usual fee of course). Of > > course the fact that you have decided to make this posting in public > > justifies my extensive efforts to clear my reputation which, unless you > > apologize immediately will be surprisingly enjoyable for me. > > Go and sue, Fred. Its what I have lawyers for. If you can even find an > attorney willing to take your "case", mine will likely remind yours > that lawyers can now be punished by the court in many jurisdictions > for knowingly aiding in bringing frivolous suits. If you are seeking > $1 in damages the court is especially likely to consider the whole > thing a waste of time. Your choice, but it's not a very nice Christmas present to find yourself in litigation. I'll give you till Tuesday to reconsider. If I see the public apology, I won't call the lawyers. If I were you, I would talk to those lawyers of yours and get their opinion of whether it's worth your while to be malicious toward people in this way in exchange for defending against a law suit when all you have to do to prevent it is apologize for what you now know to be a falsehood. - -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 ------- End of Forwarded Message From perry at piermont.com Sat Dec 23 11:40:36 1995 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 24 Dec 1995 03:40:36 +0800 Subject: CFS and Linux In-Reply-To: <9512231834.AA23326@all.net> Message-ID: <199512231855.NAA07214@jekyll.piermont.com> Fred Cohen writes: > > Go and sue, Fred. Its what I have lawyers for. If you can even find an > > attorney willing to take your "case", mine will likely remind yours > > that lawyers can now be punished by the court in many jurisdictions > > for knowingly aiding in bringing frivolous suits. If you are seeking > > $1 in damages the court is especially likely to consider the whole > > thing a waste of time. > > Your choice, but it's not a very nice Christmas present to find yourself > in litigation. I'll give you till Tuesday to reconsider. If I see the > public apology, I won't call the lawyers. As I said, Fred, quit giving me "second chances"; either send the process server with the court papers or let the matter drop. Don't bother sending any more "just one more chance" messages to me -- I won't be altering my opinion. As for apologies, I have nothing to apologize for, so I have no intention of apologizing to you -- ever. Perry From ericm at lne.com Sat Dec 23 11:47:48 1995 From: ericm at lne.com (Eric Murray) Date: Sun, 24 Dec 1995 03:47:48 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: <199512231823.NAA07160@jekyll.piermont.com> Message-ID: <199512231904.LAA00483@slack.lne.com> > I thought people would love to see this. > > Note especially "Dr." Fred's threat to have toad.com confiscated as > part of a conspiracy against his reputation. I'm sure a number of people, myself included, would be willing to host the CP list should "Dr" Fred make good his threat. I'd even be willing to testify in court as to the nature of Fred's reputation. I'm sure the operator of the Firewalls list would be too. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From frenchie at magus.dgsys.com Sat Dec 23 12:12:32 1995 From: frenchie at magus.dgsys.com (J.Francois) Date: Sun, 24 Dec 1995 04:12:32 +0800 Subject: Fred Cohen In-Reply-To: <199512231845.NAA07203@jekyll.piermont.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- While browsing my mail I noticed that Perry E. Metzger wrote: > More Fun from Fred. For those that haven't been following, he > threatened to sue me for quoting an Alice post as "Alice B. Cohen", > and threatened to have his attorneys seize the machines the > cypherpunks mailing lists run on for being part of a "criminal > conspiracy" against him. > > Perry Maybe the Jargon File offers some insight: :Mbogo, Dr. Fred: /*m-boh'goh, dok'tr fred/ [Stanford] n. The archetypal man you don't want to see about a problem, esp. an incompetent professional; a shyster. "Do you know a good eye doctor?" "Sure, try Mbogo Eye Care and Professional Dry Cleaning." The name comes from synergy between {bogus} and the original Dr. Mbogo, a witch doctor who was Gomez Addams' physician on the old "Addams Family" TV show. Compare {Bloggs Family, the}, see also {fred}. It all starts to make sense now..... Long Live Procmail! Mail filtering is cool...... =====================PGP Encrypted Mail Preferred======================== PGP Public Keys: 1024/BEB3ED71 & 2047/D9E1F2E9 on request. As soon as any man says of the affairs of the state " What does it matter to me? " the state may be given up for lost. J.J.Rousseau - The Social Contract =========================No Unsolicited Email============================ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: The Gray-haired Woman's Complaint My back aches, my pussy is sore; I simply can't fuck any more; I'm covered with sweat, And T�u have iQCVAgUBMNxWfrbmxeO+s+1xAQGTzAP/VA7pG3vFTwx+OTS1tNLdua6rgieSPyez eXdVUbVaVqdxCuRwFlpxDbZjKeclx9D3TZyPnnUF/ZDQf/Tb89+d8iLRz3SROVTZ a0RK5tOFB1/E/d4lWK+rtd4q6fB2se1/NGUE5dC7l97njyQfgBJNE8KdZc9lcLNP C3f9b9fgZGM= =zRqP -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Sat Dec 23 12:27:54 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 24 Dec 1995 04:27:54 +0800 Subject: CFS and Linux In-Reply-To: <199512231615.LAA06929@jekyll.piermont.com> Message-ID: "Perry E. Metzger" writes: > Alice B. Cohen writes: > anonymous-remailer at shell.portal.com writes: > > > 1: please make it install 'out-of-the-box' on Linux. I have the impression that the vast majority of free Unix stuff, even systems-related, runs well under Linux. Some program have problems with flavors of Unix. E.g., I remember how much trouble it was to get pcomm to run under SunOS. I see nothing at all "obnoxious" about this polite request to fix CFS. I see tons of polite requests to fix free stuff on Usenet. > > AT&T's refusal to support CFS and other so-called "secure" software > > under Linux is typical and to be expected. > > God, you are an obnoxious prick. > > First of all, this is Matt Blaze's pet project, not a product of > AT&T. It is given away for free and you should be happy to get it at > all -- no one is obligated to give you a gift. Have you mailed him a > Linux machine to do his testing on? Why do you assume he even has one? > As it happens, he doesn't, and probably doesn't want to go through the > hassle of paying for a computer and putting Linux on it. Perry, one doesn't need to mail someone a Linux machine, or pay for a new computer. One can install it easily in a partition on a non-dedicated PC running Windows, and boot it and MS DOS alternatively. I got the latest Linux CD from $12 from Morse Communications. Or, one can download Linux. Most people have an Intel box somewhere. Linux is free, and comes with source code. Everyone I know who writes code serously has at least tried Linux. No everyone uses it for serious work, but everyone at least played with it. Not having even tried suggests (to me) a regrettable lack of intellectual curiosity. After using both Linux and SCO Unix Extensively on Intel boxes, I can attest that Linux is much less buggy and better supported (via Usenet) than SCO. (*Unix is no longer a trademark of AT&T Bell Labs) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From proff at suburbia.net Sat Dec 23 12:29:29 1995 From: proff at suburbia.net (Julian Assange) Date: Sun, 24 Dec 1995 04:29:29 +0800 Subject: CFS and Linux (fwd) In-Reply-To: <199512231640.LAA07020@jekyll.piermont.com> Message-ID: <199512231941.GAA00983@suburbia.net> > > > Jim Choate writes: > > > > > First of all, this is Matt Blaze's pet project, not a product of > > > AT&T. It is given away for free and you should be happy to get it at > > > all -- no one is obligated to give you a gift. Have you mailed him a > > > Linux machine to do his testing on? Why do you assume he even has one? > > > As it happens, he doesn't, and probably doesn't want to go through the > > > hassle of paying for a computer and putting Linux on it. > > > > > > Be happy he's given you anything at all. > > > > If you are going to do it, do it right the first time. > > > > Second, I really doubt Blaze has a problem obtaining access to computing > > power and a $25 CD should be within his budget. I am annoyed. Matt Blaze has no obligation to produce CFS for free, let alone a version for dummies. And boy, are you a dummy. As someone who has hacked away at CFS for a long time now on several platforms, including linux, I can state that the issues of porting CFS to linux were trivial and involved a one line sed on the rpcgen output. The more recent versions of linux don't even require this. Further, Matt is hardly the government/corporate lacky that you suggest him to be. Why don't you read some of his papers before you show your technical and social ignorance? Get a life. -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | has stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From scs at lokkur.dexter.mi.us Sat Dec 23 12:45:20 1995 From: scs at lokkur.dexter.mi.us (Steve Simmons) Date: Sun, 24 Dec 1995 04:45:20 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: <199512231904.LAA00483@slack.lne.com> Message-ID: <4bhndf$avo@lokkur.dexter.mi.us> Eric Murray writes: >I'm sure a number of people, myself included, would be willing >to host the CP list should "Dr" Fred make good his threat. And a number of people would no doubt start boycotting Dr. Freds company loudly and publicly should he attack an innocent third party such as toad.com. Fred and Perry are two peas in pod, but as long as they keep their disputes strictly between them I could care less. -- "Home pages are the pet rock of the 90s. We all have them, we all think they're very cute. But in a few years we're going to look back and be pretty embarrassed." -- Tony Shepps From mab at crypto.com Sat Dec 23 12:45:49 1995 From: mab at crypto.com (Matt Blaze) Date: Sun, 24 Dec 1995 04:45:49 +0800 Subject: CFS and Linux (fwd) In-Reply-To: <199512231633.KAA04297@einstein> Message-ID: <199512232014.PAA23147@crypto.com> > If you are going to do it, do it right the first time. > > Second, I really doubt Blaze has a problem obtaining access to computing > power and a $25 CD should be within his budget. > What, exactly, is your complaint? I'm honestly confused. Please see my previous message on this subject for an explanation of the situation regarding CFS with respect to Linux. I'm not "refusing to support" anything. I want to do whatever it takes to get CFS (and other applications of strong cryptography) as widely deployed as possible. I am unwilling to allow supporting CFS to become a full-time job, however, and I'm not going to apologize for that. I have a Linux machine, in fact. But I've tried to run CFS on it and it seems to work fine. I've not investigated further because that seems like a poor use of my time given the large number of Linux experts (who know far more than I ever will about the vagaries of the various Linux releases) who have not come up with a satisfactory, general patch that runs on all the various Linux platforms. The problem seems to be that some versions of Linux include an rpcgen that produces non-standard output. I don't have one of those versions, however, so I've not encountered this "problem" myself. Again, if you want to see CFS, or any other software that I distribute, run on some platform that I don't have, you are welcome to send me patches that I will happily wrap into the distribution (as long as it doesnt break the other supported platforms). Until you do that, you have nothing to whine about. -matt From steve at miranova.com Sat Dec 23 13:05:38 1995 From: steve at miranova.com (Steven L. Baur) Date: Sun, 24 Dec 1995 05:05:38 +0800 Subject: [NOISE] Alta Vista caches queries In-Reply-To: <199512220220.DAA27203@utopia.hacktic.nl> Message-ID: >>>>> "Hieronymous" == Anonymous writes: Hieronymous> Here's one more Hieronymous> reason to worry about the implications of web search Hieronymous> engines: I just stopped in on Digital's new Alta Hieronymous> Vista page, and was surprised to find that the query Hieronymous> field was filled in--with a search I ran 3 or 4 days Hieronymous> ago. I see no evidence whatsoever that caching is taking place. The Alta Vista robot browsed the web site I manage for months prior to public release, and behaved in exemplary fashion. In short, they appear to be managed by people who know what they're doing. There's nothing sinister about Alta Vista IMHO. Furthermore, no one has mentioned the positive changes made to Dejanews since it got bashed thoroughly on this list a few weeks ago. They've significantly turned down the amount of old information indexed, and have restricted the groups (and mailing lists) they archive. -- steve at miranova.com baur From weld at l0pht.com Sat Dec 23 13:30:55 1995 From: weld at l0pht.com (Weld Pond) Date: Sun, 24 Dec 1995 05:30:55 +0800 Subject: 900mhz digital phones Message-ID: <199512232055.PAA01594@l0pht.com> floyddb at alpha.c2.org: > There is a company called Optoelectronics that markets a > radio reciever > called the Interceptor. This is a broad band (several > hundred MHz) device designed to lock on to the most > powerful signal around, regardless of frequency. As > supplied, it only has a rubber duck antenna, but a > broadband, directional antenna (Log Periodic?) could be > attached. There are AM and FM versions that output audio > and a version called the Scout that controls a scanner. > These could have outboard devices hung on to them to decode > digital signals, record the conversation ... all for less > than $1000 I don't think that the Interceptor is going to be much use with spread spectrum reception. Unless you are really, really close to your target other non-ss signals are going to be much stronger. The freq range of the device is 30MHz-2GHz. It is also legal to sell even though it is great at picking up the cellular phone conversations in the car you are tailing. There is also the plausible deniability in a device like this because you don't know what frequency you are listening to so you don't know if it is one of those "illegal ones". A directional antenna isn't much use with a device like this because it will pick up many other stronger signals that will overwhelm your target transmission. I am speaking of suburban or urban areas here. This may work if you are in a rural region where there are no cell towers, braodcast towers, or repeaters in use. The Scout is a just frequency counter so you must have a scanner or the Interceptor to actually listen in. - Weld Pond - From warlord at MIT.EDU Sat Dec 23 14:14:49 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Sun, 24 Dec 1995 06:14:49 +0800 Subject: CFS and Linux In-Reply-To: Message-ID: <199512232154.QAA05863@toxicwaste.media.mit.edu> Just to pick nits... > Everyone I know who writes code serously has at least tried > Linux. No everyone uses it for serious work, but everyone at least > played with it. Not having even tried suggests (to me) a regrettable > lack of intellectual curiosity. I do serious development work under Linux. For example, I've been doing development of PGP 3 on an IBM Thinkpad running Linux. So, I can honestly say that I use Linux for serious work... -derek From nobody at REPLAY.COM Sat Dec 23 14:39:57 1995 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 24 Dec 1995 06:39:57 +0800 Subject: Polish telco policy change Message-ID: <199512232221.XAA26875@utopia.hacktic.nl> Pardons requested from those who rightly try to keep Cypherpunks focused. If any of you can think of ways to get this message out and about, you'd be doing a Good Thing: without bandwidth, privacy means a lot less. >------- Forwarded Message------- >Date: Tue, 19 Dec 1995 15:55:49 +0100 (MET) >From: Marta Dubrzynska >To: Marjan Kokot >Subject: Polish internet > >Dear Netpersonality, > >This is a request for help on behalf of the Polish internet. We >have one single internet provider in Poland: NASK. NASK has >bacause of an agreement with the Polish Telecom a >monopoly on lines connecting Poland with the rest of the world. >University's schools and commercial internet providers have to >get their acces from NASK. >Prizes of internet are high. A complete account with SLIP etc. >costs around 60 $ a month. Telephone costs are 3.7 $ per hour. If you >take into account that wages of around 350 $ per month are >considdered normal it is clear why internet is not used by so many people >in Poland. >And now NASK announced that too many people are using the >internet and that they need more money to keep the lines open. >They decided that from January they would raise the prizes, >and that they would calculate costs per bytes sent or recieved. >Yes that's right, we have to pay for letters you send us and we >have to pay for WWW pages you download from us. This will mean >the end of most internet activity in Poland. >If you want to know the details you can find them at: >http://galaxy.uci.agh.edu.pl/~szymon/protest-eng.html >http://www.put.poznan.pl/hypertext/isoc-pl/battle.html >protest at uci.agh.edu.pl > >That's why we Marta Dubrzynska, Webmaster of the Centre for >Contemporary Art in Warsaw, (http://sunsite.icm.edu.pl/culture/csw/) and >Michiel van der Haagen, Net user (http://www.atm.com.pl/COM/michiel/) ask >your help. >Can you make it clear to our Government and NASK that this policy is >disasterous for Polish culture, economy and education? Please check out >these WWW adresses and react. From abostick at netcom.com Sat Dec 23 15:44:11 1995 From: abostick at netcom.com (Alan Bostick) Date: Sun, 24 Dec 1995 07:44:11 +0800 Subject: PGP timeline FAQ... comments requested In-Reply-To: <297.9512221337@exe.dcs.exeter.ac.uk> Message-ID: <2QF3w8m9LgHf085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- Not to belittle something that is the obvious result of painstaking work; but I think the timeline FAQ can be improved in two general ways: (1) More of the specific events should be specifically dated; and (2) I think it would be appropriate to include a version history of PGP. Among other things, I think it appropriate to note the distinction between PRZ's own Bass-o-matic conventional encryption in the earliest versions and the use of IDEA in later versions. These comments aside, you've done an excellent job, and the facts you present jibe well with my own understanding. - -- Alan Bostick | SWINDON: What will history say? Seeking opportunity to | BURGOYNE: History, sir, will tell lies as usual. develop multimedia content. | George Bernard Shaw, THE DEVIL'S DISCIPLE Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMNxVXeVevBgtmhnpAQHJ1QMAmkcQCxoXN5RW4TaviA6yN8BG4aKF2kHh 98/+2WJDrht15SBNna7M1cclT3k0nb4bY2gTIQpCi080vw6tZVhYMRs+lvBjgbLm 7lGyDvdAzAr6azliI6DKwrL7n8aflRiB =dPNR -----END PGP SIGNATURE----- From sameer at c2.org Sat Dec 23 16:29:40 1995 From: sameer at c2.org (sameer) Date: Sun, 24 Dec 1995 08:29:40 +0800 Subject: apache/ssl now commercially available Message-ID: <199512232359.PAA19453@infinity.c2.org> I've finally gotten the licensing taken care of. Whee! http://www.c2.org/apachessl/ -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From adam at homeport.org Sun Dec 24 09:14:09 1995 From: adam at homeport.org (Adam Shostack) Date: Sun, 24 Dec 95 09:14:09 PST Subject: CFS and Linux In-Reply-To: <199512241606.IAA04460@slack.lne.com> Message-ID: <199512241717.MAA29337@homeport.org> Eric Murray wrote: | Where we're headed is mail filters with PGP imbedded (PGP 3 will | make this much easier) that check incoming mail for a valid signature | for certain PGP keyid/fingerprints and pass that mail along. | Other mail that doesn't match gets tossed into a 'junk' folder | or thrown away if you really don't want to talk to anyone that you | don't already know. I agree with the assesment of where we may be going, but the technology is available now. (Marshall Rose uses it; if you want to get mail into his private mailbox, offer him some $ via imbedded FV authorizations in the mail, and it goes into his inbox. If he thinks it was worth his time, he doesn't charge you.) Anyway, the code is defeintely available now. The back end is a little kludgy, but it was needed for an auto ley retreival script. This could easily be hacked to include a +pubring=$people line. The script gives you a keyid, which you can then use to filter on, ie: :0BW * -----BEGIN PGP KEYID=|sender_unknown # the sender unknown script is below :0: ? [ $KEYID = (`cat .buddies`) ] | /var/spool/mail/adam :0e: junk #!/bin/sh # unknown returns a keyid, exits 1 if the key is known # $output is to get the exit status. Othierwise, this would be a one liner. OUTPUT=`pgp -f +VERBOSE=0 +batchmode -o /dev/null` echo $OUTPUT | egrep -s 'not found in file' EV=$? if [ $EV -eq 0 ]; then echo $OUTPUT | awk '{print $6}' fi exit $EV -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Sat Dec 23 19:22:50 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 24 Dec 1995 11:22:50 +0800 Subject: Air Force hacks Navy? Eeeek! Message-ID: <199512240246.SAA10574@ix5.ix.netcom.com> At 01:57 PM 12/22/95 -0500, fc at all.net (Fred Cohen) wrote: >I thought the ET article indicated an exaguration, but if it's true that >there are no Battleships in the US Navy anymore and that the attack was >run using DoD crypto equipment and networks, it's a heck of a lot >different than buying an off-the-shelf Internet package and taking down >the fleet. > >I have no doubt that someone with enough expertise, classified knowledge >and equipment, access, and assistance can get some limited control over >some US Navy ships for some period of time - but I seriously doubt that >a computer whizzkid can take over the fleet from a PC via Email. Depends on how much of a firewall the Navy's got; it may be that the guy really did a dialin to the Pentagon using passwords, or maybe that the ship really does have network connections without adequate security. People _do_ build dialin and other gateways to get around corporate firewalls, in spite of company policy; wouldn't surprise me if the military has the same problem. About 20 years ago, you could dial an FX line in Des Moines which connected to a line at Offutt AFB in Nebraska and autorotored to a radio circuit up to Looking Glass. Looking Glass had a small PBX; you could dial a 2-digit extension to reach somebody on the plane, or dial back down to the ground. At one point, the radio officer on the plane noticed two lights on on the PBX when nobody on the plane was talking on the phone; the rapidly ensuing investigation found a guy in the barracks using a 16-button Autovon phone dialing through the system to call his buddies in Guam. As one might expect, the phone lines coming down from Looking Glass are authorized to call anywhere in the world, at any precedence/preemption level they want to :-) While I don't personally know either the radio officer or the guy who got busted, I do have a friend who was around there when it happened... And similar nonsense is probably still possible today, unless Murphy's left the military. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # .... Heading back to The Big Phone Company From stewarts at ix.netcom.com Sat Dec 23 19:22:52 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 24 Dec 1995 11:22:52 +0800 Subject: cyphernomicon FTP site? Message-ID: <199512240247.SAA10588@ix5.ix.netcom.com> At 09:07 AM 12/20/95 -0800, you wrote: >At 12:59 AM 12/20/95 -0800, you wrote: >>At 9:18 PM 12/19/95, Vinod Valloppillil wrote: >>>Anyone know where I can FTP a full copy of the cyphernomicon? >[Much deleted] >>Anybody who plans to download the entire linear file and then print it out >>must be missing a bits in his shift register. > >There are reasons to want a non-html version. The best being uploading to >your favorite text-oriented BBSes. (Or crypto-oriented BBSes.) Not >everyone has access to the web. (Yes, I know it is blasphemy...) It's also nice to be able to read it offline, or feed it to grep, or load copies of it to other sites to reduce congestion on Netcom... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # .... Heading back to The Big Phone Company From stewarts at ix.netcom.com Sat Dec 23 21:29:03 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 24 Dec 1995 13:29:03 +0800 Subject: Java and timing info - second attempt Message-ID: <199512240510.VAA03013@ix5.ix.netcom.com> At 10:31 PM 12/18/95 -0800, Jeff Weinstein wrote: > In Netscape Navigator 2.0 Java and JavaScript do not have access >to crypto routines. At some point in the future this will probably >change, but only after we understand the implications much better >than we do today. Doug and/or Amanda Barnes posted some Java crypto stuff a while back, I think using RSAREF; don't know the platform issues. As far as timing goes, Bad Guys can always run accurate timing on their own machines, even if Innocent Victims don't on theirs. However, it may be worthwhile to allow the Java browser users to set the resolution on the clocks available to Java scripts. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # .... Heading back to The Big Phone Company From anonymous-remailer at shell.portal.com Sat Dec 23 22:03:32 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 24 Dec 1995 14:03:32 +0800 Subject: CFS and Linux Message-ID: <199512240544.VAA05521@jobe.shell.portal.com> So the master is at last fallen. Kudos to Mr. Jim Choate and Dr. Dimitri Vulis for having the courage of their convictions to help unmask AT&T's deceit in claiming to support Linux and free software when, in truth, it is doing just the opposite. Maybe, just maybe, we can seize this opportunity to advance the cause of justice, if not justice itself (true justice would require AT&T to recognize its obligation to our heros at Berkeley and pay them their USD 25,000). I call upon us all to expose AT&T for what it is! Had your software erased by the CFS install programme? Return their own medicine! Sue them! Tired of Blaze's prattle about how he is a Linux-lover even though he can't be bothered to use Linux? Challenge him! Tired of AT&T and Netscape employees stealing your resources? Configure your servers to deny W3 access to AT&T and Netscape computers! Linux isn't perfect, but its open environment is a good start for building REAL secure software. Don't let AT&T's lies bully you into abandoning it! CFS will never run under Linux until it is plucked from the monster's grasp. We, too, are guilty when we continue to invite the monster not only to walk in our midst unchecked, but to sleep in our homes as an invited, nay, paid, guest. Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From jamesd at echeque.com Sat Dec 23 23:01:37 1995 From: jamesd at echeque.com (James A. Donald) Date: Sun, 24 Dec 1995 15:01:37 +0800 Subject: Fred Cohen: Re: CFS and Linux Message-ID: <199512240623.WAA25488@blob.best.net> At 03:05 PM 12/23/95 -0500, Steve Simmons wrote: > Fred and Perry are two peas in pod, Perry is an asshole. Fred is a stupid ignorant asshole who talks nonsense. Perry often mixes useful, accurate and informative information in between the insults. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Sat Dec 23 23:01:59 1995 From: jamesd at echeque.com (James A. Donald) Date: Sun, 24 Dec 1995 15:01:59 +0800 Subject: Fred Cohen: Re: CFS and Linux Message-ID: <199512240623.WAA25485@blob.best.net> At 11:04 AM 12/23/95 -0800, Eric Murray wrote: >I'd even be willing to testify in court as to the nature of >Fred's reputation. I'm sure the operator of the Firewalls list >would be too. Fred's reputation is so low he cannot be defamed. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From bdavis at thepoint.net Sat Dec 23 23:14:46 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 24 Dec 1995 15:14:46 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: <199512231823.NAA07160@jekyll.piermont.com> Message-ID: On Sat, 23 Dec 1995, Perry E. Metzger wrote: > > Fred Cohen writes to me in private: ... > > Let's see. I guess I would start by having the police confiscate the > toad.com computers becfause thay are part of a criminal conspiracy to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I didn't realize that AI research was that far along. Can someone point me to the specs for the computer that can become a "part of a criminal conspiracy"?? EBD > daamage my reputation. Criminal because of the recent changes in the > law that prohibit you from sending me information I don't want to get. > Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From bdavis at thepoint.net Sat Dec 23 23:17:15 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 24 Dec 1995 15:17:15 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: <199512231845.NAA07203@jekyll.piermont.com> Message-ID: On Sat, 23 Dec 1995, Perry E. Metzger wrote: > > Fred Cohen writes: > > > The dollar value would be $1 plus a public apology plus all costs of the > > > suit plus my time to right the wrong (at my usual fee of course). Of > > > course the fact that you have decided to make this posting in public > > > justifies my extensive efforts to clear my reputation which, unless you > > > apologize immediately will be surprisingly enjoyable for me. > > > > Go and sue, Fred. Its what I have lawyers for. If you can even find an > > attorney willing to take your "case", mine will likely remind yours > > that lawyers can now be punished by the court in many jurisdictions > > for knowingly aiding in bringing frivolous suits. If you are seeking > > $1 in damages the court is especially likely to consider the whole > > thing a waste of time. > > Your choice, but it's not a very nice Christmas present to find yourself > in litigation. I'll give you till Tuesday to reconsider. If I see the > public apology, I won't call the lawyers. > > If I were you, I would talk to those lawyers of yours and get their > opinion of whether it's worth your while to be malicious toward people > in this way in exchange for defending against a law suit when all you > have to do to prevent it is apologize for what you now know to be a > falsehood. How, exactly, does Perry (or anyone else here) "know" it to be a falsehood. Fred denies it. If I was posting anonymously and was accused of being the anonymous poster, I'd deny it too. Oh, I forgot, someone posting as one of the "Alices" denied it too. That makes it conclusive. This anonymity thing is easier than I thought. EBD Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From don at wero.cs.byu.edu Sun Dec 24 00:04:38 1995 From: don at wero.cs.byu.edu (Don M. Kitchen) Date: Sun, 24 Dec 1995 16:04:38 +0800 Subject: CFS and Linux In-Reply-To: <199512240544.VAA05521@jobe.shell.portal.com> Message-ID: <199512240748.AAA13767@wero.cs.byu.edu> -----BEGIN PGP SIGNED MESSAGE----- Sorry for being one of those who responds to Detweiler's troll... > So the master is at last fallen. Kudos to Mr. Jim Choate and Dr. > Dimitri Vulis for having the courage of their convictions to help > unmask AT&T's deceit in claiming to support Linux and free software > when, in truth, it is doing just the opposite. Patting yourself on the back again eh? I didn't know people as stupid as you knew how to use email. CFS is Matt Blaze's toy. A toy. When ATT starts charging money for CFS, then all your bitching and moaning about ATT _might_ make sense. Oh, by the way, since when did att "claim" to support linux? > Linux isn't perfect, but its open environment is a good start for > building REAL secure software. Don't let AT&T's lies bully you > into abandoning it! CFS will never run under Linux until it is Oh brother, now I know for sure that this is a spoof. Nobody could be this lame for reals... Don - -- fRee cRyPTo! jOin the hUnt or BE tHe PrEY PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39) June 7&14, 1995: 1st amendment repealed. Junk mail to root at 127.0.0.1 * This user insured by the Smith, Wesson, & Zimmermann insurance company * -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMN0F4cLa+QKZS485AQFjFwL+Pk6s59bAATKkSgoH4eGrdcDQ1gwA0Nog Lih8rbkWD7RIf3g2g7xiaPnEI+HQBCWvSHkdeybZ8CPLC/E40ONHeA06+l+J6jDK PpAskeZxu8aUKlyXDl3seIb3Xmguy+Mz =3Kr4 -----END PGP SIGNATURE----- From jimbell at pacifier.com Sun Dec 24 00:58:04 1995 From: jimbell at pacifier.com (jimbell) Date: Sun, 24 Dec 1995 16:58:04 +0800 Subject: Spread-Spectrum computer clock? Message-ID: Recently there has been a substantial amount of discussion concerning the use of accurate timing in an attempt to uncover encryption keys, by carefully noting the length of time that a decryption takes in a computer of a known cpu speed. I have noticed that most of the discussion focussed on the delay time of the overall operation done over a network, for example a LAN or perhaps the Internet, but it has been recognized that imprecision due to indeterminate network timings make such a tactic problematic at least. However, being a ham and occasionally listening to the various odd noises produced by a computer when you tune a VHF or UHF ham radio to a harmonic of the clock speed, it ccurred to me that the delay times WITHIN a particular encryption/decryption would be far more easily measured with local RF snooping. I would imagine that if you can determine even a fraction of a bit of key from a network "ping," you could do a lot better "listening" to the execution of a program within a few hundred feet with an ordinary radio receiver and a sophisiticated analysis program. Okay, I admit, this is certainly not a new idea. The military's TEMPEST program is to build electronic equipment which is so "quiet" that it is impossible (or, at least, arbitrarily difficult) to capture useful information by inadvertent radio transmission. Obviously, that is out of the league (not to mention the budget) of the vast majority of the users of personal computers. Nevertheless, it seems to me that if we as a community of computer users are interested in security, we should not merely focus on the mathematics and algorithms used and their reliability, but also secondary methods to break the systems involved. True, most of us are not sufficiently interesting "targets" to justify this kind of attack, but machines such as encrypted remailers are sufficiently "high value" that protecting them would be worth a little extra effort I'm not under any illusion that we can hope to make them "snoop-proof", but a little effort should substantial raise the difficulty level.. More than a year ago, it occurred to me that it might be worth it to build a CPU clock replacement module that took the place of the main CPU crystal oscillator, and replaced it with a oscillator module whose frequency was (very long period!) pseudorandomly varied, possibly with a resolution of 16-bit and over a range of perhaps 1%., with the frequency varying every few tens or hundreds of microseconds. The result, I presume, is that every operation synchronized to the microprocessor clock would vary in time and would be hard to "tune" with a normal radio receiver. It seems to me that this would make the resulting computer harder to "bug" using standard equipment. If this were do-able and were in fact done, it would probably be worth it to "tailor" the spectrum of variation in clock speed so that these variations do not tend to average out over "long" times, for example a few hundred milliseconds or even tens of seconds. This would at least help to disguise the decryption-time information that is commonly discussed. A complicating factor is the fact that modern motherboards often generate their microprocessor clocks using PLL synthesis from a master clock, probably the 14.318 MHz clock. On the one hand, that might make the process easier; only one clock to vary. On the other, it is at least conceivable that there are some devices in any given computer which depend on a precisely constant clock speed, and would not tolerate such variation. This was probably more true in the early days of the IBM PC; today you usually see separate crystals on any cards that need truly specific frequencies. (Hey, I didn't say this was a perfect solution, merely one that would raise the barrier a bit...) Other potential tactics. (Some of which are already happening; if anybody out there is more informed about such techniques, please tell me) 0. Copper-screen cages. Okay, maybe this appears to be a bit too obvious, but it really isn't too involved: A few years ago, I happened onto a roll of honest-to-goodness copper screen; sort of line window screen but made of pure copper. Sewn/soldered into a bag, it would make an excellent cover. (openings required for floppies and CDROMS, as well as cables are obviously a complication, but... 1. Use CPUs with Internal caches as well as external caches, both to reduce the amount of electronic noise transmitted to antenna-length wires outside the microprocessors, as well as make external memory accesses less predictable and less frequent. Fortunately, I suppose, the natural transition to 486's, DX2's and DX4/4s) and Pentiums has make this happen without any anti-snooping motivaition. 2. Eventually, CRT's will be replaced with some sort of matrix-type displays that emit far less useable information and will be easier to shield. 3. Filtering of every wire that comes out of the computer's case, primarily using a combination of ferrite beads and decoupling capacitors. This would be especially true of the telephone line, which would be accessible from outside a house or office. Also, use of multiple powerline filters/surge protectors in series. 4. I'd pay particular attention to the keyboard interface and its associated microcontroller: Years ago, I speculated that if a VFO (voltage to frequency converter) was placed on the data line between the keyboard and the computer, it would transmit the identity of every key pressed. (This would obviously include passwords, too) (Does the keyboard hardware of the typical PC allow echobacks, whcih would allow the CPU to fill the CPU/Keyboard channel with apparently meaningless random garbage, thwarting RF overhearing of this data?!?) And I wouldn't be surprised if the NSA has built replacement keyboard controllers to be used to surreptiously replace on garden-variety keyboards, controllers which deliberately "broadcast" such information in an even easier-to-discern pattern. Even a short access to such a keyboard and it might be telling your secrets. Even if a black-bag job wasn't possible, If it were possible to tune to its normal keyboard microprocessor operation rate, and given a known keyboard scan pattern a particular pressed key could be identified. Given how cheap keyboards are these days, a slightly paranoid person might buy one from a trustworthy source and glue the case shut to prevent tampering, and replace it monthly with cast-offs. 5. While this isn't my area of expertise, it occurs to me that softrware should be written to complete operations in an identical time frame, no matter the input data. While this has already been hashed over on the nets, the "solution" that is typically discussed involves adding a null loop at the end of the real operation, and contining only after the "wall clock" shows enough time has passed. This isn't an adequate solution, I think, if local RFmonitoring of the computer can be done. (It will know when the actual result ended) A better (and, sadly, more inefficient) method would involve executing BOTH branches of conditional jump, and only using the data generated from the desired half at the very end.. Another possibility might be (for certain large mathematical algorithms) is to split up the functions and to execute them in a "random" order, with enough "dummy" operations inserted to further disguise the facts. For example, if you're multiplying two 1024-bit values to get a 2048-bit result, program this to be done in a pseudrandom order and intersperse any operations with pseudorandom operations to disguise it. (A pseudorandom interrupt generator might help, here.) 6. Think like an NSA hack. If I were such a sneaky bastard, I'd try to figure out a way to module a visible LED on the computer's case with data, or modulate the video display's brightness to signal slow-speed data.. Well, that's just a few thoughts. There's a lot more material out there that ought to be discussed. Admittedly, these subjects can appear to be a bit more than a little paranoid, but without such discussion we're almost certain to be at risk. From attila at primenet.com Sun Dec 24 00:58:08 1995 From: attila at primenet.com (attila) Date: Sun, 24 Dec 1995 16:58:08 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: Message-ID: On Sun, 24 Dec 1995, Brian Davis wrote: > On Sat, 23 Dec 1995, Perry E. Metzger wrote: > > > Fred Cohen writes to me in private: > ... > > > > Let's see. I guess I would start by having the police confiscate the > > toad.com computers becfause thay are part of a criminal conspiracy to > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > I didn't realize that AI research was that far along. Can someone point > me to the specs for the computer that can become a "part of a criminal > conspiracy"?? > > EBD > > > > daamage my reputation. Criminal because of the recent changes in the > > law that prohibit you from sending me information I don't want to get. > > > the basis of the seizure is for evidence collection. then they take their sweet time scrounging the disks for evidence. If no evidence is found, they give it back --eventually. I saw one case go by a couple years back where they were trying to make the computer an accessory to the crime (I dunno, maybe it was supposed to auto-dial and drop the dime --no that's in 18USC as failure to snitch!) of course, if there are drugs involved, they confiscate it as spoils of the criminal act and the equipment is impounded and eventually sold after conviction for the benefit of their slush funds. I would imagin you have seen plenty of the latter one in the Federal attorney's office. this also gets into the issues of private cryptography and that _everybody_ should give up privacy protection, first amendment rights, etc. so uncle can catch a few dopers, gun runners, and other assorted malcreants [sic] --like the difference between {mis,mal}feasance: in both cases you get fucked, but 'mal' is intentional... > Not a lawyer on the Net, although I play one in real life. > hey, at least you admit you're having a good time! > ********************************************************** > Flame away! I get treated worse in person every day!! > -- -------------------------------------------------------------------- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 Message-ID: On Sun, 24 Dec 1995, attila wrote: > On Sun, 24 Dec 1995, Brian Davis wrote: > > > On Sat, 23 Dec 1995, Perry E. Metzger wrote: > > > > Fred Cohen writes to me in private: > > ... > > > > > > Let's see. I guess I would start by having the police confiscate the > > > toad.com computers becfause thay are part of a criminal conspiracy to > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > I didn't realize that AI research was that far along. Can someone point > > me to the specs for the computer that can become a "part of a criminal > > conspiracy"?? > > > > EBD > > > > > > > daamage my reputation. Criminal because of the recent changes in the > > > law that prohibit you from sending me information I don't want to get. > > > > > > the basis of the seizure is for evidence collection. then they > take their sweet time scrounging the disks for evidence. If no > evidence is found, they give it back --eventually. I saw one case go > by a couple years back where they were trying to make the computer an > accessory to the crime (I dunno, maybe it was supposed to auto-dial > and drop the dime --no that's in 18USC as failure to snitch!) Much truth here, but not relevant to Dr. Fred's threat of a civil suit. He can't have his attorneys just call the FBI to pick up toad's computer. CoS's seizure of computers, while shameful, was based on a different legal theory than the good Dr. can possibly allege. EBD > of course, if there are drugs involved, they confiscate it as > spoils of the criminal act and the equipment is impounded and > eventually sold after conviction for the benefit of their slush funds. > > I would imagin you have seen plenty of the latter one in the > Federal attorney's office. this also gets into the issues of private > cryptography and that _everybody_ should give up privacy protection, > first amendment rights, etc. so uncle can catch a few dopers, gun > runners, and other assorted malcreants [sic] --like the difference > between {mis,mal}feasance: in both cases you get fucked, but 'mal' is > intentional... > > > > Not a lawyer on the Net, although I play one in real life. > > > hey, at least you admit you're having a good time! > > > ********************************************************** > > Flame away! I get treated worse in person every day!! > > > > > -- > -------------------------------------------------------------------- > #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL > $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa > 2/d0 pack('H*',$_)while read(STDIN,$m,($w=2*$d-1+length$n&~1)/2) > > -----BEGIN PGP PUBLIC KEY BLOCK----- > Version: 2.6.2 > > mQCNAy5vBesAAAEEAN8cl6vHXrKZ9lFfZDgfyJRr3HidW77Uio7F25QF6QXca5z/ > AS3ZrWsa0CjF2nwrqmyb1E5no7dFB+70ZfK8233r7ykVkWRojT+0K71lnUZO4cjG > +d19/ehXkDpkH3iHU7Uyo4ZdXLiI6uoFDS7ilzx8PCKcgvfq7b04kQrCC2kFAAUX > tAZhdHRpbGGJAJUDBRAur/X7xUpiaI661j0BAbVUA/9RSKN5sOFVB4rjV6+a2aWD > LjD5g/+eZaB/hI98qlPP+SBwzO3+K7+JWt3Fez0gKVju228ACGkvilg2VkMtQ0zm > YCexYL0U9StzHt4xEpowpmaWx22jpEvWnI10LZvT/NO3uYg5r/ezVYc7autKvfvI > rVOo322RkA0HNVV1rqjMGw== > =UNt4 > -----END PGP PUBLIC KEY BLOCK----- > > Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From jirib at sweeney.cs.monash.edu.au Sun Dec 24 03:03:42 1995 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Sun, 24 Dec 1995 19:03:42 +0800 Subject: ex encrypted script In-Reply-To: <199512202339.RAA05220@cdale1.midwest.net> Message-ID: <199512241046.VAA06529@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello andr0id at midwest.net (Jason Rentz) and Cypherpunks Dr0id wrote: > I have several simple scripts that are simple yet handle important realtime > call proccessing tasks and remote control operations. These programs are my > programs but are running on a system that is dialed into by the vendor once > in a while. The problem will be that a superuser can do just about anything... > Is there a way to encrypt a script yet still allow it to be runnable? I ... Well, what's wrong with pgp -f | /bin/sh ? Obviously, it still decrypts before use, and may or may not be useful depending on your application, but it never has a file with the unencrypted script around. > I thought of a few simple protections but they all involve decrypting before > running. It depends on what you want to prevent: copying the scripts, running them, understanding them, or what? To prevent copying/running them, you can use the above script, but you'll have to type in the passphrase each time (checking that noone is watching you, which is impossible with a determined su). If you just want them to not understand, obfuscation should suffice. (But reverse-engineering can still be applied.) (On the "supply useless source" subthread, it is possible to define the term "source code" so as to disallow such obfuscation. See the GNU GPL ("copyleft") licence for an example.) Adiau Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMN0vfyxV6mvvBgf5AQGHkwP9EXLywkYYY6yNEAD3psLr/mbd7ACDe9hF NxDdu1LRQqtTmRx2GaozIEg2QWBaADEZ3TP7WyQyN9g81mC5bPk6Ys7imCvSDYW5 U1qg6MuE/biLlKuScE0AlpPeeKmqwSdG8bo8IsnMyyBnaeN1mBvfXVbwXzkpgJ7O 3IwGHbmB/wg= =+g0v -----END PGP SIGNATURE----- From blancw at accessone.com Sun Dec 24 05:42:51 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Sun, 24 Dec 1995 21:42:51 +0800 Subject: To Youall Message-ID: <9512241324.AA23587@pulm1.accessone.com> ^ _:(O):_ <<<<<+>>>>> }}:{{ '^'^'^'^'^' ~~d^~q~V~p~^b~~ ^ |[pg/M\pgvgp/M\gp]| ^ g/M\pgp/M.M\pgp/M.M\pgp/M\p /M/:\M\V/M/:\M\V/M/:\M\V/M/:\M\ ~==|\M/&:&\MVM/&:&\MVM/&:&\MVM/&:&\M/|==~ *{$$$MeRrYxmaS$TocpunKs at eVeryWheRE.CoM$$$}* ~==|\/M\:/M\V/M\:/M\V/M\:/M\V/M\:/M\/|==~ '{\O[o%[anDtimMIe&eLDee,to0]&o]O/}' ^/.\:^.^W^.^:^.^W^.^:^.^W^.^:/\.^ {p\qVp^q:p^qVp^q:p^qVp/q} o=o\==o===O===o==/o=o x..X\..X../X..x (dbdb\W/dbdb) )'\\%//'( '***' &:& : . From bplib at wat.hookup.net Sun Dec 24 05:50:30 1995 From: bplib at wat.hookup.net (Tim Philp) Date: Sun, 24 Dec 1995 21:50:30 +0800 Subject: Civility Message-ID: Ladies and Gentlemen; As I am sure that most of you have noticed, this is a high volume list. I have just spent the last 20 minutes deleting personal attacks and non-crypto related junk from my mail. Normally, this list is of fairly high quality and I enjoy reading the technical and political discussions that appear here. It must be something in the water but lately the nonsense has reached epic proportions. Now I realize that trying to get an independent bunch of people (as the cypherpunks must be) to conform to a minimum standard of behaviour is like herding cats ( I like that image! ) but in the interests of your fellow list members, please take the attacks to private E-mail. This might make the volume of crypto-related material managable to the rest of us. Let the flames begin! ( In private E-mail please!) By the way, seasons greetings to everyone! Tim Philp Brantford, Ontario, Canada =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From dlv at bwalk.dm.com Sun Dec 24 07:10:19 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 24 Dec 1995 23:10:19 +0800 Subject: CFS and Linux In-Reply-To: <199512240748.AAA13767@wero.cs.byu.edu> Message-ID: <1T7LgD3w165w@bwalk.dm.com> "Don M. Kitchen" writes: > Sorry for being one of those who responds to Detweiler's troll... I wonder which of the participants are Lance... > > So the master is at last fallen. Kudos to Mr. Jim Choate and Dr. > > Dimitri Vulis for having the courage of their convictions to help > > unmask AT&T's deceit in claiming to support Linux and free software > > when, in truth, it is doing just the opposite. There's been a bit of confusion here. Perry Metzger stated that Matt Blaze doesn't have Linux and shouldn't support it. Naturally, this got a few Linux fans (like myself) overly emotional. Matt Blaze later said that he does have Linux (contrary to what Perry said), that CFS installs fine, under his version, and that he's been unable to duplicate the problem reported here (but will include a fix in future distributions if someone supplies it). It's a perfectly reasonable position. In particular, this is a much more reasonable position than the anal-retentive one most MS Windows freeware authors take when you ask them about running their programs under WinOS2. I told Matt what I thought of this in private e-mail. _I_ don't have a problem with Matt Blaze. My conjecture is that during this long holiday weekend certain contributors are taking recreational drugs before posting to the mailing list. > Patting yourself on the back again eh? I didn't know people as stupid > as you knew how to use email. That's what's wrong with the net in general. 10+ years ago, when I started using it, it was hard to use e-mail and Usenet, so most of the people using it had to be fairly intelligent. Today, no intelligence is required to use e-mail, or even a cpunks anonymous remailer. I wish crypto software and mail filtering software followed the suit and became as easy to use and transparent at the rest of our comm software. I've been communicating with one sci.crypt personality, who configured his procmail to accept e-mail only from a list of people he knows. To be able to send him e-mail, I had to contact him by other means and ask him to add my name to the list of approved correspondents. :) He's not checking digital signatures, just the from lines. (By the way, he's not on cypherpunks because he considers the level of crypto expertise here to be too low.) Is this where we're heading? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jya at pipeline.com Sun Dec 24 08:34:26 1995 From: jya at pipeline.com (John Young) Date: Mon, 25 Dec 1995 00:34:26 +0800 Subject: TAX_zip Message-ID: <199512241540.KAA04264@pipe2.nyc.pipeline.com> 12-24-95. NYPaper: "Money Laundering, New and Improved. To really hide loot, wait for the arrival of 'cybercash.' " The days when you could trust a Swiss banker to hold on to your millions and keep his mouth shut are long gone. Embarrassing disclosure incidents are forcing any money launderer worth his pocket change to go high-tech, using the wonder of home-banking computer programs to zip money across borders. What American authorities fear the most, however, is the rise of "cybercash." "The nightmare of it is that there is no registration of every transaction, the way there is if you use a Visa or Mastercard," said Stanley E. Morris, who heads the financial crimes enforcement network. TAX_zip (7k) From jya at pipeline.com Sun Dec 24 08:38:29 1995 From: jya at pipeline.com (John Young) Date: Mon, 25 Dec 1995 00:38:29 +0800 Subject: KID_zoo Message-ID: <199512241541.KAA04332@pipe2.nyc.pipeline.com> 12-24-95. NYPaper: "Case Involving Free Speech And the Internet Is Settled." A dispute about free speech on the Internet has been settled out of Court here after a local school district admitted that a high school principal had wrongly reprimanded a student for lampooning his school on the World Wide Web. The school district apologized to Mr. Paul Kim for the punitive actions. "We now know our own boundaries," said Ann Oxrieder, the school district's spokeswoman. "The Internet is unexplored territory for schools and we now know that when a student uses his own equipment and on his own time, we should stay out of it." KID_zoo (6k) From jya at pipeline.com Sun Dec 24 08:51:34 1995 From: jya at pipeline.com (John Young) Date: Mon, 25 Dec 1995 00:51:34 +0800 Subject: RAT_357 Message-ID: <199512241548.KAA04638@pipe2.nyc.pipeline.com> The NYPaper of 12-23 and 12-24-95 report on the arrest Wednesday and "suicide" yesterday of Thomas Lewis Lavy, who was jailed under anti-terrorism statutes for trying to import from Canada to Alaska 130 grams of the deadly poison ricin -- enough to "kill thousands of people," officials said. Some 40 F.B.I. agents and Army chemical warfare specialists mounted the assault in deadly "survivalist, fundamentalist" Arkansas, right deadly Ollie North's recreational-poison/gun swap fly-in. Lavy's attorney, Sam Heuer, took sharp issue with the government's accusations. "It is such a tragic case," Mr. Heuer said. "An overzealous U.S. Attorney in Alaska and a hot dog F.B.I. agent tried to paint Tom as something he was not. Tom was a very gentle, very kindly person. We have the right to have rat poison or coyote poison, just like we have the right to have a .357 Magnum." RAT_357 (12k) From jcobb at ahcbsd1.ovnet.com Sun Dec 24 09:03:18 1995 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 25 Dec 1995 01:03:18 +0800 Subject: FTC Privacy Initiative Message-ID: Friend, You may wish to inform yourself about the FTC Privacy Initia- tive: The US Federal Trade Commission has launched a "Privacy Initia- tive" to investigate whether the information collected at web- sites (either that affirmatively submitted by a visitor via a form or information collected based upon a visitor's selection of pages at a site to reflect personal interests) should be the subject of regulation by the FTC. To get background on this effort, you may want to read a speech by FTC Commissioner Varney on Electronic Commerce and Privacy which is available at the FTC's site under speeches http://www.ftc.gov or [at] the Advertising Law Internet Site http;//www.webcom.com/~lewrose/home.html under speeches. This week the staff of the FTC established a mailing list to allow interested parties to discuss the issues surrounding the privacy interests of consumers visiting web sites. To subscribe, send the message subscribe to privacy-request at ftc.gov ---- The above is an excerpt from a 12 20 95 message to another list. Cordially, Jim From dsr at lns598.lns.cornell.edu Sun Dec 24 09:05:14 1995 From: dsr at lns598.lns.cornell.edu (Daniel S. Riley) Date: Mon, 25 Dec 1995 01:05:14 +0800 Subject: [Noise] Re: Alta Vista caches queries In-Reply-To: <199512220220.DAA27203@utopia.hacktic.nl> Message-ID: <9512241608.AA07620@lns100.lns.cornell.edu> In article <199512220220.DAA27203 at utopia.hacktic.nl> nobody at REPLAY.COM (Anonymous) writes: nobody> I just stopped in on Digital's new Alta Vista page, and was nobody> surprised to find that the query field was filled in--with a nobody> search I ran 3 or 4 days ago. The forms interface for Alta Vista uses METHOD="GET", which means the parameters for the query are encoded in the URL, not transmitted separately as it would be for METHOD="POST". For example, a search for "cypherpunks" sends a request for the URL http://www.altavista.digital.com\ /cgi-bin/query?what=web&q=cypherpunks&Submit.x=0&Submit.y=0&pg=q If I bookmark that URL and return to it later, Alta Vista will rerun the query just as it did the first time (btw, the first two hits from that search are detweiler pages). On several visits to http://www.altavista.digital.com/ I see no evidence that they are caching queries, so I suspect you cached the query yourself by bookmarking a search result. Of course, this does not mean that one shouldn't have the usual privacy concerns that apply to any WWW service... From ericm at lne.com Sun Dec 24 09:05:34 1995 From: ericm at lne.com (Eric Murray) Date: Mon, 25 Dec 1995 01:05:34 +0800 Subject: CFS and Linux In-Reply-To: <1T7LgD3w165w@bwalk.dm.com> Message-ID: <199512241606.IAA04460@slack.lne.com> > That's what's wrong with the net in general. 10+ years ago, when I started > using it, it was hard to use e-mail and Usenet, so most of the people using it >had to be fairly intelligent. Today, no intelligence is required to use e-mail, > or even a cpunks anonymous remailer. I wish crypto software and mail filtering > software followed the suit and became as easy to use and transparent at the > rest of our comm software. Long for the good old days of bang-paths, 300 baud acoustic couplers and UUCP maps? see http://www.lne.com/lemay/writings/curmudgeonnet.html > I've been communicating with one sci.crypt personality, who configured his > procmail to accept e-mail only from a list of people he knows. To be able to >send him e-mail, I had to contact him by other means and ask him to add my name > to the list of approved correspondents. :) He's not checking digital > signatures, just the from lines. (By the way, he's not on cypherpunks because > he considers the level of crypto expertise here to be too low.) > > Is this where we're heading? Close. Where we're headed is mail filters with PGP imbedded (PGP 3 will make this much easier) that check incoming mail for a valid signature for certain PGP keyid/fingerprints and pass that mail along. Other mail that doesn't match gets tossed into a 'junk' folder or thrown away if you really don't want to talk to anyone that you don't already know. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From owner-cypherpunks at toad.com Sun Dec 24 13:44:32 1995 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Mon, 25 Dec 1995 05:44:32 +0800 Subject: No Subject Message-ID: Eric Murray wrote: | Where we're headed is mail filters with PGP imbedded (PGP 3 will | make this much easier) that check incoming mail for a valid signature | for certain PGP keyid/fingerprints and pass that mail along. | Other mail that doesn't match gets tossed into a 'junk' folder | or thrown away if you really don't want to talk to anyone that you | don't already know. I agree with the assesment of where we may be going, but the technology is available now. (Marshall Rose uses it; if you want to get mail into his private mailbox, offer him some $ via imbedded FV authorizations in the mail, and it goes into his inbox. If he thinks it was worth his time, he doesn't charge you.) Anyway, the code is defeintely available now. The back end is a little kludgy, but it was needed for an auto ley retreival script. This could easily be hacked to include a +pubring=$people line. The script gives you a keyid, which you can then use to filter on, ie: :0BW * -----BEGIN PGP KEYID=|sender_unknown # the sender unknown script is below :0: ? [ $KEYID = (`cat .buddies`) ] | /var/spool/mail/adam :0e: junk #!/bin/sh # unknown returns a keyid, exits 1 if the key is known # $output is to get the exit status. Othierwise, this would be a one liner. OUTPUT=`pgp -f +VERBOSE=0 +batchmode -o /dev/null` echo $OUTPUT | egrep -s 'not found in file' EV=$? if [ $EV -eq 0 ]; then echo $OUTPUT | awk '{print $6}' fi exit $EV -- "It is seldom that liberty of any kind is lost all at once." -Hume From cp at proust.suba.com Sun Dec 24 15:08:17 1995 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 25 Dec 1995 07:08:17 +0800 Subject: CFS and Linux Message-ID: <199512242026.OAA02586@proust.suba.com> > AT&T's refusal to support CFS and other so-called "secure" software > under Linux is typical and to be expected. This is the dumbest thread I've ever seen. First of all, AT&T lets Matt distribute CFS and other crypto related tools from an AT&T site. In the current legal environment, I think that's a good show of "support". Second of all, Matt has put in a lot of effort to make CFS usable to Linux users. I have personally gotten help on more than one occaision from Matt with CFS and Linux, and I've seen him answer lots of questions on the CFS users' mail list. Here's an example: when I first started using CFS, the documents were formatted with a macro that wasn't included with the most popular linux distributions. I pointed this out to Matt and took the time to rewrite the docs using a different macro, so Linux users would be able to read it. I'll bet he's done dozens of fixes to make CFS run better on Linux boxes. What's more, Matt recently took the trouble to set up a Linux box for the sole purpose of testing CFS on it. I love Linux and I use it, but the fact that everyone has a slightly different distribution makes it a tough platform to support. As Matt's already pointed out, most of the problems that people have with Linux and CFS seem to stem from a broken rpgen that come with some, but not all, distributions of Linux. Finally, as Perry pointed out, neither Matt nor AT&T owe us anything, so it would be impossible to find fault with Matt even if he hadn't done any work to support Linux. Lots of people run CFS on Linux. I'd even be willing to bet that Linux is the most popular CFS platform, judging from the traffic on the list. If you can't run CFS on your Linux box, you might want to consider the possibility that you don't know what you're doing. From cp at proust.suba.com Sun Dec 24 15:09:04 1995 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 25 Dec 1995 07:09:04 +0800 Subject: corporate bashing Message-ID: <199512242101.PAA02640@proust.suba.com> There have been some recent posts here flaming AT&T, Netscape, and people like Matt and Jeff who work for them. These posts seem to come out a paranoid mindset that distrusts any institution with power, and a romantic idea that the cypherpunks are subversive idealists fighting for truth and justice in the face of overwhelmingly powerful opponents. The truth is that several important institutions have contributed a lot to the fight for privacy. That may not be romantic, and it may not fit well with some people's adolescent fantasies, but it is what's actually happened. The New York Times, the most influential paper in America, has consistently argued against censorship on the net. MIT, one of our most prestigious universities, has taken on the free distribution of strong crypto tools and lent considerable credibility to Phil Zimmermann. AT&T funded the research Matt Blaze did which deomonstrated that a forge chip would interoperate with an escrowed one. If we had to pick one single thing that killed clipper, it would probably be that deomonstration. Netscape not only put crypto into its products, it's opening them up so that they'll talk to other people's products. This is a big step forward: even if Netscape caves into GAK, you'll be able to talk to one of Sameer's Apache-SSL servers in the Netherlands. GAK is unenforceable if standards are open and interoperability is possible. And despite the complaints of many here, Netscape has taken a strong stand aginst GAK and ITAR. Even Microsoft's Bill Gates has apparently written well and persuasively aginst GAK. None of this is conincidental, and if you don't understand why you ought to read Friedman's "Capitalism and Freedom". We are not extremists. There is nothing extreme about believing that an email you send to your spouse or your friend ought to be private, or that people ought to be able to read and write about whatever subject interests them. The extremists are those who are fighting so hard to preserve the possibility of totalitarianism. From anonymous-remailer at shell.portal.com Sun Dec 24 15:10:46 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 25 Dec 1995 07:10:46 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE?? Message-ID: <199512242051.MAA24295@jobe.shell.portal.com> Well, it looks like somebody finally seconded my vote for AT&T & Netscape to win the Christmas Net Scrooge Award. His words were: "It makes me sick ... it's like the Nazi's sending out the Brownshirts to break the windows for all the looters." So, I'll just repost the entire nomination without any editting. Even though I've gotten Christmas wish #2 (Bob Dole is NOT going to Bosnia), I think it's still topical, since I'm still waiting on Christmas wish #1 and #3. So ... just in case Santa is listening ... and since I already got wish #2, rather than just bringing Peace on Earth and Goodwill to All Men, which everybody asks for, anyhow -- could Santa do something about the Big Bad Oil Companies who want to drill in the Arctic National Wildlife Refuge?? I _know_ that Santa wants to protect the sensitive tundra around his Northern home. We all know that we aren't short of oil on the North American continent, like the Big Bad Oil Companies would have us believe. The Canadian tar sands in Alberta have proven reserves larger than Saudi Arabia, and are already a proven technology, and Torch Energy out of Texas is already a player, there, I think. No need to disturb the Wildlife. Protecting some Cariboo, would be a right friendly Christmas present, from Santa, if he can pull some strings. Thanks Santa. (if you're listening, I mean ...) (And now, for the repost ...) - - - - - - - - - - - - - - - - - - - - - Just in case, anyone missed this yesterday, I thought I'd renominate AT&T & Netscape for the: *** 1995 CHRISTMAS NET SCROOGE *** *** AWARD *** (T-shirt sales coming soon, to a website near you ...) ------------ Alice here ... Back on Tue, 19 Dec 1995, I wrote: >>>Can anyone tell me whether Ian Goldberg and David Wagner got their >>>$25,000 from Netscape for finding the HUGE security flaws in Netscape's >>>existing product line?? >>> >> >I can't remember whether they got anything or not ... >> >> That would be no (well, except for the nifty T-shirt from Sameer; Thanks!). > > Not anything?? That's shameful ... where on earth are the values in > America, today? Everyone should ask this question. AT&T can sign-on to a two-page ad, calling on Congress to balance the budget -- to cut off veterans, and cut-off women with dependent children just before Christmas. It can sign on to this, but it can't bother to even offer a scholarship to the students who helped make its fortunes. It would rather leave the impression that it freeloads off of other's efforts. It's shameful. > AT&T and Netscape have jointly made a small fortune distributing this > product, and yet NEITHER company feels that the software engineers who > "voluntarily" made a difference -- a couple of students -- deserve > even a wooden nickel for the ideas which were used. > > It's absolutely shameful. But then, I guess that AT&T and Netscape > have no shame at all. > > They just steal "intellectual property" from students, and don't even > pay a token amount. > > And people wonder what's wrong with America? Luckily for those of us who don't live in the United States, we can perhaps look at that country and truly wonder what is going on over there, and what is wrong with America? Where are the values amongst ALL Americans, not just Netscape and AT&T? What are the role models that all the leaders -- business, sports, and political leaders -- show to the national youth. Here is all I've seen (as a foreigner), over the last while: Enid Greene Waldholtz blubbering in a news conference about how she as a congress person certainly COULDN'T be expected to resign after winning her election with stolen money. Blubbering for five hours straight (except when she had to stop to turn a page, I mean) ... She certainly said that "leadership" is all about playing "victim". Poor little Enid. (And even worse, she was _defended_ by Susan Molinari.) Bob Dole, deciding to go to Bosnia. The former WW II veteran willingly jeopardizing the lives of American boys -- boys who have put their lives on the line in a _volunteer_ armed force -- all for a lousy political photo-op. The chance to say ... "hey look at me, I'm here in Bosnia." Someone who's willing to overrule the Pentagon's own most diplomatic advice on how complex an operation this actually is. And then there is AT&T. A company who's Chairman can publish a letter which calls on Congress to cut off checks to mothers with dependent children and war veterans days before Christmas, all while stealing and freeloading off of the work of some students. Scrooge ... take heart. Here's Holiday wish #1. Enid do the right thing ... resign. Say the "right thing" and say that your child -- the future and the delayed gratification that the future brings -- is much more important than your own personal PRESENT political aspirations. Here's Holiday wish #2. Bob, lots of people worked their asses off to make sure that the American fighter pilot, and the two French fighter pilots could be rescued from Bosnia. If you want to go and get some photo-ops, go to Germany or Italy, and give one hell of a vote of support to the boys that are there -- a support which could just as easily have been given and should be given in Congress. A _real_ strong unfettered commitment. And here's Holiday wish #3. AT&T. Do the right thing. Reward those people who help make you a fortune. Stand tall as an example, rather than as an embarrassment to the nation. You've ignored this for so long now, that you've almost dug your own grave. But you still have a chance to save face. Have the courage to take the chance when it's offered. Simply say that the proposal to reward David Wagner and Ian Goldberg -- some holiday mad money and scholarships -- was lost in committee, and approval processes -- but it WAS in the works, and it was recommended and can now be announced just before Christmas, as a rightful reward. Some holiday cheer. Will people think it's a cynical attempt at manipulation? Yep. But it's a darned site better than the alternatives -- especially when you look at possible future outcomes. Trust me, this is far better than calling for veterans and single mothers with children to be cut-off just before the holidays. Perhaps, Enid, Bob, and AT&T will all learn when to use offense and when to use defense. They might also learn that the best offense is a good defense. They might even begin to look at what "courage" truly is, and of how difficult it can be for anyone to do the "right thing", especially when they think that they're surrounded by minefields. Even when the "right thing" is in your own best interest, you not only have to be shown the right path to take, but you have to have the motivation and courage to make the move and take action. Enid, Bob, and AT&T, take note. Hopefully for the holidays, everyone finds the courage to neutralize some portion of the vulnerability spectrum they've placed themselves in. > > - Ian "There's a reason people talk about `starving grad students'..." > > Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E. From nobody at valhalla.phoenix.net Sun Dec 24 15:15:42 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Mon, 25 Dec 1995 07:15:42 +0800 Subject: X-Mas-Pisswords Message-ID: <199512241945.NAA06757@ valhalla.phoenix.net> Pseudonymous confusion. S. Boxx and Sue D. Nym (and some others with short duration) are proven historical nyms of Larry (Lance) Detweiler. Vladimir S. Nuri is the going suspected (proven?) tentacle; some believe he is Larry's better self. Dimitri Vulis seems closely related letter-wise. Alice originally drew attention when claiming that he had found a 'huge hole' in Netscape (if configured to run Postscript code). Alice (now with a penet address) is claiming to be a Canadian and has knowledge supporting that claim (according to other Canadians on the list). He is still attacking Netscape (and ATT) now and then, in between political causeries. The obvious other Alice('s) posted for a short period mainly to make a point about signatures. Fred Cohen once(?) had a reputation as a virus expert, being on the panel of various security conferences. He has since obviously made many enemies on the firewall list, and now also on this list. He is not a Canadian(?). He shares Alice's concern for Postscript (and JAVA) on the WWW but does not come anyway near Alice in political (occasionally rather funny) muck-raking. Analysis of writing styles clearly outdistance Larry (Nuri, Vulis) from (the Canadian) Alice. Fred and Alice are not as easy to separate, especially when they are flaming, but probably they are not the same. Pissy From jkm3 at pipeline.com Sun Dec 24 15:17:10 1995 From: jkm3 at pipeline.com (John K. Mackenzie) Date: Mon, 25 Dec 1995 07:17:10 +0800 Subject: Mailing list Message-ID: <30DDD1E3.3A09@nyc.pipeline.com> Put me on your list if you get anything started. From jya at pipeline.com Sun Dec 24 15:17:17 1995 From: jya at pipeline.com (John Young) Date: Mon, 25 Dec 1995 07:17:17 +0800 Subject: Jingling Bells Message-ID: <199512241953.OAA15659@pipe4.nyc.pipeline.com> That NY Times upbeat shopping report on gift-horse laundering recalls Judeo-Christo-Muslim-Buddhist-whatever X-marketing of indulgences to complicitously blessed international drug-running bandit-patrons of days gone by. Battling the state for tax-whack is the grand legacy of brawling twix cult and state. Tithe or tax, forgiveness or the noose, adorable mass-murderer, theism or atheism, no exit, you're hoisted. It's a fine compact for building monuments to bedrugged faith of earthly pleasures, temples and capitols, cons spiritual blessing and caressing cons secular for percentages generous. Bedrugged with the rich history and rewarding journalism of such back-scratching by gods of mammons galore, one wonders how many Caribbean rimmers of yet unadvertized international cults are now bulging their laundry sacks cuts of the drugs. To the cults of rome and jerusalem and mecca for swamplords of rickety blow-downs, of scientologists mimcking these venerable predecessors, add the ex-swiss bankers now sweltering in hellish Cayman, the hot-eyed ex-usa's with kids in college, sole-practitioner very hungry beagles, all deeply inhaling the colombian aroma. All offering mother goose refuge from Sam, off-shore, in the cave of shadows, any world of illusory power where you're willing to pay the stiff-arm dues for protective delusion. There's no fee meal like that served by god-mammon's own earthly courtesans and courtiers sweet-and-sour abrading innermost money=immortality fears. CoS's E-meter-cleaner is dead-on for E-cash-drug jingling bells. From dlv at bwalk.dm.com Sun Dec 24 15:19:06 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 25 Dec 1995 07:19:06 +0800 Subject: CFS and Linux In-Reply-To: <199512241606.IAA04460@slack.lne.com> Message-ID: Eric Murray writes: > > > That's what's wrong with the net in general. 10+ years ago, when I started > > using it, it was hard to use e-mail and Usenet, so most of the people using > >had to be fairly intelligent. Today, no intelligence is required to use e-ma > > or even a cpunks anonymous remailer. I wish crypto software and mail filter > > software followed the suit and became as easy to use and transparent at the > > rest of our comm software. > > Long for the good old days of bang-paths, 300 baud acoustic couplers > and UUCP maps? see http://www.lne.com/lemay/writings/curmudgeonnet.html Not at all -- I welcome all progress. My first modem was 110 bps. When we got a 300 bps one, it seemed lightning fast (and really cut down the LD bill for the data calls to Virginia). In fact, I'm very happy that easy-to-use Internet software enables people to use the net who couldn't do it before. I've been telling all my non-computer acquaintences to get onto the net for 5--8 years, but most of them did only in the last year or two. I wish there was real easy privacy-enhancement software that every "clueless newbie" could use. Maybe in PGP 3... > Where we're headed is mail filters with PGP imbedded (PGP 3 will > make this much easier) that check incoming mail for a valid signature > for certain PGP keyid/fingerprints and pass that mail along. > Other mail that doesn't match gets tossed into a 'junk' folder > or thrown away if you really don't want to talk to anyone that you > don't already know. Alas, this is what the future net will be like. Some out-of-band communication will be necessary before e-mail can be exchanged; or perhaps there will be a protocol to enable Alice to write Bob (who doesn't know Alice) and say: "You don't know me, but Carol vouches that it's worth your while for you to read my e-mail." Or Alice can ask Carol to e-mail Bob directly. Is something like this already available for FTP? :) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From harmon at tenet.edu Sun Dec 24 15:19:22 1995 From: harmon at tenet.edu (Dan Harmon) Date: Mon, 25 Dec 1995 07:19:22 +0800 Subject: CFS and Linux (fwd) In-Reply-To: <199512231640.LAA07020@jekyll.piermont.com> Message-ID: On Sat, 23 Dec 1995, Perry E. Metzger wrote: < elided> > > Setting up and doing work on a new operating system is *WORK*. It > takes time. It takes space in your lab or office. Maybe he just > doesn't feel like spending that time, effort, and lab budget. Why > should he? CFS is a GIFT. It isn't a product. Maybe if you paid > someone to maintain a Linux version you would have one, but you aren't > paying a penny. Quit looking a gift horse in the mouth. > > .pm > I concur it is work!!!! and very time consuming. And it also takes time away from other projects, and if you are like most of us we don't have enough time for our current projects. Dan From perry at piermont.com Sun Dec 24 15:20:13 1995 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 25 Dec 1995 07:20:13 +0800 Subject: CFS and Linux In-Reply-To: <1T7LgD3w165w@bwalk.dm.com> Message-ID: <199512241852.NAA12570@jekyll.piermont.com> Dr. Dimitri Vulis writes: > There's been a bit of confusion here. Perry Metzger stated that Matt Blaze > doesn't have Linux and shouldn't support it. I was incorrect that he didn't have Linux, but I stand by my position that Matt is under no obligation to support anything, or even maintain CFS at all. Its free software. Saying that someone is obligated to do anything for free is repugnant. If he wants to support Linux better, thats nice of him, but no one should bitch at him if he chooses not to work for nothing for them. One should thank Matt for being nice enough to do any of this AT ALL. Perry From fc at all.net Sun Dec 24 15:50:21 1995 From: fc at all.net (Fred Cohen) Date: Mon, 25 Dec 1995 07:50:21 +0800 Subject: corporate bashing In-Reply-To: <199512242101.PAA02640@proust.suba.com> Message-ID: <9512242220.AA04636@all.net> > We are not extremists. There is nothing extreme about believing that an > email you send to your spouse or your friend ought to be private, or that > people ought to be able to read and write about whatever subject interests > them. The extremists are those who are fighting so hard to preserve the > possibility of totalitarianism. In that sense, many cypherpunks are not extremists, but in another sense, many (most?) cypherpunks are. They seem to believe that in the Intenet, slander is acceptable behavior and that anonymity should be used as an escape from responsibility for what they do and say. If you want to remain free to speak your mind, you have to become responsible in at least two ways: 1 - You must top slandering people. 2 - You must stop using anonymity as a way to avoid being responsible. When I say must, I am not intending to mean anything less. If the cypherpunks continue to do these two things, they will rapidly find that they are doing more to destroy all of our rights to free speech in the Internet than they ever did to encourage freedom of expression. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From cp at proust.suba.com Sun Dec 24 16:16:13 1995 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 25 Dec 1995 08:16:13 +0800 Subject: corporate bashing In-Reply-To: <9512242220.AA04636@all.net> Message-ID: <199512242356.RAA03010@proust.suba.com> > 1 - You must top slandering people. > 2 - You must stop using anonymity as a way to avoid being responsible. No. You must learn how to decide whether or not you want to believe something by looking it's plausibility and where it came form, and when you do learn that you need to realize that other people know how to do it as well. Don't blame anonymity for your own or others' inability to think critically. From fc at all.net Sun Dec 24 16:27:22 1995 From: fc at all.net (Fred Cohen) Date: Mon, 25 Dec 1995 08:27:22 +0800 Subject: bashing (fwd) Message-ID: <9512250004.AA08671@all.net> Forwarded message: >From fc Sun Dec 24 19:04:04 1995 Subject: bashing To: cp at proust.suba.com (Alex Strasheim) Date: Sun, 24 Dec 1995 19:04:04 -0500 (EST) In-Reply-To: <199512242356.RAA03010 at proust.suba.com> from "Alex Strasheim" at Dec 24, 95 05:56:44 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 1253 > > 1 - You must top slandering people. > > 2 - You must stop using anonymity as a way to avoid being responsible. > > No. > > You must learn how to decide whether or not you want to believe something > by looking it's plausibility and where it came form, and when you do learn > that you need to realize that other people know how to do it as well. I'm all for believing or not believing based on your understandings, but this is not the same as slander or irresponsible behavior hidden behind false identity. I'm also in favor of anonymity, but not for the purpose of slander. There are a lot of good and valid reasons for anonymity, and I believe that it is a basic requirement of freedom, but we will lose the ability to be anonymous if enough of us abuse the freedom. > Don't blame anonymity for your own or others' inability to think critically. I don't and didn't blam anonymity for this. I blame people who hide behind anonymity as a way to be irresponsible without apparent recourse. Evaluating statements and giving your opinion is not the same as making insluting, untrue, and crude remarks about individuals. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From wlkngowl at unix.asb.com Sun Dec 24 17:33:26 1995 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 25 Dec 1995 09:33:26 +0800 Subject: PGP timeline FAQ... comments requested Message-ID: <199512250123.UAA18523@UNiX.asb.com> On Fri, 22 Dec 95 13:37:35 GMT, you wrote: [..] Great job. A couple of suggestions... Version histories, with differences in each version. Also good to debunk the "PGP before version x isn't safe to use" myth. Might also want to throw in info about PGP hacks (mainly outside US), development of other software like SecureDrive, SFS, HPack (an archiver that uses PGP keys for digital signatures of files or encryption), development of anonymous remailers that use PGP, and even something about planned future developments (PGP 3.0, PGPPhone, etc...) >Long live the Pretty Good revolution, >Adam Back Merry solstice, --Mutant Rob From alanh at infi.net Sun Dec 24 17:59:31 1995 From: alanh at infi.net (Alan Horowitz) Date: Mon, 25 Dec 1995 09:59:31 +0800 Subject: bashing (fwd) In-Reply-To: <9512250004.AA08671@all.net> Message-ID: > Evaluating statements and giving your opinion is not the same as making > insluting, untrue, and crude remarks about individuals. So Fred, I gather that you believe that there is an absolute metric of insultingness, of untruthfulness, of crudeness. Possibly you think that you, Fred Cohen, are a good judge of these things, or that you know who to trust, to delegate these measurements to? Yes, Fred, please do act now to ensure that other Netters are held to the standards you propose. Perhaps you can propose a law that will enforce your will? From alano at teleport.com Sun Dec 24 19:30:47 1995 From: alano at teleport.com (Alan Olsen) Date: Mon, 25 Dec 1995 11:30:47 +0800 Subject: [Rant] Flame threads Message-ID: <2.2b7.32.19951225030300.008f8cbc@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- Well, this is getting real unpleasant... So far we have at least three distinct flame threads going on and all of them are being pretty fucking pointless. I am gpoing to address a few issues concerning this just to get them off my chest and then I am going to drop the issue. Alice and the Net Scrooge thread: I agree that Netscape owes a bit more to people who help them out, but some of your statements come from so far into left field that they are suffering from lack of oxygen. Where does AT&T come into the break of SSL and Netscape? AT&T may licence Netscape, but they do not own it. As a licence, I cannot see how they would bear any financial responsibility for fixes, breaks or other security breaches. The only reason I can see for the anger directed against them is because they are a big company. Still, your arguments do not follow. As for Netscape... They have been trying pretty damn hard to clean up their act. They are actually FIXING bugs that are being reported and not just forwarding them to Dave Null. This is an incredible improvement over past versions. I think the IPO has had a positive effect becuase now they have to act like a real company and have real quality control. This is a good thing! Hopefully they will keep up the good work on bug fixes. (We will see if they have yet fixed the HP4 print header bug in 2.0b4 though...) The Anti-Jeff/Matt/AT&T/Netscape thread: People are not a wholly owned subsidiary of their company. I judge people by their actions and not who they work for. Jeff Weinstien has worked pretty hard to get things done right within Netscape. That is not an easy feat. (I know this from experience.) He may sound defensive at times, but who would not after some of the shit he has to take from idiots who have no clue as to what it takes to get things done in a corporate environment. So far he seems to be doing a pretty damn good job for Netscape and the crypto community at large. As for Matt Blaze. He has done more for the crypto community as a whole that most anyone I can name. His accomplisments are pretty impresive. Anyone who can break Clipper and describe the break in just eight pages deseves a bit more credit than the anon-twits give him credit for. (Plus CFS and the various other crypto code he maintains and distributes.) So far the attacks on Jeff and Matt as being somehow corrupt seem more to weaken any efforts this list has and not to help them. Fred Cohen: You have no respect for the freedom or opinions of others. You expect the net to operate under your terms and under your rules. You want people to be "responsible". From what I have read here that seems to mean "punishable". I do not like some of flames I have seen, but I do not threated legal action against them. You have. I have meet the keeper of the list. He is a very nice guy and i would not want to see him go through hardship because of some whacko with a faschist control complex. Fred -- Go somewhere else. I suggest you get together with Dan Gannon and his ilk. I think you will find him more to your liking. (Or maybe the $cientologists. They are into sueing anyone who disagrees with them. I am sure they will help you start a list with your control fetishes in mind. Maybe you can borrow a few of their lawyers.) BTW, Fred has been killfiled on my mailreader. I am sick of listening to the twit. To understand what an honor this is... He is the only person I have killfiled on this or any mailinglist. Sorry to inject this much noise to the list. I am pretty damn hot over the amount of shit I have waded through in the last few days. The legal threats from Fred were the final straw. If toad.com ever needs financial support fighting legal battles from twits such as Fred, they will have my support! I know Perry will find all of this off topic. It probibly is... It just needed to be said due to my own peace of mind. Back to the regular scheduled flamethrowing... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMN4ToeQCP3v30CeZAQFQHQf/U7xnRgq+J50EbEE2qXyPTDjKxq3O1Px1 kY2TtVfSCa5202PL8n7PrMDq9OSvz+IlK1/jmGR8vwncbUerWbZCht23rzK5Kxfn FnCMPZg0/dCSg/2wsh4O71VU759Gs7lv7cPW2PX2Cjv2RhQ5dqixjui1Tai6DHvG MSUREvyZf113DJEpWp9GzIARaZVoUK74YgKHnQxjZjYtTI7AqMs+45bf9DyBwYkc HugoHdsJJ4YuAoozSfuejIkPqlxLY9FDc+4jZBpf6VUr7NpAhYEhrg4VdeENe293 Vd5rJZb0295rDeqIz16hOkoTlQ7vSIglttXufzFNjQVcqaV8YJPSQw== =QObR -----END PGP SIGNATURE----- | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmerman unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From attila at primenet.com Sun Dec 24 22:56:28 1995 From: attila at primenet.com (attila) Date: Mon, 25 Dec 1995 14:56:28 +0800 Subject: Fred Cohen: Re: CFS and Linux In-Reply-To: Message-ID: Brian: There is no way Cohen can send the police to confiscate toad.com, or any other computer without some form of criminal complaint --other than by himself as citizen whistle-blower. I read the situation as Cohen was planning to attempt to make the actions a _criminal_ conspiracy. _If_ Cohen was successful in convincing either a state or Federal DA to seek a grand jury indictment, then the local police or the federal marshalls could be issued a search warrant to collect evidence. I can see Cohen trying to present his case before the Federal bench! In fact, I might be willing to pay admission. Cohen lives in Hudson OH which is also the location of jis private . Hudson is in Summit County and Akron (the county seat) has a branch court of the 4th Federal District (or used to). In West Virginia hill towns they teach the 3Rs: reading, 'riting, and the route to Akron, which is referred to as the capital of West Virignia. I can see the tremendous empathy of these people for Cohen's cause. As I mention above, getting a DA's attention on questionable slander, is a bit far-fetched! Tactically, I would think Cohen would find it necessary to actually win a civil suit which clearly indicated there was not only slander, but there was a malicious conspiracy to discredit Cohen. Until Cohen actually manages to score a civil victory, I believe he is dead in the water. Cohen should probably include me in his action --my idea of discrediting Dr. Fred was putting him in procmailrc. Dr. Frederick B. Cohen became Fred Cohen so part of this thread (missing anything from all.net) bled through. No more, so I will not even see any of the falderol if Fred*Cohen is anywhere in the text. On Sun, 24 Dec 1995, Brian Davis wrote: > On Sun, 24 Dec 1995, attila wrote: > > > On Sun, 24 Dec 1995, Brian Davis wrote: > > > > > On Sat, 23 Dec 1995, Perry E. Metzger wrote: > > > > > Fred Cohen writes to me in private: > > > ... > > > > > > > > Let's see. I guess I would start by having the police confiscate the > > > > toad.com computers becfause thay are part of a criminal conspiracy to > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > I didn't realize that AI research was that far along. Can someone point > > > me to the specs for the computer that can become a "part of a criminal > > > conspiracy"?? > > > > > > EBD > > > > > > > > > > daamage my reputation. Criminal because of the recent changes in the > > > > law that prohibit you from sending me information I don't want to get. > > > > > > > > > the basis of the seizure is for evidence collection. then they > > take their sweet time scrounging the disks for evidence. If no > > evidence is found, they give it back --eventually. I saw one case go > > by a couple years back where they were trying to make the computer an > > accessory to the crime (I dunno, maybe it was supposed to auto-dial > > and drop the dime --no that's in 18USC as failure to snitch!) > > Much truth here, but not relevant to Dr. Fred's threat of a civil suit. > He can't have his attorneys just call the FBI to pick up toad's computer. > > CoS's seizure of computers, while shameful, was based on a different > legal theory than the good Dr. can possibly allege. > > > EBD > > > > of course, if there are drugs involved, they confiscate it as > > spoils of the criminal act and the equipment is impounded and > > eventually sold after conviction for the benefit of their slush funds. > > > > I would imagin you have seen plenty of the latter one in the > > Federal attorney's office. this also gets into the issues of private > > cryptography and that _everybody_ should give up privacy protection, > > first amendment rights, etc. so uncle can catch a few dopers, gun > > runners, and other assorted malcreants [sic] --like the difference > > between {mis,mal}feasance: in both cases you get fucked, but 'mal' is > > intentional... > > > > > > > Not a lawyer on the Net, although I play one in real life. > > > > > hey, at least you admit you're having a good time! > > > > > ********************************************************** > > > Flame away! I get treated worse in person every day!! > > > > > > > > > -- > > -------------------------------------------------------------------- > > #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL > > $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa > > 2/d0 > pack('H*',$_)while read(STDIN,$m,($w=2*$d-1+length$n&~1)/2) > > > > -----BEGIN PGP PUBLIC KEY BLOCK----- > > Version: 2.6.2 > > > > mQCNAy5vBesAAAEEAN8cl6vHXrKZ9lFfZDgfyJRr3HidW77Uio7F25QF6QXca5z/ > > AS3ZrWsa0CjF2nwrqmyb1E5no7dFB+70ZfK8233r7ykVkWRojT+0K71lnUZO4cjG > > +d19/ehXkDpkH3iHU7Uyo4ZdXLiI6uoFDS7ilzx8PCKcgvfq7b04kQrCC2kFAAUX > > tAZhdHRpbGGJAJUDBRAur/X7xUpiaI661j0BAbVUA/9RSKN5sOFVB4rjV6+a2aWD > > LjD5g/+eZaB/hI98qlPP+SBwzO3+K7+JWt3Fez0gKVju228ACGkvilg2VkMtQ0zm > > YCexYL0U9StzHt4xEpowpmaWx22jpEvWnI10LZvT/NO3uYg5r/ezVYc7autKvfvI > > rVOo322RkA0HNVV1rqjMGw== > > =UNt4 > > -----END PGP PUBLIC KEY BLOCK----- > > > > > > Not a lawyer on the Net, although I play one in real life. > ********************************************************** > Flame away! I get treated worse in person every day!! > -- -------------------------------------------------------------------- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 Message-ID: <9512251230.AA25381@all.net> Sorry to post this to the list. I would normally only post it in private to the sender, but since the sender has decided to speak without listening I guess the only way to get the message back to them is by indirect communication. Will someone on the list please forward this reply to the original sender on my behalf? ... > Fred Cohen: > > You have no respect for the freedom or opinions of others. You expect the > net to operate under your terms and under your rules. You want people to be > "responsible". I know it's a lot to ask - being responsible - but I think it's the only way cypherpunks will survive in the coming environment. > From what I have read here that seems to mean "punishable". With rights come responsibilities. If you want the right of free speech, you have to use it responsibly - otherwise, you will lose the right - and quite possible lose it for me as well. > I do not like some of flames I have seen, but I do not threated legal action > against them. You have. I have meet the keeper of the list. He is a very > nice guy and i would not want to see him go through hardship because of some > whacko with a faschist control complex. Since you don't know me, you have no idea of whether these statements are true. Put yourself in my place. I posted no messages to the net and yet I was publicly accused without any cause of doing things I did not do by someone who knew that I didn't do them. When I complained to that person *in private* he published my personal mail to the list. As a result, you and others on the list are publicly calling me names like a whacko with a faschist control complex. It's not a matter of flames - it's a matter of intentionally and maliciously perpetrating a falsehood about me in a manner and fashion designed to damage my reputation. That's different than voicing your honest opinion and different than frivolous speech. It's within your freedom of speech to say a lot of senseless things - but it's not within your freedom of speech to intentionally perpetrate damaging falsehoods about other people. Your name calling is so outrageous that nobody is likely to take you seriously, and for that reason probably is not libelous - at least not at the level you do it today, but what Perry did was something quite different. His statement could well be taken seriously - he has not denied knowing that it was a falsehood - and it was clearly intended to damage my reputation. > Fred -- Go somewhere else. I suggest you get together with Dan Gannon and > his ilk. I think you will find him more to your liking. (Or maybe the > $cientologists. They are into sueing anyone who disagrees with them. I am > sure they will help you start a list with your control fetishes in mind. > Maybe you can borrow a few of their lawyers.) I have a better idea. I have as much right to be here or anywhere else as anyone in the world. Anyone who says I don't could easily be accused of being a "whacko with a faschist control complex", but I won't make such accusations in public against you. It is you who can't stand the heat of openly discussing one of the central issues of cypherpunks - responsibility and freedom relating to speech. The reason you can't stand serious conversation is because your position is unsupportable. > BTW, Fred has been killfiled on my mailreader. I am sick of listening to the > twit. To understand what an honor this is... He is the only person I have > killfiled on this or any mailinglist. People who close their minds to communication and choose to make one-way proclamations doom themseleves to ignorance. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From dlv at bwalk.dm.com Mon Dec 25 05:26:56 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 25 Dec 1995 21:26:56 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: <901NgD5w165w@bwalk.dm.com> owner-cypherpunks at toad.com writes: > Eric Murray wrote: > > | Where we're headed is mail filters with PGP imbedded (PGP 3 will > | make this much easier) that check incoming mail for a valid signature > | for certain PGP keyid/fingerprints and pass that mail along. > | Other mail that doesn't match gets tossed into a 'junk' folder > | or thrown away if you really don't want to talk to anyone that you > | don't already know. > > I agree with the assesment of where we may be going, but the > technology is available now. (Marshall Rose uses it; if you want to > get mail into his private mailbox, offer him some $ via imbedded FV > authorizations in the mail, and it goes into his inbox. If he thinks > it was worth his time, he doesn't charge you.) > > Anyway, the code is defeintely available now. The back end is a > little kludgy, but it was needed for an auto ley retreival script. > This could easily be hacked to include a +pubring=$people line. The > script gives you a keyid, which you can then use to filter on, ie: This is much better than nothing. This would stop the e-mail being sent to everyone who's ever posted to Usenet. I see a couple of attacks: 1. Alice only accepts signed e-mail from Bob. Carol receives a signed e-mail from Bob to Carol, sends 10,000 e-mails to Alice (via sendmail) with From: bob, same body+signature, possibly varying message-ids and subjects. 2. Alice only accepts signed e-mail from Bob. Carol, a rogue sysadmin, intercepts an e-mail from Bob to Alice, sends 10,000 more copies of it to Alice (via sendmail) with From: bob, possibly varying message-ids and subjects. As I keep pointing out, pgp-signing the body is not enough. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jya at pipeline.com Mon Dec 25 06:49:15 1995 From: jya at pipeline.com (John Young) Date: Mon, 25 Dec 1995 22:49:15 +0800 Subject: ROS_pig Message-ID: <199512251432.JAA11244@pipe4.nyc.pipeline.com> 12-25-95. NYPaper: "Fear Of Freedom: The urge to censor persists." Anthony Lewis column. The very essence of the on-line world is freedom. The effect of the "indecent" prohibition of the telecom bill will be to reduce all users of cyberspace to the level of children. That is exactly what Justice Felix Frankfurter found unconstitutional writing for the Supreme Court in 1957, about a Michigan law that banned sales to anyone of material unsuitable for children. "Surely," he wrote, "this is to burn the house to roast the pig." "Coming Soon to Computers Everywhere, a World's Fair." John Markoff. In an era when the Internet has become synonymous with commercialism and instant fortunes, Carl Malamud's commitment to public service has set him apart. Mr. Malamud maintains that there are still two ways to build the Internet. One is the high-stakes high-visibility route of initial public offerings in the stock market, the money-raising approach being pursued by people like Netscape Communication's founders, Jim Clark and Mark Andreeson. The other route, Mr. Malamud maintains, is by soliciting funds and building viable public works projects that benefit the common good. 2 in 1: ROS_pig (13k) From raph at CS.Berkeley.EDU Mon Dec 25 07:11:22 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 25 Dec 1995 23:11:22 +0800 Subject: List of reliable remailers Message-ID: <199512251450.GAA06781@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"hroller"} = " cpunk pgp hash latent ek"; $remailer{"vishnu"} = " cpunk mix pgp. hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo hroller alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: all of the "ek" tags have been verified correct. Apologies to those who were inconvenienced by incorrect "ek" tags in the past. Last update: Mon 25 Dec 95 6:45:54 PST remailer email address history latency uptime ----------------------------------------------------------------------- hacktic remailer at utopia.hacktic.nl ***+*+****** 7:48 99.98% c2 remail at c2.org -+++++++.-++ 1:29:45 99.96% replay remailer at replay.com ******+***** 9:47 99.95% portal hfinney at shell.portal.com .#**+####### 11:36 99.94% bsu-cs nowhere at bsu-cs.bsu.edu #*#-####*#+# 12:47 99.91% rmadillo remailer at armadillo.com ++ +++++++++ 39:31 99.89% shinobi remailer at shinobi.alias.net ++--_.--++++ 4:25:47 99.88% alumni hal at alumni.caltech.edu -+*++##+###* 15:14 99.86% ford remailer at bi-node.zerberus.de .-+++++-+-++ 4:08:57 99.85% flame remailer at flame.alias.net ***+**++.-- 5:58:46 99.75% hroller hroller at c2.org -##+####.-## 47:58 99.75% spook remailer at valhalla.phoenix.net * *+* **.--+ 3:44:23 99.69% vishnu mixmaster at vishnu.alias.net #*++*** --- 1:19:08 99.68% tjava remailer at tjava.com # :23 99.48% mix mixmaster at remail.obscura.com +-+++____.- 20:55:03 99.27% extropia remail at extropia.wimsey.com -.-.-----. 14:54:08 99.16% wmono wmono at valhalla.phoenix.net * *+* * ** 13:17 98.94% amnesia amnesia at chardos.connix.com ----- --++- 3:09:50 98.65% penet anon at anon.penet.fi _....-.--- * 13:40:31 98.35% gondolin mix at remail.gondolin.org --____.-*+ 18:46:33 96.41% rahul homer at rahul.net *#++***-+##* 21:00 99.97% ecafe cpunk at remail.ecafe.org -####**-# 27:03 65.05% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From grafolog at netcom.com Mon Dec 25 07:20:54 1995 From: grafolog at netcom.com (Jonathan Blake) Date: Mon, 25 Dec 1995 23:20:54 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: <901NgD5w165w@bwalk.dm.com> Message-ID: On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > As I keep pointing out, pgp-signing the body is not enough. You're wrong. You can setup Procmail to detect if something is signed with PGP, and if it is, to run a script which determines the authenticity of the signature. If the signature is not authentic, the message goes to /dev/null. That way, even if Carol is using intercepted messages from Bob, Carol's messages won't be accepted or seen. xan jonathon grafolog at netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 ********************************************************************** From jhupp at novellnet.gensys.com Mon Dec 25 07:51:41 1995 From: jhupp at novellnet.gensys.com (Jeff Hupp) Date: Mon, 25 Dec 1995 23:51:41 +0800 Subject: Only accepting e-mail from known parties Message-ID: <13060E503DA@Novellnet.Gensys.com> On 25 Dec 95 at 7:45, Dr. Dimitri Vulis wrote: [much on a pgp based gateway filter for email] : : This is much better than nothing. This would stop the e-mail being : sent to everyone who's ever posted to Usenet. I see a couple of attacks: : : 1. Alice only accepts signed e-mail from Bob. Carol receives a signed e-mail : from Bob to Carol, sends 10,000 e-mails to Alice (via sendmail) with From: bob, : same body+signature, possibly varying message-ids and subjects. : : 2. Alice only accepts signed e-mail from Bob. Carol, a rogue sysadmin, : intercepts an e-mail from Bob to Alice, sends 10,000 more copies of it to Alice : (via sendmail) with From: bob, possibly varying message-ids and subjects. : : As I keep pointing out, pgp-signing the body is not enough. : Keep checksums of signitures (or body text) for a week, duplicate messages are routed to /dev/null. -- JHupp at gensys.com |For PGP Public Key: http://gensys.com |finger jhupp at gensys.com You are lost in a maze of twisty little standards, all different. From lull at acm.org Mon Dec 25 08:23:04 1995 From: lull at acm.org (John Lull) Date: Tue, 26 Dec 1995 00:23:04 +0800 Subject: FH radios In-Reply-To: Message-ID: <30de2109.16381795@smtp.ix.netcom.com> On Sat, 23 Dec 1995 08:20:28 -0800, Steven Weller wrote: > Thus in a frequency-hopping radio you can push the retuning (read RF > phase-locked loop) technology to its limit and build transmitters and > receivers around them. These typically hop in the order of 100 times a > second. The adversary has to find the uncorrelated signal very quickly > indeed *and* have PLL technology at least as good as yours to recover > anything from it. Finding the signal generally means listening to all > frequencies at once, requiring huge amounts of hardware parallelism and/or > realtime computing power. Once you throw ten or so radios onto the same > band, it's no longer any use looking for the strongest signal, making that > approach useless. This is nowhere near the limit of the technology. 15 years ago, I was working on PLLs that would stabilize within a couple degrees of final phase within 3.5 microseconds. That permits you to do useful work at 100,000 hops per second. From ericm at lne.com Mon Dec 25 09:35:48 1995 From: ericm at lne.com (Eric Murray) Date: Tue, 26 Dec 1995 01:35:48 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: <199512251710.JAA08899@slack.lne.com> > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > > > As I keep pointing out, pgp-signing the body is not enough. > > You're wrong. He's right. > You can setup Procmail to detect if something is signed > with PGP, and if it is, to run a script which determines > the authenticity of the signature. If the signature is > not authentic, the message goes to /dev/null. That way, > even if Carol is using intercepted messages from Bob, Carol's > messages won't be accepted or seen. Ok. If I want to get my email ad for the Ronco turnip-twaddler past a filter like that, all I need to do is to create a PGP key with a user name that's the same as one that the victim already receives. i.e. if I know that joe at blort.com exchanges email with phred at none.net, then I just create a PGP key with the name "phred at none.net", and sign the turnip-twaddler ad with that. It'd have a valid signature, and one coming from Joe's friend phred. Mail accepted. In addition to checking for a valid signature, the filtering software would have to also check the PGP key id of the key used. It would also need to make sure that there is ONLY PGP-signed content in the mail. Otherwise Mallet could grab an innocuous mail message that Phred signed and included it at the bottom of the turnip-twaddler ad. It wouldn't make sense (although that might be usual with Phred), but it'd contain a valid signature from Phred, and therefore get the ad past the filter. I'm sure there's other caveats, these are just the ones I can think of now. I wish all Cypherpunks a Merry Christmas. I hope Santa brought you all something nice, like a fast new stream cipher, a new key exchange protocol, or maybe a note from the Fedz saying that ITAR has been lifted. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From dlv at bwalk.dm.com Mon Dec 25 09:43:47 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 26 Dec 1995 01:43:47 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: Jonathan Blake writes: > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > > > As I keep pointing out, pgp-signing the body is not enough. > > You're wrong. I'll be delighted if someone convinces me that I'm wrong about this. I may even start using PGP signatures. :) > You can setup Procmail to detect if something is signed > with PGP, and if it is, to run a script which determines > the authenticity of the signature. If the signature is > not authentic, the message goes to /dev/null. That way, > even if Carol is using intercepted messages from Bob, Carol's > messages won't be accepted or seen. Carol needn't put her real name in the "From:" line. Much of the unsolicited commercial junk e-mail comes from bogus addresses. I said, Carol can *forge* the RFC 822 header, so her e-mails look like they came from Bob, and use the body from Bob's authentic PGP-signed message. For example, Bob may have once sent Carol an e-mail that looked like this: ----------------------------------------------------------------------- From: Bob To: Carol Date: 25 Dec 1965 Subject: Carol, we're history Message-ID: <111 at bob> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- "Ask not what your country can do to you, but what you can do to your country" ----------------------------------------------------------------------- Carol can *easily* forge an e-mail to Alice that looks like this: ----------------------------------------------------------------------- From: Bob To: Alice Date: 25 Dec 1995 Subject: Alice, we're history Message-ID: <222 at bob> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- "Sex with Carol was the greatest sex I've ever had" ----------------------------------------------------------------------- The e-mail is sent by Carol, but the RFC 822 header says "From: Bob". If you think this is hard to accomplish, take a look, e.g., at the source code the Lance Cotrell's mixmaster and see how it talks to sendmail. The PGP-signed portion is copied verbatim from an authentic message. Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures. E.g., this trick could be used to mailbomb someone with many copies of the same authentic e-mail. That's because PGP only signed a portion of the body, not the important headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig. Happy holidays, --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From grafolog at netcom.com Mon Dec 25 10:00:27 1995 From: grafolog at netcom.com (Jonathan Blake) Date: Tue, 26 Dec 1995 02:00:27 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: <199512251710.JAA08899@slack.lne.com> Message-ID: Erik: On Mon, 25 Dec 1995, Eric Murray wrote: > > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > Ok. If I want to get my email ad for the Ronco turnip-twaddler past a filter > like that, all I need to do is to create a PGP key with > a user name that's the same as one that the victim already > receives. > > i.e. if I know that joe at blort.com exchanges email with phred at none.net, then > I just create a PGP key with the name "phred at none.net", and sign > the turnip-twaddler ad with that. It'd have a valid signature, and > one coming from Joe's friend phred. Mail accepted. But will the signature match that of phred at none.net's PGP key. I doubt it. > In addition to checking for a valid signature, the filtering software > would have to also check the PGP key id of the key used. It would To check a signature, you need the public key the signature was created with. You allready have phred at none.net's public key on your keyring. If that key does not demonstrate an authentic signature for the messge, then the message is a fake. Now, if you assume that your keyring has been compromised, then you can also check the signatures of who signed the keys. At a minimu, your signature should be on the authentic key. If it is missing, then you can place the message in a "suspected to be forged bin", or just send it to dev/null, unread. > also need to make sure that there is ONLY PGP-signed content in the > mail. Otherwise Mallet could grab an innocuous mail message that I hadn't thought of that, but here is one solution. Run a perl script that automatically deletes everything that is not signed by pgp, with the exception of the date, the sender, and the subject line. > I'm sure there's other caveats, these are just the ones I can think of now. Let's figure out some more threat models. And how to counter them. Man in the middle --- he has your public key, joe at none.net's public key, and access to both your pbulic ring, and joe at none.net public ring. I don't know know how to counter this one using filters with perl --- yet. xan jonathon grafolog at netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 ********************************************************************** From adam at lighthouse.homeport.org Mon Dec 25 10:20:32 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 26 Dec 1995 02:20:32 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: <199512251754.MAA01460@homeport.org> Dr. Dimitri Vulis wrote: | I said, Carol can *forge* the RFC 822 header, so her e-mails look like they | came from Bob, and use the body from Bob's authentic PGP-signed message. Yes, this is possible. No, I'm not going to take the time to write a fix now, but, we both know its not tough to prevent. Take the hash of the pgp signed message, use it to filter on. I'll occaisonally add text outside a signature (literally, a postscript), so filtering out everything outside the signed text is a bad idea. You might get a few spams, but not hundreds. Its tough to ensure that mail always has an envelope that matches the key. I still use a key that say adam at bwh.harvard.edu, but most of my mail is signed with an adam at homeport.org key. Cryptography can't solve social problems. It can, however, transform them into tougher problems for the anti-social. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From adam at lighthouse.homeport.org Mon Dec 25 10:28:37 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 26 Dec 1995 02:28:37 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: <199512251804.NAA01482@homeport.org> Jonathan Blake wrote: | > also need to make sure that there is ONLY PGP-signed content in the | > mail. Otherwise Mallet could grab an innocuous mail message that [...] | > I'm sure there's other caveats, these are just the ones I can think of now. | | Let's figure out some more threat models. And how to counter | them. | | Man in the middle --- he has your public key, joe at none.net's | public key, and access to both your pbulic ring, and | joe at none.net public ring. I don't know know how to counter | this one using filters with perl --- yet. The real threat model that Dimitri seems to be worried about is spammers, so lets address them. There are two types of spammers, commercial and personal. The commercial spammer wants to get messages into hundreds or thousands of mail boxes. The effort to do this, per mailbox, needs to be very low, or they go for people with worse filters. The personal spammer is more difficult, since they seek specifically to annoy you, and can thus be expected to expend more effort. They can possibly get a copy of each signed message that comes to you, but of course, you can cache filter them. A problem occurs if they can get their spam to you before the legit message, in which case you need to wade through tripe to get to the real message. The personal spammer is a social problem, and I recommend using social methods to fix it. An auto-responder that says "Please grow up" might do the trick. -- "It is seldom that liberty of any kind is lost all at once." -Hume From grafolog at netcom.com Mon Dec 25 10:33:58 1995 From: grafolog at netcom.com (Jonathan Blake) Date: Tue, 26 Dec 1995 02:33:58 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: Dr Dimitri Vulis: On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > Jonathan Blake writes: > > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote: > > > I'll be delighted if someone convinces me that I'm wrong about this. > I may even start using PGP signatures. :) When I get the bugs out of the procmail script I'm writing, to accomplish this, I'll send it to you. > I said, Carol can *forge* the RFC 822 header, so her e-mails look like they > came from Bob, and use the body from Bob's authentic PGP-signed message. Strip out everything that is not header information, and is not signed with pgp. You could even strip out all header information, except for who sent the message. That you need, so you know who to respond to. > The e-mail is sent by Carol, but the RFC 822 header says "From: Bob". > If you think this is hard to accomplish, take a look, e.g., at the source Forged signatures are not that difficult to accomplish. > The PGP-signed portion is copied verbatim from an authentic message. This is a good point. However, won['t most messages have the name of the intended recipient inside the PGP signature lines? Regardless, you've stated a weakness that I hadn't realized existed. > Alice _may_ notice that the _Received:_ headers are weird, but this > forgery will certainly pass through a script that checks signatures. I'll have to give this some thought. Have the script match the from id, with the message id. << Not sure how I can do this one, yet. >> > That's because PGP only signed a portion of the body, not the important > headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig. The Header won't be signed by PGP. That part I will concede. The signature might be signed by PGP, depending on what one is using to read & respond to email with. With SLMR can sign signatures. << Granted, it is for DOS, and is geared towards FidoNet conferences. And I had to right a batch file to call the editor, then the program to attach the signature, then sign the thing. But the signature was included in the signed part of the pgp message. >> xan jonathon grafolog at netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 ********************************************************************** From tallpaul at pipeline.com Mon Dec 25 12:06:04 1995 From: tallpaul at pipeline.com (tallpaul) Date: Tue, 26 Dec 1995 04:06:04 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512251933.OAA14735@pipe8.nyc.pipeline.com> How about one-time electronic stamps. I generate a large-ish number of long-ish random numbers. I store these into a data base on my system. I send one e-stamp to all of the people I want to communicate with and vice versa. Each person uses the e-stamp in the header or some other area of their message to me easily accessible to my mail bot. My bot reads the e-stamp and then checks the data base to see if the stamp is valid. If not, then /dev/null. If so, then: a) send the message to me; b) delete the used e-stamp from the data base; c) send a confirmation of received message with a new e-stamp in it. Thoughts? (I see one problem with this but it should be able to be worked out once the basic method is agreed to). --tallpaul From DMiskell at envirolink.org Mon Dec 25 12:16:04 1995 From: DMiskell at envirolink.org (Daniel Miskell) Date: Tue, 26 Dec 1995 04:16:04 +0800 Subject: bashing (fwd) Message-ID: <9512251936.AA29575@envirolink.org> Allan, shut the hell up. This thread is truely unnecessary, can we just let it die? Munster --- _________________________________ *!Cheese Doctrine:!* Though cultured over time, and aged to perfection, one must not yield to produce mold. One must also not belittle themselves by conforming to the "whiz", but melt over the unprocessed ideas of Ghuda. _________________________________ From adam at lighthouse.homeport.org Mon Dec 25 12:32:19 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 26 Dec 1995 04:32:19 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: <199512251933.OAA14735@pipe8.nyc.pipeline.com> Message-ID: <199512251953.OAA01614@homeport.org> The basic problem is that (personal) spam is a social, not a technical problem. If someone wants to annoy you via the internet, they can do so. You can raise the cost of their annoying you, but you need to be careful not to make it difficult to talk to you. Stamps are an annoying solution unless the stamp buys the sender something that the sender wants (perhaps such as pseudononymity). It would seem that only accepting signed mail, and caching the hash of the signed part would work pretty well, and also not require anything (other than a signature) from the remote end. The cost of a spam is the time to generate a new key pair. (You probably need some way to add new keys, for people to be able to say 'I'd like to talk to you.') Adam | If not, then /dev/null. If so, then: | | a) send the message to me; | b) delete the used e-stamp from the data base; | c) send a confirmation of received message with a new e-stamp in it. | | Thoughts? (I see one problem with this but it should be able to be worked | out once the basic method is agreed to). -- "It is seldom that liberty of any kind is lost all at once." -Hume From tallpaul at pipeline.com Mon Dec 25 12:43:36 1995 From: tallpaul at pipeline.com (tallpaul) Date: Tue, 26 Dec 1995 04:43:36 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512252009.PAA18246@pipe8.nyc.pipeline.com> On Dec 25, 1995 14:53:19, 'Adam Shostack ' wrote: > The basic problem is that (personal) spam is a social, not a >technical problem. If someone wants to annoy you via the internet, >they can do so. You can raise the cost of their annoying you, but you >need to be careful not to make it difficult to talk to you. > I agree in many ways. On a personal level, I am far more interested in the *social* are of this form of privacy. It is more a problem of the data-hermit than privacy. And in a society increasingly generating narcissistists, I see the problem getting worse. Negroponte of the MIT Media Lab can sing the praises of the personal e-newspaper with personal filters to cut out everything uninteresting while culling the world new feeds for desired information. I see this feeding into the narcissitism problem. E.G. Imagine two people who "feel" that members of the other gender are "only interested in one thing." Each wakes up in the morning and looks at their personal e-paper. She reads nothing of particularly nasty rapes, serial rapists at large, rapists who have been convicted, and rapists who an uncaring pro-male system has let out to rape again (i.e. been found not guilty). He reads nothing of particularly nasty robberies of men by women, serial robberies by prostitutes, female robbers who have been convicted, and robbers who an uncaring pro-female system has let out to rob again. Both believe that their custom filtered feeds are the *real* events going on in the world and are far more accurate than any non-customized news feed. I hope nobody takes this as a generic attack on the privacy issues that the list is devoted to. I am a great supporter of privacy and pro-privacy tek. But I see myself as a realist on privacy issues, not as a privacy-utopian or a privacy-dystopian. We live in a post-Faustian world. It is divided into two groups of people. First are those who understand the post-Faustian character and devote themselves to getting used to it and even having fun with the new opportunities while understanding that the new world also generates new problems (like furthering data-narcicism). Second are those classic-reactionary forces (from all parts of the political spectrum) who whine about how the post-Faustian world is personally unfair to them and how everybody in the world has a personal obligation to them to move the world back to its pre-Faustian origins. --tallpaul PS to Tim May: I understand your posts on material that is off-topic. I usually agree with your posts. But I see the issues I discussed above as far more on topic (even if highly mediated) than, say, the ongoing discourse on the differences between an Army Captain and a Navy Captain. From rah at shipwright.com Mon Dec 25 13:38:00 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 26 Dec 1995 05:38:00 +0800 Subject: Future Scenarios for e$: The DCSB Forecast Message-ID: -----BEGIN PGP SIGNED MESSAGE----- **************>>>>>> Meeting Reminder: One week to go! <<<<<<*********** ****>>>>>> Checks due to Shipwright *this* Saturday, December 30, 1995 <<<<<<** The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Art Hutchinson and John Kelly Northeast Consulting Resources Inc., (NCRI) "Future Scenarios for e$: The DCSB Forecast" Tuesday, January 2, 1995 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA I've been talking to Art Hutchinson last week, and it looks like we're in for a treat. This is going to be particularly useful, coming as it does at the beginning of the new year. He and John Kelly are going to put our prognostication skills through their paces with what amounts to a 90's version of Delphi exercise, using us, a bunch of people who, if anyone, should have an interesting take on where commerce on the internet is going in the next few years. I'm psyched. Art and John are old pros at this kind of thing, so I expect this is going to be great fun. Since we're going to be doing something different besides listening to a speaker this time, I'd like to suggest that we get there right at 12 noon to get things started immediately, New Year's aldehyde toxcicity notwithstanding. ;-). Instead of one big group around a table, we'll be sitting at smaller tables with a pile of future "events" to prognisticate about. Our opinions about the likelihood about those events will be recorded by a "scribe" at each table, and then posted for all to look at during/after lunch. The "events" are drawn from a giant database of these things that NCRI has acquired over the years, filtered down to e$-relevance, plus some suggestions from the stuff we've discussed on the dcsb list and at monthly meetings. This meeting of the Boston Society for Digital Commerce will be held on Tuesday, January 2, 1995 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have a jacket and tie dress code. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by *this* Saturday, December 30 , or you won't be on the list for lunch. We're trying to hold the line on advance registration this time, because the holiday makes for considerable uncertainty in reservations. I will be sending confirmations early this time, on Thursday, just to make sure. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, c/o The Shipwright Development Corporation, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they must be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: February Fred Hapgood Freelance Author March Glenda Barnes X.9 Electronic Commerce Security Group April Donald Eastlake CyberCash May Perry Metzger Security Consultant and Cypherpunk June Dan Shutzer FSTC We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Boston Society for Digital Commerce, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMN8PKfgyLN8bw6ZVAQGC4AP/fSCT1Fxxa/Q8x5ujQNeN6rk8tWtt2K2c S63F3ff3FJ6lbqAQLEZiXcbyYJSMDeZt0+3vSckKG54xa3dz/e+a9K7e3eE+jdrF tZRvwYMvH2X3CKszVbh++I9cO8MlJfTgrMJc4GZKEpdfl0qxuQpz5YPqU9uIS3SL mgJ5nqn7iew= =fTao -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From mab at research.att.com Mon Dec 25 13:43:09 1995 From: mab at research.att.com (Matt Blaze) Date: Tue, 26 Dec 1995 05:43:09 +0800 Subject: New release (v1.3.2) of CFS encrypting file system available Message-ID: <199512252112.QAA07556@nsa.tempo.att.com> [Perhaps this isn't the best time for me to post this here; apologies in advance if this sparks another flame fest. -matt] Source code for the latest version (release 1.3.2) of CFS, the Cryptographic File System, is now available upon request for research and experimental use in the US and Canada. CFS pushes encryption services into the Unix(tm) file system. It supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS employs a novel combination of DES stream and codebook cipher modes to provide high security with good performance on a modern workstation. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key. CFS runs under SunOS and several other BSD-derived systems with NFS. It is implemented entirely at user level, as a local NFS server running on the client machine's "loopback" interface. It consists of about 5000 lines of code and supporting documentation. You must have "root" access to install CFS. CFS was first mentioned at the work-in-progress session at the Winter '93 USENIX Conference and was more fully detailed in: Matt Blaze. "A Cryptographic File System for Unix", Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfs.ps.) and in Matt Blaze. "Key Management in an Encrypting File System", Proc. Summer '94 USENIX Tech. Conference, Boston, MA, June 1994. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfskey.ps.) Version 1.3 of CFS also includes ESM, the Encrypting Session Manager. ESM provides shell-to-shell encrypted sessions across insecure links and requires no OS or network support. It is useful for typing cfs passphrases when logged in over the network. ESM needs RSAREF 2.0 to compile and is tested only on SunOS and BSDI. ESM is the first released part of a suite of session encryption tools that are described in Matt Blaze and Steve Bellovin. "Session-layer Encryption." Proc. 1995 USENIX Security Workshop, Salt Lake City, June 1995. (PostScript is available from ftp://research.att.com/dist/mab/sesscrypt.ps) The new version of CFS differs from the version described in the papers in a few ways: * The DES-based encryption scheme has been strengthened, and now provides greater security but with the online latency of only single-DES. * Support for the smartcard-based key management system is not included and a few of the tools are not included. * An impoved key management scheme now allows chaning the passphrase associated with a directory. * The performance has been improved. * The security of the system against certain non-cryptanalytic attacks has been improved somewhat. * User-contributed ports to a number of additional platforms. * Hooks for adding new ciphers. * 3-DES, MacGuffin, and SAFER-SK128 encryption options. * Timeout options allow automatic detach of encrypted directories after a set time or period of inactivity. CFS is distributed as a research prototype; it is COMPLETELY UNSUPPORTED software. No warranty of any kind is provided. We will not be responsible if the system deletes all your files and emails the cleartext directly to the NSA or your mother. Also, we do not have the resources to port the software to other platforms, although you are welcome to do this yourself. The software was developed under SunOS and BSDI, and there are also unsupported user-contributed ports available for AIX, HP/UX, Irix, Linux, Solaris and Ultrix. We really can't promise to provide any technical support at all, beyond the source code itself. We also maintain a mailing list for CFS users and developers; subscription information is included with the source code. Because of export restrictions on cryptographic software, we are only able to make the software available within the US and Canada to US and Canadian citizens and permanent residents. Unfortunately, we cannot make it available for general anonymous ftp or other uncontrolled access, nor can we allow others to do so. Sorry. Legal stuff from the README file: * Copyright (c) 1992, 1993, 1994, 1995 by AT&T. * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software and in all copies of the supporting * documentation for such software. * * This software is subject to United States export controls. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. If you would like a copy of the CFS source code, please read to the end of this message and then send email to: cfs at research.att.com DO NOT REPLY DIRECTLY TO THIS MESSAGE. You must include a statement that you are in the US or Canada, are a citizen or legal permanent resident of the US or Canada, and have read and understand the license conditions stated above. Be sure to include an email address in a US- or Canada-registered domain. The code will be sent to you via email in a "shar" shell archive (a little over 300K bytes long). From die at pig.die.com Mon Dec 25 14:55:52 1995 From: die at pig.die.com (Dave Emery) Date: Tue, 26 Dec 1995 06:55:52 +0800 Subject: FH radios In-Reply-To: <30de2109.16381795@smtp.ix.netcom.com> Message-ID: <9512252206.AA10260@pig.die.com> > > On Sat, 23 Dec 1995 08:20:28 -0800, Steven Weller wrote: > > > Thus in a frequency-hopping radio you can push the retuning (read RF > > phase-locked loop) technology to its limit and build transmitters and > > receivers around them. These typically hop in the order of 100 times a > > second. The adversary has to find the uncorrelated signal very quickly > > indeed *and* have PLL technology at least as good as yours to recover > > anything from it. Finding the signal generally means listening to all > > frequencies at once, requiring huge amounts of hardware parallelism and/or > > realtime computing power. Once you throw ten or so radios onto the same > > band, it's no longer any use looking for the strongest signal, making that > > approach useless. > > This is nowhere near the limit of the technology. 15 years ago, I was > working on PLLs that would stabilize within a couple degrees of final > phase within 3.5 microseconds. That permits you to do useful work at > 100,000 hops per second. > There is also a newer technology called direct digital synthesis or DDS that works by accumulating phase (adding to the previous value) each tick of a high frequency clock in a register at a rate determined by the contents of another register (the value here sets the frequency) with the upper bits of the accumulated phase being used to address a sine/cosine lookup table rom which in turn feeds digital output values into a D/A converter. The output of the D/A converter is a sampled approximation of a sine or cosine wave at a frequency set by the increment register. The sample rate is set by the high frequency clock rate. DDS permits instanteous frequency shifts with phase continuous output by simply reloading the phase increment register with another value. Unlike phase locked loop synthesizers a there is no transient phase and frequency error after a frequency shift. The primary limitation of DDS is set by the speed of the rquired digital hardware (and various subtler considerations such as clock jitter and output filtering) - current VLSI implementations work up to around 100 mhz with .1 hz or better frequency resolution. And with a bit more sophistication the DDS principle can be used to digitally generate vector modulation (BPSK, QPSK, QAM etc) and even digitally filter the result with FIR filters to limit occupied bandwidth. There have even been some experiments with generating broadcast FM stereo signals directly from digital music samples using this technology. But to get back to the original point of this thread - while such techniques are possible (as is full hard encryption), it is my understanding that actual conusmer 900 mhz digital cordless phones that use frequency hopping use a very limited set of frequencies and a small set of fixed hopping patterns and don't hop very fast. There is certainly little additional cost to building a trully secure digital cordless phone given the dense ASIC technology that is standard in this kind of product - but someone has to persuade the manufacturers that there is a real need and find a way to allow them to export the product. When the brand of cordless phones that most emphasizes security from eavesdropping in its point of sale advertising display is the one that uses open FM with simple speech inversion you know there is something wrong, particularly when the company that makes it is a pioneer in really secure digital speech over handheld radios (and a big governmeent contractor). Dave Emery N1PRE From nobody at REPLAY.COM Mon Dec 25 15:48:00 1995 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 26 Dec 1995 07:48:00 +0800 Subject: corporate bashing Message-ID: <199512252215.XAA07650@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Fred seems to have been slipping through my filters in recent days. Though I usually trash any message containing a reference to him, I thought that this latest escalation into the ionosphere of net-sillies begs to be brought to heel... On 24 Dec 95 at 17:20, Fred Cohen wrote: > and that anonymity should be used as an escape from > responsibility for what they do and say. If you want to > remain free to speak your mind, you have to become > responsible in at least two ways: > > 1 - You must top slandering people. > 2 - You must stop using anonymity as a way to avoid being > responsible. > > When I say must, I am not intending to mean anything less. > If the cypherpunks continue to do these two things, they will > rapidly find that they are doing more to destroy all of our > rights to free speech in the Internet than they ever did to > encourage freedom of expression. There are several things wrong with this, but first, just on the surface: Fred has now dropped his cyberdrawers and stands before us displaying the ugly engine of his manhood, the handle by which he maintains a grip on his pointless existence. He reveals himself to be yet another in that small, tired parade of self-appointed lightning rods -- people with so little of import in their lives that they have to resort to trolling for what they can claim are offenses against them, then flex the borrowed, imagined musculature of mindless law to rise in self-righteous threats of exercise of vindictive wrath. This is worse than "My big brother will kick your ass!" It is like a 90-pound weakling going to the beach with a large but retarded cousin in tow. The idea is to troll to get sand kicked in his face, then to point to the drooling cousin and use him as a lever to gain and exercise control over the hapless dupes of the ruse. Freds have existed on BBS's, and before the technological age in most small clubs and societies. In the Internet they show up in newsgroups and on mailing lists, and when crossed they ALWAYS descend to threats of legal action. So predictable, so utterly dull and unimaginative, they are like the party guest who has that inappropriate laugh, who doesn't seem to notice that pairs of people are together, who approaches people oddly and, in the end, makes a scene and reveals himself to be a complete fruitcake. Unmoderated fission looking for a place to fulminate. Fred, you've come to the wrong place. If you want to be ignored, just pack your terminal and stay home with the sitcoms. Noone asked you to interject your trolls and threats here. You invited yourself, and whatever you are suffering is of your own creation. Speaking of Freds brings me to a more interesting aspect of this nonsense: How do we know there is only one Fred? Fred doesn't sign his messages... oh-oh. This attack of deja vu feels like I've had it before. Why do I get the feeling that Fred is about to embarrass himself terribly by blurting out some of the poison that fills his soul? Let him who hath not slandered cast the first suit. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMN8TVEjw99YhtpnhAQFDngH/cTzEDHzxYZ7Z9jOmoALxaIdxpgpvlIr+ /zsZndz1KfQlqUunH5i7YsJS7tm/XOsrRcWQgKQEr9WaI8wRgrqh5g== =Hl/v -----END PGP SIGNATURE----- From mpd at netcom.com Mon Dec 25 15:49:12 1995 From: mpd at netcom.com (Mike Duvos) Date: Tue, 26 Dec 1995 07:49:12 +0800 Subject: Encryption Discrimination from Sun Message-ID: <199512252216.OAA09495@netcom2.netcom.com> I was just browsing through the rules for the million dollar contest just announced by Sun Microsystems to encourage the writing of killer applets in Java, Sun's new architecture- independent program format. The URL is http://javacontest.sun.com/rules/index.html in case anyone is interested. While reading the contest rules, I found the following one particularly interesting... "No entries may include encryption as a feature or part of an applet." This was made even more curious by the later revelation that one of the criteria for judging entries was... "The applet should be able to transfer information from one point to another, with no possibility of interception or other interference during the process." Doubtless the reason Sun nixed encryption is because this is an international contest, and they did not want to deal with legal hassles involving international borders and different laws in every country. Nonetheless, they seem to have missed an excellent opportunity to encourage the migration of privacy software into the new realm they are creating. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From jya at pipeline.com Mon Dec 25 16:16:44 1995 From: jya at pipeline.com (John Young) Date: Tue, 26 Dec 1995 08:16:44 +0800 Subject: Bidzos on C-Span 2 Message-ID: <199512252241.RAA26805@pipe4.nyc.pipeline.com> If you care, Jim is smoothly hawking a beautiful world of easy-going crypto on C-Span 2, at least in NYC at 5:35 PM. At a session in San Francisco, probably a recording. Jingle jangle. From grafolog at netcom.com Mon Dec 25 16:22:32 1995 From: grafolog at netcom.com (NOT Jonathan Blake) Date: Tue, 26 Dec 1995 08:22:32 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: (No, this is not Jonathan Blake; see .sig below :) Jonathan Blake writes: > When I get the bugs out of the procmail script I'm > writing, to accomplish this, I'll send it to you. I'd be very interested. I may even use it, if it works. :) I like Adam Shostak's suggestion regarding caching hashes of signed portions of incoming e-mail. If the filter is going to keep track of e-mail history, then another possible useful feature would be to limit the number of e-mails accepted from a given party (even distinict). "You mail is being returned to you because you're only authorized to send 10 e-mails here in a 24-hour period". Heh. > However, won['t most messages have the name of the intended > recipient inside the PGP signature lines? Not necessarily. Most e-mails say something like "Dear Alice," but not all. I wish the important headers were included in the signed portion. Here's another variant of the same attack: Bob sends Alice a PGP-signed e-mail. Alice posts a Usenet forgery, making it look like it came from Bob, and using the same PGP-signed body. > > Alice _may_ notice that the _Received:_ headers are weird, but this > > forgery will certainly pass through a script that checks signatures. > > I'll have to give this some thought. Have the script > match the from id, with the message id. << Not sure > how I can do this one, yet. >> It's a piece of cake to forge the message-id to match the forged "From:". In fact, I'll do just that in this article, and I bet it'll take me less than a minute. Besides, your message-id doesn't match your host. :) I'm off to teach C++ now. (Yes, on Xmas) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jya at pipeline.com Mon Dec 25 16:24:22 1995 From: jya at pipeline.com (John Young) Date: Tue, 26 Dec 1995 08:24:22 +0800 Subject: Bidzos Coda Message-ID: <199512252256.RAA27240@pipe4.nyc.pipeline.com> The Bidzos show was recorded 12/8/95 at the Commonwealth Club in SF. It finished here at about 5:45 PM. Only caught a piece. Jim was answering written questions about a range of crypto and Internet security issues from the audience. Among other things, he says they're working on an encryption program "closely tied to the OS of portables, to protect the data if the machine is lost or stolen." He also said, "don't throw tomatoes," but they're doing something with "private key escrow" for those who want to provide access to their encrypted material in case of death or other emergency. Maybe some other idle sinner saw more, or was at the realtime tomato-chucker. From rah at shipwright.com Mon Dec 25 16:36:08 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 26 Dec 1995 08:36:08 +0800 Subject: Bidzos on C-Span 2 Message-ID: At 5:41 PM 12/25/95, John Young wrote: >If you care, Jim is smoothly hawking a beautiful world of >easy-going crypto on C-Span 2, at least in NYC at 5:35 PM. Actually, he did a pretty good job of towing the er, party line. Lots of good opportunities for analogical heavy lifting in arguments with statists. "Suppose you had a very strong door which protected your whole house and made it inviolate. Suppose then the government then wanted to have copy of your door keys on the off-chance you turn into a crack dealer someday...", etc. Except for the fact that he wants Uncle to protect his patents, that is... ;-). This was done on December 8 at the Commonwealth Club in SFO. Were there c'punks there? The questions sounded like it... He also said something about some kind of magic badge with biometric/PK software which would allow you to work anywhere there was a network connection. Reminiscent of our discussions about Xerox PARC's ubiquitous computing stuff, Gerry O'Neil's 2081, etc. I feel a rant coming on about this "information toaster" stuff, Metcalfe's fight with Alsop in Infoworld, etc. Guess I'll start it tomorrow. Take cover everybody... Merry Christmas! Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From rah at shipwright.com Mon Dec 25 16:36:41 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 26 Dec 1995 08:36:41 +0800 Subject: (cpx) Re: Bidzos on C-Span 2 Message-ID: At 5:41 PM 12/25/95, John Young wrote: >If you care, Jim is smoothly hawking a beautiful world of >easy-going crypto on C-Span 2, at least in NYC at 5:35 PM. Actually, he did a pretty good job of towing the er, party line. Lots of good opportunities for analogical heavy lifting in arguments with statists. "Suppose you had a very strong door which protected your whole house and made it inviolate. Suppose then the government then wanted to have copy of your door keys on the off-chance you turn into a crack dealer someday...", etc. Except for the fact that he wants Uncle to protect his patents, that is... ;-). This was done on December 8 at the Commonwealth Club in SFO. Were there c'punks there? The questions sounded like it... He also said something about some kind of magic badge with biometric/PK software which would allow you to work anywhere there was a network connection. Reminiscent of our discussions about Xerox PARC's ubiquitous computing stuff, Gerry O'Neil's 2081, etc. I feel a rant coming on about this "information toaster" stuff, Metcalfe's fight with Alsop in Infoworld, etc. Guess I'll start it tomorrow. Take cover everybody... Merry Christmas! Cheers, Bob -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here! Be a charter sponsor for e$pam, e$, and Ne$ws! e-mail rah at shipwright.com for details... ------------------------------------------------- From rah at shipwright.com Mon Dec 25 16:44:08 1995 From: rah at shipwright.com (Robert Hettinga) Date: Tue, 26 Dec 1995 08:44:08 +0800 Subject: (cpx) Re: Bidzos on C-Span 2 Message-ID: Oops. You can shoot me now... Sorry, folks! e$pam first and let god sort 'em out. Fixing that little problem this week, as a matter of fact. Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA (617) 958-3971 "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From dxm at alpha.c2.org Mon Dec 25 16:54:01 1995 From: dxm at alpha.c2.org (dxm at alpha.c2.org) Date: Tue, 26 Dec 1995 08:54:01 +0800 Subject: New Release of CFS Message-ID: <199512260014.QAA08982@infinity.c2.org> Matt Blaze writes: > [Perhaps this isn't the best time for me to post this here; apologies > in advance if this sparks another flame fest. -matt] > > Source code for the latest version (release 1.3.2) of CFS, the Cryptographic > File System, is now available upon request for research and experimental > use in the US and Canada. Dear Mr. Blaze: As you seem to have noticed, a few subscribers to cypherpunks are more interested in exploring their own personal psychopathologies than in the creation and spread of strong cryptography. Please do not feel that you need to apologize for their actions, and especially please do not restrict your actions and/or posts because of them. To correct merely one of the many mis-statements made by these people desperate to draw attention to themselves, the Linux community is NOT interested in 'out-of-the-box'. If we were interested in 'out-of-the- box', we would be running OSs that COME in a box. What we ARE interested in is source (or, if source isn't available, at least 128 bit keys). If you provide source, we'll port it. It's that simple. While support is nice, and appreciated, it is NOT NEEDED. We can take care of ourselves. So, on behalf of the Linux community and those of us running CFS, thank you very much for your contribution. And please don't let a couple of idiots like these lower your opinion of the over 1 million Linux users who appreciate your efforts and support. -- Deus Ex Machina dxm at alpha.c2.org From root at deimos.toad.com Mon Dec 25 17:15:39 1995 From: root at deimos.toad.com (Tom Zerucha) Date: Tue, 26 Dec 1995 09:15:39 +0800 Subject: ex encrypted script In-Reply-To: <199512202339.RAA05220@cdale1.midwest.net> Message-ID: On Wed, 20 Dec 1995, Jason Rentz wrote: > Forgive me if this is a stupid question. > > I'm using AT&T unix Version 5 release 3.2.2 ( UNIX System V/386 Release 3.2) > > I have several simple scripts that are simple yet handle important realtime > call proccessing tasks and remote control operations. These programs are my > programs but are running on a system that is dialed into by the vendor once > in a while. > > Is there a way to encrypt a script yet still allow it to be runnable? I > know that the simple answer is to write it in C and compile it but I don't > have the means of doing that at the moment. (i.e. there is not compiler on > the system) You can try something similar to what gzexe does, but... > I thought of a few simple protections but they all involve decrypting before > running. ...unless the CPU has built in decryption this will be a necessity. A compromise might be to put this into the kernel zerucha at shell.portal.com finger zerucha at jobe.portal.com for PGP key From fc at all.net Mon Dec 25 17:37:22 1995 From: fc at all.net (Fred Cohen) Date: Tue, 26 Dec 1995 09:37:22 +0800 Subject: anonther anonymous poster afraid to even tell us who they are In-Reply-To: <199512252215.XAA07650@utopia.hacktic.nl> Message-ID: <9512260044.AA14158@all.net> Another anonymous poster tells the cypherpunks to abandon liberty by abusing it. When will the cypherpunks learn stand up to these people. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From dlv at bwalk.dm.com Mon Dec 25 18:21:59 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 26 Dec 1995 10:21:59 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: <199512251953.OAA01614@homeport.org> Message-ID: Adam Shostack writes: > It would seem that only accepting signed mail, and caching the > hash of the signed part would work pretty well, and also not require Keeping a hash of the signed part sounds like an excellent defense from the attack of recycled messages. "Your mail blah blah is being returned to you because it appears to be similar to the e-mail you send on dd/mm/yy". Cool. > anything (other than a signature) from the remote end. The cost of a > spam is the time to generate a new key pair. (You probably need some > way to add new keys, for people to be able to say 'I'd like to talk to > you.') When thinking of a protocol, it's useful to consider what do we do in "real life" to reach an important person: Either ask a common acquiantance to introduce you, or go through a secretary. Say, Alice wants to send e-mail to Bob who doesn't accept e-mail to strangers. Alce may learn that Bob accepts Carol's e-mail, and ask Carol to forward Alice's e-mail to Bob (with Carol's signature). An interesting idea would be for Bob (together with other people) to pay some David to screen their e-mail received from strangers (manually, or with the help of some programs) and to decide whether to pass them on to Bob or to discard it. E-mail from known senders goes straight to Bob, and e-mail from strangers goes to David the screener. Not unlike "real life". --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From adam at lighthouse.homeport.org Mon Dec 25 20:14:29 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 26 Dec 1995 12:14:29 +0800 Subject: FH radios In-Reply-To: Message-ID: <199512260358.WAA02279@homeport.org> jim bell wrote: | Is there actually a restriction on the export of really-fast | frequency-hopping radios, even those (like cordless phones) which have no | clear military value? Yes. The ITARs restrict the export of any radio which hops faster than one frequency per second. (Or ten seconds if it hops between more than 8 bands.) See ITAR XIII.b.1.iii.C (ftp://ftp.cygnus.com/pub/export/itar.in.full) -- "It is seldom that liberty of any kind is lost all at once." -Hume From jamesd at echeque.com Mon Dec 25 21:26:20 1995 From: jamesd at echeque.com (James A. Donald) Date: Tue, 26 Dec 1995 13:26:20 +0800 Subject: Assault presses with cop killer computers. Message-ID: <199512260507.VAA09404@blob.best.net> While channel surfing around 6PM today on Christmas day, I saw President Clinton announce the grave international threat posed by terrorists, drug dealers and money launderers wielding computers (Only three horsemen -- he left out child pornographers.) He was immediately followed by an Expert In Television Expertise, who told us that computers were getting more and more powerful, and doing more and more things, and that Something Must Be Done. The Expert did not actually use the phrase "The first Amendment was never intended to protect modern assault presses using cop killer computers", but that was the message. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From nobody at flame.alias.net Tue Dec 26 01:09:50 1995 From: nobody at flame.alias.net (Anonymous) Date: Tue, 26 Dec 1995 17:09:50 +0800 Subject: HRB Systems Data Storage Encryptor Message-ID: <199512260845.JAA28578@utopia.hacktic.nl> Check out http://www.hrb.com/encryption/ssp.html, your exclusive source of the Ultron Crypto-Engine (tm) From futplex at pseudonym.com Tue Dec 26 01:18:59 1995 From: futplex at pseudonym.com (Futplex) Date: Tue, 26 Dec 1995 17:18:59 +0800 Subject: Encryption Discrimination from Sun In-Reply-To: <199512252216.OAA09495@netcom2.netcom.com> Message-ID: <199512260855.DAA16540@thor.cs.umass.edu> Mike Duvos writes (re: The Java Cup) > While reading the contest rules, I found the following one > particularly interesting... > > "No entries may include encryption as a feature > or part of an applet." [...] > Doubtless the reason Sun nixed encryption is because this is an > international contest, and they did not want to deal with legal > hassles involving international borders and different laws in > every country. OTOH, they don't have any ITAR-like rules about not installing crypto hooks. (It's pretty amusing that residents of Romania are eligible to enter, but not residents of Vermont. At least to me, since I don't live in Vermont. ;) > Nonetheless, they seem to have missed an excellent opportunity > to encourage the migration of privacy software into the new > realm they are creating. I'm not convinced that such a contest is capable of that anyway. As in most such contests, entries basically become the property of the sponsor. In this case, "By participating in the Contest, Contestant waives all claim to intellectual property rights in the entry, including patent rights and copyright, and waives all moral rights, except where prohibited." (Wow ! I didn't know I could waive my moral rights !) I'm not inclined to hand the Java privacy software on which I'm working over to Sun, even though I like Sun. If I were just working on a Tetris applet or something, I wouldn't mind.... -Futplex Cowboys 37, Cardinals 13; Merry Christmas, 49ers: We'll see you in Dallas ! From Kevin.L.Prigge-2 at cis.umn.edu Tue Dec 26 09:17:05 1995 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Wed, 27 Dec 1995 01:17:05 +0800 Subject: Assault presses with cop killer computers. In-Reply-To: <199512260507.VAA09404@blob.best.net> Message-ID: <30df89c1456a002@noc.cis.umn.edu> According to rumor, James A. Donald said: > > While channel surfing around 6PM today on Christmas day, I saw > President Clinton announce the grave international threat > posed by terrorists, drug dealers and money launderers wielding > computers (Only three horsemen -- he left out child pornographers.) Probably because child pornographers have been dealt with in the recent bill signed by Bill, which mandates 24-30 months for transmitting child porn, double if a computer is used. > > He was immediately followed by an Expert In Television Expertise, > who told us that computers were getting more and more powerful, and > doing more and more things, and that Something Must Be Done. I'll have to keep an eye on my machine, I think it may be subversive. Remember, computers don't break laws, people do... > The Expert did not actually use the phrase "The first Amendment was never > intended to protect modern assault presses using cop killer computers", > but that was the message. > I'll have to rename my machine black-rhino :) -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From anon-remailer at utopia.hacktic.nl Wed Dec 27 03:40:38 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 27 Dec 95 03:40:38 PST Subject: New release (v.1.3.2) of CFS Unix encrypting file system available Message-ID: <199512271140.MAA04896@utopia.hacktic.nl> >Source code for the latest version (release 1.3.2) of CFS, the Cryptographic >File System, is now available upon request for research and experimental >use in the US and Canada. Does anyone know if this code has made it across the pond yet? If so please post the ftp location to sci.crypt or comp.os.linux.misc. I don't read this list. Thanx. From tallpaul at pipeline.com Tue Dec 26 13:30:18 1995 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 27 Dec 1995 05:30:18 +0800 Subject: Assault presses with cop killer computers. Message-ID: <199512261249.HAA01723@pipe8.nyc.pipeline.com> On Dec 25, 1995 23:36:00, 'Kevin L Prigge ' wrote: >According to rumor, James A. Donald said: >> >> While channel surfing around 6PM today on Christmas day, I saw >> President Clinton announce the grave international threat >> posed by terrorists, drug dealers and money launderers wielding >> computers (Only three horsemen -- he left out child pornographers.) > >Probably because child pornographers have been dealt with in >the recent bill signed by Bill, which mandates 24-30 months >for transmitting child porn, double if a computer is used. > see Reuters, "Clinton acts to tougher penalties" 23 Dec 95 08:40 clari.news.crime.sex Message-ID: see AP, "Clinton signs porn bill," 23 Dec 95 09:40 clari.news.crime.sex Message-ID: What is most interesting is how far the four horsemen have rampaged and the destruction they have already done. The internet is not the *least* regulated as those pushing for "tougher penalties" claim. One can argue, using the new federal doubling of prison terms when computers are used, that it is the *most* regulated. One can also see how far the combination of sexual hysteria and fear of new technology has fed into and been used by politicians from throughout the political spectrum. It also shows how much of the government threat to privacy is a social, not a technological, issue. While people argue about heat-death-of-the-universe encryption algos, a different form of hot air is producing the heat death of civil liberties. While cyber-libertarians talk about how strong crypto algos are needed to protect property and how "the statists in Washington" are trying to take away their crypto, right-wing pro-capitalist politicians have already taken away civil liberties. While crypto-radicals talk about how strong crypto algos are needed to lead the revolution and how "the nazis in Washington" are trying to take away their crypto, sexual hysterics calling themselves "radical feminists" have already helped take away many civil liberties. I support strong crypto. I support powerful and secure algos. I see it as a wonderful development of technology to protect individual privacy. But privacy is only one right of the citizen; it is only one of the many civil liberties under attack. I am also disturbed by the number of discussions on the list that may be on topic but avoid *these* social issues, E.G. Army vs. Navy Captain? how cheap is AT&T? Bizdos: confused executive vs. conspiratorial swine? Are CFS programmers being treated nicely? Fred Cohen: nice guy victim or swine? Why Alice should use PGP. Ever heard of bit fiddlin' while Rome burns? --tallpaul From hal9001 at panix.com Tue Dec 26 15:20:18 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 27 Dec 1995 07:20:18 +0800 Subject: Only accepting e-mail from known parties Message-ID: At 14:33 12/25/95, tallpaul wrote: >Thoughts? (I see one problem with this but it should be able to be worked >out once the basic method is agreed to). I assume that the "Problem" is that by only giving each corespondent ONE E-Stamp, you are single streaming your connections with them (ie: Are talking Half-Duplex). Not only are they restricted to one message "in-flight" but they can not start another message until they have done a capture run to acquire your ACK and get the new key. From combee at techwood.org Wed Dec 27 08:11:43 1995 From: combee at techwood.org (Ben Combee) Date: Wed, 27 Dec 95 08:11:43 PST Subject: Austin CPunk Video Update Message-ID: <199512271611.KAA16961@matrix.eden.com> First, a lot of thanks to all of you who sent me ideas for the Cypherpunk video we are working on here in Austin. I'm sorry I haven't individually acknowledged all of you, but it was been a busy couple of months. Here is our status: We have agreed on the meeting infrastructure, with a video working group meeting twice a month of planning/strategy meetings and at other times for filming, editing, and so on. We have decided to do a 30 minute video with segments dealing with crypto history, basic theory, popular applications, and possible futures. We may go one to produce further videos which look at these topics in more detail. We have a outline of the segments of the video. The outline was originally conceived for a 60 minute program, so some items might have to be cut. This outline should be available online sometime soon off my web page at http://www.yak.net/combee/crypto/ (URL not yet active). This program will initially air on Austin's public access stations, but we have nebulous plans to distribute it once that requirement is met. Questions? Just write to me or to all the Austin CPunks at austin-cpunks at einstein.ssz.com. -- eebmoC .L nimajneB | Benjamin L. Combee (REVERSE) gro.doowhcet at eebmoc | combee at techwood.org (ENGINEERING) \eebmoc\ten.kay.www\\:ptth | http://www.yak.net/combee/ (RESERVE) From bugs at ritz.mordor.com Wed Dec 27 08:12:06 1995 From: bugs at ritz.mordor.com (Mark Hittinger) Date: Wed, 27 Dec 95 08:12:06 PST Subject: a new idea: stocks == currency Message-ID: <199512271611.LAA20760@ritz.mordor.com> > I've not seen promoted by any single author yet (although I have seen > some prominent cpunks argue the opposite). There was a book written some time ago called "SuperMoney" that basically argues this point (that stocks were not only money, they were *better* than money). One example would be a deposit at a bank. How can you tell if there is a potential solvency problem at the bank? One quick and easy check is to look at the value of the stock of the bank! You see this behavior in currencies when you are exchanging a stronger one for a weaker one or vice versa :-) PS: I read Prechter's "turn of the tidal wave" book over the holidays, and although it is mostly dry, it is an interesting read. Regards, Mark Hittinger Netcom/Dallas bugs at freebsd.netcom.com bugs at ritz.mordor.com From jamesd at echeque.com Tue Dec 26 19:09:23 1995 From: jamesd at echeque.com (James A. Donald) Date: Wed, 27 Dec 1995 11:09:23 +0800 Subject: HRB Systems Data Storage Encryptor Message-ID: <199512261539.HAA04685@blob.best.net> At 09:45 AM 12/26/95 +0100, Anonymous wrote: >Check out http://www.hrb.com/encryption/ssp.html, your >exclusive source of the Ultron Crypto-Engine (tm) The web page proudly announces: "is the only NSA-approved Type I data encryptor available today." There are probably some people ignorant enough to regard that as a recommendation. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From "Jason D. Livingood/WSC" at hks.net Wed Dec 27 13:54:19 1995 From: "Jason D. Livingood/WSC" at hks.net ("Jason D. Livingood/WSC" at hks.net) Date: Wed, 27 Dec 95 13:54:19 PST Subject: Employer Probing Precedents? Message-ID: <199512272151.QAA05241@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- To Whom It May Concern: I was curious as to where I might find some electronic freedom legal precedents. If, for example, an employer was planning to probe file systems on PCs in the off-hours and employees began encrypting their hard drives, what legal precedents would support the employees or would support the employer in blocking the encryption? Thanks for any info you can give me!! Jason Livingood jlivingood at hammer.net - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMOG/6ioZzwIn1bdtAQHQ2QF/cOq8vE9o+V/yGuk5KLbYv5E6xWJjV2cB pSHFhr4O0HtiTgOtTxMhylVmXFZpuosm =fIWG -----END PGP SIGNATURE----- From jimbell at pacifier.com Tue Dec 26 22:05:55 1995 From: jimbell at pacifier.com (jim bell) Date: Wed, 27 Dec 1995 14:05:55 +0800 Subject: FH radios Message-ID: At 05:06 PM 12/25/95 -0500, you wrote: > There is certainly little additional cost to building a >trully secure digital cordless phone given the dense ASIC technology >that is standard in this kind of product - but someone has to >persuade the manufacturers that there is a real need and find a way >to allow them to export the product. > > Dave Emery N1PRE Is there actually a restriction on the export of really-fast frequency-hopping radios, even those (like cordless phones) which have no clear military value? From Kevin.L.Prigge-2 at cis.umn.edu Tue Dec 26 22:10:40 1995 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Wed, 27 Dec 1995 14:10:40 +0800 Subject: [NOISE] Re: anonther anonymous poster In-Reply-To: <9512260044.AA14158@all.net> Message-ID: <30df67d24001002@noc.cis.umn.edu> According to rumor, Fred Cohen said: > > > Another anonymous poster tells the cypherpunks to abandon liberty by > abusing it. When will the cypherpunks learn stand up to these people. > This is really noise, but I just had a Woody flashback... All that he'd have to do is change the second sentance to "When will the cypherpunks learn to evaluate data." Anyhow, Merry Christmas :) -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From jimbell at pacifier.com Tue Dec 26 22:11:05 1995 From: jimbell at pacifier.com (jim bell) Date: Wed, 27 Dec 1995 14:11:05 +0800 Subject: [Rant] Flame threads and factual accuracy Message-ID: At 07:30 AM 12/25/95 -0500, you (Fred Cohen) wrote: >With rights come responsibilities. If you want the right of free speech, you >have to use it responsibly - otherwise, you will lose the right - and quite >possible lose it for me as well. This commentary is pure bullshit. If it were possible to quantify it throughout history, I strongly suspect that the vast majority of instances where "free speech" was LOST (or was never had in the first place) occurred NOT because of some objectively agreed-upon ABUSE (irresponsible use) of that free speech, but in fact merely because those in power WANTED there to be no free speech. In short, "losing the right" had NOTHING to to with abuse. (Though admittedly, that might be a common excuse given...in lieu of the truth!) Fred, you richly deserve your bad reputation. From kdf at gigo.com Tue Dec 26 22:20:09 1995 From: kdf at gigo.com (John Erland) Date: Wed, 27 Dec 1995 14:20:09 +0800 Subject: Mix Ported to DOS Yet? Message-ID: [Please respond netmail, as I have but periodic contact w/list.] Subject says it all: Has anyone ported Mixmaster to DOS yet? It has been impending for about a year, it seems, but no one had actually done it last time I asked. Thanks for any new info... JE -- : Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. : Internet: kdf at gigo.com From andr0id at midwest.net Wed Dec 27 00:28:33 1995 From: andr0id at midwest.net (Jason Rentz) Date: Wed, 27 Dec 1995 16:28:33 +0800 Subject: FH radios Message-ID: <199512262025.OAA09759@cdale1.midwest.net> Dave Emery writes: > There is also a newer technology called direct digital synthesis >or DDS that works by accumulating phase (adding to the previous value) We use DDS in some of our Microwave equipment between sites. > > There is certainly little additional cost to building a >trully secure digital cordless phone given the dense ASIC technology >that is standard in this kind of product - but someone has to >persuade the manufacturers that there is a real need and find a way >to allow them to export the product. > I agree; but, if the information you are passing is truly that important just use a landline phone. Eliminate the possable "leak". I'm not claiming that a landline phone is secure, but your cordless is connected to it, so no matter how good your security is on the phone its no longer secure once it leaves the base station and enters the landline. Further encryption can be implemented but this requires equipment on both ends. Really aren't we trying to create the most secure methods of information exchange with the least amount of cost? I'm budget restricted so PGP and the internet are more secure and cheaper for me than most other means of comunication, so far. :) Dr0id (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From aleph1 at dfw.dfw.net Wed Dec 27 16:49:25 1995 From: aleph1 at dfw.dfw.net (Aleph One) Date: Wed, 27 Dec 95 16:49:25 PST Subject: Reputation capital: FIBS case study In-Reply-To: <2sY4wMz2BcRC083yn@mail.msen.com> Message-ID: On Wed, 27 Dec 1995, Lou Poppler wrote: > > I'm not really asking for suggestions here or anything. It's likely that > most of them have already been debated to death on r.g.b. I just wanted > to show you a case of reputation markets in action. If the server can keep track of drop games and the restart it should not be diffucult to keep a record for each player of how many games he has dropped and not restarted. A high number would mean a cheater or someone with a very bad phone line. In either case you dont want to play with them. For the second problem there is no easy solution. One thing to make it more anoying for the cheater is to keep a history of matches played by each players. A player that has played 50 matches with anotherone an won all is either cheating or not looking for a challange. Of curse the cheater just has to create a new nym each time to play agains in this case. Bottom line is that on the net a nym can be multiple persons and a person can have multiple nyms. > :::::::::::::::::::::::::::::::::::::: Thank you VERY much! You'll be > :: Lou Poppler :: getting a Handsome Simulfax Copy > :: http://www.msen.com/~lwp/ :: of your OWN words in the mail > :::::::::::::::::::::::::::::::::::::: soon (and My Reply). > Aleph One / aleph1 at dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 From tadc at thetics.europa.com Wed Dec 27 16:52:05 1995 From: tadc at thetics.europa.com (T.R. Cox) Date: Wed, 27 Dec 95 16:52:05 PST Subject: BoS: Re: Misconfigured Web Servers In-Reply-To: <9511278200.AA820083186@cc2.dttus.com> Message-ID: On Wed, 27 Dec 1995, David Klur wrote: > > Re: the "trick" below... an even more effective search is the > following... > Is it just me, or is everyone getting a dozen of these? ////////////////////////////////////////////////////////////////////////\ |Thaddeus Cox = tadc at europa.com <==- Finger for standard legal disclaimer| |\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ |Are you using Europa? You ought to be-- Dial 503.222.4244, login as new | \///////////////////////////////////////////////////////////////////////// From sameer at c2.org Wed Dec 27 02:02:36 1995 From: sameer at c2.org (sameer) Date: Wed, 27 Dec 1995 18:02:36 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES APACHE-SSL COMMERCE Message-ID: <199512262112.NAA00652@infinity.c2.org> For Immediate Release Contact: Sameer Parekh 510-601-9777 COMMUNITY CONNEXION ANNOUNCES APACHE-SSL COMMERCE Community ConneXion today announced Apache-SSL Commerce, a commercial version of the Apache webserver with support for Netscape Communication Corporation's Secure Sockets Layer, a standard for encrypted communications over the Internet. Community ConneXion's Apache-SSL package includes Apache v1.0.0, extensions to Apache which enable the SSL protocol, additional customizations to the webserver, and tools to aid in server and SSL maintainence. The server supports virtual hosts and an extensible API to allow for easy modifications to the behavior of the server. Apache is currently the fastest growing HTTP server, looking set to become the most used web server on the net in 1996. Sameer Parekh, President of Community ConneXion, commented on their release of the encrypting webserver, "We're very happy to make available an affordable SSL server to the Internet community. For security to work, it must be ubiquitous, which requires that encrypting servers be affordable and widely deployed." Apache-SSL is available for free to non-commercial users, and the commercial use package, Apache-SSL Commerce, is available for $495.00. Customers who own versions of other commercial encrypting webservers can upgrade to Apache-SSL Commerce for $295.00. In addition to the right to use the server in commercial applications, the commercial package includes support and free lifetime upgrades from Community ConneXion. Apache-SSL Commerce is not available outside the United States, but Apache-SSL is available for free, both commercially and non-commercially, outside the United States from Ben Laurie, of A. L. Digital, Ltd. The Apache-SSL Commerce webserver is the only commercial encrypting webserver with source available. Ian Goldberg, graduate student at U.C. Berkeley, well-known for his work on SSL security, commented on the importance of available source, "The public release of source, especially for security-critical sections of code, is vital for a product in which the public must put its trust. It's far better for me to be able to check the software that's used, say, for accessing my bank account via the Web, for security problems, than for me to be forced to trust whatever company put out the product. Companies will soon find that releasing more information about the internals of their products will lead not only to better products, but better reputations, as well." Portions developed by the Apache Group, taken with permission from the Apache Server http://www.apache.org/. This product includes software developed by Ben Laurie for use in the Apache-SSL HTTP server project. This product includes software developed by Eric Young (eay at mincom.oz.au). Information on Apache-SSL is available at http://www.c2.org/apachessl/. Questions and inquiries regarding the server should be sent to apachessl at c2.org. Community ConneXion, founded in June of 1994, is the leading provider of privacy on the Internet. They provide anonymous and pseudonymous internet access and web pages in addition to powerful web service, virtual hosts, and web design consultation. Information is available from their web pages at http://www.c2.org/. From dklur at dttus.com Wed Dec 27 04:59:19 1995 From: dklur at dttus.com (David Klur) Date: Wed, 27 Dec 1995 20:59:19 +0800 Subject: Cybercash security Message-ID: <9511268200.AA820017186@cc2.dttus.com> What are the major security risks of the Cybercash system? I can't really find any, other than someone cracking the consumer's Cybercash client s/w password and using the victim's account to order something, or someone cracking RSA!. The following features seem to mitigate other risks... - The merchant never sees the credit card number - The Cybercash server does not store any credit card numbers (only temporarily while it is waiting for an authorizatino for a specific card purchase) - The consumer's credit card number is stored on his hard disk encrypted w/DES - The consumer sends his credit card number across the Internet encrypted w/DES and signed w/ 768-bit RSA From stig at hackvan.com Wed Dec 27 05:15:33 1995 From: stig at hackvan.com (Stig) Date: Wed, 27 Dec 1995 21:15:33 +0800 Subject: Fwd: Re: Fwd: Re: FH radios [Dave Emery] [Vaughan Pratt] Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I forwarded a cypherpunks message to technomads, where it got a killer response, so I'll bounce it back to Cypherpunks... Stig - ------- start of forwarded message (RFC 934 encapsulation) ------- From: Vaughan Pratt To: technomads at UCSD.EDU Subject: Re: Fwd: Re: FH radios [Dave Emery] Sender: pratt at cs.stanford.edu Date: Tue, 26 Dec 1995 12:00:43 -0800 Message-Id: <199512262000.MAA23334 at Coraki.Stanford.EDU> In-reply-to: Your message of "Tue, 26 Dec 1995 07:07:00 PST." >>> Thus in a frequency-hopping radio you can push the retuning (read RF >>> phase-locked loop) technology to its limit and build transmitters and >>> receivers around them. These typically hop in the order of 100 times a >>> second. The adversary has to find the uncorrelated signal very quickly >>> indeed *and* have PLL technology at least as good as yours to recover >>> anything from it. Finding the signal generally means listening to all >>> frequencies at once, requiring huge amounts of hardware parallelism and/or >>> realtime computing power. Once you throw ten or so radios onto the same >>> band, it's no longer any use looking for the strongest signal, making that >>> approach useless. >> >> This is nowhere near the limit of the technology. 15 years ago, I was >> working on PLLs that would stabilize within a couple degrees of final >> phase within 3.5 microseconds. That permits you to do useful work at >> 100,000 hops per second. >> > There is also a newer technology called direct digital synthesis >or DDS that works by accumulating phase (adding to the previous value) >each tick of a high frequency clock in a register at a rate determined >by the contents of another register (the value here sets the frequency) >with the upper bits of the accumulated phase being used to address a >sine/cosine lookup table rom which in turn feeds digital output values >into a D/A converter. The output of the D/A converter is a sampled >approximation of a sine or cosine wave at a frequency set by the >increment register. The sample rate is set by the high frequency clock >rate. This is all wishful thinking. A 26-MHz wide channel such as 902-928MHz has a channel capacity of 2*26 Mbs or 6.5 megabytes/sec. So if someone can tell *that* you are transmitting somewhere within that channel then they simply record *everything* at that data rate in the entire channel, your transmission and everyone else's, for the necessary time. A $600 3.5Gb Sequel drive can record a ten-minute transmission; then the eavesdropper can use one Pentium or two dozen, budget permitting, to extract your message from that data. If all you are doing is frequency hopping or spread spectrum, reconstruction is a very undemanding algorithmic task, and one Pentium should be able to reconstruct your signal the same day, two dozen the same hour. >But to get back to the original point of this thread - while >such techniques are possible (as is full hard encryption), it is my >understanding that actual conusmer 900 mhz digital cordless phones >that use frequency hopping use a very limited set of frequencies >and a small set of fixed hopping patterns and don't hop very fast. Hopping speed is almost completely irrelevant to the computational complexity of this problem. >When the brand of cordless phones that most emphasizes security >from eavesdropping in its point of sale advertising display is the one that >uses open FM with simple speech inversion you know there is something >wrong, particularly when the company that makes it is a pioneer in >really secure digital speech over handheld radios (and a big governmeent >contractor). To put it mildly. You can never overestimate the cost of decryption. What looks expensive enough today to decrypt can plummet by orders of magnitude on alarmingly short notice. We used to think TCP was mildly secure until easily installed sniffers became freely available on the internet that would reconstruct a telnet connection and print out the first 100 characters, making it child's play to extract passwords. If you think that you are secure because the effort of an attack seems on the high side, bear in mind that the tasks in a systematic attack can by definition of "systematic" be programmed, greatly easing the attacker's task. And once programmed, the program can be distributed to all and sundry on the internet. If a given level of cryptographic strength seems adequate for a message, add several orders of magnitude and maybe you'll be lucky. I know of only two really satisfactory places to hide information worth hiding: combinatorial search space (read: real encryption such as DES or RSA, with a hefty key), and the real world, which as a search space is approximately the size corresponding to a combinatorial space encrypted with a 256-bit key (i.e. the world seems bigger than 128 bits and smaller than 512). The latter is distributed in space-time and frequency (momentum-energy); if you consider only space-time or only frequency the universe looks like only a 128-bit hiding place in either case. Both together give you 256 bits (very approximately, that's a very round binary number). Vaughan Pratt - ------- end ------- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBMOCS5khaKuRiAqcVAQEJEAP/WNqKrjrGk5LpYt5fw70BtFYZEIMqkBzu TQscTmoK2sSOeI9yjxmOp8aQhArLpOdN0ZQgfwkuelfV+/n73ms3hMV+JIDOvuFx hirE1iBvZDMgEPX1BdyP94Me13a1f8mBKTTG1cPLIYKLSTZ1tmQ/MVI0EYN9H16U AETV7FJilvM= =l+fI -----END PGP SIGNATURE----- From ponder at wane-leon-mail.scri.fsu.edu Wed Dec 27 07:07:25 1995 From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder) Date: Wed, 27 Dec 1995 23:07:25 +0800 Subject: MD5 for DOS/Windows Message-ID: Anybody have a DOS or Windows implementation of MD5 available? Thanks. -- PJ Ponder From sameer at c2.org Wed Dec 27 08:41:34 1995 From: sameer at c2.org (sameer) Date: Thu, 28 Dec 1995 00:41:34 +0800 Subject: fun with rsaref and 64-bit machines Message-ID: <199512270120.RAA19559@infinity.c2.org> Does anyone know if RSAREF works on 64 bit CPUs? It seems that RSAREF's NN_Mod is getting stuck in digit.c at: 99 */ 100 while ((t[1] > 0) || ((t[1] == 0) && t[0] >= c)) { 101 if ((t[0] -= c) > (MAX_NN_DIGIT - c)) 102 t[1]--; 103 aLow++; 104 } on a dec alpha.. -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From vznuri at netcom.com Wed Dec 27 09:57:52 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 28 Dec 1995 01:57:52 +0800 Subject: a new idea: stocks == currency Message-ID: <199512270222.SAA01737@netcom6.netcom.com> I've been mulling over recent essays on digital cash by diverse authors that have popped up here and elsewhere and I'd like to highlight a revolutionary new "meme" of high cpunk relevance I see emerging, which I've not seen promoted by any single author yet (although I have seen some prominent cpunks argue the opposite). the basic thesis is as follows. digital cash obviously leads to an entirely new economic system in which the nature of routine future transactions may be radically altered. one of the chief alterations discussed ad infinitum on this list is the rise of economic freedom from taxation etc. however there is another interesting theme that is worth exploring at length that is at least as significant as this (bugaboo) taxation issue. one might look at the modern world and suggest that there is an increasing unification of currencies. the EU (European Union) is an example of this "trend". however I'm going to argue the opposite and suggest that the trend is toward increasing diversity of currencies. I believe we are moving toward a new system in which explosively more "currencies" will exist than do today. where will these come from? answer: stocks. I believe that future company stock will be considered a kind of currency issued by the company. when you are buying and selling stocks, what you are really doing is buying and selling currencies backed by different corporate entities. I have seen EH argue here and elsewhere that only a government has the legal capability of creating a currency. his view is that a currency is backed through *liability* that is enforced through laws. this is an interesting statist-flavor argument coming from a radical libertarian. what I would propose instead is that what a government has is *credibility*. this is the old "reputation capital" issue discussed here frequently too. a government is a massive entity larger than many companies that uses its full legislative "force" to back its currency. in another word, *trust*. however, I don't believe there is fundamentally a major difference between a company and a government, particularly in this area. (go ahead, flame me to oblivion for saying this, but I believe it is actually a very libertarian argument.) the only difference is in size and influence. it seems to me when a private company issues "cash", the basic principle is the same. the person who uses this cash is *trusting* the entity that issues it to back it with whatever they say they are backing with it. to use my stocks == currency analogy, the stock or currency of that company is backed by that company's assets and profitability. the interesting theme behind this is that it unifies the entire economic picture. suddenly the difference between currency and a stock tends to blur when stocks 1. can be exchanged readily 2. there is no government intervention/regulation in the exchange 3. middleman ("stockbroker" etc.) costs are minimized 4. (other similar elements yet to be identified) note that all these things appear to be the inevitable trend of uniting an economic system with cyberspace. -- my view of all this is somewhat blasphemous. the current system says that we have to have a government entity called the SEC to ensure that stocks are safe for those who invest in them. however, what I am suggesting is that a free market can actually devise its own methods of sorting out bogus from valid currency/stocks without government intervention. in fact, in my opinion that's precisely what investment advice is. this is exactly analogous too to the way that capital "naturally" moves away from unstable currencies and economies (of course capital does not do it, but the intelligent human forces that guide it amount to this basic effect). hence what I am proposing is a sort of currency spectrum. stocks are high risk but greater profit, and currency is low risk (stable) but subject to inflation or loss of value. they are two ends on a currency spectrum. and what I am proposing is that in the future, this currency spectrum will tend to emerge out of economic transactions in cyberspace. this currency spectrum will be recognized as a basic function of the cyberspatial economy. this economy will evolve overall to cut out middlemen and anything that decreases cash value. hence, you will see things such as companies offering their own cash (stock) directly to "consumers" without the large overhead associated with today's stock market (which will be considered a rather backward way of running an economy in the future because of the horrendous dissipation of capital involved in merely moving it from place to place). -- in the end, the government and various bankers lose their economic monopoly on "creating" cash, which affords them no end to manipulative capabilities. governments will compete with all other entities that desire to create cash systems. cash will move where governments and entities most "respect" it. oppressive tax laws etc. will be considered a lack of "respect" for cash. I know that the opposite trend seems to be happening: an increasing clampdown on "black cash". I think this may actually succeed in the short run, but the eventual movement of the economy is toward unrestrained cash in the same way there is a clear movement to an unrestrained cyberspace. there may be "blips" or "disturbances" on the way, but they'd merely be anomalies. my own view is that governments are either legitimately created or they are not ("consent of the governed" etc.). if they are legitimately created and maintained, then people will continue to support them even when it seems they have the choice not to (such as evade taxes). if they are not supported, then they are not legitimate. putting one's money where one's mouth is is the ultimate test of legitimacy in our reality. that is, support of a government by its people is the ultimate test of its legitimacy, and the the ultimate test of support is *cash*transferred*. no amount of policemen thugs pointing machine guns at tax protesters attempting to intimidate the entire population will change this basic reality imho. in fact I believe that many systems of today that are based on intimidation are going to dissolve as cyberspace becomes more prevalent. the scientology battle is a good example of this. before the internet their litigious intimidation tactics may have succeeded (and arguably did). however the tactics are becoming increasingly discredited in my view. but I am not saying this will happen without a struggle. I believe this will be the ultimate conclusion after a lot of turbulence and perhaps even bloodshed. -- today we think that cash moves around the world very readily, in the blink of an eye. but I suggest that today we actually have tremendous amounts of "friction" that are dissipating economic value of "currencies" merely as it moves through the system (the stock market would be one example). looking only at today's *cash* systems, indeed there is low friction, but when considers that *stocks* are actually cash, then our overall economic system is quite backward. cyberspace will act as a sort of economic lubricant of the highest degree in decreasing this friction. I will debate intelligent opposition to these ideas in this essay, but frankly I think what I describe is a reality that is going to emerge completely independent of my own promotion or anyone else's opposition. the famous Gilmore quote is that "cyberspace sees censorship as a defect and routes around it" has an analogy in the economic realm: "cash sees the middlemen as a defect and routes around him". inflation is one example of instability or lack of resiliency (a defect) of a currency. it can be seen as the exact opposite effect the growth of a stock is: loss of economic capital due to dissipation. I imagine one of the main claims against my essay will be as I anticipated above: only governments have the force and power necessary to back a currency. but I believe this is an anti-libertarian view. it suggests that cash only works when the government is involved, and the force associated with that government is employed as a means of keeping the system in check. can one have an economic system not based on mandatory obeisance to a government? I think it is clear to most on this list such a thing is not only possible but advantageous, desireable, and preferrable. the "trust" that a person places in a company stock is absolutely no different, in essence, from that placed in a currency of a government-- only the scale and the participants are different. I don't really believe that the legal framework associated with a government is what holds commerce together. there are many situations where companies simply eat their losses even when they are in the "right" legally and could sue and win. cyberspace will tend to prefer "anticipation" to legalities. in other words, it will tend to prefer to develop systems that anticipate failure (such as currency crashes) before they happen. courts will be seen as the absolute last resort for any kind of arbitration. in my view this has already happened today. From jya at pipeline.com Wed Dec 27 12:11:49 1995 From: jya at pipeline.com (John Young) Date: Thu, 28 Dec 1995 04:11:49 +0800 Subject: Rawbutt Day Message-ID: <199512261643.LAA28628@pipe1.nyc.pipeline.com> Rasping rawbutts for National Whiners Day here's a duo of pinhole puckers about the shut-your-filthy-hole bill: ---------- The Wash Post, Dec 25, 1995: Internet Football The Internet provisions are still in flux along with the rest of the host telecommunications bill, in which this newspaper and its parent company have an interest. If these provisions go through in anything like their present form, then their vulnerability to challenge on First Amendment grounds seems clear. It makes sense for a court to sort out the constitutional from the technical aspects of this new form of "speech," and the sooner the better. It won't be easy. The main legal questions about the proposed Internet indecency regulations as they now stand are inextricably wound up with technical issues. Can the "transmitters" of material that is deemed "indecent" ensure to a reasonable degree of certainty that underage computer users cannot get to it? If they fail, how can they show they tried? Several ideas here are flags for trouble. No legally solid test exists for the "indecency" standard now in the regulations -- patterned on those used for earlier dial-a-porn legislation but addressing totally different technologies. The coalition of moderate conferees had tried to replace the term with the more explicit "harmful to minors" but failed by a single vote. The Justice Department said in a letter last week that a "harmful to minors" standard was more likely than "indecency" to pass scrutiny but that "an overly broad restriction would likely not withstand constitutional scrutiny regardless of the standard chosen." That brings up the meaning of "transmit." Who is responsible for "transmitting" a smutty text that, say, a high school student locates by using an ordinary commercial account to (1) find, download and install free software that searches the Web, (2) use that tool to find a pornographic bulletin board overseas, and (3) make a copy to store in his own computer? The regulations now would punish anyone who "uses any interactive computer service to display [indecent material] in a manner available to a person under 18 years of age." But the bulletin board overseas isn't subject to U.S. Iaw. Most likely it will be up to the commercial providers to demand ID for certain types of accounts -- or up to account-buying parents to limit the scope of their kids' accounts. Whether providers can actually wall off sectors of the electronic world without cooperation from the adults paying the bills has more to do with the available electronic gizmos than with the laws governing the world to which they give access. There is much complicated back-and-forth about whether providers such as America Online and Prodigy will be held responsible for the effectiveness of the measures they take. But only the courts can decide what truly works. A court muddled its way through the Prodigy case on this topic in New York State recently. It declined to modify its own judgment that the provider was more liable because it had tried to create a "PG bulletin board" than if it had not. Whether or not this stands, it's a measure of the disconnect that persists as this legislation stumbles toward final enaction. ---------- The NY Times, Dec 26, 1995: Mr. Hollings Saves the Phone Bill House and Senate conferees seemed ready to negotiate a damaging telecommunications compromise until Senator Ernest Hollings of South Carolina, the chief Senate negotiator, altered that destiny last week. Wielding the threat of a filibuster and a deft legislative hand, he rescued the best parts of flawed House and Senate bills passed earlier, added some good new ideas and threw out most of the rot. His draft bill could spark innovation and set off consumer-friendly competition among television, cable and telephone companies. Its biggest flaw is a heavy-handed and probably unconstitutional effort to ban "indecent material" from the Internet. The original bills sought to break down barriers that keep media companies from entering each other's markets. But three mistakes were made. The bills would have deregulated cable rates before competition by other video companies could protect customers from price-gouging cable operators. Local phone companies would have been allowed to enter the long-distance market before they faced competition from cable or other companies. Worse still, the bills would have allowed broadcasters, cable operators, telephone companies and newspapers to merge too easily. That could expose consumers to a frightening concentration of information sources. Mr. Hollings, with the help of key Republicans like Senator Larry Pressler, fixed most of these flaws. His draft bill would hold up entry of local phone companies into long-distance service until the Federal Communications Commission says O.K. after giving weight to an antitrust review by the Justice Department. The bill leaves it up to the F.C.C. to set reasonable guidelines for mergers. It would put off deregulation of most cable rates for three years -- enough time for phone and satellite services to take on cable operators. The one serious error is a prohibition against transmission of allegedly indecent materials over the Internet -- the network of millions of on-line computer subscribers around the world. The indecency standard is probably unconstitutionally vague and restrictive. The standard is also unnecessary. The law already forbids sending obscene materials by computer. To protect children, parents can buy easy-to-use programs that block indecent materials from any source. The draft bill threatens to trigger further Government control of electronic communication -- which has blossomed so far precisely because Government has stayed on the sidelines. Fortunately, Republican leaders like Speaker Newt Gingrich are troubled by the indecency standard. There is a good opportunity to knock the provision out before Congress takes a vote. Some Republicans, miffed when Vice President Al Gore declared the draft an Administration victory, threatened to withhold support. But telecommunications, the heart of a high-tech economy, is too important for small-minded sparring. Congress should take up the draft bill, remove the indecency provision and put Mr. Holling's good deed into law. ---------- [The coccyx of a 12-26-95 WSJ eunucher]: First Amendment advocates, who have criticized the bill because it cracks down on Internet indecency and sets up a rating system and show-blocking circuitry against TV violence, got one small gift: The bill contains a provision for an expedited legal review of the constitutionality of those provisions. On the other hand, it also sets up a new law allowing 10-year prison terms for anyone who, using interstate phone calls, mail or other means, "persuades, induces, entices, or coerces" a minor to engage in any illegal sexual act. From jamesd at echeque.com Wed Dec 27 12:14:19 1995 From: jamesd at echeque.com (James A. Donald) Date: Thu, 28 Dec 1995 04:14:19 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES APACHE-SSL COMMERCE Message-ID: <199512270332.TAA01269@blob.best.net> At 01:12 PM 12/26/95 -0800, sameer wrote: > The Apache-SSL Commerce webserver is the only commercial encrypting > webserver with source available. Ian Goldberg, graduate student at > U.C. Berkeley, well-known for his work on SSL security, commented on > the importance of available source, Thanks for the great work. This protects the web against GAK far more effectively than any political campaign ever could. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tallpaul at pipeline.com Wed Dec 27 12:48:49 1995 From: tallpaul at pipeline.com (tallpaul) Date: Thu, 28 Dec 1995 04:48:49 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512261823.NAA27668@pipe3.nyc.pipeline.com> On Dec 26, 1995 08:37:30, '"Robert A. Rosenberg" ' wrote: >At 14:33 12/25/95, tallpaul wrote: > >>Thoughts? (I see one problem with this but it should be able to be worked >>out once the basic method is agreed to). > >I assume that the "Problem" is that by only giving each corespondent ONE >E-Stamp, you are single streaming your connections with them (ie: Are >talking Half-Duplex). Not only are they restricted to one message >"in-flight" but they can not start another message until they have done a >capture run to acquire your ACK and get the new key. > Actually, with e-mail the problem was an infinite loop of stamp exchanges. E.G. both of us are finickians who only accept e-mail from known associates. So they send me an e-message with the correct stamp. I send them an acknowlegmenet with a new stamp, but ... they won't accept the message from me unless I stamp it. So I stamp my return receipt. They get the return receipt and have to send me a new stamp, using the stamp I just sent them. I then ackowledge receipt from them, using the stamp they just sent me, and it is turtles all the way down. The workaround would be to have a semi-psycho e-bot who hoarded stamps, i.e. would accept stamps from anybody without treating an e-stamp as an e-mail message to me. I hadn't picked up the problem you mentioned. Thanks for pointing it out. I supposed the fix would be to send family (so to speak) books of stamps so they could send multiple messages when I was on vacation, my personal e-bot was down, etc. Of course, then family could get conned out of their stamps by smooth talking ad spammers. But this would, I think, be a rare occurance. That is, I wasn't thinking of *absolute* security just "good enough privacy." --tallpaul From hal9001 at panix.com Wed Dec 27 12:50:08 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 28 Dec 1995 04:50:08 +0800 Subject: Only accepting e-mail from known parties Message-ID: At 13:23 12/26/95, tallpaul wrote: >I hadn't picked up the problem you mentioned. Thanks for pointing it out. > You're welcome - You _did_ ask for comments/analysis . From dlv at bwalk.dm.com Wed Dec 27 13:56:52 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 28 Dec 1995 05:56:52 +0800 Subject: Bidzos on C-span Message-ID: <8NaRgD2w165w@bwalk.dm.com> I was very impressed by Bidzos's talk to C-Span. I'm sorry I didn't tape it. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From floyddb at alpha.c2.org Wed Dec 27 14:02:25 1995 From: floyddb at alpha.c2.org (floyddb at alpha.c2.org) Date: Thu, 28 Dec 1995 06:02:25 +0800 Subject: 900 MHz phones Message-ID: <199512270428.UAA04497@infinity.c2.org> It seems like the hornets nest has been stirred. I was merely trying to point out a possible consumer grade hole in some of the FH phones currently on the market. If the Interceptor or Scout can be used to listen to a FH phone, then surely it is being done. I used to work with a guy who would program his scanner to all of his neighbors cordless phone frequencies, then he would call them to verify his programming. A six-pack on a Saturday night and the scanner would be more entertaining than the bug light. Personally, my concern is with my next door neighbor listening to me talk to my girlfriend, not the NSA. If I want to arrange delivery of PGP to the Russians of where I should pick up my next 50 kg of cocaine, I'm *not* going to use my home phone. Because of these concerns, I refuse to own a cordless phone. So if the 900 MHz phones are resistant to these consumer grade attacks, they might be worth the money, otherwise the neighbors will just upgrade. Floyd D. Barber floyddb at alpha.c2.org Key fingerprint: 8A 98 1F 6B 70 7A FE 24 35 D4 48 CF 9D F6 B0 91 From frantz at netcom.com Wed Dec 27 15:05:46 1995 From: frantz at netcom.com (Bill Frantz) Date: Thu, 28 Dec 1995 07:05:46 +0800 Subject: a new idea: stocks == currency Message-ID: <199512270801.AAA11701@netcom9.netcom.com> At 18:22 12/26/95 -0800, Vladimir Z. Nuri wrote: >...An I believe that future company >stock will be considered a kind of currency issued by the company. when >you are buying and selling stocks, what you are really doing is buying >and selling currencies backed by different corporate entities. Here are some differences between stocks and currencies. I don't know how they effect your arguments, but I do invite comment: Stocks Curriences (1) Voting Most stock Based on residency inplies voting not net worth (2) Reputation availability Many stocks, Few curriencies, reputations hard to reputations well known find (3) Legal backing Based on government same (4) Dividends Commonly payed never heard of it ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From cpunk at remail.ecafe.org Thu Dec 28 09:21:40 1995 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Thu, 28 Dec 95 09:21:40 PST Subject: Cryptolib 1.1 rsa.c Message-ID: <199512281722.RAA18284@pangaea.ang.ecafe.org> I am informed that there is a serious bug in the version of cryptolib that gets sent to people who don't have RSA licenses. The bug prevents it from doing RSA encrypt, decrypt or signature. I cannot imagine how this bug slipped through but it seems only to exist in the copies of cryptolib that are sent to those without RSA licenses. Fortunately I have an RSA licesnse and so my new copy (thanks Jack and Matt!) does not suffer from the bug. Here is the version of rsa.c that fixes the bug. /* * This is version 1.1 of CryptoLib * * The authors of this software are Jack Lacy, Don Mitchell and Matt Blaze * Copyright (c) 1991, 1992, 1993, 1994, 1995 by AT&T. * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software and in all copies of the supporting * documentation for such software. * * NOTE: * Some of the algorithms in cryptolib may be covered by patents. * It is the responsibility of the user to ensure that any required * licenses are obtained. * * * SOME PARTS OF CRYPTOLIB MAY BE RESTRICTED UNDER UNITED STATES EXPORT * REGULATIONS. * * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. */ /* * Code for generating and manipulating RSA keys * and doing encryption and decryption using RSA. * AT&T recognizes that RSA is patented * (Rivest et. al. U.S. Patent 4,405,829, issued 9/20/83). * Use of this code assumes proper licensing. * * coded by Jack Lacy, December, 1991 * */ #include "libcrypt.h" static Key_exps *genKeyExps P((BigInt, BigInt, BigInt, int, BigInt)); static void chineseRemTheorem P((BigInt , RSAPrivateKey *, BigInt)); static void genPrimesFor3 P((int, BigInt, BigInt, BigInt, BigInt)); #ifdef K_AND_R static Key_exps * genKeyExps(p, q, e, ebits, randomStart) BigInt p, q, e; int ebits; BigInt randomStart; #else static Key_exps *genKeyExps(BigInt p, BigInt q, BigInt e, int ebits, BigInt randomStart) #endif { BigInt phi, p1, q1; BigInt u1, ngcd, ignore; Key_exps *exps; int ebytes; #ifdef DLLEXPORT HGLOBAL handle = clib_malloc(sizeof(Key_exps)); exps = (Key_exps *)GlobalLock(handle); exps->exp_handle = handle; #else exps = (Key_exps *)clib_malloc(sizeof(Key_exps)); #endif p1 = bigInit(0); q1 = bigInit(0); phi = bigInit(0); u1 = bigInit(0); ngcd = bigInit(0); ignore = bigInit(0); if (e == NULL) e = bigInit(3); bigSubtract(p, one, p1); bigSubtract(q, one, q1); bigMultiply(p1, q1, phi); freeBignum(p1); freeBignum(q1); /* Get public exponent, relatively prime to modulus. */ /* A by product of the extendedGcd calculation is the inverse of e mod phi, which is d, the private exponent. If e has been specified, skip this. */ if (e == NULL) { if (ebits > 2) { ebytes = (ebits/8) + (ebits%8? 1: 0); if (randomStart == NULL) { bigRand(ebytes, e, PSEUDO); } else { bigCopy(randomStart, e); } if (EVEN(e)) bigAdd(e, one, e); } } extendedGcd(e, phi, u1, ignore, ngcd); while (bigCompare(ngcd, one) != 0) { bigAdd(e, two, e); extendedGcd(e, phi, u1, ignore, ngcd); } exps->d = u1; exps->e = e; freeBignum(phi); freeBignum(ngcd); freeBignum(ignore); return exps; } #ifdef K_AND_R _TYPE( RSAPublicKey * ) buildRSAPublicKey(e, n) BigInt e, n; #else _TYPE( RSAPublicKey * ) buildRSAPublicKey(BigInt e, BigInt n) #endif { RSAPublicKey *pk; #ifdef DLLEXPORT HGLOBAL handle = clib_malloc(sizeof(RSAPublicKey)); pk = (RSAPublicKey *)GlobalLock(handle); pk->pubkey_handle = handle; #else pk = (RSAPublicKey *)clib_malloc(sizeof(RSAPublicKey)); #endif pk->publicExponent = e; pk->modulus = n; return pk; } #ifdef K_AND_R _TYPE( RSAPrivateKey * ) buildRSAPrivateKey(e, d, p, q, dp, dq, c12) BigInt e, d, p, q, dp, dq, c12; #else _TYPE( RSAPrivateKey * ) buildRSAPrivateKey(BigInt e, BigInt d, BigInt p, BigInt q, BigInt dp, BigInt dq, BigInt c12) #endif { RSAPrivateKey *pk; ChineseRemStruct *crt; #ifdef DLLEXPORT HGLOBAL crt_handle = clib_malloc(sizeof(ChineseRemStruct)); HGLOBAL handle = clib_malloc(sizeof(RSAPrivateKey)); crt = (ChineseRemStruct *)GlobalLock(crt_handle); crt->crt_handle = crt_handle; pk = (RSAPrivateKey *)GlobalLock(handle); pk->privkey_handle = handle; #else crt = (ChineseRemStruct *)clib_malloc(sizeof(ChineseRemStruct)); pk = (RSAPrivateKey *)clib_malloc(sizeof(RSAPrivateKey)); #endif pk->publicExponent = e; pk->privateExponent = d; pk->modulus = bigInit(0); bigMultiply(p, q, pk->modulus); pk->crt = crt; pk->crt->p = p; pk->crt->q = q; pk->crt->dp = dp; pk->crt->dq = dq; pk->crt->c12 = c12; return pk; } #ifdef K_AND_R _TYPE( RSAKeySet * ) buildRSAKeySet(e, d, p, q) BigInt e, d, p, q; #else _TYPE( RSAKeySet * ) buildRSAKeySet(BigInt e, BigInt d, BigInt p, BigInt q) #endif { BigInt pminus1, qminus1, n, dp, dq, c12; BigInt ecopy, dcopy; RSAKeySet *ks; #ifdef DLLEXPORT HGLOBAL ks_handle = clib_malloc(sizeof(RSAKeySet)); ks = (RSAKeySet *)GlobalLock(ks_handle); ks->keyset_handle = ks_handle; #else ks = (RSAKeySet *)clib_malloc(sizeof(RSAKeySet)); #endif n = bigInit(0); bigMultiply(p, q, n); ecopy = bigInit(0); bigCopy(e, ecopy); ks->publicKey = buildRSAPublicKey(ecopy, n); pminus1 = bigInit(0); qminus1 = bigInit(0); bigSubtract(p, one, pminus1); bigSubtract(q, one, qminus1); dp = bigInit(0); dq = bigInit(0); bigMod(d, pminus1, dp); bigMod(d, qminus1, dq); c12 = bigInit(0); getInverse(q, p, c12); ecopy = bigInit(0); bigCopy(e, ecopy); dcopy = bigInit(0); bigCopy(d, dcopy); ks->privateKey = buildRSAPrivateKey(ecopy, dcopy, p, q, dp, dq, c12); freeBignum(pminus1); freeBignum(qminus1); return ks; } #ifdef K_AND_R static void genPrimesFor3(nbits, p, q, r1, r2) int nbits; BigInt p, q, r1, r2; #else static void genPrimesFor3(int nbits, BigInt p, BigInt q, BigInt r1, BigInt r2) #endif { BigInt ngcd, ignore, three, pminus1, qminus1; ignore = bigInit(0); three = bigInit(3); pminus1 = bigInit(0); qminus1 = bigInit(0); /* Gordon algorithm doesn't care about the p-1 factor size */ genStrongPrimeSet(nbits/2, p, (int)NULL, ignore, GORDON, r1); bigSubtract(p, one, pminus1); ngcd = gcd(three, pminus1); while (bigCompare(ngcd, one) != 0) { if (r1 != NULL) randomize(r1); freeBignum(ngcd); genStrongPrimeSet(nbits/2, p, (int)NULL, ignore, GORDON, r1); bigSubtract(p, one, pminus1); ngcd = gcd(three, pminus1); } freeBignum(ngcd); genStrongPrimeSet(nbits/2, q, (int)NULL, ignore, GORDON, r2); bigSubtract(q, one, qminus1); ngcd = gcd(three, qminus1); while (bigCompare(ngcd, one) != 0) { if (r2 != NULL) randomize(r2); freeBignum(ngcd); genStrongPrimeSet(nbits/2, q, (int)NULL, ignore, GORDON, r2); bigSubtract(q, one, qminus1); ngcd = gcd(three, qminus1); } freeBignum(ngcd); freeBignum(pminus1); freeBignum(qminus1); freeBignum(ignore); freeBignum(three); } #ifdef K_AND_R _TYPE( int ) randBytesNeededForRSA (modlen, ebits) int modlen, ebits; #else _TYPE( int ) randBytesNeededForRSA (int modlen, int ebits) #endif { int bytes; bytes = ((modlen + ebits)/8) + ((modlen+ebits)%8? 1: 0); return bytes; } #ifdef K_AND_R _TYPE( RSAKeySet * ) genRSAKeySet(nbits, ebits, e, randomStart) Ulong nbits, ebits, randomStart; BigInt e; #else _TYPE( RSAKeySet * ) genRSAKeySet(int nbits, int ebits, BigInt e, BigInt randomStart) #endif { BigInt p, q, ignore, r1, r2; Key_exps *exps; RSAKeySet *key_set; int oldlen; BigInt randStart; p = bigInit(0); q = bigInit(0); r1 = NULL; r2 = NULL; randStart = NULL; if (randomStart != NULL) { r1 = bigInit(0); r2 = bigInit(0); randStart = bigInit(0); bigCopy(randomStart, randStart); oldlen = LENGTH(randStart); LENGTH(randStart) = nbits/32/2; bigCopy(randStart, r1); LENGTH(randStart) = oldlen; bigRightShift(randStart, nbits/2, randStart); oldlen = LENGTH(randStart); LENGTH(randStart) = nbits/32/2; bigCopy(randStart, r2); LENGTH(randStart) = oldlen; bigRightShift(randStart, nbits/2, randStart); } if (ebits == 2) genPrimesFor3(nbits, p, q, r1, r2); else { ignore = bigInit(0); genStrongPrimeSet(nbits/2, p, (int)NULL, ignore, GORDON, r1); genStrongPrimeSet(nbits/2, q, (int)NULL, ignore, GORDON, r2); freeBignum(ignore); } exps = genKeyExps(p, q, e, ebits, randStart); key_set = buildRSAKeySet(exps->e, exps->d, p, q); freeBignum(exps->e); freeBignum(exps->d); if (r1 != NULL) { freeBignum(r1); freeBignum(r2); freeBignum(randStart); } #ifdef DLLEXPORT GlobalUnlock(exps->exp_handle); GlobalFree(exps->exp_handle); #else free((char *)exps); #endif return key_set; } /* Chinese Remainder Theorem reconstruction of m^d mod n, using m^dp mod p and m^dq mod q with dp = d mod p-1, dq = d mod q-1. */ #ifdef K_AND_R static void chineseRemTheorem(m, key, em) BigInt m, em; RSAPrivateKey *key; #else static void chineseRemTheorem(BigInt m, RSAPrivateKey *key, BigInt em) #endif { BigInt u1, u2; BigInt p, q, dp, dq, c12; p = key->crt->p; q = key->crt->q; dp = key->crt->dp; dq = key->crt->dq; c12 = key->crt->c12; u1 = bigInit(0); u2 = bigInit(0); bigPow(m, dp, p, u1); bigPow(m, dq, q, u2); crtCombine(u1, u2, p, q, c12, em); freeBignum(u1); freeBignum(u2); } #ifdef K_AND_R _TYPE( void ) freeRSAPublicKey(pk) RSAPublicKey *pk; #else _TYPE( void ) freeRSAPublicKey(RSAPublicKey *pk) #endif { freeBignum(pk->publicExponent); freeBignum(pk->modulus); #ifdef DLLEXPORT GlobalUnlock(pk->pubkey_handle); GlobalFree(pk->pubkey_handle); #else free((char *)pk); #endif } #ifdef K_AND_R _TYPE( void ) freeRSAPrivateKey(pk) RSAPrivateKey *pk; #else _TYPE( void ) freeRSAPrivateKey(RSAPrivateKey *pk) #endif { freeBignum(pk->publicExponent); freeBignum(pk->privateExponent); freeBignum(pk->modulus); freeBignum(pk->crt->p); freeBignum(pk->crt->q); freeBignum(pk->crt->dp); freeBignum(pk->crt->dq); freeBignum(pk->crt->c12); #ifdef DLLEXPORT GlobalUnlock(pk->crt->crt_handle); GlobalFree(pk->crt->crt_handle); GlobalUnlock(pk->privkey_handle); GlobalFree(pk->privkey_handle); #else free((char *)pk->crt); free((char *)pk); #endif } #ifdef K_AND_R _TYPE( void ) freeRSAKeys(ks) RSAKeySet *ks; #else _TYPE( void ) freeRSAKeys(RSAKeySet *ks) #endif { freeRSAPublicKey(ks->publicKey); freeRSAPrivateKey(ks->privateKey); #ifdef DLLEXPORT GlobalUnlock(ks->keyset_handle); GlobalFree(ks->keyset_handle); #else free((char *)ks); #endif } #ifdef K_AND_R _TYPE( BigInt ) RSAEncrypt(message, key) BigInt message; RSAPublicKey *key; #else _TYPE( BigInt ) RSAEncrypt(BigInt message, RSAPublicKey *key) #endif { BigInt result; result = bigInit(3); if (bigCompare(key->publicExponent, result) == 0) { reset_big(result, 0); bigCube(message, key->modulus, result); } else { reset_big(result, 0); bigPow(message, key->publicExponent, key->modulus, result); } return result; } #ifdef K_AND_R _TYPE( BigInt ) RSADecrypt(message, key) BigInt message; RSAPrivateKey *key; #else _TYPE( BigInt ) RSADecrypt(BigInt message, RSAPrivateKey *key) #endif { BigInt result; result = bigInit(0); chineseRemTheorem(message, key, result); return result; } #ifdef K_AND_R _TYPE( RSASignature * ) RSASign(message, key) BigInt message; RSAPrivateKey *key; #else _TYPE( RSASignature * ) RSASign(BigInt message, RSAPrivateKey *key) #endif { return (RSASignature *)RSADecrypt(message, key); } #ifdef K_AND_R _TYPE( Boolean ) RSAVerify(message, sig, key) BigInt message; RSASignature *sig; RSAPublicKey *key; #else _TYPE( Boolean ) RSAVerify(BigInt message, RSASignature *sig, RSAPublicKey *key) #endif { Boolean retval; BigInt cmp; cmp = (BigInt)RSAEncrypt((BigInt)sig, key); if (bigCompare(message, cmp) == 0) retval = TRUE; else retval = FALSE; freeBignum(cmp); return retval; } #ifdef K_AND_R _TYPE( void ) freeRSASig(sig) RSASignature *sig; #else _TYPE( void ) freeRSASig(RSASignature *sig) #endif { freeBignum((BigInt)sig); } #ifdef K_AND_R _TYPE( void ) RSAPrivateKeyDesEncrypt(pk, deskey) RSAPrivateKey *pk; unsigned char *deskey; #else _TYPE( void ) RSAPrivateKeyDesEncrypt(RSAPrivateKey *pk, unsigned char *deskey) #endif { bignumDesEncrypt(pk->publicExponent, deskey); bignumDesEncrypt(pk->privateExponent, deskey); bignumDesEncrypt(pk->modulus, deskey); bignumDesEncrypt(pk->crt->p, deskey); bignumDesEncrypt(pk->crt->q, deskey); bignumDesEncrypt(pk->crt->dp, deskey); bignumDesEncrypt(pk->crt->dq, deskey); bignumDesEncrypt(pk->crt->c12, deskey); } #ifdef K_AND_R _TYPE( void ) RSAPrivateKeyDesDecrypt(pk, deskey) RSAPrivateKey *pk; unsigned char *deskey; #else _TYPE( void ) RSAPrivateKeyDesDecrypt(RSAPrivateKey *pk, unsigned char *deskey) #endif { bignumDesDecrypt(pk->publicExponent, deskey); bignumDesDecrypt(pk->privateExponent, deskey); bignumDesDecrypt(pk->modulus, deskey); bignumDesDecrypt(pk->crt->p, deskey); bignumDesDecrypt(pk->crt->q, deskey); bignumDesDecrypt(pk->crt->dp, deskey); bignumDesDecrypt(pk->crt->dq, deskey); bignumDesDecrypt(pk->crt->c12, deskey); } #ifdef K_AND_R _TYPE( BigInt ) quantized_RSADecrypt(m, key) BigInt m; RSAPrivateKey *key; #else _TYPE( BigInt ) quantized_RSADecrypt(BigInt m, RSAPrivateKey *key) #endif { BigInt result; start_quantize(STD_QUANTUM); result = RSADecrypt(m, key); end_quantize(); return result; } #ifdef K_AND_R _TYPE( RSASignature *) quantized_RSASign(m, key) BigInt m; RSAPrivateKey *key; #else _TYPE( RSASignature *) quantized_RSASign(BigInt m, RSAPrivateKey *key) #endif { return (RSASignature *)quantized_RSADecrypt(m, key); } From die at pig.die.com Wed Dec 27 18:01:04 1995 From: die at pig.die.com (Dave Emery) Date: Thu, 28 Dec 1995 10:01:04 +0800 Subject: Fwd: Re: Fwd: Re: FH radios [Dave Emery] [Vaughan Pratt] In-Reply-To: Message-ID: <9512270551.AA23874@pig.die.com> > > This is all wishful thinking. A 26-MHz wide channel such as 902-928MHz > has a channel capacity of 2*26 Mbs or 6.5 megabytes/sec. So if someone That is not what Mr Shannon says, Shannon's law relates date rate, bandwidth and signal to noise ratio - the "channel capacity" of 26 mhz of spectrum is determined by the signal to noise ratio in the 26 mhz channel and ranges from much less than 26 mbs to several times that rate depending on the signal to noise ratio (and of course how clever the modulation technology is at exploiting it). Witness a 28.8 kb modem which stuffs 28.8 kb into less than 3.2 khz given about 32 db gross SNR. But more significant to the predection recording technique you are talking about is how many samples a second it takes to reproduce information in the 26 mhz bandwidth. Crudely, as a rule of thumb the Nyquist criterion would suggest that you need to sample at twice the highest frequency (or 26 mhz if you downtranslate to DC). This means 52 megasamples per second. Now depending on how much junk there is in the 902-928 mhz band at the location of interest and how far below the other signals the signal of interest is, you might be able to get away with 8 bit samples (providing about 35 db dynamic range) but would probably need more bits than that for things to work reliably. Say 12 bits (72 Mbytes sec) or 16 bits (104 Mbytes/sec), Yes, perhaps compression could buy you back some of that, but you are still realisticlly talking about recording somewhere between maybe 20 and 100 Mbytes/sec. The low end of this range is about the upper limit of present day high performance disk system bandwidth. So you are not talking about a simple configuration with off the shelf disks and controllers (unless you run several in parallel). And one minute of audio gobbles up way more than a gigabyte, or less than 2 minutes per $K of disk cost. And that assumes some compression. > can tell *that* you are transmitting somewhere within that channel then > they simply record *everything* at that data rate in the entire > channel, your transmission and everyone else's, for the necessary > time. A $600 3.5Gb Sequel drive can record a ten-minute transmission; > then the eavesdropper can use one Pentium or two dozen, budget > permitting, to extract your message from that data. If all you are > doing is frequency hopping or spread spectrum, reconstruction is a very > undemanding algorithmic task, and one Pentium should be able to > reconstruct your signal the same day, two dozen the same hour. > I will agree that such techniques can be used, and am well aware that they have been used for the last 25 or so years by the NSA and other like organizations for handling this kind of problem (originally in the HF radio spectrum for finding and reading covert burst transmissions - at least so I have heard). > >But to get back to the original point of this thread - while > >such techniques are possible (as is full hard encryption), it is my > >understanding that actual conusmer 900 mhz digital cordless phones > >that use frequency hopping use a very limited set of frequencies > >and a small set of fixed hopping patterns and don't hop very fast. > > Hopping speed is almost completely irrelevant to the computational > complexity of this problem. > I agree in general, though the degenerate case of very slow hopping permits of some simplifications and speedups since demodulating bits between hops can be done with less computation per sample than estimating where the next hop frequency is when it is unknown. And a phone that slowly hops in a fixed simple pattern onto a small number of channels can be demodulated by very simple approaches indeed, including much less sophisticated and costly ones than fast DSP of wideband sampled channels. > > You can never overestimate the cost of decryption. What looks > expensive enough today to decrypt can plummet by orders of magnitude on > alarmingly short notice. We used to think TCP was mildly secure until > easily installed sniffers became freely available on the internet that > would reconstruct a telnet connection and print out the first 100 > characters, making it child's play to extract passwords. > I must say that I was not amoung those who ever thought that TCP was secure, perhaps because I have spent too much time looking at packet dumps from protocol analyzers and bus traffic on logic analyzers. And even the oldest and slowest systems could reconstruct TCP - it was not a leap of system technology at all, but a leap of hacker application skills and awareness. I hate to even whisper the other places in the fragile web of our infrastructure that are vulnerable to intelligent attack ... there are many unexploited holes left even as we plug some of the obvious ones. The good thing is that people are begining to think about them. > If you think that you are secure because the effort of an attack seems > on the high side, bear in mind that the tasks in a systematic attack can > by definition of "systematic" be programmed, greatly easing the > attacker's task. And once programmed, the program can be distributed to > all and sundry on the internet. > That I agree with and think the current rash of sophisticated hacker tools in the hands of relatively unsophisticated kids who could in no way have created them proves your point well. > If a given level of cryptographic strength seems adequate for a message, > add several orders of magnitude and maybe you'll be lucky. > I wouldn't consider hopping or spread spectrum cryptography. Historically they have been viewed as techniques for avoiding jamming and interference and sometimes also for making signals harder to find rather than as information security techniques. Their use in cordless phones is primarily to aviod interference from other users of the 902-928 band and not for security. > I know of only two really satisfactory places to hide information worth > hiding: combinatorial search space (read: real encryption such as DES > or RSA, with a hefty key), I think we all agree that security by obscurity is not real security at all. But even the security of mathematical crypto is mostly unproven as of yet - we merely think things are difficult to compute because we don't know an easy way to do it, not because there is a clear proof that is true. Dave Emery From proff at suburbia.net Thu Dec 28 10:11:43 1995 From: proff at suburbia.net (Julian Assange) Date: Thu, 28 Dec 95 10:11:43 PST Subject: Premail web server strangeness Message-ID: <199512281811.FAA20893@suburbia.net> Suprising amount of information one can gain from an env array, really. .... SORRY DISPLAY=callisto:0.0 EDITOR=/usr/sww/bin/emacsclient HOME=/ HOST=kiwi.cs.berkeley.edu HOSTTYPE=alpha LOGNAME=root LPDEST=lws510 MACHTYPE=alpha MAIL=/var/spool/mail/raph MANPATH=/private/raph/man:/usr/kerberos/man:/usr/sww/man:/usr/sww/X11/man:/usr/man:/usr/local/man MITSCHEME_LIBRARY_PATH=/usr2/fa92/c263/scheme/lib MPL=CMMD NNTPSERVER=agate OSTYPE=osf1 PAGER=/usr/sww/bin/less -r PATH=/usr/bin:/usr/sww/bin PGPPATH=/private/raph/.pgp PRINTER=lws510 PWD=/private/raph REMOTEHOST=callisto.HIP.Berkeley.EDU SHELL=/bin/sh SHLVL=2 TERM=xterm USER=root VENDOR=dec SERVER_SOFTWARE=Raph's li'l server 0.04 HTTP_ACCEPT=application/x-csh HTTP_FROM= HTTP_REFERER=http://kiwi.cs.berkeley.edu/cgi-bin/premail-0.42.tar.gz?question1=Yes&question2=Yes HTTP_USER_AGENT= QUERY_STRING=question1=Yes&question2=Yes Sorry, can't serve the document. -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | has stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From EALLENSMITH at mbcl.rutgers.edu Thu Dec 28 10:11:46 1995 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Thu, 28 Dec 95 10:11:46 PST Subject: Telcom bill report Message-ID: <01HZCBJ2O0DC8Y55KS@mbcl.rutgers.edu> From: IN%"futplex at pseudonym.com" 28-DEC-1995 01:20:39.13 >Thanks ever so much for posting my non-list-relevant private mail to the list. ------------ Oh, bloody hell. Oops... you (and anyone else bothered by the, as you point out, irrelevant mail) have my sincerest apologies. I didn't notice the lack of a CC: to cypherpunks (it's buried in the headers and I was lacking in sleep, but that's no excuse), and consequently goofed. -Allen From adam at lighthouse.homeport.org Wed Dec 27 18:22:08 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 28 Dec 1995 10:22:08 +0800 Subject: MD5 for DOS/Windows In-Reply-To: Message-ID: <199512271437.JAA04030@homeport.org> | Anybody have a DOS or Windows implementation of MD5 available? | Thanks. Anytime I need to find crypto code, I go to the University of Milan. ftp.dsi.unimi.it The best selection of hash functions, raw ciphers, PGP, and much other stuff I know of. Worth a place in your hotlists. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From a-kurtb at microsoft.com Thu Dec 28 10:52:58 1995 From: a-kurtb at microsoft.com (Kurt Buff (Volt Comp)) Date: Thu, 28 Dec 95 10:52:58 PST Subject: FW: proposal for new cyber abbreviation Message-ID: TOBAL - There Oughta Be A Law... Same thing, easier on the mouth. Kurt ---------- From: Vladimir Z. Nuri[SMTP:vznuri at netcom.com] Sent: Wednesday, December 27, 1995 11:47 To: cypherpunks at toad.com Subject: proposal for new cyber abbreviation yes, cyberspace just doesn't have enough acronyms like AFAIK and IANAL etc. ad nauseam. (I have reason to believe that PTB, or "powers that be" was actually invented here on this list!!) anyway after reading recent messages I propose: SHTBD!!!! as in, Something Has To Be Done. used either seriously or satirically (probably mostly satirically by everyone here). example: "there was a editorialist on TV ranting about the 4 horsemen of the infocalypse and screeching that SHTBD!!!" or, "I was not implying that SHTBD, merely that we are moving into a brave new world in cyberspace". or, "those @#$%^&* online pedophiles are crawling all over the net. SHTBD!!!" or, "the @#%^^&* mainstream press is always pointing out new bogeymen with the concluding moral, SHTBD!!!" notice that SHTBD is the antithesis of cypherpunk philosophy in that it tends to imply 1. government intervention 2. coercive force 3. censorship etc. hence by using this term and popularizing it, we promote our own agenda of "cryptoanarchy". just my small contribution to humanity for today. From jpp at software.net Wed Dec 27 20:19:18 1995 From: jpp at software.net (John Pettitt) Date: Thu, 28 Dec 1995 12:19:18 +0800 Subject: FYI - telecom bill or not there are still censors Message-ID: <2.2.32.19951227172007.0070f34c@mail.software.net> This arrived in my mailbox (I have *not* personally confirmed it) .... According to reports popping up in other places around the Compuserve Information Service it appears that they have taken a stance of Internet censor and are now blocking access to certain Usenet newsgroups. This move took place just before the Christmas holiday and remains unannounced to the membership/subscriber base. Just about any Usenet newsgroup with the word "sex" or "erotica" are no longer available. Attempts to subscribe to these newsgroups produces an error message stating that the newsgroup does not exist. In reality its access has been blocked. A short list (very short) of other newsgroup feeds that are no longer accessible as provided by another party to me include: alt.homosexual alt.magick.sex alt.magick.sex.angst alt.motss.bisexua-l alt.politics.sex alt.recovery.addiction.sexual alt.recovery.sexual-addiction alt.religion.sexuality alt.sex alt.support.disabled.sexuality clari.news.crime.sex clari.news.gays clari.news.sex gay-net.coming-out rec.arts.erotica shamash.gayjews soc.support.youth.gay-lesbian-bi Other newsgroups also remain blocked or eliminated from a provided pick-list and if this is allowed to continue the likelihood of this spreading to other topics that a select group find offensive or intolerable is a very real threat. A number of these newsgroups are legitimate groups for people needing support or recovery or places where frank discussions on adult subjects take place. Some are religious in nature though non-mainstream. Others are associated with the gay lifestyle. As you can see there is a definite trend being set here. So far much of this change in access remains unknown to the vast majority of Compuserve customers who remain away from their terminals for the holidays. If this bothers you I would suggest that you send a message to Compuserve customer services at GO FEEDBACK. Those using autopilot programs send e-mail to Feedback at 70006,101. From outside of Compuserve send e-mail to 70006.101 at compuserve.com We are supposedly paying a monthly fee which includes =full= Internet service and access. We are no longer getting it. That is misrepresentation. Take this issue to your other favorite forums, newsgroups, etc. If we allow freedom of speech and access to be lost now we will never get it back. From rsalz at osf.org Wed Dec 27 20:20:05 1995 From: rsalz at osf.org (Rich Salz) Date: Thu, 28 Dec 1995 12:20:05 +0800 Subject: Some IETF drafts possibly of interest Message-ID: <9512271701.AA17855@sulphur.osf.org> Internet-Drafts are available by anonymous FTP to ds.internic.net in the directory internet-drafts. Other places, too -- don't ask me, tho; for questions, please mail to Internet-Drafts at cnri.reston.va.us. The first two seem interesting even if SKIP has no future in IPng. The last is useful because I keep pushing GSSAPI as a standard crypto API. :) Title : Encoding of an Unsigned Diffie-Hellman Public Value Author(s) : A. Aziz, T. Markson, H. Prafullchandra Filename : draft-ietf-ipsec-skip-udh-00.txt Pages : 6 Date : 12/22/1995 It is useful to be able to communicate public keys in the absence of a certificate hierarchy and a signature infrastructure. This document describes a method by which certificates which communicate Diffie-Hellman public values and parameters may be encoded and securely named. Title : Certificate Discovery Protocol Author(s) : A. Aziz, T. Markson, H. Prafullchandra Filename : draft-ietf-ipsec-cdp-00.txt Pages : 13 Date : 12/22/1995 Use of Public key cryptography is becoming widespread on the Internet in such applications as electronic mail and IP Security (IPSEC). Currently, however, a common public key certificate infrastructure does not exist which is interoperable with other systems and ubiquitous. In light of this, we describe a protocol which may be used to exchange or retrieve certificates (essentially signed public keys) with or from another entity. The protocol may be used to request certificates from a directory/name server or from the entity who owns the certificate. Title : The Simple Public-Key GSS-API Mechanism (SPKM) Author(s) : C. Adams Filename : draft-ietf-cat-spkmgss-05.txt Pages : 42 Date : 12/22/1995 This specification defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (as specified in RFCs 1508 and 1509) when using the Simple Public-Key Mechanism. From jim at SmallWorks.COM Wed Dec 27 20:20:09 1995 From: jim at SmallWorks.COM (Jim Thompson) Date: Thu, 28 Dec 1995 12:20:09 +0800 Subject: Cybercash security Message-ID: <9512271711.AA13714@hosaka.smallworks.com> The thing I'd like to understand about Cybercash is... how do I get the cash back out of the system? From wlkngowl at unix.asb.com Thu Dec 28 12:25:56 1995 From: wlkngowl at unix.asb.com (wlkngowl at unix.asb.com) Date: Thu, 28 Dec 95 12:25:56 PST Subject: ANNOUNCE: NOISE.SYS random sampling device for DOS v0.2Beta Message-ID: <199512282034.PAA25359@UNiX.asb.com> -----BEGIN PGP SIGNED MESSAGE----- Re: NOISE.SYS Random Sampling Device Driver for DOS (v0.2-Beta): I've finally gotten a usable version of NOISE.SYS written. The beta is ready for semi-public release and review. If you're interested in testing it or examing the code, email me at It's only a prototype version. I do not know any strong methods of testing random data. If anyone is willing to help on that part or point me in the right direction, it would be appreciated... What this driver does: When loaded, it hooks onto the keyboard interrupt (0x09) and collected fast timings between keystrokes. It can also be easily configured at compilation to sample other interrupts, as well as collect "seedling" keystrokes upon initialization. It sets up a character device called RANDOM, that when polled takes the earliest collected bytes from the random pool (size can be adjusted), combines them with a count-word based on the number of samples collected plus the number of times the driver has fetched data from the pool, transforms it using the Secure Hash algorithm, and outputs the bits from the hash. It's only a prototype: this version doesn't check to see if the pool is "empty" at the moment. Features: written in 386 assembler, takes under 2k of memory and can be loaded from the command line using a utility like DEVLOD. Also under GPL, so you've got the source-code to play with. Comments and criticism from crypto-gurus would be greatly appreciated. Reply if you'd like me to send a copy. (Important Q: is this software covered under ITAR?!?) - --Rob -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOL8gNscUKerH0gxAQHNlAP/eZChSaAEg3go/vxfm9Z0Af5Dfa4WBDhh SfbbpsYfymSkxFbU7bHUfRMFHk+Uy57AeGMUxXkgml7KO8cxyOPS6yVDcNWf6Z9W OeXtXRAFBWRn3CblT1sQzl5YCEG93YBZS9ZkbTsN4rgTcpo15QY8vG5BJCEgfP9f 9XHn5VGSkVo= =jaNN -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Thu Dec 28 12:26:14 1995 From: wlkngowl at unix.asb.com (wlkngowl at unix.asb.com) Date: Thu, 28 Dec 95 12:26:14 PST Subject: ANNOUNCE: NOISE.SYS random sampling device for DOS v0.2Beta Message-ID: <199512282034.PAA25370@UNiX.asb.com> -----BEGIN PGP SIGNED MESSAGE----- Re: NOISE.SYS Random Sampling Device Driver for DOS (v0.2-Beta): I've finally gotten a usable version of NOISE.SYS written. The beta is ready for semi-public release and review. If you're interested in testing it or examing the code, email me at It's only a prototype version. I do not know any strong methods of testing random data. If anyone is willing to help on that part or point me in the right direction, it would be appreciated... What this driver does: When loaded, it hooks onto the keyboard interrupt (0x09) and collected fast timings between keystrokes. It can also be easily configured at compilation to sample other interrupts, as well as collect "seedling" keystrokes upon initialization. It sets up a character device called RANDOM, that when polled takes the earliest collected bytes from the random pool (size can be adjusted), combines them with a count-word based on the number of samples collected plus the number of times the driver has fetched data from the pool, transforms it using the Secure Hash algorithm, and outputs the bits from the hash. It's only a prototype: this version doesn't check to see if the pool is "empty" at the moment. Features: written in 386 assembler, takes under 2k of memory and can be loaded from the command line using a utility like DEVLOD. Also under GPL, so you've got the source-code to play with. Comments and criticism from crypto-gurus would be greatly appreciated. Reply if you'd like me to send a copy. (Important Q: is this software covered under ITAR?!?) - --Rob -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOL8gNscUKerH0gxAQHNlAP/eZChSaAEg3go/vxfm9Z0Af5Dfa4WBDhh SfbbpsYfymSkxFbU7bHUfRMFHk+Uy57AeGMUxXkgml7KO8cxyOPS6yVDcNWf6Z9W OeXtXRAFBWRn3CblT1sQzl5YCEG93YBZS9ZkbTsN4rgTcpo15QY8vG5BJCEgfP9f 9XHn5VGSkVo= =jaNN -----END PGP SIGNATURE----- From jsw at netscape.com Wed Dec 27 20:32:14 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Thu, 28 Dec 1995 12:32:14 +0800 Subject: fun with rsaref and 64-bit machines In-Reply-To: <199512270120.RAA19559@infinity.c2.org> Message-ID: <30E12C02.54F7@netscape.com> sameer wrote: > > Does anyone know if RSAREF works on 64 bit CPUs? It seems > that RSAREF's NN_Mod is getting stuck in digit.c at: > > 99 */ > 100 while ((t[1] > 0) || ((t[1] == 0) && t[0] >= c)) { > 101 if ((t[0] -= c) > (MAX_NN_DIGIT - c)) > 102 t[1]--; > 103 aLow++; > 104 } In global.h, UINT4 is typedef'd to be unsigned long int, which is a 64 bit value on the DEC alpha system. The type UINT4 is supposed to be a 32-bit value. On the DEC system you need to make that be an unsigned int, which is 32-bits. I've complained to RSA before about this problem, as it bit me when I was porting SSLREF to the DEC machine. They mumbled something about people using the pre-compiled libraries, and ignored me. It would be so easy for them to just ifdef this one line... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From sjb at universe.digex.net Thu Dec 28 12:44:44 1995 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 28 Dec 95 12:44:44 PST Subject: DOS - MD5 - Thanks In-Reply-To: Message-ID: <199512282039.PAA21627@universe.digex.net> "P.J. Ponder" writes: >Thanks to everyone who offered help on the MD5 for DOS. >Greg Broiles pointed me to the pgp source, which may do the >trick. (There is MD5 module in pgp[?]) I will investigate. > >For everyone's info, didn't find a freestanding dos >implementation, tho. My copy of Schneier didn't have the >disk, so I don't know if it's there, either. I have source code to a program called "md5sum". The comments indicate that it works on DOS, as well as unix. It's three source files, a "main", a ".h", and "md5.c", which implements the md5 hash. Want it? P.S. There's also source code for MD5 in the RFC1321, available from ftp.internic.net. From sameer at c2.org Wed Dec 27 21:05:46 1995 From: sameer at c2.org (sameer) Date: Thu, 28 Dec 1995 13:05:46 +0800 Subject: fun with rsaref and 64-bit machines In-Reply-To: <30E12C02.54F7@netscape.com> Message-ID: <199512271646.IAA23331@infinity.c2.org> That fixes it, thanks. > > sameer wrote: > > > > Does anyone know if RSAREF works on 64 bit CPUs? It seems > > that RSAREF's NN_Mod is getting stuck in digit.c at: > > > > 99 */ > > 100 while ((t[1] > 0) || ((t[1] == 0) && t[0] >= c)) { > > 101 if ((t[0] -= c) > (MAX_NN_DIGIT - c)) > > 102 t[1]--; > > 103 aLow++; > > 104 } > > In global.h, UINT4 is typedef'd to be unsigned long int, which is a 64 bit > value on the DEC alpha system. The type UINT4 is supposed to be a 32-bit > value. On the DEC system you need to make that be an unsigned int, which is > 32-bits. I've complained to RSA before about this problem, as it bit me > when I was porting SSLREF to the DEC machine. They mumbled something about > people using the pre-compiled libraries, and ignored me. It would be > so easy for them to just ifdef this one line... > > --Jeff > > -- > Jeff Weinstein - Electronic Munitions Specialist > Netscape Communication Corporation > jsw at netscape.com - http://home.netscape.com/people/jsw > Any opinions expressed above are mine. > -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jeffb at sware.com Wed Dec 27 21:16:30 1995 From: jeffb at sware.com (Jeff Barber) Date: Thu, 28 Dec 1995 13:16:30 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <9512271343.AA13409@all.net> Message-ID: <199512271725.MAA00248@jafar.sware.com> Fred Cohen writes: > > We just heard from another anonymous poster trying to destroy our rights > to free speech. How long will the cypherpunks put up with this? As Tim May has explained over and over again, "the cypherpunks" do not exist. Cypherpunks is a mailing list, not a society or club. "The cypherpunks" as a group can do nothing about what gets posted to this list except comment on it. BTW, it would be helpful if you would provide some context when you complain or comment about another posting. At the time I read your note, it was the only cypherpunks note in my mailbox. Perhaps I read some message earlier from the ECafe anonymous mailer but if so, it certainly wasn't remarkable enough to leave a lasting impression. Finally, it should be noted that the kind of messages you're posting lately are eerily reminiscent of Detweiler's mental deterioration just before he went off the deep end. In fact, the line "How long will the cypherpunks put up with this?" may be an exact quote. -- Jeff From sjb at universe.digex.net Thu Dec 28 13:26:59 1995 From: sjb at universe.digex.net (Scott Brickner) Date: Thu, 28 Dec 95 13:26:59 PST Subject: Employer Probing Precedents? In-Reply-To: Message-ID: <199512282126.QAA22624@universe.digex.net> David Mandl writes: >All I'll say here is that I disagree strongly with the views Tim May >posted about employees' property rights, etc. (though we agree on most >other things). I have to agree with David. I don't think that "property rights" are quite as clear-cut as Tim claims. By granting use of certain equipment to a single employee, such as a desk, a uniform, or personal computer, the employer has invested that employee with a vague sort of limited ownership of the item. The notion that, simply because you're wearing a uniform owned by your employer, you're subject to physical search at the employer's discretion is laughable. The difference between this and searching the computer on one's desk differ only in degree, IMO. Property rights *are* fundamental to many other human rights, but they aren't the exclusive basis of them. The right of self-determination isn't based in property (except to the extent that one may be said to inalienably own oneself, but this is really an analogy), and is equally fundamental to human rights. Many of the issues related to workplace privacy concerns exhibit conflicts between these two. From gorkab at sanchez.com Thu Dec 28 14:01:43 1995 From: gorkab at sanchez.com (Brian Gorka) Date: Thu, 28 Dec 95 14:01:43 PST Subject: IwinPak Message-ID: <01BAD546.1C3B8640@loki> Has anyone ever seen or heard of this company? They use PGP as an encryption transport for secure mail and transactions (at a price of course) http://www.iwinpak.com From fc at all.net Wed Dec 27 22:07:40 1995 From: fc at all.net (Fred Cohen) Date: Thu, 28 Dec 1995 14:07:40 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <199512271335.NAA07018@pangaea.ang.ecafe.org> Message-ID: <9512271343.AA13409@all.net> We just heard from another anonymous poster trying to destroy our rights to free speech. How long will the cypherpunks put up with this? -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From dklur at dttus.com Wed Dec 27 22:12:55 1995 From: dklur at dttus.com (David Klur) Date: Thu, 28 Dec 1995 14:12:55 +0800 Subject: Misconfigured Web Servers Message-ID: <9511278200.AA820083186@cc2.dttus.com> Re: the "trick" below... an even more effective search is the following... http://www.altavista.digital.com/cgi-bin/query?pg=aq&what=web&q=url%3A etc%2Fpasswd&r=&d0=&d1=&Submit.x=51&Submit.y=14 which searches all URLs that contain etc/passwd See for yourself! David Klur _____________________________ Reply Separator _________________________________ Subject: BoS: Misconfigured Web Servers Author: nobody at mail.uu.net at Internet-USA Date: 12/26/95 3:57 PM Everyone, A friend of mine showed me a nasty little "trick" over the weekend. He went to a Web Search server (http://www.altavista.digital.com/) and did a search on the following keywords - root: 0:0 sync: bin: daemon: You get the idea. He copied out several encrypted root passwords from passwd files, launched CrackerJack and a 1/2 MB word file and had a root password in under 30 minutes. All without accessing the site's server, just the index on a web search server! Well, the first thing I did was check my site and it's ok. The second thing I did was check my ISP for my home account, and it's okay. But by trying various combinations of common accounts on web searches, dozens of passwd files were found. It seems that a large number of locations who use httpd and ftpd on the same server often copy the regular passwd file to ftp/etc or ftp-users/etc for ftp user access. A few sites have left the root password in the file, and many contain user accounts' passwords. The problems I see here are as follows: 1. You can get the passwd file in some cases by simply pointing your URL to http://target.com/ftp/etc/passwd or http://target.com/ftp-users/etc/passwd. Not good. Anon ftp can't get it but a web browser can. Many passwd files are shadowed but you can see some legit account names. Yes, I realize that this may be a dummy file but hey, not always the case. 2. Some sites do not have the passwd file world readable, but the entire passwd file stills exists indexed on the web search server. I don't know about you, but I don't think I'd want my passwd file indexed and searchable on a world accessible web server. 3. A ton of etc/group files turned up as well. The guy that showed me this found it funny, but I find it disturbing. Are there that many sites that are that poorly configured? Mark_W_Loveless at smtp.bnr.com From Kevin.L.Prigge-2 at cis.umn.edu Thu Dec 28 14:12:55 1995 From: Kevin.L.Prigge-2 at cis.umn.edu (Kevin L Prigge) Date: Thu, 28 Dec 95 14:12:55 PST Subject: URL for cypherpunks In-Reply-To: <199512281556.KAA05580@homeport.org> Message-ID: <30e316546c20002@noc.cis.umn.edu> According to rumor, Adam Shostack said: > > The csua.cs.bezerkely site is good, but hasn't been maintained > in a while. (Unfortunately, there is enough cypherpunk & related > stuff out there that maintaining a really good site would be a full > time job. Thats not a flame at any of the people out there who do good > work, just a wish for a really well organized www.cypherpunks.org > library & pointer list, should someone decide to pay for it. :) Looks like someone has... maroon% whois2 cypherpunks.org CypherPunks Group (CYPHERPUNKS3-DOM) 9705 Standford Road Ft. Meade, MD 20755 Domain Name: CYPHERPUNKS.ORG Administrative Contact, Technical Contact, Zone Contact: One, Aleph (EML2) aleph1 at DFW.NET 999-999-9999 Record last updated on 03-Oct-95. Record created on 03-Oct-95. Domain servers in listed order: DNS.CYBERWORKS.NET 205.164.71.20 NS2.PARANOIA.COM 204.157.153.18 WKP.COM 205.199.64.11 The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information. maroon% host www.cypherpunks.org www.cypherpunks.org is a nickname for cypherpunks.org cypherpunks.org has address 205.164.71.100 -- Kevin L. Prigge |"Have you ever gotten tired of hearing those UofM Central Computing | ridiculous AT&T commercials claiming credit email: klp at tc.umn.edu | for things that don't even exist yet? 010010011101011001100010| You will." -Emmanuel Goldstein From vznuri at netcom.com Wed Dec 27 23:39:28 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 28 Dec 1995 15:39:28 +0800 Subject: proposal for new cyber abbreviation Message-ID: <199512271947.LAA22943@netcom17.netcom.com> yes, cyberspace just doesn't have enough acronyms like AFAIK and IANAL etc. ad nauseam. (I have reason to believe that PTB, or "powers that be" was actually invented here on this list!!) anyway after reading recent messages I propose: SHTBD!!!! as in, Something Has To Be Done. used either seriously or satirically (probably mostly satirically by everyone here). example: "there was a editorialist on TV ranting about the 4 horsemen of the infocalypse and screeching that SHTBD!!!" or, "I was not implying that SHTBD, merely that we are moving into a brave new world in cyberspace". or, "those @#$%^&* online pedophiles are crawling all over the net. SHTBD!!!" or, "the @#%^^&* mainstream press is always pointing out new bogeymen with the concluding moral, SHTBD!!!" notice that SHTBD is the antithesis of cypherpunk philosophy in that it tends to imply 1. government intervention 2. coercive force 3. censorship etc. hence by using this term and popularizing it, we promote our own agenda of "cryptoanarchy". just my small contribution to humanity for today. From perry at piermont.com Wed Dec 27 23:54:14 1995 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 28 Dec 1995 15:54:14 +0800 Subject: Some IETF drafts possibly of interest In-Reply-To: <9512271701.AA17855@sulphur.osf.org> Message-ID: <199512271913.OAA06367@jekyll.piermont.com> Rich Salz writes: > The first two seem interesting even if SKIP has no future in IPng. Thats why the group pushed Ashar to split up his document up (at the IETF meeting in Dallas earlier this month). Perry From vznuri at netcom.com Thu Dec 28 00:32:36 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 28 Dec 1995 16:32:36 +0800 Subject: cool cpunk project proposal: "cpunk approved" logo Message-ID: <199512271959.LAA23984@netcom17.netcom.com> recently my local newspaper ran a section on privacy preservation in cyberspace. it quoted Dave Banisar of CPSR as talking about how future companies might have a "privacy safe" sticker affixed to them. *wow*, what a great idea. this would be a great project for the cpunks. most people here are familiar with Point Communications and how they do the "top 5% of web sites" and authorize sites to use their logo. this is such a neat idea: it's one of the first reputation rating companies in existence, in a sense. furthermore, it's *private*. TCM and others have advocated that these companies are going to become ubiquitous (rating *everything* including hot-button things like doctors, lawyers, hit men, etc. ) and I can see it happening quickly. here's my idea that some enterprising cpunks might like to pursue. create a CYPHERPUNK PRIVACY SAFE logo and distribute it to various companies who adhere to the criteria that it names!!! the steps would be: 1. create a logo 2. create a set of criteria for companies who are "privacy safe" or who adhere to cpunk privacy guidelines. 3. write out this list in careful detail. one might also have different levels or grades, such as "level 5 privacy protection" etc. one could conceivably use it as a negative reinforcement too, handing out "F's" to the worst companies. 4. POPULARIZE this. get companies to put the logo on their sites like they do with the Web logo. now, I don't know if people here realize how much great potential this idea has. the media just LOVES to quote these kinds of judgements when it's a slow news day (witness Blackwell's "worst dressed" list or "best haircuts" or whatever else). the immediate objection I can see is that all kinds of people such as PM will rant that there is no "official" cpunk privacy standard. great!! I propose somebody create their OWN and call it that without any reservations. if the cpunk name is not copyrighted, if no one owns it, then anyone can do whatever they want with it!!! ah, that's glorious anarchy for sure. if multiple standards emerge, I'm sure one will tend to become dominant, or at least the competition between them will have them covering different areas (such as FAQs in newsgroups work). this idea really has FANTASTIC protential imho. in fact I propose that Community Connection is in a really excellent position to latch onto this idea-- they already have many press releases and the industry is watching them. notice that this sticker could be used to handle the key escrow issues as well-- like one of the levels being that the company is ideologically opposed to mandatory key escrow or something. different levels of cryptography could be involved. someone will have to experiment with perhaps multiple logos and different grades. remember, the thing should be as absolutely obvious and easy to comprehend as possible for even Joe Sixpack to get it. let's create a cpunk "approval" rating that has as much recognition some day as the "intel inside" ad campaign has generated!!! From nobody at REPLAY.COM Thu Dec 28 00:50:35 1995 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 28 Dec 1995 16:50:35 +0800 Subject: [NOISE] Re: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE Message-ID: <199512272040.VAA17079@utopia.hacktic.nl> [ More non-crypto garbage deleted ] > > God, you are annoying Fred, ER, I meant, "Alice". > My dearest Perry. > I am not Fred. I am not he. He is not me. Got it?? We aren't even in > the same category or the same country. Fred's an American, and I am not. But you do have much in common. Perry did not say that you are Fred, but instead implied he mixed the two of you up (quite understandable). > Scary, isn't it?? A non-American ... What's scary is a non-American foaming at the mouth about American politics when I'm sure his own country is far from perfect. P.S. This post is in the public domain. G. E. T. A. F. U. C. K. I. N. G. C. L. U. E. From vznuri at netcom.com Thu Dec 28 01:11:16 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 28 Dec 1995 17:11:16 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <199512271725.MAA00248@jafar.sware.com> Message-ID: <199512272022.MAA25782@netcom17.netcom.com> > >As Tim May has explained over and over again, "the cypherpunks" do not >exist. Cypherpunks is a mailing list, not a society or club. >"The cypherpunks" as a group can do nothing about what gets posted to >this list except comment on it. there are various myths here that ought to be addressed. - if the cypherpunks are not really a group, then people wouldn't get upset what goes under the cypherpunk name. but in fact people flame hotly what others think is or is not a "legitimate" cypherpunk tactic or project or whatever. you can't have it both ways. either anyone is free to decide what a cypherpunk is, and no one has the right to argue with it. or, cypherpunks are something in particular, and someone has the authority to determine that. so far the "authorities" are those who have been on a the list a long time. (it is still an informal system however). this is a reasonable system. but I object to the way that people such as PM argue in one message that "there is no such thing as the cypherpunks" but then endlessly determine themselves what is appropriate for the list. doesn't anyone see the inconsistency-at-best-and-hypocrisy-at-worst of this? - its simply not true that no one can do anything about what is posted here. there are different ways of running a mailing list. here are some things that would be different than what is going on right now. I'm not saying they are better, but just remember there are alternatives: = moderator keeps a higher profile, posts under his own name, keeps order, determines apropriateness = no one argues with moderator or each other about valid topics = list can bar people who are not subscribed from posting. this would in fact bar "hit and run" anonymous messages. however obviously the current list adminstration favors them. = the list charter can ask for people to submit to various practices on the honor system, such as not using pseudonyms. cryptoanarchists who hate the idea of trust are of course going to object to the honor system, because "that which cannot be enforced should not be prohibited". >Finally, it should be noted that the kind of messages you're posting >lately are eerily reminiscent of Detweiler's mental deterioration just >before he went off the deep end. In fact, the line "How long will the >cypherpunks put up with this?" may be an exact quote. perhaps Detweiler is in fact really a pseudonym of Cohen. or maybe Cohen and Detweiler and all other anonymous posts are really a big joke being played on everyone by TCM. although you may have an interesting point there. perhaps thinking about trying to impose order on cryptoanarchists (who themselves occasionally rant about the disorder amongst themselves, although never in those terms) is a sure recipe for frustration insanity. caveat emptor!! (the list, as it is currently set up, is highly vulnerable to agents provacateur. crpytoanarchists should realize that the same "disorders" (oh, sorry, "freedoms") such as completely unrestrained anonymous posting, no "official" moderation etc. they favor can be used very effectively against them when an intelligent an mischievous adversary so chooses or is provoked to do so. there have been visceral demonstrations of this on occasion here ) From nobody at REPLAY.COM Thu Dec 28 01:54:28 1995 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 28 Dec 1995 17:54:28 +0800 Subject: [NOISE] Re: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE Message-ID: <199512272034.PAA04934@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- [ More non-crypto garbage deleted ] > > God, you are annoying Fred, ER, I meant, "Alice". > My dearest Perry. > I am not Fred. I am not he. He is not me. Got it?? We aren't even in > the same category or the same country. Fred's an American, and I am not. But you do have much in common. Perry did not say that you are Fred, but instead implied he mixed the two of you up (quite understandable). > Scary, isn't it?? A non-American ... What's scary is a non-American foaming at the mouth about American politics when I'm sure his own country is far from perfect. P.S. This post is in the public domain. G. E. T. A. F. U. C. K. I. N. G. C. L. U. E. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMOGt6yoZzwIn1bdtAQHvtwGAyZvsHKR64N1cPI6R95HiyMfuSuATVQNP BeXflQ0LGAhRHeXH9V8TUO79RBTe0y80 =m+al -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Thu Dec 28 02:28:00 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 28 Dec 1995 18:28:00 +0800 Subject: DejaNews and Alta Vista Search Tools, and Privacy Implications In-Reply-To: Message-ID: [Re: regulating dossiers et. al.] I'm sure that Phil Hallam-Baker has brought this up before, but there is a fair body of law on this subject internationaly. Probably the most restrictive is the UK Data Protection Act which regulates storage of personal information on computers (but not on paper). The DPA has a lot of holes, and seems to be honoured more in the breach than in the observance; other european countries have similar requirements. Of course, the UK has no FOIA, and won't until after the next election, so the most interesting databases aren't available. Simon ----- (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From alanh at infi.net Thu Dec 28 02:45:08 1995 From: alanh at infi.net (Alan Horowitz) Date: Thu, 28 Dec 1995 18:45:08 +0800 Subject: Fwd: Re: Fwd: Re: FH radios [Dave Emery] [Vaughan Pratt] In-Reply-To: <9512270551.AA23874@pig.die.com> Message-ID: > That is not what Mr Shannon says, Shannon's law relates date That's Dr Shannon to you, kid..... From lwp at conch.aa.msen.com Thu Dec 28 02:45:32 1995 From: lwp at conch.aa.msen.com (Lou Poppler) Date: Thu, 28 Dec 1995 18:45:32 +0800 Subject: Reputation capital: FIBS case study Message-ID: <2sY4wMz2BcRC083yn@mail.msen.com> I am currently engaging in a reputation adjustment of a certain player on FIBS, the First Internet Backgammon Server (see my homepage). Reputation is important on FIBS, and I thought it might be informative to examine the ways it can work in the [more-or-less] real world. FIBS allows various levels of nymity, and various modes of reputation. Each player picks a pseudonym as his FIBS name. These can range from the crypticly anonymous nym, to some variant of the player's real name. The server will also disclose the FQDN from which the nym is connected, or was most recently connected. If she wants, the player may include any information, typically such as an email address, in an "address" field in her player profile. Or something cute, or nothing. Players may also choose to have a web page listed under their nym, on a page full of such listings. Players may participate in the newsgroup (rec.games.backgammon), identifying themselves in their posts by any or all or none of {their FIBS nym, their real name, their email address}. Reputation has several components on FIBS. Of course, personal experience with another nym is hugely significant, when it exists. When that is absent, or not conclusive, there are other sources of reputation which may be consulted. The server reports two numbers for each player, representing distinct reputation criteria: the "rating" is a weighted score representing the won/less record; the "experience" is a count representing how many games this player has played. Before I mention other reputation indices, I want to amplify on these two. When negotiating with another player about possibly starting a new match, and about the length in points of the potential match, most players will think about various aspects of the reputation of the prospective opponent. Depending on the circumstances, the difference in ratings may be decisive, in straightforward ways, for evaluating an invitation. Of particular relevance to past discussion on cypherpunks, the experience number is usually very important also. Those with a high experience level, and perhaps a name that you recall having seen before, are trusted more than nyms with little investment in their reputations. Experience matters a lot, because one of the key strategies is to avoid becoming involved with unpleasant or dishonest players. If someone has a huge experience number, you can be fairly sure that you would have heard about it if they are somehow undesirable. As FIBS is an open server, operating without charge to the users, we get a wide variety of newcomers every day. Some persist, and become better known, and others lose interest and don't return. Most are [more-or-less] agreeable and [more-or-less] ethical; however some nyms will exhibit certain recurring problem behaviors, and quickly begin to accrue negative reputation. On common problem is the use of profanity or the advocacy of various forms of bigotry, in "shout"ed comments or private messages, and the closely related hounding of players with female-sounding nyms by unwanted come-ons. This behavior is generally countered with "shout"ed and "tell"ed replies, and with the "gag " command which kills your copy of any further remarks from that user. The negative reputation resulting from this behavior is pretty much instantaneous and self-documenting, with reinforcement from anyone who is enraged enough to remember and to heckle the offender at a later login. Some of us are more sensitive about this than others, so the offensiveness is just another variable in reputation, not always the decisive one. The thorniest problem in our reputation economy continues to be the case of the player who drops out of a match when clearly losing, to avoid the decrement of his rating number (based on match results only, not on individual games). Such players follow a strategy of playing winning matches to completion, which increases their rating, but bailing out of losing matches before they end. When a match is interrupted, the server remembers it, and the two players can resume later, by mutual agreement. Almost all players are ethical enough to resume even losing matches, and eventually to complete them. The problem folks are the ones who ignore or refuse requests to resume. Avoiding such players is a key strategy for serious FIBS regulars. One indicator here can be a complex function of the rating and experience numbers: a player with fairly low experience but an unexpectedly high rating is one of two things -- either a very strong player, or else a match dropper. (Or else very lucky, but we prefer to think of that as strength of play.) The best defense we have found against the match dropper is complaining in the newsgroup. I just posted a warning in the newsgroup about a new match dropper which I had the misfortune of playing against. I accepted an invitation from him last Saturday, to play a 3 point match. I looked over his info before I accepted, and decided to give him a chance: no email address, experience = 57, and rating showing slightly more wins than losses, from a site at a college in Britain. I won the first game for 2 points, and was pretty clearly winning the next game, which would make me win the match. When "dorion" rolled a game-losing double five, he immediately dropped his connection to FIBS. The server saved the match, and I waited around for awhile to see if he would come back. He didn't. Now at this point, I'm not yet ready to start in on his reputation. After all, we all have host problems, and phone problems, and personal problems. It's still possible that he and I will meet later, and finish the match. (I'm skeptical, because the timing of it is just too convenient, but I hold my tongue). Finally Tuesday, I was hanging on FIBS when dorion returned. I asked politely if we could finish, but dorion immediately logged out without replying. I stayed connected to FIBS, while I did some other work on other VC-s. Before long, dorion was back, my little watchdog macro beeped for me, and I again politely asked him to resume. Instead of replying, he started a fresh match vs. a brand new player, experience equal zero. I started watching their match, where I asked again if we could resume sometime. While I wasn't getting an answer, I looked into the new player's information: connected from exactly the same site as dorion! This of course, is a warning sign of the other common form of ratings cheating -- creating two nyms for one person, and playing against oneself, with one nym always winning and the other always losing. Well, again I got no reply to my requests, and both nyms suddenly disconnected without finishing their match. At this point, I set about trashing dorion's reputation. I posted a (PGP signed) article to the newsgroup setting forth the facts. When I came back on today, there was one followup from another player who had a similar experience with dorion. When I signed onto FIBS, I got a "tell" from a trusted, veteran nym saying that dorion and his alter-ego nym BatesMotel had just been on, and played a couple of one-sided and not at all credible matches vs. each other. I checked their ratings/experience and followed up to my own article with a definite advisory against playing against either nym. Now, despite many elaborate proposals over the years, discussed at length in the newsgroup, there is no automated mechanism for dealing with this sort of negative reputation. I have a personal "don't-play" list I keep up to date, as do many others. My complaint surely got dorion and BatesMotel into many such personal lists, and neither nym is likely to last on FIBS. I'm not really asking for suggestions here or anything. It's likely that most of them have already been debated to death on r.g.b. I just wanted to show you a case of reputation markets in action. :::::::::::::::::::::::::::::::::::::: Thank you VERY much! You'll be :: Lou Poppler :: getting a Handsome Simulfax Copy :: http://www.msen.com/~lwp/ :: of your OWN words in the mail :::::::::::::::::::::::::::::::::::::: soon (and My Reply). From stewarts at ix.netcom.com Thu Dec 28 02:47:32 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 28 Dec 1995 18:47:32 +0800 Subject: DejaNews and Alta Vista Search Tools, and Privacy Implications Message-ID: <199512272027.MAA18633@ix12.ix.netcom.com> At 03:28 AM 12/27/95 -0800, tcmay at got.net (Timothy C. May) wrote: >Anyway, a point of clarification of a point, lest there be the belief that >_all_ Cypherpunks are opposed to comprehensive Web search tools: ...... ...offshore... ...... >Face it, every single word written by any of us to any Usenet newsgroup, >going back to the beginning of Usenet, and expanding out to many >ostensibly-private mailing lists, will fairly soon be searchable. The Internet not only makes it easier for everybody to get their 15 minutes of fame, it guarantees that anything stupid you've said in public over the last 15 years will be available to the entire world. So deal with it... I'm more bothered by people indexing what I read. What kinds of Cypherpunk technology can we use to affect this? I don't think we need to do too much work on _increasing_ data collection; the commercial markets will figure that one out fast enough, though understanding technical possibilities enough to stay ahead is good. Remailers and nymservers are obvious starts on the information-hiding end, and even the basic non-encrypted cypherpunks remailers are good enough for most applications. The problem is getting them widely deployed. I've seen a couple of web-page-based remailers, and they're probably easy to deploy widely; they're not very secure without SSL, but they're a start, and people on SSL-equipped systems can run them securely. Anon web proxies are more work to deploy, but they're not mysterious, and the main limits to deploying them are economics. Nymservers, however, are still pretty new - technology like anon.penet.fi is generally good enough for most people if you've got an operator you trust, and an economic base that makes it worth running them. But the more secure nymservers are still complex, and probably not something the average hacker can just pop up and run - we probably need to explore them more before it'll be easy to do. While I like getting services provided through community spirit, like most of the remailers, I suspect Tim's right that pay-per-use privacy services are going to evolve, and probably dominate. Among other things, they're in the balance between the couch-potato on-line services and real Internet connections; they're probably more likely to be offered by people who want full-time connectivity, and will be used to offset the slightly higher costs of real service. However, partly due to patent issues, and partly just to convenience, I don't think they all need to use fully-anonymous digicash for every transaction; most of them can get by with service-provider tokens that may be paid for by digicash or by less-anonymous systems. One of the main threats I see to privacy services is the Exon bill - it's pretty obvious that most US service providers will have to limit access to people over 18, in spite of any of the Good Senator's claims otherwise. If the Feds start making examples of people before any serious court cases get decided (or after, if the good guys lose), that probably means that service providers will have to check ID to protect themselves. There may be a market for services that validate that their customers are over 18, but provide anonymity within that. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # .... Heading back to The Big Phone Company From jeffb at sware.com Thu Dec 28 03:42:53 1995 From: jeffb at sware.com (Jeff Barber) Date: Thu, 28 Dec 1995 19:42:53 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <199512272022.MAA25782@netcom17.netcom.com> Message-ID: <199512272229.RAA02161@jafar.sware.com> Vladimir Z. Not-Detweiler writes: > >As Tim May has explained over and over again, "the cypherpunks" do not > >exist. Cypherpunks is a mailing list, not a society or club. > >"The cypherpunks" as a group can do nothing about what gets posted to > >this list except comment on it. > > there are various myths here that ought to be addressed. > > - if the cypherpunks are not really a group, then people wouldn't get > upset what goes under the cypherpunk name. but in fact people flame > hotly what others think is or is not a "legitimate" cypherpunk tactic > or project or whatever. And flame hotly is the full extent of what can be done by "the cypherpunks". The point I'm making is that "the cypherpunks" can't do anything about anonymous posters or other such "problems". It's pretty pointless to ask the list how long "we" will "put up with" postings made by an anonymous person. There's nothing I nor any other J. Random Cypherpunk can do about it, even if I/we wanted to (which I, at least, do not). This is not at all the same issue as whether a given post is on-topic or whether a given opinion is cypherpunk-correct (not that there's much I can do about those things either). In any case, the only time most folks on this list get "upset" is when someone on the list tries to say or imply that they represent "the cypherpunks" or "the cypherpunk point of view". Of course he/she is free to do so anyway, but should expect to get "flamed hotly" if someone disagrees. [ Rest of rant also beside the point ] -- Jeff From nobody at REPLAY.COM Thu Dec 28 04:11:02 1995 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 28 Dec 1995 20:11:02 +0800 Subject: AWARD: CHRISTMAS NET SCROOGE - AT&T & NETSCAPE Message-ID: <199512271950.OAA04721@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- [ Non-crypto garbage deleted ] The Vince Foster articles were more relevant than this garbage (not to mention the fact they made more sense). P.S. This post is in the public domain. G. E. T. A. F. U. C. K. I. N. G. C. L. U. E. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMOGjoCoZzwIn1bdtAQHRJwF/fATfL+ZmsLlB8wgGdme5QkXExqw8Fa0G MZuaH93wUT5B+VgTQSuWPfqfd+zaUUTo =jf8w -----END PGP SIGNATURE----- From mclow at owl.csusm.edu Thu Dec 28 04:43:23 1995 From: mclow at owl.csusm.edu (Marshall Clow) Date: Thu, 28 Dec 1995 20:43:23 +0800 Subject: Did anyone see... Message-ID: On C-Span today: 2:06 pm ET/11:06 am PT Secret Codes Used in World War II National Security Agency -- Marshall Marshall Clow Aladdin Systems "Eternal vigilance is the price of PostScript" -- MacUser Jan 96 DTP and Graphics column From usura at utopia.hacktic.nl Thu Dec 28 04:45:27 1995 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Thu, 28 Dec 1995 20:45:27 +0800 Subject: COMMUNITY CONNEXION ANNOUNCES APACHE-SSL COMMERCE Message-ID: <199512271221.NAA06057@utopia.hacktic.nl> : At 01:12 PM 12/26/95 -0800, sameer wrote: : > The Apache-SSL Commerce webserver is the only commercial encrypting : > webserver with source available. Ian Goldberg, graduate student at : > U.C. Berkeley, well-known for his work on SSL security, commented on : > the importance of available source, ftp://ftp.hacktic.nl/pub/replay/pub/apache/ -AJ- From jya at pipeline.com Thu Dec 28 04:45:32 1995 From: jya at pipeline.com (John Young) Date: Thu, 28 Dec 1995 20:45:32 +0800 Subject: GEY_ser Message-ID: <199512271915.OAA21557@pipe1.nyc.pipeline.com> 12-27-95. W$Jug: A test of superfast cable modems at Boston College prove addictive to speed freak faculty and students downloading junk data in seconds not minutes and hours, thus accelerating mind-rupture. And, an editorial red flags the telecom billions giveaway; nags Republicans to shut the geyser and not-reg the I-Way. GEY_ser From ponder at wane-leon-mail.scri.fsu.edu Thu Dec 28 04:45:50 1995 From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder) Date: Thu, 28 Dec 1995 20:45:50 +0800 Subject: Crypto specialist wanted Message-ID: CSI's most recent _Computer Security Alert_ has a listing for: Cryptographic specialist for a San Diego based firm. Headhunter's address is: vfalcon at onramp.net (I know this is isn't jobs.misc, but traffic having been relatively light, I'm passing this on to others who may be interested in crypto, but aren't on CSI's mailing list. Now back to frequency hopping radios and Anti-Fred) From ponder at wane-leon-mail.scri.fsu.edu Thu Dec 28 04:46:11 1995 From: ponder at wane-leon-mail.scri.fsu.edu (P.J. Ponder) Date: Thu, 28 Dec 1995 20:46:11 +0800 Subject: DOS - MD5 - Thanks Message-ID: Thanks to everyone who offered help on the MD5 for DOS. Greg Broiles pointed me to the pgp source, which may do the trick. (There is MD5 module in pgp[?]) I will investigate. For everyone's info, didn't find a freestanding dos implementation, tho. My copy of Schneier didn't have the disk, so I don't know if it's there, either. -- PJP From mark at ausnetinfo.com.au Thu Dec 28 04:48:00 1995 From: mark at ausnetinfo.com.au (Mark) Date: Thu, 28 Dec 1995 20:48:00 +0800 Subject: Encrypted script - sort of In-Reply-To: Message-ID: <199512272234.JAA05530@ausnetinfo.com.au> >> >A tale I hear is that when HP had to deliver operating system source to >> >the french government they stripped all comments and changed all variable >> >and subroutine names to 32 byte strings of I 1 0 (zero) and O (uppercase O). >> >It still compiled but was 100% useless to human readers. > >A somewhat useful utility would be one that would compress C code into as >small space as possible, stripping out all spaces and making variable >names one character a piece when possible. And of course one to expand it >back into 'formatted' text, style could even be incorporated. > >I'm sure a Perl fanatic knows a quick solution... I'm always amazed at >how short Perl code is.. :) Anyone care to take care of this utility? press.c has been circulating for several years. I dont know of an unpress.c but a beautifier would do the same thing. From raph at kiwi.cs.berkeley.edu Thu Dec 28 05:02:46 1995 From: raph at kiwi.cs.berkeley.edu (Raph Levien) Date: Thu, 28 Dec 1995 21:02:46 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: Message-ID: <199512280151.RAA25092@kiwi.cs.berkeley.edu> Dr. Dimitri Vulis wrote: > I suggest to the kind folks working on PGP 3 that there should be a > standard protocol to include within the signed portion the information > on when and for whom this text is written: i.e. the list of e-mail > recipients and/or Usenet newsgroups, which could be easily compared > with the RFC 822/1036 headers of an e-mail/Usenet article. Perhaps > there could be a new option for PGP to look _outside_ the signed block > and match the headers with what's inside the block. E.g., suppose the > signature block says: this text was written by alice at zog.org, posted > to alt.sex and alt.sex.banal and e-mailed to bob at masons.com. Suppose > PGP is asked to check the signature in a file that purports to be a > e-mail or a Usenet article and has some headers before the signed > portion. If there is a list of To: recipients, and it includes someone > other than the recipients listed within the signed block; or if there > is a Newsgroups: header, and it includes newsgroups not listed within > the signed portion; then the input is bogus. For compatibility with > the existing software, if the signed block doesn't include this info, > then this checking should't be done, of course. In fact, the security multiparts standard (RFC 1848) includes a provision for signing the headers as well as the body of a message. The security multiparts can be used with PGP, and there is even an Internet Draft for it (draft-elkins-pem-pgp-02.txt), but there is not yet consensus for adopting this as a standard on the pgp-mime mailing list. Perhaps your example can be used to argue one the advantages of the security multiparts approach. Raph From norm at netcom.com Thu Dec 28 05:29:25 1995 From: norm at netcom.com (Norman Hardy) Date: Thu, 28 Dec 1995 21:29:25 +0800 Subject: URL for cypherpunks Message-ID: I am putting up some solutions to the Garage Door problem that was discussed here perhaps a year ago. I would like to refer to the cypherpunks by URL. Are there currently any appropriate URLs ? From farber at central.cis.upenn.edu Thu Dec 28 05:29:50 1995 From: farber at central.cis.upenn.edu (Dave Farber) Date: Thu, 28 Dec 1995 21:29:50 +0800 Subject: German government orders censorship of CompuServe -- a sign of things to come djf Message-ID: <2.2.32.19951227235302.006bfe14@linc.cis.upenn.edu> Posted-Date: Wed, 27 Dec 1995 17:47:17 -0500 X-Sender: farber at linc.cis.upenn.edu Date: Wed, 27 Dec 1995 17:47:17 -0500 From: Dave Farber Subject: IP: German government orders censorship of CompuServe -- a sign of things to come djf To: FOR IMMEDIATE RELEASE CONTACT: William Giles Russ Robinson CompuServe Incorporated CompuServe Incorporated 614/ 538-4388 614/ 538-4274 COMPUSERVE(R) SUSPENDS ACCESS TO SPECIFIC INTERNET NEWSGROUPS COLUMBUS, Ohio, Dec. 28, 1995 -- During the past week, CompuServe Incorporated temporarily suspended access to more than 200 Internet newsgroups in response to a direct mandate from the prosecutor s office in Germany. Each of the newsgroups that was suspended was specifically identified to CompuServe by the German authorities as illegal under German criminal law. CompuServe did not select any groups or determine the nature of the newsgroups that have been impacted by this action. German government officials, as part of an investigation of illegal material on the Internet, ordered CompuServe to do what was necessary with respect to specified newsgroups in order to comply with German law. German authorities are investigating newsgroups and other Internet content that may contain child pornography, other pornographic material illegal for adults, as well as content that although not illegal for adults is of such an explicit nature that it is illegal for minors. While access has been suspended, CompuServe continues to work with German authorities to resolve this matter. CompuServe cannot alter the content on the Internet in any way and has only suspended access to the disputed newsgroups through CIS. The issues being investigated in Germany, like those being addressed across the industry, need to remain focused on the individuals and groups placing content on the Internet. CompuServe, as an access provider, is not responsible for the origination or nature of content on the Internet over which it has no creative or editorial control. The global market is vital to CompuServe. We currently have 500,000 members in Western Europe and anticipate doubling that number in the next year. As the leading global service, CompuServe must comply with the laws of the many countries in which we operate. However, laws in different countries are often in conflict, and this creates new challenges unique to the emerging online industry. CompuServe is investigating ways in which we can restrict user access to selected newsgroups by geographical location. > From tallpaul at pipeline.com Thu Dec 28 05:36:28 1995 From: tallpaul at pipeline.com (tallpaul) Date: Thu, 28 Dec 1995 21:36:28 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512280241.VAA19432@pipe10.nyc.pipeline.com> [Below is the original I failed to post to the group as a whole. Sorry about the temporal confusion that produced.] On Dec 25, 1995 14:53:19, 'Adam Shostack ' wrote: > The basic problem is that (personal) spam is a social, not a >technical problem. If someone wants to annoy you via the internet, >they can do so. You can raise the cost of their annoying you, but you >need to be careful not to make it difficult to talk to you. > I agree in many ways. On a personal level, I am far more interested in the *social* are of this form of privacy. It is more a problem of the data-hermit than privacy. And in a society increasingly generating narcissistists, I see the problem getting worse. Negroponte of the MIT Media Lab can sing the praises of the personal e-newspaper with personal filters to cut out everything uninteresting while culling the world new feeds for desired information. I see this feeding into the narcissitism problem. E.G. Imagine two people who "feel" that members of the other gender are "only interested in one thing." Each wakes up in the morning and looks at their personal e-paper. She reads nothing of particularly nasty rapes, serial rapists at large, rapists who have been convicted, and rapists who an uncaring pro-male system has let out to rape again (i.e. been found not guilty). He reads nothing of particularly nasty robberies of men by women, serial robberies by prostitutes, female robbers who have been convicted, and robbers who an uncaring pro-female system has let out to rob again. Both believe that their custom filtered feeds are the *real* events going on in the world and are far more accurate than any non-customized news feed. I hope nobody takes this as a generic attack on the privacy issues that the list is devoted to. I am a great supporter of privacy and pro-privacy tek. But I see myself as a realist on privacy issues, not as a privacy-utopian or a privacy-dystopian. We live in a post-Faustian world. It is divided into two groups of people. First are those who understand the post-Faustian character and devote themselves to getting used to it and even having fun with the new opportunities while understanding that the new world also generates new problems (like furthering data-narcicism). Second are those classic-reactionary forces (from all parts of the political spectrum) who whine about how the post-Faustian world is personally unfair to them and how everybody in the world has a personal obligation to them to move the world back to its pre-Faustian origins. --tallpaul PS to Tim May: I understand your posts on material that is off-topic. I usually agree with your posts. But I see the issues I discussed above as far more on topic (even if highly mediated) than, say, the ongoing discourse on the differences between an Army Captain and a Navy Captain. From tcmay at got.net Thu Dec 28 05:39:32 1995 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Dec 1995 21:39:32 +0800 Subject: another anonymous poster helping to destroy our rights Message-ID: At 5:25 PM 12/27/95, Jeff Barber wrote: >Fred Cohen writes: >> >> We just heard from another anonymous poster trying to destroy our rights >> to free speech. How long will the cypherpunks put up with this? > >As Tim May has explained over and over again, "the cypherpunks" do not >exist. Cypherpunks is a mailing list, not a society or club. >"The cypherpunks" as a group can do nothing about what gets posted to >this list except comment on it. Precisely. Some of the many advantages of having no centralized structure/leadership, and no formal rules/policies, are: -- less wrangling over leadership and rules (if you think we wrangle and fight too much, look at organizations that spend *all* of their time choosing leaders, having boardroom fights, setting policies, fighting, electioneering, etc...it makes our easily-filtered flame wars pale by comparison) -- no leaders means no one in a position of leadership to sue for the many "infractions" some of our list members commit (violations of export laws, posting of stolen code, libel, etc., all allegedly, of course) -- no centralized focus, save for the toad.com machine, which could be replaced quickly (or cypherpunks could become "alt.cypherpunks" and then truly have no center, not that I am advocating this, for various reasons). This lack of a point of pressure, a center, means opponents have nothing to jab at...they can't write threatening letters to the "Board of Directors" demanding that certain actions cease, etc. >Finally, it should be noted that the kind of messages you're posting >lately are eerily reminiscent of Detweiler's mental deterioration just >before he went off the deep end. In fact, the line "How long will the >cypherpunks put up with this?" may be an exact quote. Indeed. When I saw this "How long will the Cypherpunks put up with this?" I initially thought it was tongue in cheek. Apparently not. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From raph at c2.org Thu Dec 28 06:18:23 1995 From: raph at c2.org (Raph Levien) Date: Thu, 28 Dec 1995 22:18:23 +0800 Subject: Announcing a new alpha release of premail Message-ID: <199512280524.VAA09252@infinity.c2.org> This is to announce that premail version 0.42 is now available. It is a full alpha version of the new premail, containing all the features and functions planned for the production release. Features include: * Support for all cypherpunk remailers. * Support for Mixmaster remailers. * Encrypted and signed email, including both preparation and decoding. * Support for the emerging PGP/MIME standard. * Support for MOSS through TIS/MOSS 7.1. * Creation and management of alpha.c2.org style nyms. * More secure handling of sensitive "secrets". * Much improved automatic selection of remailer chains. * Clean handling of "cc:" field and other such interactions. * Numerous other features. For more information about premail, see the premail Web page at: http://www.c2.org/~raph/premail.html If you are in the US or Canada, you can download premail now, from the premail Distribution Authorization Form: http://kiwi.cs.berkeley.edu/premail-form.html Please forward bug reports, comments, and suggestions to me, so that the beta release can be as solid as possible. Raph Levien From futplex at pseudonym.com Thu Dec 28 06:23:43 1995 From: futplex at pseudonym.com (Futplex) Date: Thu, 28 Dec 1995 22:23:43 +0800 Subject: Telcom bill report In-Reply-To: <01HZBAWIUN7C8Y55DD@mbcl.rutgers.edu> Message-ID: <199512280621.BAA27713@opine.cs.umass.edu> E. ALLEN SMITH writes: > >> Here's the additional info from Reuters. As usual, Clinton is being a > > coward. > > How do you figure ? > > > Vice President Gore says President Clinton will sign the bill. Before > > the agreement, the president had been threatening for months to veto > > the bill if Republicans in Congress did not retreat on a long list of > ~~~~~~~~~~~ > > issues. They retreated. > ~~~~~~~~~~~~~~ > > Clinton won on this. The Administration does not appear to have altered its > position on this substantially. > ---------- > I am calling Clinton a coward for giving in to the Christian Coalition > and not vetoing this bill due to the censorship portion. He evidently decided > that following his oath of office and upholding the First Amendment wasn't > worth the "porn supporter" criticism Ralph Reed and his lot would direct his > way. Thanks ever so much for posting my non-list-relevant private mail to the list. -Futplex From tcmay at got.net Thu Dec 28 06:26:48 1995 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Dec 1995 22:26:48 +0800 Subject: Employer Probing Precedents? Message-ID: At 9:51 PM 12/27/95, "Jason D. Livingood/WSC"@hks.net wrote: >To Whom It May Concern: > >I was curious as to where I might find some electronic freedom legal >precedents. If, for example, an employer was planning to probe file >systems on >PCs in the off-hours and employees began encrypting their hard drives, what >legal precedents would support the employees or would support the employer in >blocking the encryption? Think of it another way. I have a PC which is for the use of my employee. It is my computer. I am his employer. He runs the programs I authorize him to, or at least I trust him to run programs needed to do his job and not use my computer to run a numbers racket or to manage his drug business. Thus, I reserve the right to inspect my own computer as I wish. He is free to accept this condition, or of course to leave. There can be no valid or reasonable law which says that my computer, which he uses, is no longer accessible to me because his "electronic privacy" takes precedence over my property rights. Nor any valid or reasonable law which says I cannot restrict what encryption programs he uses on *my* computer. (There are several on this list who disparage what they call the "libertarian emphasis on property rights over human rights," or somesuch. Fact is, property rights are central to all human rights. In the case of my employee using my computer, the concept of "his" human rights makes little sense: there is no "democracy" in corporations, as we normally think of democracy. Nor is there any "right of free speech," and so on. You may not like this, but this is the way it is, and should be.) I can't cite case law about "employee privacy," not being a lawyer, but I know that companies routinely restrict the uses to which their computers are put (video games, gambling, accessing porn are some obvious examples) and employees have very little to say about it. Furthermore, companies may need to look at hard drives to see if pirated software which could expose them to millions of dollars in damages (and raids by the SPA cops). I may not _like_ the fact that my employer (if I had one) is rooting through my hard disk, but it is, after all, his computer, and his liability if I am using his computers for illegal or unprofessional purposes. The courts have granted certain types of employee privacy, about things like the contents of purses and briefcases (though both of these examples can and do face inspections, as I faced when I worked for Intel). And monitoring of phone conversations now has a set of rules associated with it. But employers can always restrict what kinds of programs can be run on their computers. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From mab at research.att.com Thu Dec 28 06:32:28 1995 From: mab at research.att.com (Matt Blaze) Date: Thu, 28 Dec 1995 22:32:28 +0800 Subject: New! Improved! CryptoLib 1.1 now available. Message-ID: <199512280557.AAA19317@nsa.tempo.att.com> [Note: This is posted on behalf of Jack Lacy, whose news posting software is hopelessly broken; please direct responses to him at cryptolib at research.att.com. Jack spent the better part of the last two weeks getting a new release of CryptoLib out the door. This version, which should be stable for a while, fixes a few x86 problems, improves the interfaces to some of the functions, and now allows you to use your own random number generator to create key material. If you don't already have CryptoLib, be the first nerd on your block to get the new release. -matt] ======== Announcing CryptoLib - Release 1.1 12/21/95 Jack Lacy, AT&T Bell Labs CryptoLib is a portable and efficient library of primitives for building cryptographic applications. It runs under most versions of Unix as well as DOS, Windows and Windows-NT (and 95). We are pleased to make CryptoLib source code available without charge to researchers and developers in the US and Canada. (Because of export restrictions on cryptographic software, we are only able to make the software available within the US and Canada to US and Canadian citizens and US permanent residents.) CryptoLib is intended for research and experimental use, and is distributed without warranty or support. In particular, please note the following license conditions: * Copyright (c) 1995 by AT&T. * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software and in all copies of the supporting * documentation for such software. * * This software may be subject to export controls. * * NOTE: * Some of the algorithms in cryptolib may be covered by patents. * It is the responsibility of the user to ensure that any required * licenses are obtained. * * SOME PARTS OF CRYPTOLIB MAY BE RESTRICTED UNDER UNITED STATES EXPORT * REGULATIONS. * * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. The attached describes the library and some timing results. To obtain source code send electronic mail to: cryptolib at research.att.com with a statement of the following form: "I am a U.S. or Canadian citizen or a legal permanent resident of the U.S. and am aware that some parts of CryptoLib may be restricted under United States Export regulations and may be covered under various US and/or foreign patents. I have read and understand the CryptoLib license." Name: Location: E-mail: Are you licensed to use the RSA patent? If yes, give name of licensed organization: =============================================================================== CryptoLib includes the following: arbitrary length bignums. bigmath package: bigAdd, bigSubtract, bigMultiply, bgiDivide, bigLeftShift, bigRightShift, bigAnd, bigOr, bigXor, bigCopy, Euclid's extended GCD, modular reduction and exponentiation crypto primitives DES and 3DES + modes Diffie-Hellman DSA (Signing and verification roughly equally efficient) El Gamal Rabin's scheme Random Number generation (PSEUDO and TRUE) MD[2,4,5] Prime generation RSA (provided only if you convince me that you have a license) SHA truerand (For Unix, NT and 95) quantization (Defense against Kocher's timing attack) quantized RSA, DSA and El Gamal private key operations. support functions asn1.c ioutils.c netIface.c Some timing information: All times assume 32X32 bit assembly of multiplication primitives. bigPow times (a^b mod c with a,b,c the same length) 512 bits 1024 bits -------- --------- bigPow 0.12s 0.72s Sparc II Brickell bigpow 0.43s 3.0s Sparc II with asm (gcc) 0.12s 0.78s Sparc 10 with asm 0.03s 0.17s Sparc 10 with asm (Brickell) 0.084s 0.45s SGI Indigo (150MHz) 0.109s 0.75s 100 MHz Pentium (gcc under DOS) Strong Prime Generation -- ProbTestAttempts = 5 100 primes generated in each test. Times below are: (total test time)/100 = avg. time per prime generated. Using Gordon's strong prime algorithm. 256 512 1024 Machine --- --- ---- ------- 2.8s 24.0s 5.11m Sparc II .45s 2.7s 77s 100 MHz pentium RSA Times (64 bit public exponent, message encrypted is full length) --------- 512 768 1024 bits machine --- --- --------- ------- encrypt 30ms 50ms 80ms sparc II decrypt 160ms 480ms 930ms encrypt 15ms 33ms 56ms 100 MHz Pentium (Under NT) decrypt 38ms 104ms 214ms DSA Times --------- 512 768 1024 bits machine --- --- --------- ------- sign 99ms 166ms 216ms sparc II (Brickell speedup) verify 156ms 316ms 416ms sign 21ms 38ms 49ms 100 MHz Pentium (Under NT) verify 27ms 43ms 71ms From jirib at sweeney.cs.monash.edu.au Thu Dec 28 06:40:35 1995 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Thu, 28 Dec 1995 22:40:35 +0800 Subject: proposal for new cyber abbreviation In-Reply-To: <199512271947.LAA22943@netcom17.netcom.com> Message-ID: <199512280403.PAA10201@sweeney.cs.monash.edu.au> -----BEGIN PGP SIGNED MESSAGE----- Hello, "Vladimir Z. Nuri" wrote: > yes, cyberspace just doesn't have enough acronyms like AFAIK and IANAL etc. > ad nauseam. (I have reason to believe that PTB, or "powers that be" was ... > SHTBD!!!! > > as in, Something Has To Be Done. ... Proposed extension: SHTBD/ eg: There's a paedophile on the Internet! SHTBD/PTB! PTB're trying to regulate cyberspace! SHTBD/EFF! PTB're pushing GAK! SHTBD/C'punks! And so on. After all, all sides can cry "SHTBD", can't they? (Home users may prefer the alternate syntax SHTBD\, ie SHTBD\PTB, SHTBD\EFF, SHTBD\C_PUNKS etc :-) ... > used either seriously or satirically (probably mostly satirically by > everyone here). > > example: ... > "I was not implying that SHTBD, merely that we are moving into a brave > new world in cyberspace". How about something like: "I was not implying that SHTBD/PTB to stop it, but that SHTBD/us to support it/deploy it/get ready for it." ... > notice that SHTBD is the antithesis of cypherpunk philosophy in that > it tends to imply > > 1. government intervention Hence the addition of the field... > 2. coercive force > 3. censorship ... Yet one of your examples implied the opposite - sorry, I nuked it, but it was about the media picking bogeymen. ... > hence by using this term and popularizing it, we promote our own agenda > of "cryptoanarchy". ... Fortunately for the anarchists, perhaps, an authoritarian government is isomorphic to anarchy. Jiri - -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMOIXESxV6mvvBgf5AQEOBQQA7ShSGoioMAb6CF5ot0sxu57hvBwMDJDw MmkBLnPXvoYaL8dOEc5uYhdtLa8hkPapXT3NEUywI1SDDx7QUc4YgbzfQCQNAgz0 HYlfUlL1SA1N7JQIiyHEBN+jWaldzEGGflLxJPy83vm4N1pyo0gluzzi2hMJigcD FgU3G8LjcoE= =aBT9 -----END PGP SIGNATURE----- From doug at Eng.Auburn.EDU Thu Dec 28 06:41:41 1995 From: doug at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 28 Dec 1995 22:41:41 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <199512272022.MAA25782@netcom17.netcom.com> Message-ID: On Wed, 27 Dec 1995, Vladimir Z. Nuri wrote: > > so far the "authorities" are those who have been on a the list a long time. > (it is still an informal system however). this is a reasonable system. > but I object to the way that people such > as PM argue in one message that "there is no such thing as the cypherpunks" > but then endlessly determine themselves what is appropriate for the list. > doesn't anyone see the inconsistency-at-best-and-hypocrisy-at-worst of this? No, what's appropriate is what's in the charter. Stuff related to cryptography and its offshoots. Conspiracy du-jour is totally unrelated, and Perry is right, it doesn't belong. I don't see why that's so hard to understand. Perry isn't acting as a list owner, but the subconscious reminder to "stick closer to the charter". He's a bit billious, but it helps to cut out the drivel, so I don't mind so much. They (I) object when something is labelled as cypherpunk because many of the people on this list have completely opposite views on different topics. There is no gestault. A mailing list does not make a common personality. ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From blancw at accessone.com Thu Dec 28 06:43:28 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Thu, 28 Dec 1995 22:43:28 +0800 Subject: another anonymous poster helping to destroy our rights Message-ID: <9512280551.AA13342@pulm1.accessone.com> From: "Vladimir Z. Nuri" you can't have it both ways. either anyone is free to decide what a cypherpunk is, and no one has the right to argue with it. or, cypherpunks are something in particular, and someone has the authority to determine that. ............................................ So are you saying that "SHTBD!!!!"? :>) As you note, it is an informal system which operates on the list. As you also note, an "intelligent and mischievous adversary" can effectively create problems. But you failed to note that intelligent and technically savvy members will find effective ways to deal with it. That is what is important about an 'anarchic' list like this - that the challenge of maintaining rational discourse is met by the application of active intelligence, rather than all the rigmarole you mentioned. And this is what makes it interesting, I think. Any person's ideas or concepts or contributions can be tested or challenged by the more knowledgeable on the list, if they are so moved (or not, if they are not so moved). The organizing subject around which discussions revolve is crypto, within the social context. Because of this, the relationship to the main subject is difficult to maintain. (And isn't this list like a microcosm, at times, of the larger social picture?) It is the unexpurgated exchanges of thought & expression, which regulate the list. It reminds me of a book about life: You Learn, or You Die. .. Blanc From bplib at wat.hookup.net Thu Dec 28 06:43:48 1995 From: bplib at wat.hookup.net (Tim Philp) Date: Thu, 28 Dec 1995 22:43:48 +0800 Subject: DejaNews and Alta Vista Search Tools, and Privacy Implications In-Reply-To: Message-ID: I was interested in your comments re DejaNews because of an experience that I had about a month ago. I received mail from Rick Broadhead, a co-author of the Canadian Internet Guide. He wanted to know if I was the Tim Philp who wrote a computer column for the Brantford Expositor and if so, would I be interested in reviewing his new books. It seems that he got my name from a clipping service because I had mentioned his first book in my column. As I did not include my E-mail address in my column, he used DejaNews to search for Tim & Philp. Bingo! my name poped out from an old Cypherpunks list posting. In this case it was good as I was interested in talking to him, but the possibilities for privacy invasion are great. In any case, I got an article out of the experience. I think that it will be interesting when some of the future politicians who are now just kids playing on the Internet are presented with some of their juvenile rantings when they are 40 years old and running for office. The mind boggles! Regards, Tim Philp Brantford, Ont., Canada =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From tallpaul at pipeline.com Thu Dec 28 06:55:17 1995 From: tallpaul at pipeline.com (tallpaul) Date: Thu, 28 Dec 1995 22:55:17 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512280309.WAA23655@pipe10.nyc.pipeline.com> [I mistakenly failed to post the original message to which A.J. Stuckey responded to the entire group. I have corrected this error. However, A.J. Stuckey quoted enough of the original to have his questions comprehensible so I'll reply to them here without waiting for the original to be sent to the list.] On Dec 27, 1995 15:50:55, '"Anthony J. Stuckey" ' wrote: >In uiuc.mlist.cypherpunks you write: >>We live in a post-Faustian world. >> >>It is divided into two groups of people. First are those who understand the >>post-Faustian character and devote themselves to getting used to it and >>even having fun with the new opportunities while understanding that the new >>world also generates new problems (like furthering data-narcicism). Second >>are those classic-reactionary forces (from all parts of the political >>spectrum) who whine about how the post-Faustian world is personally unfair >>to them and how everybody in the world has a personal obligation to them to >>move the world back to its pre-Faustian origins. > > Just what exactly defines a "post-Faustian" world? That we're aware >people will sell their souls for power? >-- I wasn't a matter of people selling their souls for power or that we're aware of it. My original reference was to one view on our society (not necessarily reflected on the list) that we must "avoid the Faustian bargain." Gee, I hated to inform them that the Faustian bargain had already been made and made anywhere from hundreds to tens of thousands of years ago. In this sense, we live in a post-Faustian [bargain] world. The bargain, so to speak, was not about knowledge or power or other such things. Those were involved only in the negotiating stages of the contract. The *real* bargain occured when Faust stated: "And if I should ever say, "'Oh moment stay!' "Thou art so fair!' "I *deserve* to perish "Then and there. _Faust_, Part I, Goethe We are all caught in a process that can not be even stopped let alone turned back without damnation. We need not like this; we need not support it; we can even pull the covers over our heads and refuse to recognize it. But the bargain and process exists nonetheless. There are Group One people, like (most) cypherpunks and others who understand the bargain has been made, who accept the world, and who may even have fun participating in a continuing and ever changing process. E.G. the microprocessor was invented. This created the possibility of things like PGP that in turn created the first opportunity in the history of the world for the average man and woman to have privacy as (pretty) good as any government *if they were willing to provide themselves that privacy.* The same invention also meant the greatest invasion of privacy through computerized lists at credit card companies, etc. Now personally I like PGP and do not personally like credit company's data bases. But both exist in the world and I recognize the inevitability of both. The you have Group Two people who whine about how the development of the microprocessor created a world they don't like, that is unfair to them, that is based on the Faustian bargain, etc. etc. To them, the world says (if it bothers to say anything at all) "Tough!" Now am I inclined to give up either PGP or my Pentium because these necessarily exist in the same world with the credit companies they do not like. To use another example: we have the internet and we have a _de jure_ freedom of speech. Group One people like the net, even if it means that a few people are going to send "kiddie porn" over the wires instead of looking at the old "kiddie underwear" ads in the _Sears_ catalog. Group Two people are fearful of the net and hate it, frequently attempting to rationalize their fears by reference to "kiddie porn," "drugs," "terrorists," etc. They want their fears to dominate both the net and freedom of speech on a global level. "If it doesn't play in Peoria then it shouldn't play in Denmark," etc. Group One people say in essence that "kiddie porn" is a small price to pay for the net and expanded freedom of speech; Group Two people say in essence that the net is too high a price for "kiddie porn" and let us also reduce freedom of speech while we're at it. As I wrote, it is a post-Fastuain world and none of us can go home to the pre-Faustian world ever again. ==tallpaul From EALLENSMITH at ocelot.Rutgers.EDU Thu Dec 28 07:06:23 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Dec 1995 23:06:23 +0800 Subject: Telcom bill report Message-ID: <01HZBAWIUN7C8Y55DD@mbcl.rutgers.edu> From: IN%"futplex at pseudonym.com" 21-DEC-1995 18:57:06.16 >> Here's the additional info from Reuters. As usual, Clinton is being a > coward. How do you figure ? > Vice President Gore says President Clinton will sign the bill. Before > the agreement, the president had been threatening for months to veto > the bill if Republicans in Congress did not retreat on a long list of ~~~~~~~~~~~ > issues. They retreated. ~~~~~~~~~~~~~~ Clinton won on this. The Administration does not appear to have altered its position on this substantially. ---------- I am calling Clinton a coward for giving in to the Christian Coalition and not vetoing this bill due to the censorship portion. He evidently decided that following his oath of office and upholding the First Amendment wasn't worth the "porn supporter" criticism Ralph Reed and his lot would direct his way. -Allen From DMiskell at envirolink.org Thu Dec 28 07:07:23 1995 From: DMiskell at envirolink.org (Daniel Miskell) Date: Thu, 28 Dec 1995 23:07:23 +0800 Subject: another anonymous poster helping to destroy our rights Message-ID: <9512280525.AA05396@envirolink.org> You know, you are really starting to annoy me with this $*i+ about how anon users are destroying our rights by abusing theirs. If you dont like it, ignore it. but stop cluttering bandwith with your aimless complaints. if you want cypherpunks to do somthing, SUGGEST somthing! Stop wining and shut up!! *sigh* its like people cannot handle their own problems today, except by bleating to the public. I am requesting that anybody who has a problem with anon users TALK TO THE OWNER OF THE LIST. Munster --- _________________________________ *!Cheese Doctrine:!* Though cultured over time, and aged to perfection, one must not yield to produce mold. One must also not belittle themselves by conforming to the "whiz", but melt over the unprocessed ideas of Ghuda. _________________________________ From weidai at eskimo.com Thu Dec 28 07:18:44 1995 From: weidai at eskimo.com (Wei Dai) Date: Thu, 28 Dec 1995 23:18:44 +0800 Subject: Reputation capital: FIBS case study In-Reply-To: <2sY4wMz2BcRC083yn@mail.msen.com> Message-ID: On Wed, 27 Dec 1995, Lou Poppler wrote: > The thorniest problem in our reputation economy continues to be the > case of the player who drops out of a match when clearly losing, to avoid > the decrement of his rating number (based on match results only, not on > individual games). [......stuff deleted...] The best defense we have > found against the match dropper is complaining in the newsgroup. It seems to me the easiest way to solve this problem is to list for each player the number of games he dropped and didn't finish along with his rating and experience. Why go for elaborate social solutions when a simple technical solution exists? Wei Dai From alby at empire.org Thu Dec 28 07:25:21 1995 From: alby at empire.org (Albatross) Date: Thu, 28 Dec 1995 23:25:21 +0800 Subject: BoS: Re: Misconfigured Web Servers In-Reply-To: Message-ID: <199512280308.WAA09007@empire.org> > > On Wed, 27 Dec 1995, David Klur wrote: > > > > > Re: the "trick" below... an even more effective search is the > > following... > > > Is it just me, or is everyone getting a dozen of these? Yup! I'm also receiving a ton.. -Alby From usura at utopia.hacktic.nl Thu Dec 28 07:40:30 1995 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Thu, 28 Dec 1995 23:40:30 +0800 Subject: Announcing a new alpha release of premail Message-ID: <199512281108.MAA08509@utopia.hacktic.nl> You sez: : This is to announce that premail version 0.42 is now available. It : is a full alpha version of the new premail, containing all the : features and functions planned for the production release. [..] : If you are in the US or Canada, you can download premail now, from : the premail Distribution Authorization Form: : http://kiwi.cs.berkeley.edu/premail-form.html : Raph Levien ftp://ftp.hacktic.nl/pub/replay/pub/incoming From frantz at netcom.com Thu Dec 28 08:53:23 1995 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Dec 1995 00:53:23 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512270801.AAA11744@netcom9.netcom.com> At 14:53 12/25/95 -0500, Adam Shostack wrote: > The basic problem is that (personal) spam is a social, not a >technical problem. If someone wants to annoy you via the internet, >they can do so. You can raise the cost of their annoying you, but you >need to be careful not to make it difficult to talk to you. It seems to me that one of the technical problems of the personal spam is the way it can grow into a denial of service attack on your system. If it takes you more horsepower to filter the spam than it takes to generate it, then you are particulary vunerable. ----------------------------------------------------------------- Bill Frantz Periwinkle -- Computer Consulting (408)356-8506 16345 Englewood Ave. frantz at netcom.com Los Gatos, CA 95032, USA From dee at cybercash.com Thu Dec 28 10:43:02 1995 From: dee at cybercash.com (Donald E. Eastlake 3rd) Date: Fri, 29 Dec 1995 02:43:02 +0800 Subject: Cybercash security In-Reply-To: <9512271711.AA13714@hosaka.smallworks.com> Message-ID: The current plans include a way to link your CyberCash persona with a bank account (DDA). If you have done that and there is cash in your CyberCash persona, you would be able to transfer it to the bank account. Using ACH, this operation typically happens overnight. Donald On Wed, 27 Dec 1995, Jim Thompson wrote: > > The thing I'd like to understand about Cybercash is... how do I get the > cash back out of the system? > > ===================================================================== Donald E. Eastlake 3rd +1 508-287-4877(tel) dee at cybercash.com 318 Acton Street +1 508-371-7148(fax) dee at world.std.com Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA) From fc at all.net Thu Dec 28 10:43:06 1995 From: fc at all.net (Fred Cohen) Date: Fri, 29 Dec 1995 02:43:06 +0800 Subject: Reputation capital: FIBS case study In-Reply-To: Message-ID: <9512281414.AA21403@all.net> > On Wed, 27 Dec 1995, Lou Poppler wrote: > > > The thorniest problem in our reputation economy continues to be the > > case of the player who drops out of a match when clearly losing, to avoid > > the decrement of his rating number (based on match results only, not on > > individual games). [......stuff deleted...] The best defense we have > > found against the match dropper is complaining in the newsgroup. > > It seems to me the easiest way to solve this problem is to list for each > player the number of games he dropped and didn't finish along with his > rating and experience. Why go for elaborate social solutions when a > simple technical solution exists? > > Wei Dai It seems to me that not finishing a game is the same as knocking over the board. It's a loss for the player waiting to move, and a non-game for the other player. This should solve the not-finishing-a-game problem in short order. For the problem of playing a fake unrated player, try variations on this scheme. Track the players each player plays and reevaluate all players scores in relative terms. To get a rating, players must engage in games with enough other players to form a valid statistical basis - at least 100 games with rated players for 10% accuracy. Start with provisional ratings in the 1-10 range based on comparrison with other players regardless of who. As players play other fully rated players, add a temporary rating based on relative performance and post both relative and 1-10 ratings. When players reach 100 games within the rated group, they get an official rating. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From jya at pipeline.com Thu Dec 28 11:04:04 1995 From: jya at pipeline.com (John Young) Date: Fri, 29 Dec 1995 03:04:04 +0800 Subject: DOP_lip Message-ID: <199512271913.OAA21386@pipe1.nyc.pipeline.com> 12-27-95. WashP: The CIA's close-rankled directorate of operations aim to trashtalk Deutch out of depensioning the veteran Paris CoS for French economic spay of pigs. DOP_lip From dmandl at bear.com Thu Dec 28 11:42:51 1995 From: dmandl at bear.com (David Mandl) Date: Fri, 29 Dec 1995 03:42:51 +0800 Subject: Employer Probing Precedents? In-Reply-To: <199512272151.QAA05241@bb.hks.net> Message-ID: On Wed, 27 Dec 1995 Jason D. Livingood/WSC at hks.net wrote: > To Whom It May Concern: I was > curious as to where I might find some electronic freedom legal > precedents. If, for example, an employer was planning to probe file > systems on PCs in the off-hours and employees began encrypting their > hard drives, what legal precedents would support the employees or > would support the employer in blocking the encryption? Thanks for > any info you can give me!! You want to take a look at the ECPA (stands for Electronic Communications Privacy Act--I think). I don't have URLs handy, but it should be easy enough to find via Alta Vista or Yahoo. The way I understand it, though there are fairly strict limits on the snooping your employer can do, you waive more or less all your privacy rights if you sign a form saying you "consent" to the snooping. Your encryption question falls in kind of a grey area (most of the ECPA deals with reading people's email, etc.), but it's probably covered in there somewhere. I have very strong feelings about this subject, but I'll keep them to myself for now since I'm posting from work. We were all informed a week or two ago that Bear Stearns is now archiving every piece of email coming into or leaving the company. All I'll say here is that I disagree strongly with the views Tim May posted about employees' property rights, etc. (though we agree on most other things). --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From dmandl at bear.com Thu Dec 28 11:43:37 1995 From: dmandl at bear.com (David Mandl) Date: Fri, 29 Dec 1995 03:43:37 +0800 Subject: Employer Probing Precedents? In-Reply-To: Message-ID: On Thu, 28 Dec 1995, I wrote: > All I'll say here is that I disagree strongly with the views Tim May > posted about employees' property rights, etc. (though we agree on most > other things). Um, I meant employers' rights, obviously. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From dlv at bwalk.dm.com Thu Dec 28 12:16:40 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 29 Dec 1995 04:16:40 +0800 Subject: Only accepting e-mail from known parties In-Reply-To: <199512251953.OAA01614@homeport.org> Message-ID: I think the underlying problem is that the way PGP signatures are used by most people, they validate a text, but allow it to be quoted out of context in an e-mail or Usenet forgery. E.g., suppose Alice posts a PGP-signed text in alt.sex. Bob forges a Usenet article in misc.kids, making it look like it came from Alice and quoting her PGP-signed body. Alice will have a tough time convincing the public that she didn't post it -- after all, her signature verifies. (There are many people on the net who don't comprehend the argument that the Path: is clearly bogus). Or: Bob writes Alice a sexually explicit letter and forgets to say "Dear Alice" in the signed block. Alice forges an e-mail to Carol, making it look like it came from Bob and quoting the signed block. Bob would have to realy on the analysis of Received: headers to repudiate such a forgery. I suggest to the kind folks working on PGP 3 that there should be a standard protocol to include within the signed portion the information on when and for whom this text is written: i.e. the list of e-mail recipients and/or Usenet newsgroups, which could be easily compared with the RFC 822/1036 headers of an e-mail/Usenet article. Perhaps there could be a new option for PGP to look _outside_ the signed block and match the headers with what's inside the block. E.g., suppose the signature block says: this text was written by alice at zog.org, posted to alt.sex and alt.sex.banal and e-mailed to bob at masons.com. Suppose PGP is asked to check the signature in a file that purports to be a e-mail or a Usenet article and has some headers before the signed portion. If there is a list of To: recipients, and it includes someone other than the recipients listed within the signed block; or if there is a Newsgroups: header, and it includes newsgroups not listed within the signed portion; then the input is bogus. For compatibility with the existing software, if the signed block doesn't include this info, then this checking should't be done, of course. (Yes, one could do this with a wrapper to PGP, making the whole thing even more user-hostile.) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From tcmay at got.net Thu Dec 28 12:17:42 1995 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Dec 1995 04:17:42 +0800 Subject: DejaNews and Alta Vista Search Tools, and Privacy Implications Message-ID: (Side note: I seem to have returned from my holiday away from this area and away from computers to a war zone, with multiple flames and threats of legal action. Being a part of the Cypherpunks group, and potentially part of the "criminal conspiracy" to defame, am I included in the lawsuits? I wonder.) Anyway, a point of clarification of a point, lest there be the belief that _all_ Cypherpunks are opposed to comprehensive Web search tools: At 8:46 PM 12/23/95, Steven L. Baur wrote: >Furthermore, no one has mentioned the positive changes made to ^^^^^^^^? >Dejanews since it got bashed thoroughly on this list a few weeks ago. >They've significantly turned down the amount of old information >indexed, and have restricted the groups (and mailing lists) they >archive. I for one don't consider this to be a positive development. Reducing the time horizon for searches has no real effect on the compilation of dossiers (for example), but certainly makes DejaNews less useful. (And I'd be willing to bet that the time horizon was scrunched down for space and time reasons, not for reasons of privacy; the horizon will likely _increase_ as users ask for, and perhaps are willing to pay a bit for, longer time horizons.) And I don't believe the dominant thinking of folks who commented was that DejaNews was worthy of "bashing." In fact, I found it all very interesting, and a confirmation of what many of us expected would soon happen, i.e., fast access to past comments. I think I and several others commented on the major implications for privacy, especially vis-a-vis the way corporations will be able to see compilations of postings to "outrageous" groups. Indeed, I know of some people hiring programmers who are already using such tools to get a better understanding of whom they may be hiring, or not. But my comments were not in the vein of "something has to be done," but of recognition that a Brave New World is fast unfolding. Thinking that one is "safe" because a particular search service is not including all the groups or mailing lists it _could_ include is illusory (one is reminded of ostriches....). The same thinking happened several years ago when a great hue and cry in the media caused Lotus to abandon plans to sell a CD-ROM to individuals with publically available census and other data on it about neighborhoods, phone numbers, etc. Inasmuch as the non-individual entities (corporations, mass mailers, courts, law enforcement, etc.) already have full access to such databases, all the hue and cry really accomplished was to give individuals a false sense of security and privacy. A triumph of feelgood style over substance. Real privacy and security comes from steps taken to make the information private in the first place, not to ex post facto limit access. (I am not claiming that Steven Bauer or anyone else on our list is calling for laws to limit Web search engines, just giving my views about this. As a matter of fact, however, I am hearing rumblings in other places that "there ought to be a law" about these archives, indexes/indices, etc. Same old story. Kind of hard to enforce such laws when the indexes are in Holland, or Byelorussia, or "somewhere in cyberspace." ) Face it, every single word written by any of us to any Usenet newsgroup, going back to the beginning of Usenet, and expanding out to many ostensibly-private mailing lists, will fairly soon be searchable. (Add some digital cash and proxy/remailer features, and someone will be incentivized to put some really big arrays of optical disks up for searching. And if the U.S. tries to "regulate" such searches....well, I'm preaching to the choir here....) --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From dsmith at midwest.net Thu Dec 28 12:38:43 1995 From: dsmith at midwest.net (David E. Smith) Date: Fri, 29 Dec 1995 04:38:43 +0800 Subject: Proxy/Representation? Message-ID: <199512281517.JAA13397@cdale1.midwest.net> Caveat: I haven't yet looked through the archives, and it's late. This may sound even less intelligent than most of what's on the list as of late (although what with the flamewars about I'm not sure if that's possible). Today I made a purchase at a local store using a personal check that wasn't mine. It very clearly wasn't mine (since the name on the check was Helen and mine is Dave), but I am a duly appointed representative of Helen in certain affairs. Including this one, which was grocery shopping . (There are also other affairs, some with actual legal consequences, and there is paperwork to that effect in a lawyer's safe somewhere.) The question is: how do the current software packages handle representatives and proxies for a given is-a-person? Using PGP as an example, I can't sign a message with Helen's key. And a message signed with my key won't hold as much weight because "Dave" is not "Helen." And if every message I send on behalf of Helen has to be followed up by a message from Helen stating "yes, Dave may act on my behalf for this instance" then much of the point of the proxy process is lost. (i.e. the reduction of Helen's workload etc.) I'm sure that this has already popped up, so I'll just ask for pointers. dave ----- David E. Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745, +1(573)339-3814 PGP ID 0x92732139, homepage http://www.midwest.net/scribers/dsmith/ Dec15-Jan15: (618)244-3340/2209 Perkins, Mt Vernon IL 62864 From jya at pipeline.com Thu Dec 28 13:15:43 1995 From: jya at pipeline.com (John Young) Date: Fri, 29 Dec 1995 05:15:43 +0800 Subject: VEL_cro Message-ID: <199512281327.IAA15628@pipe4.nyc.pipeline.com> 12-28-95. NYPaper reports on Communications Security Establishment's spying on citizens and allies, citing Jane Shorten's unzips (earlier bared here). Deputy PM Sheila Copps velcros fig leaf, "If, in fact, there has been illegal activity going on, we'll want to deal with that in as public a way as possible." VEL_cro From tallpaul at pipeline.com Thu Dec 28 13:50:08 1995 From: tallpaul at pipeline.com (tallpaul) Date: Fri, 29 Dec 1995 05:50:08 +0800 Subject: Only accepting e-mail from known parties Message-ID: <199512271205.HAA08576@pipe9.nyc.pipeline.com> On Dec 27, 1995 00:50:13, '"Robert A. Rosenberg" ' wrote: >At 13:23 12/26/95, tallpaul wrote: > >>I hadn't picked up the problem you mentioned. Thanks for pointing it out. >> > >You're welcome - You _did_ ask for comments/analysis . > I wasn't being sarcastic with the "thank you" and I don't usuallly treat criticism as a neo-flame. As you may have inferred from other posts of mine, I am more interested and knowledgable about the social aspects of the privacy/crypto/anon debates then the code/algo aspects. I know other peoplw who share my interests but who proceed to write, publish, comment on the tek issues without understanding them. Getting a better understanding of them is one of the reaons I'm on the list. Sometimes I'll venture a view on one of the tek issues, in part to test by knowledge of those issues from the tek angle. Criticism is first a small price to pay for the ability to do this. Second, it improves my knowledge of the tek. --tallpaul From bart at netcom.com Thu Dec 28 13:50:17 1995 From: bart at netcom.com (Harry Bartholomew) Date: Fri, 29 Dec 1995 05:50:17 +0800 Subject: (fwd) RSA CEO Bidzos on USML/ITAR Message-ID: <199512271817.KAA16898@netcom14.netcom.com> From: softwa19 at us.net (Charles R. Smith) Newsgroups: talk.politics.crypto Date: Tue, 26 Dec 1995 16:55:09 GMT RSA CEO/President D. James Bidzos, in a speech before the Commonwealth Club of California, openly stated his opposition to current USML/ITAR controls. "We stand to lose a significant part of our industry due to export controls", said Bidzos in the taped address shown on C-Span 12/25/95. The recent teaming of Sun with ex-Soviet programmers to avoid U.S. export controls on encryption was cited by Bidzos as an example of exactly how jobs and opportunities are being forced off shore by U.S. policy. Bidzos statements echo the remarks from Microsoft CEO, Bill Gates, who also lashed out at federal export restrictions in his comments before the National Press Club in early Decemeber. This author noted some months ago the teaming of Ernst & Young and SOFTWARE (AG), a german based software firm, to provide encryption security with no import regulations. Foreign companies are allowed freely to compete in the U.S. domestic market while U.S. citizens are restricted from the international market. This imbalance costs american jobs, taxes, rapidly erodes our lead in this important area of science and is unfair. The regulations, instead of limiting access to foriegn criminals and terrorists, has led to a U.S. funded explosion of better off-shore products that are beyond law enforcement control. In fact, the Federal government not only encourages this effort but even has a multi-million dollar contract with SOFTWARE (AG). The time for these regulations has clearly passed. Yet, our government is not geared for quick action, nor will self-seeking bureaucrats ever be convinced to let go. The world, however, will quickly leave us behind unless we act soon. 1 if by land, 2 if by sea. Paul Revere - encryption 1775 Charles R. Smith - President SOFTWAR, Richmond VA http://www.ultimate.org/2292/ From perry at piermont.com Thu Dec 28 13:55:57 1995 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Dec 1995 05:55:57 +0800 Subject: Proxy/Representation? In-Reply-To: <199512281517.JAA13397@cdale1.midwest.net> Message-ID: <199512281546.KAA09482@jekyll.piermont.com> "David E. Smith" writes: > The question is: how do the current software packages handle representatives > and proxies for a given is-a-person? Using PGP as an example, I can't sign > a message with Helen's key. Nor should you be able to, actually. When you sign a document on behalf of another and have "Power of Attorney" in the paper world, you sign your own name and indicate that you are signing on behalf of another, as in "David Smith for Helen Smith". The right way to do this in the digital world, IMHO, is to have a standard for "Power of Attorney" documents, and for the entity receiving something signed in your key that should be signed in another person's key to also see the digitally signed power of attorney document. Then the entity can check the signature on the power of attorney was in Helen's key, and that the signed key in that document was the key that signed the document signed by the "attorney". > I'm sure that this has already popped up, so I'll just ask for pointers. Actually, I haven't seen it mentioned before -- its only a subset of other problems, though, like transient keys signed by longer term keys. There should be some standardization in formats to handle this. Perry From adam at lighthouse.homeport.org Thu Dec 28 14:45:02 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 29 Dec 1995 06:45:02 +0800 Subject: URL for cypherpunks In-Reply-To: Message-ID: <199512281556.KAA05580@homeport.org> Norman Hardy wrote: | I am putting up some solutions to the Garage Door problem that was | discussed here perhaps a year ago. I would like to refer to the cypherpunks | by URL. Are there currently any appropriate URLs ? Possibly the archive site at www.hks.net. Tim May's cypheromnicon. mailto:cypherpunks at toad.com is NOT an appropriate pointer. People who hand out pointers to mailing lists (other than the subscribe address) are annoying fools, and encourage many innocent fools to annoy many people. The csua.cs.bezerkely site is good, but hasn't been maintained in a while. (Unfortunately, there is enough cypherpunk & related stuff out there that maintaining a really good site would be a full time job. Thats not a flame at any of the people out there who do good work, just a wish for a really well organized www.cypherpunks.org library & pointer list, should someone decide to pay for it. :) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From adam at lighthouse.homeport.org Thu Dec 28 15:13:58 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 29 Dec 1995 07:13:58 +0800 Subject: Cybercash security In-Reply-To: Message-ID: <199512281557.KAA05598@homeport.org> Donald E. Eastlake 3rd wrote: | The current plans include a way to link your CyberCash persona with | a bank account (DDA). If you have done that and there is cash in | your CyberCash persona, you would be able to transfer it to the bank | account. Using ACH, this operation typically happens overnight. Wow. Overnight clearing, bank interaction to load an account, *and* identity linking! Tell me again why this is better than FV? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From dee at cybercash.com Thu Dec 28 16:44:05 1995 From: dee at cybercash.com (Donald E. Eastlake 3rd) Date: Fri, 29 Dec 1995 08:44:05 +0800 Subject: Cybercash security In-Reply-To: <199512281557.KAA05598@homeport.org> Message-ID: On Thu, 28 Dec 1995, Adam Shostack wrote: > Donald E. Eastlake 3rd wrote: > > [in answer to a question about how you would unload cash from a > Cybercash persona] > > | The current plans include a way to link your CyberCash persona with > | a bank account (DDA). If you have done that and there is cash in > | your CyberCash persona, you would be able to transfer it to the bank > | account. Using ACH, this operation typically happens overnight. > > Wow. Overnight clearing, bank interaction to load an account, > *and* identity linking! Tell me again why this is better than FV? You comment is sufficiently short and cryptic that it's a bit hard to tell what your point is. Different services are good for different things. Most of the merchant's signed up with CyberCash currently sell hard goods that they phsically ship to you. They have different needs from the on-line information vendors that FV primarily serves at this time. But both CyberCash and, I understand, FV plan to expand their service repertoire. If you want to use your credit card or bank account via CyberCash, you need to go though an authentication step to link them. If you don't want to use a credit card or bank account, there is no requirement to provide any real identity information when you set up a CyberCash persona. > Adam > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume Donald ===================================================================== Donald E. Eastlake 3rd +1 508-287-4877(tel) dee at cybercash.com 318 Acton Street +1 508-371-7148(fax) dee at world.std.com Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA) From markm at voicenet.com Thu Dec 28 17:07:11 1995 From: markm at voicenet.com (Mark M.) Date: Fri, 29 Dec 1995 09:07:11 +0800 Subject: URL for cypherpunks In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 27 Dec 1995, Norman Hardy wrote: > I am putting up some solutions to the Garage Door problem that was > discussed here perhaps a year ago. I would like to refer to the cypherpunks > by URL. Are there currently any appropriate URLs ? The most appropriate URL would be http://www.csua.berkeley.edu/cypherpunks/. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOLX0LZc+sv5siulAQH/pgP/bDZ1cy0YjaQeuusUwoAkikJhdKtjW8r5 eoJzRcGaaPd1wdOuVP3w4ab5D2+LMj/B765GumHV9okT/01yHVcratqVymDxkG05 TuE7RSpicusKfa/V0cpb6uZjqjbP8DPj9nEX5CU3YFMHzmFCGlRNjsYj6n4odpqW XBQF/i1AHoU= =UEJR -----END PGP SIGNATURE----- finger -l markm at omni.voicenet.com for PGP key Key-ID: 0xF9B22BA5 Fingerprint: bd24d08e3cbb53472054fa56002258d5 http://www.voicenet.com/~markm/ -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d- s:- a? C++++ U+++>$ P+++ L++(+++) E--- W++(--) N+++ o- K w--- O- M- V-- PS+++>$ PE-(++) Y++ PGP+(++) t-@ 5? X++ R-- tv+ b+++ DI+ D++ G+++ e! h* r! y? ------END GEEK CODE BLOCK------ From C.deGroot at inter.nl.net Thu Dec 28 17:44:38 1995 From: C.deGroot at inter.nl.net (Cees de Groot) Date: Fri, 29 Dec 1995 09:44:38 +0800 Subject: FYI - telecom bill or not there are still censors In-Reply-To: <2.2.32.19951227172007.0070f34c@mail.software.net> Message-ID: <199512281652.RAA05245@bofh.cdg.openlink.co.uk> > > According to reports popping up in other places around the Compuserve > Information Service it appears that they have taken a stance of Internet > censor and are now blocking access to certain Usenet newsgroups. This > move took place just before the Christmas holiday and remains unannounced > to the membership/subscriber base. > I got this response so fast, that I cannot do anything else but assume that they got an automated reply thingy on such requests. For any other simple question, CI$ needs something like a week to reply... :To: :Subject: Usenet Newsgroups : :Re: USENET Newsgroups : : :Thank you for using CompuServe Feedback! This is in reference :to your message concerning the disappearance of certain newsgroups :on CompuServe. : :Access to these certain newsgroups have been suspended indefinitely. :CompuServe has been notified that these areas may be in :violation of applicable laws or regulations. This matter is :under further review. : :Please let us know if you have any further questions. Thank you for :using CompuServe Feedback! : :Charlotte Harris : I won't start to comment on the style of this message. The term "Suitspeak" comes to mind. -- Cees de Groot, OpenLink Software 262ui/2048: ID=4F018825 FP=5653C0DDECE4359D FFDDB8F7A7970789 [Key on servers] -- Any opinions expressed above might be mine. From tcmay at got.net Thu Dec 28 18:22:32 1995 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Dec 1995 10:22:32 +0800 Subject: Laws, Politics, and Crypto Anarchy Message-ID: (Those interested in discussions of Fermat numbers should skip this message.) At 2:33 PM 12/28/95, David Mandl wrote: >I have very strong feelings about this subject, but I'll keep them to >myself for now since I'm posting from work. We were all informed a >week or two ago that Bear Stearns is now archiving every piece of >email coming into or leaving the company. > >All I'll say here is that I disagree strongly with the views Tim May >posted about employees' property rights, etc. (though we agree on most >other things). Yes, Dave and I agree about many things, but disagree about some things. I would not like to have my e-mail into and out of Bear Stearns--were I an employee--archived, monitored, and so forth, but I can certainly see why they feel the need to do it (their liability for SEC violations, insider trading, etc. is enormous). And were I an employer, I would not want some government telling me I am forbidden to see if my employees are selling me out over the Net. Just an example. (Important Historical Note: The thing that got me interested in cryptography, beyond my longstanding interest in the elegant mathematics of public key cryptography, was an evaluation I did in 1987 of an "information trading" business startup. My friend Phil Salin asked me to review his business plan for a company which later became "American Information Exchange" (AMIX). It allowed for people with information to sell to reach the potential buyers, and for buyers to reach potential sellers. Like a classified ad system. I thought about the system and said: "As an employer, I could not let my employees use your system." Phil's reaction was "Huh?" So I outlined a scheme whereby employees could begin "digital moonlighting," not only selling their expertise to my competitors on _company time_, but, infinitely worse, selling specific trade secrets to my competitors! I cited to Phil the prospect of a "BlackNet" (yes, I named it that in '87) which bought and sold corporate (and military, as I elaborated on the concept) secrets through digital pseudonyms and Chaum-style mixes. It became apparent to me what the Brave New World was going to look like. And thus were the ur-cypherpunkish ideas born.) It was not my intention to begin a debate about the nature of civil liberties and the role of property. In fact, I don't think "libertarian" debates are very useful here, for various reasons. (Though I don't go as far as some in thinking that only pure crypto should be discussed....the mix of crypto, programming, personal privacy, and technological empowerment is what we talk about.) Moreover, if political and economic issues never get discussed at all, some folks may think that Cypherpunks are "obviously" supportive of things like Data Protection Laws (which place limits on the compilation of dossiers and files on people), Electronic Privacy Laws (which tell employers they cannot snoop on employees), and Web Index Laws (which may limit the archiving and indexing of Usenet and Web items). In fact, I am against all of these laws. However, I won't take the list's time now to explain why, as the political discussion would take too long. Past articles have touched on these points, and references are scattered throughout the Cyphernomicon. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From lull at acm.org Thu Dec 28 18:41:50 1995 From: lull at acm.org (John Lull) Date: Fri, 29 Dec 1995 10:41:50 +0800 Subject: Proxy/Representation? In-Reply-To: <199512281517.JAA13397@cdale1.midwest.net> Message-ID: <30e2ce46.37070124@smtp.ix.netcom.com> David E. Smith wrote: > The question is: how do the current software packages handle representatives > and proxies for a given is-a-person? Using PGP as an example, I can't sign > a message with Helen's key. And a message signed with my key won't hold > as much weight because "Dave" is not "Helen." And if every message I send > on behalf of Helen has to be followed up by a message from Helen stating > "yes, Dave may act on my behalf for this instance" then much of the point > of the proxy process is lost. (i.e. the reduction of Helen's workload etc.) I would think a power-of-attorney, signed by Helen, would do the trick. This would normally be valid for some pre-defined period, for a pre-defined set of transactions, and would not have to be generated anew each time. From tcmay at got.net Thu Dec 28 20:59:15 1995 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Dec 1995 12:59:15 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause Message-ID: At 4:52 PM 12/28/95, Cees de Groot wrote, speaking of Compuserve's recent dropping of many newsgroups in response to demands by German prosecutors: >I won't start to comment on the style of this message. The term "Suitspeak" >comes to mind. Perhaps it is "Suitspeak," but it is not "censorship." Or, more precisely, it is fear that government laws will be used to sanction the service. Thus, it is the government of Germany in this case which is "censoring." ("Censor" and "censorship" are notoriously overloaded terms, of course.) Likewise, the Telecom/Exon Bill which we are so opposed to would just make the U.S. another player in this arena, joining Germany, Iraq, Syria, Singapore, and other regimes in attempting to regulate what people access on the Net. The U.S. would most like demand that a foreign-based service operating in the U.S. comply with U.S. laws. The problem lies with the laws themselves, as there is essentially no solution which will accommodate all of the various conflicting standards and mores of the world's nations and tribes while still having a Net such as we know it today. This is why I favor "technological anarchy": have systems which allow people to read and write what they want to read and write, not what church elders or government officials have deemed to be approprate or wholesome. (Note: There are ongoing debates about whether laws against obscenity, pornography, insulting speech, and on and on, violate free speech provisions in the U.S. Constitution. I won't get into this here. However, the laws of Germany, Iraq, North Korea, Singapore, France, Syria,......, Germany, Japan, Italy, and Zaire are definitely not those of the U.S. Thus, any _global_ service, such as Compuserve, may soon be forced to remove 70% or more of all Usenet newsgroups, and to restrict Web page access. After all, providing access to "alt.binaries.pictures.muslim.women.nude" is punishable by death by stoning in at least 30 countries. And providing access to Christian recruiting groups, and most Jewish groups, is definitely not allowed in the Kingdom of Saudi Arabia--better remove all those groups.) More than just Compuserve and AOL--which has a list of words it does not like to see used--I expect the various attempts to crack down on un-Christian, un-Muslim, un-chastity, etc. words and images to spread. Singapore will have its list of things it doesn't want its "children" (= all citizen-units) to see, Nigeria will have its list, and so on. Germany's longstanding moves to limit images and words it considers inappropriate and offensive are likely to force many Usenet newsgroups out of Germany. Law enforcement there is concentrating on Compuserve, and is trying to get U.S. officials to crack down on neo-Nazi Web sites in the U.S. The shape of things to come. Technology to bypass these new laws, not even more laws, is the key. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway." From alex at proust.suba.com Thu Dec 28 21:00:08 1995 From: alex at proust.suba.com (Alex Strasheim) Date: Fri, 29 Dec 1995 13:00:08 +0800 Subject: blind validation Message-ID: <199512281849.MAA08259@proust.suba.com> With all the recent Congressional activity, I've been thinking about blind validation. I know that other people (Chaum, for one) have considered it, but it's not something that's talked about online very often. I'd like to kick off a discussion. I'm not good with protocols, there are almost certainly some flaws in my thinking, and I'm not familiar with much of what others have written on the subject. Any pointers or constructive criticism will be greatly appreciated. I Basicd (Almost everyone here will be familar with this stuff; I'm including it for completeness.) By "blind validation", I mean allowing someone to prove that they're entitled to do something without making them tell you who they are. One obvious application of blind validation is to allow people to download adult material anonymously while making sure that children don't have access. Other applications might be allowing US citizens to download crypto software anonymously, or giving members of a University community anonymous access to computing resources that aren't available to the general public. Why is blind validation desireable? Without blind validation, it's possible to build large and intrusive databases by linking together the various fields on your ID cards, especially your social security number. When someone goes to a liquor store and shows an ID, he doesn't just prove he's over 21. He tells the clerk his name and address, and whether or not he wears glasses, among other things. This isn't a big problem when you're showing your ID to a clerk, because the clerk is a human being who won't remember your name or address. But a computer has a very good memory, and groups of computers are very good at assembling data from disparate sources. There are already online services that do this. Westdata, for example, offers a service that allows customers to search a database assembled from a variety of sources -- census information, real estate transactions, credit information, telephone directories, and the like. It's pretty easy to go online and find someone's SSN, and once you've got that it's possible to retreive all sorts of information. This is why it's sensible for us to give out as little information as is ncessary to accomplish whatever it is we're trying to do. That's what blind validation is all about. II Transferability -- blind validation's big problem. Suppose Alice is allowed to do something. How can we prevent her from giving Carol the right to do it as well? We can't. This is true of any (ok, I don't know that -- most) validation scheme, not just blind scehems. I can give away a unix account's login name and password, or even my PGP key. But conventional validation schemes have a big advantage over blind ones: in non-blind validation, users can be held accountable for the people they let in. If I give someone access to my unix account and they post photoshop disk images to usenet, I'll be held responsible. I have a strong incentive to keep my password secret. If I can get blind validation to do something, I can't be held accountable for my own actions, or for giving access to someone else. This fact drastically reduces the number of situations in which blind validation is useful. Here's a simple blind validation protocol that won't work: 1. Alice generates a random number, blinds it, and sends it to Trent along with proof that she's validateable. 2. Trent checks Alice's proof of validatability, signs her blinded number, then returns it to her. 3. Alice unblinds her number and sends it to Bob, along with a request for a download. Then Alice uses a remailer to post her number to usenet, along with Trent's signature, and Bob has to let everyone who reads net news download files. Even a ticket based protocol similar to ecash won't work. Let's assume that Bob wants a ticket in exchange for a file, and that he checks the tickets people give him for double spending. What's to stop Alice for getting a thousand tickets from Trent and giving them to her friends? Tickets aren't ecash -- they don't cost anything. Trent will give a ticket to anyone who can prove he's validatable, and there's nothing preventing Alice from going back for tickets over and over again. III Kids and Liquor Stores Imagine a group of teenagers who want to buy some booze. Let's consider two attacks they can mount on a liquor store: they can go in and try to trick the clerk into selling to them, or they can hang around in the parking lot and try to convince an adult to buy for them. The liquor store wants to keep its license, so it tries hard to defend against the first attack. But there's nothing they can do about the second attack, and what's more, they really don't have to worry about it. If they give booze to minors, they can lose their license or possibly even face criminal charges. But if some other adult gives booze to the minors, he's responsible. It's not the liquor store's problem. If the kids get their booze from the clerk or another customer, the end result is the same: the kids are able to get drunk. But from the store's point of view, there's a big difference, the difference between losing their license and keeping it. This is very different from the attitudes of the participants in most crypto protocols. If I use a protocol to exchange secure email, I don't want anyone except the recipient to read it. It's not much comfort for me to be able to say, "It's not my fault," if the mail becomes public. But the liquor store has to be able to live with the possibility that a kid will get ahold of some booze from their shelves. If that's absolutely unacceptable to them, the only thing they can do is close their doors or make patrons drink up in front of the clerk, because they can't prevent a customer from giving a bottle to a minor. The main interest of the liquor store is to avoid blame for underage drinking, not to make absolutely sure that kids can't drink. IV Alice, Bob, and Sam. Let's assume that Bob is running an FTP archive with crypto software, and Alice wants to download it. Alice wants to remain anonymous. Let's assume that a blind validation scheme, where Alice proves that she's a US citizen while remaining anonymous, is acceptable to both of them. If a blind validation scheme is acceptable, why isn't no validation at all? Obviously Alice ought to be satisfied with no validation. She wants the file, and she wants to remain anonymous. If Bob doesn't use any validation, Alice is still happy. But what about Bob? Bob's not an idiot. He knows that if he distributes crypto software on the net, someone's going to send a copy to Europe, and if he uses blind validation he won't be able to find out who did it. Consequently, if the software's appearance in Europe is totally unacceptable to Bob, he won't distribute it with blind validation. If Bob can live with the software appearing in Europe, why does he want to use blind validation to check for citizenship? The answer, obviously, is that Sam (as in Uncle, the government) has told Bob he'll be imprisoned if he exports the software. The blind validation scheme will let Bob distribute the software anonymously (which is what he wants to do) and prove to Sam that he's followed the letter of the law. In general, it doesn't seem that there are many situations that only involve Alice and Bob where blind validation makes sense. If Bob is willing to accept the increased risk of transferability that comes with blind validation, he'll probably be willing to accept no validation at all. Blind validation becomes useful primarily when you add Sam to the mix. This isn't an absolute truism of course. Let's think about a library card catalog at a University. I remember a conversation I once had with an INS investigator, in which he told me that he sometimes asked for a list of all the books his targets had taken from the public library. You can learn a lot about someone from what they read, or even from their card catalog searches. I know that some universities restrict access to their card catalogs to students, faculty, and staff. Why? Because they don't want to shoulder the cost of providing a research tool to the entire net. They're not trying to protect the information -- they're trying to reduce load on their library computer. Perhaps a University might recognize that there there's some value in using a blind authentication system to grant access to the catalog. It could protect the privacy of the people using the catalog, and still do a reasonably good job of keeping out people who shouldn't be involved. The role of Sam in this discussion might be one of the reasons that blind validations haven't generated much interest on the net in general or on the cypherpunk list specifically. If blind validation is privarily useful for cooperating with laws we don't agree with, then it's not unreasonable to look at it as a technology of collaboration. A viable blind validation scheme might make censorship more attractive. V A protocol Let's assume that Alice knows that Bob and Trent are who they claim to be, and that she can talk to Bob anonymously, perhaps through a chain of remailers or a dc net. This protocol isn't intended to protect Bob's privacy, only Alice's. We also assume that there's some sort of system in place for non- blind validations. 1. Alice initiates a transaction with Bob. (Perhaps by asking him for a file.) 2. Bob generates a random number and sends it back to Alice. 3. Alice blinds Bob's number and sends it to Trent, along with proof of her validatability. 4. Trent checks Alice's proof, signs the blinded number, and then returns it to Alice. 5. Alice unblinds Bob's number, then sends it to Bob. 6. Bob checks Trent's signature and makes sure that the number he recieved matches the one he sent out. Then Bob processes Alice's transaction. If Bob always follows this protocol, he can prove to Sam that he's followed the law. Alice remains anonymous. Alice can still transfer the file, but she has to give it away herself: she can't give away the ability to get it directly from Bob without giving away the ability to prove Aliceness to Trent. This means that she'd have to accept all the consequences of giving away non-blind validatability. The main problems that I can see with this protocol are: 1. It's vulernable to traffic analysis. 2. Sam has to trust Trent, which he may be unwilling to do. 3. You can infer stuff about Alice from the kinds of requests she makes of Trent. Someone who always asks Trent for proof that he's not a felon might tag himself as a person who buys a lot of guns or ammunition, for example. I'd like to put Trent out of a job, but it's hard to imagine a Trentless system without Chaum's observer chips. I've read Hal's criticisms of observer chips, and what he says makes sense to me. But observer chips could be more appropriate in a blind validation situation than they are with ecash. Ecash security has to be bullet proof, but if we can live with transferability in a blind validation system we've already given up on such rigorous security. From m5 at dev.tivoli.com Thu Dec 28 21:21:45 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 29 Dec 1995 13:21:45 +0800 Subject: Employer Probing Precedents? In-Reply-To: Message-ID: <9512282259.AA12970@alpha> Scott Brickner writes: > The notion that, simply because you're wearing a uniform owned by your > employer, you're subject to physical search at the employer's > discretion is laughable. The difference between this and searching the > computer on one's desk differ only in degree, IMO. Another vaguely-related concept is that of tenants' rights to a degree of security in rental property. My employer owns the workstation in front of me, but in exchange for supplying them with software and ideas (when I'm not busy sending e-mail to mailing lists ;-) they've "given" it to me to use in that pursuit. They could of course insist that I pay for it, like the old company store model that railroad workers dealt with. In a sense I do pay for it, under the idea that the company would be able to pay me more if not for the expense of the tools I need for the job. Though the ownership==control equation works sometimes, and is appealing to reason, I don't think things are always so simple. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From corey at netscape.com Thu Dec 28 22:03:55 1995 From: corey at netscape.com (Corey Bridges) Date: Fri, 29 Dec 1995 14:03:55 +0800 Subject: cool cpunk project proposal: "cpunk approved" logo Message-ID: <199512282150.NAA10375@urchin.netscape.com> >now, I don't know if people here realize how much great potential this >idea has. the media just LOVES to quote these kinds of judgements when >it's a slow news day (witness Blackwell's "worst dressed" list or >"best haircuts" or whatever else). Well...nothing personal, but I'd rather cut my n*ts off than be the blackwell of the information industry... >:-) And not to poo-poo a nifty idea, but ultimately, I think that any c'punk cooperative effort like that is doomed to failure. Sure, people can manage to get together every month or so for a cypherpunk meeting (well, *I* can't, but I'm even more disorganized than most), but beyond that, things like official c'punk press releases, and official c'punk FAQs, and official c'punk seals of approval are just NOT going to happen and still be called Officially Cypherpunk. It's tough to have an "official" anything for a group that's not REALLY a group--just the name of a mailing list. Now, this doesn't stop Tim from creating his Cyphernomicon, and it doesn't stop other people on this list from issuing their own press releases. Nor should it stop you (and other interested parties) from issuing your seal of approval to worthy products. I just don't think it'll work to call it the Official Cypherpunk S-O-A. Besides, the idea of having an official seal-of-approval sticker sounds like we're only one step away from having Cypherpunk action figures. ("New Eric Hughes figure with crushing logic grip! Detweiler with whirling Tentacles of Doom (tm)!") Uh, I guess I should have put "NOISE" in the subject line... Corey Bridges Security Documentation Netscape Communications Corporation home.netscape.com/people/corey 415-528-2978 From dsmith at midwest.net Thu Dec 28 22:44:33 1995 From: dsmith at midwest.net (David E. Smith) Date: Fri, 29 Dec 1995 14:44:33 +0800 Subject: Proxy/Representation? Message-ID: <199512290017.SAA00619@cdale1.midwest.net> At 10:46 AM 12/28/95 -0500, perry at piermont.com wrote: >"David E. Smith" writes: >> The question is: how do the current software packages handle representatives >> and proxies for a given is-a-person? Using PGP as an example, I can't sign >> a message with Helen's key. >Nor should you be able to, actually. And I can't :) >The right way to do this in the digital world, IMHO, is to have a >standard for "Power of Attorney" documents, and for the entity >receiving something signed in your key that should be signed in >another person's key to also see the digitally signed power of >attorney document. Then the entity can check the signature on the >power of attorney was in Helen's key, and that the signed key in that >document was the key that signed the document signed by the "attorney". That's more of what I was looking for. I suppose that (I'm still using PGP as my example) there could be a shared PGP key, signed by Helen and myself, where only the two of us know the passphrase, with a keyid of "David Smith on behalf of Helen Jones " or something similar. The obvious problem is that in sharing the pass phrase the security is weakened. (Paranoid threat model: at some point we have to decide on the pass phrase, and we are videotaped/bugged/spied upon while this takes place.) dave ----- David E. Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745, +1(573)339-3814 PGP ID 0x92732139, homepage http://www.midwest.net/scribers/dsmith/ Dec15-Jan15: (618)244-3340/2209 Perkins, Mt Vernon IL 62864 From usura at utopia.hacktic.nl Thu Dec 28 22:45:33 1995 From: usura at utopia.hacktic.nl (Alex de Joode) Date: Fri, 29 Dec 1995 14:45:33 +0800 Subject: [reply to anonymous] Re: rsaref Message-ID: <199512282306.AAA28036@utopia.hacktic.nl> to whom it may concern: rsaref20 is available on ftp.hacktic.nl since may 1995 in /pub/replay/pub/crypto/LIBS/rsaref20.zip -AJ- From perry at piermont.com Thu Dec 28 22:55:23 1995 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Dec 1995 14:55:23 +0800 Subject: Proxy/Representation? In-Reply-To: <199512290017.SAA00619@cdale1.midwest.net> Message-ID: <199512290024.TAA10333@jekyll.piermont.com> "David E. Smith" writes: > >The right way to do this in the digital world, IMHO, is to have a > >standard for "Power of Attorney" documents, and for the entity > >receiving something signed in your key that should be signed in > >another person's key to also see the digitally signed power of > >attorney document. Then the entity can check the signature on the > >power of attorney was in Helen's key, and that the signed key in that > >document was the key that signed the document signed by the "attorney". > That's more of what I was looking for. I suppose that (I'm still using > PGP as my example) there could be a shared PGP key, signed by Helen and > myself, where only the two of us know the passphrase, Huh? Why? Why would you need such a thing? If you reread what I wrote above, you would see that such a thing is completely unneeded. Perry From stewarts at ix.netcom.com Thu Dec 28 23:01:31 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 29 Dec 1995 15:01:31 +0800 Subject: [reply to anonymous] Re: rsaref Message-ID: <199512290035.QAA09284@ix13.ix.netcom.com> At 12:06 AM 12/29/95 +0100, Alex de Joode wrote: >to whom it may concern: > >rsaref20 is available on ftp.hacktic.nl since may 1995 in > > /pub/replay/pub/crypto/LIBS/rsaref20.zip If the RSA folks want to get picky, this may be violating their copyright, which is enforceable in Europe (unlike their patents.) There's also an RSAEURO clone of RSAREF which is available on ftp.ox.ac.uk/pub/crypto, and presumably at many other fine sites. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "The price of liberty is eternal vigilance" used to mean us watching # the government, not the other way around.... From ecarp at tssun5.dsccc.com Thu Dec 28 23:08:39 1995 From: ecarp at tssun5.dsccc.com (ecarp at tssun5.dsccc.com) Date: Fri, 29 Dec 1995 15:08:39 +0800 Subject: Employer Probing Precedents? Message-ID: <9512272350.AA27768@tssun5.> > From owner-cypherpunks at toad.com Wed Dec 27 17:48 CST 1995 > Date: Wed, 27 Dec 1995 16:51:41 -0500 > Subject: Employer Probing Precedents? > To: cypherpunks at toad.com > From: "Jason D. Livingood/WSC"@hks.net > X-Server-Version: Cactus-Serv 1.5 > > -----BEGIN PGP SIGNED MESSAGE----- > > To Whom It May Concern: > > I was curious as to where I might find some electronic freedom legal > precedents. If, for example, an employer was planning to probe file systems on > PCs in the off-hours and employees began encrypting their hard drives, what > legal precedents would support the employees or would support the employer in > blocking the encryption? Try www.eff.org. I have a partition on my HD that is routinely encrypted. When asked about it, my response was that I was acting to protect company confidential material and company assets. From vznuri at netcom.com Thu Dec 28 23:35:59 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 29 Dec 1995 15:35:59 +0800 Subject: cool cpunk project proposal: "cpunk approved" logo In-Reply-To: <199512282150.NAA10375@urchin.netscape.com> Message-ID: <199512290136.RAA05099@netcom17.netcom.com> > >And not to poo-poo a nifty idea, but ultimately, I think that any c'punk >cooperative effort like that is doomed to failure. Sure, people can manage >to get together every month or so for a cypherpunk meeting (well, *I* can't, >but I'm even more disorganized than most), but beyond that, things like >official c'punk press releases, and official c'punk FAQs, and official >c'punk seals of approval are just NOT going to happen and still be called >Officially Cypherpunk. It's tough to have an "official" anything for a group >that's not REALLY a group--just the name of a mailing list. you totally misunderstand my message. this is NOT an "official" project, it is NOT a cooperative project. I am proposing that INDIVIDUALS undertake the project under the cypherpunk name. no one has a right to complain after all, when there is no *official* cypherpunk standard. really, I do LOVE anarchy. >Now, this doesn't stop Tim from creating his Cyphernomicon, and it doesn't >stop other people on this list from issuing their own press releases. Nor >should it stop you (and other interested parties) from issuing your seal of >approval to worthy products. I just don't think it'll work to call it the >Official Cypherpunk S-O-A. I did not call it that. and in fact I of all people understand cypherpunk psychology quite well, thank you very much. > >Besides, the idea of having an official seal-of-approval sticker sounds like >we're only one step away from having Cypherpunk action figures. ("New Eric >Hughes figure with crushing logic grip! Detweiler with whirling Tentacles of >Doom (tm)!") not a bad idea imho. but really, someone came up with a Big Brother Inside sticker without a lot of whining about "officialness". all I am proposing is exactly the same thing, except that it would have the word "cypherpunk" on it. what's the difference? absolutely none. no one has any right to complain how the cypherpunk name is used if there is no "official" cypherpunk management. but notice I was excessively careful never to imply there was anything OFFICIAL the project. there is to be no collaboration or coordination except that agreed to by participants. what could be simpler??? it's really ridiculous how much the word OFFICIAL is considered pornographic on this mailing list. I didn't use that word and went to great lengths not to (and do so in ALL my mail to this list knowing the hypersensitivity of its participants). what I do object to is that because there is no OFFICIAL cypherpunk standard that individuals cannot create one that they CALL official. there is NOTHING stopping anyone from claiming they are running the OFFICIAL cpunk FAQ or whatever as long as there is no OFFICIAL cpunk management. what, is someone gonna sue? heh. no one has a right to complain!! why do I have to reiterate this obvious point? the sword cuts both ways. or, that communication path is full duplex, so to speak. From hfinney at shell.portal.com Thu Dec 28 23:37:40 1995 From: hfinney at shell.portal.com (Hal) Date: Fri, 29 Dec 1995 15:37:40 +0800 Subject: blind validation Message-ID: <199512290144.RAA28654@jobe.shell.portal.com> Those are very interesting thoughts Alex Strasheim posted about blind validations. The issue of people handing out copies of their validations ("credentials" is the term Chaum uses) can be significant. Chaum's way around it was basically to have some mechanism to give each person a unique number of some special form. There doesn't have to be any agency who knows what number each person has (in fact, there isn't, in his scheme), but there is a mechanism to assure that one person does not get two numbers. This is sometimes loosely referred to as an "is-a-person" credential (although in this specific context it is not actually a credential, just an identifier). One way to achieve the goal would be to make each person give a thumbprint, or some other biometric identification, in exchange for giving them the is-a-person credential. Another way would be to use conventional ID, making sure their credential is blinded. Then, the blind validations are mathematically structured to be linked to the identity number. Only someone who has a specific identity number can show a specific blind validation. The idea here is that this addresses the copying-validation problem because a person would not only have to give away the specific validation, but also his identity number. This would in effect let the other person masquerade as the first, and any bad things he did would come back to hurt the person who gave away the data. You can't just walk away as in a totally uncontrolled blind signature system because of the linked nature of the credentials, and because you only get one identity number. So the result in effect is to make it difficult to give away just a validation, without also giving away the ability to act as you. Here is an idea about another way to achieve the same thing, closer to Alex's example: Alice gets a blind validation as Alex describes based on a simple blind signature. (Alice hands a blinded number to Bob, he signs it, Alice unblinds it, and uses the resulting signed number as the validation to, say, access Bob's files.) We add that Alice puts, say, $100 into "escrow", encrypting it with the secret number and putting it on some public server. She proves to Bob that she has done this using cut and choose. Now if Alice gives away her secret number, anyone using it will be able to access Bob's files, but they can also get the $100. So now it costs something for Alice to give away her secret. (There are some major problems with this idea, the worst being that Alice can extract and spend the $100 right after proving to Bob that she is doing what she said, and before publishing her number. Maybe someone could think of some fixes.) Hal From ecarp at tssun5.dsccc.com Thu Dec 28 23:50:17 1995 From: ecarp at tssun5.dsccc.com (ecarp at tssun5.dsccc.com) Date: Fri, 29 Dec 1995 15:50:17 +0800 Subject: Employer Probing Precedents? Message-ID: <9512272351.AA27795@tssun5.> > From owner-cypherpunks at toad.com Wed Dec 27 17:48 CST 1995 > Date: Wed, 27 Dec 1995 16:51:41 -0500 > Subject: Employer Probing Precedents? > To: cypherpunks at toad.com > From: "Jason D. Livingood/WSC"@hks.net > X-Server-Version: Cactus-Serv 1.5 > > -----BEGIN PGP SIGNED MESSAGE----- > > To Whom It May Concern: > > I was curious as to where I might find some electronic freedom legal > precedents. If, for example, an employer was planning to probe file systems on > PCs in the off-hours and employees began encrypting their hard drives, what > legal precedents would support the employees or would support the employer in > blocking the encryption? Try www.eff.org. I have a partition on my HD that is routinely encrypted. When asked about it, my response was that I was acting to protect company confidential material and company assets. From dlv at bwalk.dm.com Fri Dec 29 00:14:52 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 29 Dec 1995 16:14:52 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) Message-ID: I've been engaged in a lively debate with a few members of the cypherpunks mailing list about forgeries that are hard to repudiate even if PGP signatures are used. One of the participants suggested that I post a summary to alt.privacy.pgp and sci.crypt, which is just what I'm doing. (My apologies to the mail.cypherpunks readers who already saw much of this once.) I'll illustrate the problem with several scenarios of forgeries. (It's funny that earlier today I was showing a friend how easy it is to post forgeries. She seemed suitably impressed. :) Scenario 1: Bob once sent Carol an e-mail that looked like this: ----------------------------------------------------------------------- From: Bob at boxb To: Carol at boxc Date: 25 Dec 1965 Subject: Carol, we're history Message-ID: <111 at boxb> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- ----------------------------------------------------------------------- Carol can forge an e-mail to Alice that looks like this: ----------------------------------------------------------------------- From: Bob at boxb To: Alice at boxa Date: 25 Dec 1995 Subject: Alice, we're history Message-ID: <222 at bobb> ----BEGIN PGP SIGNED MESSAGE---- I no longer wish to go out with you. Merry Christmas! ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- ----------------------------------------------------------------------- We assume that it's easy for Carol to forge the RFC 822 headers to make it look like the e-mail came from Bob. That's why many of us use digital signatures. The signed portion of Bob's original e-mail did not state that the message is addressed to Carol (e.g., "Dear Carol"). Alice will probably verify that the signature matches Bob's private key and assume that the e-mail is authentic and has been sent to her by Bob. To repudiate the e-mail, Bob might have to point out that the "Received:" headers differ from his usual e-mails, without relying on PGP. In fact, the presense of his verifiable signature would create more of a presumption of authenticity of Alice's part. Scenario 2: Bob sends the same e-mail as above to Carol. David, a rogue sysadmin, gets a copy of the e-mail, forges the same e-mail as above to Alice. Scenario 3: Bob sends a signed e-mail to Alice. Alice sees it in her newsfeed, forges a Usenet article, makes it look like it came from Bob, and includes the body of Bob's e-mail as the body of the Usenet forgery. Usenet forgeries are easy. Again, if the signed text happens to be suitable, then Bob will have difficulty repudiating the forgery. He won't not be able to use the PGP signature, which will in fact verify. Hopefully, he'll be able to point out that the RFC 1036 Path: header is different from his usual header (which may not be the case). Many Usenet readers would be unconvinced and Bob's reputation would be damaged. Scenario 4: Bob posts a signed Usenet article to alt.sex. Alice forges a usenet article in Bob's name to misc.kids, recycilng the signed body, which would probably be considered inappropriate for misc.kids. Same result as #3. Scenario 5: Bob posts a signed Usenet article to some innocuous newsgroup. Alice reposts the same body in a forgery in Bob's name. The forgery can be cross-posted to numerous "inappropriate" newsgroups ("velveeta"), or multi-posted ("spam"). Certain rogue self-apponited net.cops forge cancels for all copies of Bob's article, including the original. (They are a bigger menace than the forgers :) (As several people know, I have been a victim of some of the above-described kinds of forgeries.) I think the underlying problem is that the way PGP signatures are used by most people, they validate a text, but allow it to be quoted out of context in an e-mail or Usenet forgery. I suggest to the kind folks working on PGP 3 that there should be a standard protocol to include within the signed portion the information on when and for whom this text is written: i.e. the list of e-mail recipients and/or Usenet newsgroups, which could be easily compared with the RFC 822/1036 headers of an e-mail/Usenet article. Perhaps there could be a new option for PGP to look _outside_ the signed block and match the headers with what's inside the block. For example, suppose the signature block says: this text was written by alice at zog.org, posted to alt.sex and alt.sex.banal and e-mailed to bob at masons.com. Suppose PGP is asked to check the signature in a file that purports to be a e-mail or a Usenet article and has some headers before the signed portion. If there is a list of To: recipients, and it includes someone other than the recipients listed within the signed block; or if there is a Newsgroups: header, and it includes newsgroups not listed within the signed portion; then the input is bogus. For compatibility with the existing software, if the signed block doesn't include this info, then this checking should't be done, of course. After I posted the above suggestion to cypherpunks, one very respected member of that list informed me that "the security multiparts standard (RFC 1848) includes a provision for signing the headers as well as the body of a message. The security multiparts can be used with PGP, and there is even an Internet Draft for it (draft-elkins-pem-pgp-02.txt), but there is not yet consensus for adopting this as a standard on the pgp-mime mailing list." I hope my examples will convince some that present practice of signing pieces of text which can be quoted out of context in a forgery is just not enough. We need to have an easy way to sign the headers without resorting to mine. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From sandfort at crl.com Fri Dec 29 00:24:42 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 29 Dec 1995 16:24:42 +0800 Subject: cool cpunk project proposal: "cpunk approved" logo In-Reply-To: <199512290136.RAA05099@netcom17.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 28 Dec 1995, "Vladimir Z. Nuri" wrote: > you totally misunderstand my message. this is NOT an "official" project, > it is NOT a cooperative project. I am proposing that INDIVIDUALS undertake > the project under the cypherpunk name. no one has a right to complain > after all, when there is no *official* cypherpunk standard. really, I do > LOVE anarchy. Hey Larry, go for it. I'm sure it will be every bit as successful as "Cypherwonks." > . . . I of all people understand cypherpunk psychology . . . Several of them, in fact. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From tcmay at got.net Fri Dec 29 00:40:52 1995 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Dec 1995 16:40:52 +0800 Subject: Employer Probing Precedents? Message-ID: (I've purged the four accumulated names off the cc: list. I urge other to do the same, as the headers are getting clogged up, and people are often getting two copies.) At 10:59 PM 12/28/95, Mike McNally wrote: >Another vaguely-related concept is that of tenants' rights to a degree >of security in rental property. Actually, tenants have nearly absolute rights of privacy. Landlords cannot enter the premises whenever they wish, conduct bed checks, sniff for marijuana, etc. However, landlords are also not held liable (in most cases) for the illegal acts of tenants. (Obvious exceptions include recent developments with "crack house" laws, or where the tenants are using a house as a base of operations, such as shooting from windows...and even then the landlord's responsibility is to cooperate with law enforcement: he is not liable for the shootings, nor for anything else that he could not have reasonably known about or controlled.) Ditto for hotel owners. I wrote a long essay for the Cyberia list using these examples as jumping off points for a view of law in cyberspace. Basically, that ISPs be treated as hotel owners. Not liable for the misdeeds of customers in the "rooms" (in realspace hotels, or in cyberspace). However, corporations aren't given the luxury of disassociating themselves from the actions of their employees. (Contract workers are a further issue, and the issue of whether they supply their own tools/computers, workspace, etc., enters in.) I maintain that my employees are beholden to me as to what they run on their computers. They can always choose not to work for me. (And the same applies to hotels, actually. Were a hotel to have stringent rules on in-room behavior, such as the YMCAs and religious retreat hotels have, then customers have little right to complain about bed checks, mixed sex bans, etc. That most hotels have no such rules says more about where the Schelling points are than it does about the efficacy of rules and laws. >Though the ownership==control equation works sometimes, and is >appealing to reason, I don't think things are always so simple. Nor do I think things are always simple. But it pays to think about proposed laws from a perspective of maximizing personal choice. (The choice of the owner of a hotel, or computer, or car, to establish the basis for trading use of his property for other considerations.) --Tim May We got computers, we're tapping phone lines. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From anonymous-remailer at shell.portal.com Fri Dec 29 00:53:50 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Fri, 29 Dec 1995 16:53:50 +0800 Subject: Ecash graphic images? Message-ID: <199512290458.UAA15779@jobe.shell.portal.com> Could anyone provide some pointers to a gif or jpeg file containing good-looking ecash coins? I would like something larger and more detailed than the "we accept ecash" you see everywhere. Thanks very much. From tcmay at got.net Fri Dec 29 01:45:36 1995 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Dec 1995 17:45:36 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause Message-ID: At 5:17 AM 12/29/95, Bill Humphries wrote: [much good stuff, with which I agree, elided] >Support your local ISP. This simple line is very, very important! Consider two extremes: * Extreme 1--Internet access via Compuserve, AOL, or other organizations striving for a "global presence." Every country these organizations does business in puts pressure on them to control content, supply names of contacts, etc. Singapore bans 200 newsgroups, Iraq executes the local sysops, the U.S. jails the corporate executives for allowing "alt.barney.die.die.die" to corrupt the morals of young people. * Extreme 2--"Individuals on the Net directly." Joe User has a box on the Net. Albania is powerless to hassle him. France cannot seize his computer. (If he's in Country A, that country may harass him, but if he connects to accomodation addresses in other countries, even this is lessened or avoided completely.) Small ISPs are closer to Extreme 2, as they have no presence in Albania, Iran, France, Chad, or other states desiring to control content. For small U.S. ISPs, their main worry is what the U.S. government will say they must do. Small, local ISPs may of course be more prone to other kinds of pressure. But it is my experience that small services are less likely to adopt speech codes and other draconian behavioral laws than are larger and "more responsible" (:-}) services. Jay Campbell, one of the sysops at my ISP, "got.net," may want to give his perspective, if he sees this. I see a positive longterm trend toward people connecting through smaller, more local services. Hard to enforce Albania's laws on 20,000 small Internet connection services. Even longer term, the anarchy of the Net will reach its true flowering when millions of users are directly connected. How ya gonna keep em down when they're directly on the Net? --Tim May We got computers, we're tapping phone lines. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dsmith at midwest.net Fri Dec 29 01:54:23 1995 From: dsmith at midwest.net (David E. Smith) Date: Fri, 29 Dec 1995 17:54:23 +0800 Subject: Proxy/Representation? Message-ID: <199512290017.SAA00616@cdale1.midwest.net> At 05:07 PM 12/28/95 GMT, lull at acm.org wrote: >> The question is: how do the current software packages handle representatives >> and proxies for a given is-a-person? Using PGP as an example, I can't sign >> a message with Helen's key. And a message signed with my key won't hold >> as much weight because "Dave" is not "Helen." And if every message I send >> on behalf of Helen has to be followed up by a message from Helen stating >> "yes, Dave may act on my behalf for this instance" then much of the point >> of the proxy process is lost. (i.e. the reduction of Helen's workload etc.) >I would think a power-of-attorney, signed by Helen, would do the >trick. This would normally be valid for some pre-defined period, for >a pre-defined set of transactions, and would not have to be generated >anew each time. That's basically the situation in the wonderful world of paper. What I'm interested in is how to handle the power-of-attorney case in the world of bits. (I've been using PGP as my example, but I'm certainly open to software that handles it better; suggestions?) Even if Helen signs my PGP key, that doesn't do anything other than connect us in the almighty Web of Trust (for whatever that's really worth). dave ----- David E. Smith, c/o Southeast Missouri State University 1210 Towers South, Cape Girardeau MO USA 63701-4745, +1(573)339-3814 PGP ID 0x92732139, homepage http://www.midwest.net/scribers/dsmith/ Dec15-Jan15: (618)244-3340/2209 Perkins, Mt Vernon IL 62864 From frenchie at magus.dgsys.com Fri Dec 29 01:56:18 1995 From: frenchie at magus.dgsys.com (J.Francois) Date: Fri, 29 Dec 1995 17:56:18 +0800 Subject: Strategic Investments .... In-Reply-To: <199512290101.UAA12519@atlanta.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- While browsing my mail I noticed that mjsus at atlanta.com wrote: > > This can be some interesting ..... > > > **************************************************************************** > ********** > > GLOBAL STRATEGIC SYSTEMS NEWSLETTER > > December, 1995 > > Strategic Management Investments, Asset Allocation, Evaluation and Review Look, I aint no crypto expert or nuthin', but I have spent a lot of time looking for the algorithm or key to figure this thing out and I can't find it. I got whole ROOMS of cpu's crankin' on this one, I even called uncle Al at Fort Meade and he called back and said, "....dunno...must be some newfangled stego or something, I'll call you back". Was this really a newsletter post or do I need to go back to codebreaker school????? - -- =====================PGP Encrypted Mail Preferred======================== PGP Public Keys: 1024/BEB3ED71 & 2047/D9E1F2E9 on request. As soon as any man says of the affairs of the state " What does it matter to me? " the state may be given up for lost. J.J.Rousseau - The Social Contract =========================No Unsolicited Email============================ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: 355/113 -- Not the famous irrational number PI, but an incredible simulation! iQCVAgUBMONhDrbmxeO+s+1xAQEDvAQAjWwk9q48ZrOEzrpmb+OkTpwjkyqamfgU Z4KeC46s9GNC5QlW8JdiCfjmmwPFr/skyaGDFEH93V9Em6pl6tPjGI1KogOq5Xon RJGdconUUwgP8jRKaM3e+uXYCIurQDSwtUVCS0M4jnHobmQjhZ6SfGFHFMdJssEH dEplAfQy46Y= =odMQ -----END PGP SIGNATURE----- From m5 at dev.tivoli.com Fri Dec 29 01:56:40 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 29 Dec 1995 17:56:40 +0800 Subject: Employer Probing Precedents? In-Reply-To: <9512282259.AA12970@alpha> Message-ID: <9512290129.AA13043@alpha> Eric Murray writes: > > Another vaguely-related concept is that of tenants' rights to a degree > > of security in rental property. > > Wrong model. You don't pay rent to your employer for your computer. I don't think you read the rest of my note. I don't think it's completely clear that I don't pay rent to my employer for my computer. > Does this allow for employees keeping encrypted material on their > company computer? I don't think so, or rather I think that it's in > the company's rights to ask for the encryption keys under certain > circimstances- employee leaving company, employee suing company, etc. > If you've kept something damaging on your employers machine, you better > delete it before the situation gets so bad that they'll be going through > your files. And still this reminds me of tenants property rights. (And I do agree the connection is rather thin, but work with me here.) An apartment manager can get in to an apartment for a variety of contractually set reasons. Maybe what all this means is that, at some point, employees will begin demanding explicit contracts w.r.t. computer system policies, just like for basic stuff like salaries & benefits. Indeed, I know of several cases where engineers being courted demanded and got perks like window offices or an extra few PTO days in their initial offer; why not a contract for what is and isn't "mine" on the network? (In that light, it'd probably develop that those without such a contract would be left on poor legal ground.) (And we'd better stop before Perry yells at us :-) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From ericm at lne.com Fri Dec 29 01:57:27 1995 From: ericm at lne.com (Eric Murray) Date: Fri, 29 Dec 1995 17:57:27 +0800 Subject: Employer Probing Precedents? In-Reply-To: <9512282259.AA12970@alpha> Message-ID: <199512290107.RAA27776@slack.lne.com> > Scott Brickner writes: > > The notion that, simply because you're wearing a uniform owned by your > > employer, you're subject to physical search at the employer's > > discretion is laughable. The difference between this and searching the > > computer on one's desk differ only in degree, IMO. > > Another vaguely-related concept is that of tenants' rights to a degree > of security in rental property. Wrong model. You don't pay rent to your employer for your computer. Your deskside workstation is just like your desk that it sits beside when it comes to employer/employee rights. While a prudent employer won't go through your desk unless it's required, they do have the right to do so. Many companies have stated policies as to when they can go through your desk; at places like IBM it is very restrictive as to when managers can go through your desk. This is merely smart business- giving people trust is the best way to make them responsible. All companies should also have written policies that state what parts of employee's computers/hard drives/home directories/email etc. is considered private, and under what circimstances management is allowed to look through those areas. I managed to sneak a policy like this into the computer security policy I wrote for a previous employer. Again, the policy should strictly limit what snooping through employee's files the company will do. Any company that goes through it's employee's files with less than sufficient justification is going to generate a lot of negative reputation, and fast. Does this allow for employees keeping encrypted material on their company computer? I don't think so, or rather I think that it's in the company's rights to ask for the encryption keys under certain circimstances- employee leaving company, employee suing company, etc. If you've kept something damaging on your employers machine, you better delete it before the situation gets so bad that they'll be going through your files. If you want to keep something secret, put it on your own machine. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From mjsus at atlanta.com Fri Dec 29 01:58:02 1995 From: mjsus at atlanta.com (mjsus at atlanta.com) Date: Fri, 29 Dec 1995 17:58:02 +0800 Subject: Strategic Investments .... Message-ID: <199512290101.UAA12519@atlanta.com> This can be some interesting ..... **************************************************************************** ********** GLOBAL STRATEGIC SYSTEMS NEWSLETTER December, 1995 Strategic Management Investments, Asset Allocation, Evaluation and Review Strategic Management System (SMS) investments are long-term investments and total ROIs of these investments can only be evaluated after several years from the initial decisions and activities. However, this does not mean that the organization can not evaluate many specific elements and short-term projects of the whole SMS project separately and obtain some good feedback and information about the short-term performance within one year or sooner. The implementation of an overall SMS can be divided into small development projects such as back-up system, customer complaint processing, environmental communication and employee recruiting system development. Specific Return on Investment and other financial and cost objectives can be established for these projects, and they can be evaluated and monitored on a quarterly and/or annual basis. However, the main strategic objective, the aim of the SMS, can only be achieved, when all elements of the SMS have been implemented, integrated and operated effectively. To justify, specific investment decisions, both short-term and long-term financial indicators can be used, which can satisfy many passive investor's requirements to commit to the long-term investments. Depending on the field of technology and business complexity, the organization can spend up to 30 % of its annual revenue in the strategic investments including system development and any new technology R&D activities. In some cases, costs can be higher. What is the portion of this amount that is invested in the development of the SMS? With some rough information, it was possible to calculate that about 25 % of the total annual strategic investment was spent in one ISO 9000 quality system development. This 25 % was invested in organizational capability, improved quality assurance and additional equipment, manpower and machine acquisitions. Using the above estimation, the management estimated that it had invested up to 7.5 % of its annual revenue in the strategic management system development activities. The major portion of this investment can be used in tactical, short-term development projects such as returned goods processing and test and equipment control, where the investment performance data can be obtained faster; and the rest of the SMS investment can be used for project/program management and coordination, organizational restructuring, responsibility and authority definition, document and data control and any other supporting system development activities, the financial monitoring can be more difficult. The major cost categories in the SMS development projects are: 1. development, implementation and training time (manpower excluding external training, consulting and assessment activities), 2. equipment and machine acquisitions, 3. materials such as office supplies and 4. external project activities. Investments in the development of any SMS can be either tactical or strategic. The financial performance of the tactical investments is very often much easier to evaluate than the evaluation of the long-term investments that may not have specific and measurable investment objectives and/or the accounting information to evaluate the performance against any specific objectives which can be difficult to obtain. It is possible to develop specific budgets for each element of the SMS development project and identify the sources of development benefits and cost reductions that can be used for evaluating the financial performance of each project. The financial performance (including the maintenance of development budgets and the achievement of investment performance ratios such as Return on Investment and Investment Payback Period) can be reviewed and evaluated on a quarterly and annual basis. Any consolidated investments in the whole Strategic Management System development and the SMS development progress can be reviewed in the annual Strategic Planning activities by the top management in the same way as any specific tactical investments can be reviewed and analyzed in the departmental level to identify any problem areas, any potential problems and to determine and initiate necessary corrective and/or preventive actions to achieve or maintain all financial performance objectives and targets. The organization should manage its investments in the SMSs such as ISO 9000, ISO 14000 or Information Security Systems as it manages all its capital expenditures or any investments in financial instruments such as stocks and bonds. These investments have to be controlled, managed, reviewed and improved upon on an on-going basis by the managerial level. Each element of the SMS development can have its own budget and budget responsibility. The organization may establish its own unique accounting system for each SMS development project including specific cost and expenses categories, and identifying specific sources of financial benefit information that can be used to calculate financial ratios. Any over spending or other negative financial performance issues can be brought to the attention in the management reviews, which may lead to the initiation of necessary corrective and preventive actions. It is easy to overspend and waste financial resources such as the waste of manpower without adequate accounting, record keeping and monitoring systems and methods. The utilization of actual financial performance measures helps the organization also to see actual financial benefits from the strategic investments and to justify additional SMS development activities. However, we still have the question: "How much should the organization invest in any specific SMS to satisfy its future business requirements?" From pratt at cs.Stanford.EDU Fri Dec 29 01:58:18 1995 From: pratt at cs.Stanford.EDU (Vaughan Pratt) Date: Fri, 29 Dec 1995 17:58:18 +0800 Subject: Fwd: Re: Fwd: Re: FH radios [Dave Emery] [Vaughan Pratt] In-Reply-To: <9512270551.AA23874@pig.die.com> Message-ID: <199512290049.QAA28702@Coraki.Stanford.EDU> That is not what Mr Shannon says, Shannon's law relates date rate, bandwidth and signal to noise ratio - the "channel capacity" of 26 mhz of spectrum is determined by the signal to noise ratio in the 26 mhz channel and ranges from much less than 26 mbs to several times that rate depending on the signal to noise ratio (and of course how clever the modulation technology is at exploiting it). Witness a 28.8 kb modem which stuffs 28.8 kb into less than 3.2 khz given about 32 db gross SNR. Oops, mega*samples*, not megabits, how embarassing. I agree with your numbers, I was low by an order of magnitude or so on the quantity of data one would need to examine to reconstruct the message. But now that I think about what 902-928 MHz looks like in practice, I think I underestimated how hard things could get. If you're just trying to track a frequency-hopping signal where the rest of the power in the band is some mix of Gaussian noise and non-hopping signals, the carrier should be clearly visible as a spike hopping around in the band. As soon as you have two or more frequency-hopping signals however, keeping track of which carrier is which as they hop around looks *much* harder. If they hop at discernibly different times then you can correlate a carrier that disappeared with the one that appeared elsewhere at the same time. This easily described and implemented approach breaks down when two or more signals hop at the same time. Here you might try to associate some sort of signature with each signal to allow you to pair up the new carriers with the old, but you'd have to know more about the situation to say what signatures would be good. Similarly a single spread-spectrum signal should be easy to pick out, but multiple such sounds like an even bigger headache than multiple hoppers. But even the security of mathematical crypto is mostly unproven as of yet - we merely think things are difficult to compute because we don't know an easy way to do it, not because there is a clear proof that is true. Yes, this is a very important point (but presumably an obvious one to cypherpunks, maybe I should subscribe). Worse, even if we *could* prove a certain protocol secure, the proof will typically apply only to the protocol and not to any particular message transmitted using that protocol. There is a very big difference between proving the absence of a fast decryption algorithm for a given encryption scheme and proving that every message so encrypted is secure. One might call this distinction existential security vs. universal security. A universally T-secure channel is one for which every message is secure from all T-bounded attacks (algorithms taking time at most T expressed as a function T(n) of the length n of the message). An existentially T-secure channel is one such that for every T-bounded attack there exists an infinite set of messages all of which are secure from that attack, though not necessarily the same messages as you vary the attack. (As a practical matter it would be more useful to replace the function T by a fixed long duration such as a googol seconds, provided this could be achieved with messages of size at most say a kilobyte, a point of view advocated by e.g. Leonid Levin. This requires taking the state-symbol product of the computational model into account when measuring computational complexity since constant factors can no longer be neglected; here Kolmogorow complexity is a particularly natural setting. This still only addresses algorithmic attacks; for security against hardware attacks one should also appeal to limits set by physical constants like c and h-bar.) The danger is that someone will eventually demonstrate existential security for a protocol, the proof will as usual be trumpeted in the New York Times, and it will be interpreted by many as proving universal security. An intermediate notion is that of a uniformly existentially secure channel: there exist some messages secure from all attacks. But if those messages can be efficiently identified then such a channel can be converted to a universally secure channel simply by only transmitting secure messages. Modulo the identification problem, this shows that it is no easier to come up with a uniformly existentially secure protocol than a universally secure one. With a few exceptions, arising in e.g. quantum cryptography, we don't even have existentially secure protocols yet, let alone universally secure ones. Vaughan Pratt From cadams at fly.HiWAAY.net Fri Dec 29 02:00:40 1995 From: cadams at fly.HiWAAY.net (Chris Adams) Date: Fri, 29 Dec 1995 18:00:40 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: Message-ID: <4bvub2$4b3@fly.HiWAAY.net> -----BEGIN PGP SIGNED MESSAGE----- Newsgroups: alt.security.pgp,sci.crypt,mail.cypherpunks In article , Dr. Dimitri Vulis wrote: >I'll illustrate the problem with several scenarios of forgeries. The easy way around this if you think this might happen is just to put a line at the top of your signed message stating where the message is supposed to go. Then if people see it elsewhere, they can figure out that something is amiss. See above for an example. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMON8jiJFQNhhNdm5AQHCFgf9GbaCMWRckNQA4y9Av8e0nigYP0GpGxEh 0A2w9dvSJBmuzaMJ8QxERieGVE61U3+VXOLgssdWXZsnqOPBNKk+2hYyx+vatFL9 XKETZV245acLo4VMNNxV4m/hGteuHUb4oQEKCWHwylyh/f9wfvx+ZTjvTyd8RiqQ nwcpRPhRA4FozOaVNbjZw/A4nmvxq5I3gg3yMet3vfMWKdhLIy4gsvuhRm/asTGo BUSw8PIJQbFbrXpoyWsP/sWGDa5tjN7Z05HnX9yU3OIa0uk6K6e2xKVJUo3G2Jso Kts/pw2hqDBJ0K8XFsnicmncnUDz+FGNKqyCGsSFY8TlaVowpNFZJw== =VpDg -----END PGP SIGNATURE----- -- Chris Adams (cadams at HiWAAY.net) Finger for PGP public key "So, if anybody wants to have hardware sent to them: don't call me, but instead write your own unix operating system. It has worked every time for me." - Linus Torvalds, author of Linux (Unix-like) OS From fricke at roboben.engr.ucdavis.edu Fri Dec 29 02:50:48 1995 From: fricke at roboben.engr.ucdavis.edu (Light Ray) Date: Fri, 29 Dec 1995 18:50:48 +0800 Subject: FW: your financial transactions posting (fwd) Message-ID: ---------- Forwarded message ---------- Date: Fri, 29 Dec 1995 00:02:50 -0800 From: Bud Aaron To: "'privacy at ftc.gov'" Cc: "'hwg-business at daft.com'" Subject: FW: your financial transactions posting ---------- From: Greg Metcalfe[SMTP:biosphere at proaxis.com] Sent: Thursday, December 28, 1995 9:35 PM To: bud at checkmaster.com Subject: your financial transactions posting Bud, I've seen some well thought out messages in the commercial transactions listserver, but you are the first that I've seen with real numbers. Would you do us all a favor and make sure that you get some of this information to the privacy at ftc.gov discussion? I hope I'm not impertinent for asking. But numbers are probably our only hope. The gov has never really been into quantitative thinking... TIA --- Greg Metcalfe | The secret is getting E-mail biosphere at proaxis.com | enough sleep. URL http://www.proaxis.com/~biosphere | Usually. The following is a copy of the information mentioned above: The following article is quoted directly from Bank Technology News "Are Internet Security Fears Unfounded? Just how safe is the Internet? Pretty darn safe, according to Forrester Research, Inc., Cambridge, MA. Forrester predicts Internet fraud will occur far less frequently than current rates of fraud with cellular telephones, toll calls and credit cards (see chart). Cellular telephone fraud costs the phone industry almost $20 per $1000 in revenue, Forrester says, and toll-call fraud eats up $16 per $1000 in revenue. Meanwhile, credit-card fraud cost MasterCard almost $1.50 per $1000 in revenue in 1993. In contrast, Forrester says companies can expect to lose only $1 per $1000 of transactions on the Internet. Forrester's contentions on the safety of the Internet are backed up by some of the judges in this year's Best of the Newest bank technology survey. While many of the judges expressed concern over security issues, quite a few were also confident that the Internet will become a stalwart transaction system. See page one for further analysis of all the newest banking technologies." The chart accompanying this article shows the fraud levels in graphic form. You folks keep making drafts as a collection system seem more and more attractive. The fact that drafts MUST be deposited (not just cashed) and that the bank is going to want to know the depositor quite well means that tracking is excellent. The requirement added by the FTC that those whose accounts are being drafted must be notified by mail makes the system even safer. Let me add this - some level of security is obviously needed but regardless of the level of security, fraud will occur. All of these arguments for high levels of security remind me of the need for virus protection. Yes, virus attacks are real but virus protection vendors certainly make money by raising greater fear than may be realistic. Bud Aaron bud at checkmaster.com http://www.checkmaster.com/internetchecks/ The privacy list is run automatically by the Majordomo list manager. Please mail questions/problems to owner-privacy at ftc.gov From prz at acm.org Fri Dec 29 03:03:34 1995 From: prz at acm.org (Philip Zimmermann) Date: Fri, 29 Dec 1995 19:03:34 +0800 Subject: Revocation of Zimmermann's fossil key Message-ID: <199512290844.IAA02565@maalox> -----BEGIN PGP SIGNED MESSAGE----- To whom it may concern: I have revoked my oldest PGP key, keyID FF67F70B, user ID "Philip R. Zimmermann " which should no longer be used. Instead, use my newer key, keyID C7A966DD, with user ID "Philip R. Zimmermann " The new key has been distributed with all PGP versions since version 2.3a in 1994. My old email address at the sage site will soon disappear, so I'm revoking my old key. I keep getting mail at my old address at sage because people get that old address from my old key. I can't just revoke my old userID, so I have to revoke the whole key to get people to stop using it. Below is my revocation certificate, which I created shortly after I generated my new key in 1994. Please discontinue the use of my old key and my old email address. Note that this revocation does not imply that my old key has been compromised. -Philip Zimmermann prz at acm.org Here's my old public key with the revocation certificate... - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a mQCNAipt8iwAAAEEALGKgLblEQCfcZEiQ+jBFnw5g0B+o16GMPssYBKI7bWgjGbB DqnkQoMGagNJpcG5tX2bKpJdegi01Sp22QOMpZbdrv/KXRWHp/JjrNLAZHp9B+nl osbRrPLhGZZA/OgyU6D2GsGnMDcTacPD43wo1g+RUpDv+UjMr+J13g7/Z/cLAAUR iQCVAgUgLIUrAOJ13g7/Z/cLAQHThQP+NtEJ2yPCXPA+Em45HDWQLwb3X0AM61K0 Mt0Woq54eaC1U5A03oVqV5wEPM6mfrhH18FB6NwO5eROKOdXY1xz7nCggJ9eYfoX ZH6wfXCqGFSB4oLJU97nFHrqvh69IYSrrlKM/dJ29F5CKVxJApstpnRmfHddrZLP yfR2y6dxGeW0LFBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAc2FnZS5jZ2QudWNh ci5lZHU+ =9UCt - -----END PGP PUBLIC KEY BLOCK----- Here's my new public key, generated in May 1994... - -----BEGIN PGP PUBLIC KEY BLOCK----- mQCNAiv8ZoAAAAEEAKc4d45hN5qFM79nWGLkrGWputWmtdxJk0BZEbi0kNRbJBC2 p10ASImd//cCDwLR2alBUSt8O2WGik9PBZgthjMOenoDmzKiG8BkE9AFKonyxvD2 lDnqbydXi+YQmOTsWSw4jTTSb3cflhVkf8hVUVpMFQThafV0CmV5hLjHqWbdAAUR tCJQaGlsaXAgUi4gWmltbWVybWFubiA8cHJ6QGFjbS5vcmc+iQCVAgUQLB48XPTK AIGN5yLZAQHWtwP/RBiLPN4dnt8sm9qZtK0HPYV0hfdZ4IiSfR0V52uKKMQsIrBJ x2c5Z2vurBLeKkh8Oecf/X+Zh2mEenrymR/urBCf8xGQnyTPew4t/3IQ5KXsqi2b uOTysk9Pkk+cqxZTEXJQWixB3fVKrCkR02xbWcRXQ/pPs0ObOE4VLtQT1G2JAGAC BRAsHUvayj2h/YZap/MBAcRRAliFU3EgFQdOGkC2nCupBAitm/R6CkKtayTZHQrd e5I/pCY0bGUc6alEnSuqZUyA9HC1fMg0iqsqM4vrQ6PZr2qV0IXDY4miyYNRJyKJ AJUCBRAr/GdG4nXeDv9n9wsBAYr/BACh4r3DZsq9IOy2mcd+0D0qKV0Ymb887Lw0 KjIBKLmUIqXUw2Rbn8bAnr+GF0qGE61oAHdSSN7pLROmfjl7nMVaODXHOxYuLHAn HZ0Z/AQsLc5U055Pm6rQ5lKrSaL4z9mEKJTWM9hQDYMZpH4oAC8hIz+apYH+/hBj ZR9w7AKluw== =1jM9 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOOo+WV5hLjHqWbdAQHhaQP/SW02cLbkAtHq6cdNHtcJ4YqSlKqxumyR BYpjKrNatLiVAFQP8njiLRFqPi8rgf6809nnQETIVcyt3BzURakyJLd4UuL3vvqD lluyGdj9MoaQiQkWIbBMADFdNGFDvRCQkcxhS78hHwXSY7viCSWNnfCdJcpaFNCk QPfqPsMErMo= =uH7K -----END PGP SIGNATURE----- From gbroiles at darkwing.uoregon.edu Fri Dec 29 03:10:40 1995 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Fri, 29 Dec 1995 19:10:40 +0800 Subject: Employer Probing Precedents? Message-ID: <199512290937.BAA21468@darkwing.uoregon.edu> At 10:12 PM 12/28/95 -0800, Tim May wrote: >However, corporations aren't given the luxury of disassociating themselves >from the actions of their employees. (Contract workers are a further issue, >and the issue of whether they supply their own tools/computers, workspace, >etc., enters in.) I think this point about "contract workers" is going to become a lot more interesting as people move away from the traditional "employee for life" model and towards working at home/telecommunity, or working as subcontractors/consultants, etc. Further, it's becoming more common for employees to own their own communcations tools, and bring them to work. Arguments about a right to eavesdrop as being derived from workplace property ownership don't seem to work where an employee is talking on their personal cell phone, getting/sending messages on the SkyTel two-way pager that they pay for, using their laptop/Newton/PDA to get/send E-mail (using their private ISP/POPmail provider mailbox), and so forth. The concerns (about disclosure of secrets or wasting of time) raised to justify the invasions of employee privacy are still present, of course, but not the convenient "it's not your phone so you have no privacy" excuse. Employee/contractor ownership of work tools (or non-work related communication tools in the workplace) is probably going to get even more interesting; recent Ninth Circuit decisions re copyright law and licensing agreements have been sharply restricting the right of software licensees to allow third parties to use the licensed software. (e.g., _MAI v. Peak_ and _Triad Systems_, see http://darkwing.uoregon.edu/~gbroiles/triad for more on this and pointers to other analysis and the opinions themselves) I think this may lead to software licenses (or hardware ownership) which follows employees from home to work, and from job to job. Employees may get a credential from Microsoft, or Borland, or Mathematica or Word Perfect saying that they're allowed to be using a set of software tools; professionals will probably pay for those credentials themselves, or have them paid for as a fringe benefit of employment. An easy connection is to training related to the "software-right" - the licensor would also certify that the employee has been subjected to X hours of training and knows at least Y buzzwords and Z fancy tricks relating to the software. Retired or unemployed workers may work in a "black market", using software they're trained on but not licensed/certified for, logging on with the credentials of licensed users who have died recently or are sleeping. (Similar to the network of unlicensed uninsured under-the-table contractors, framers, electricians, drywall installers, etc., who exist at the fringes of construction activity.) And so on. >I maintain that my employees are beholden to me as to what they run on >their computers. They can always choose not to work for me. (And the same >applies to hotels, actually. Were a hotel to have stringent rules on >in-room behavior, such as the YMCAs and religious retreat hotels have, then >customers have little right to complain about bed checks, mixed sex bans, >etc. That most hotels have no such rules says more about where the >Schelling points are than it does about the efficacy of rules and laws. Subscribers to the Coase theorem would suggest that (modulo transaction costs) it doesn't matter who is initially assigned the right to determine whether or not surveillance will occur - the party who most values that right will bargain for it in the end. Then again, that party may lose something in exchange - and that's what makes this interesting. (And, I think, much too complex to simply be dismissed as a matter of "property rights". Then again, property looks to me like something that law creates, not something which exists pre-law which law is created to protect. YMMV.) I'd rather see the right to control surveillance assigned to employees, and let employers pay extra for it if they think it's necessary to their business situation. (Some might argue that this is the current situation, or at least that surveillance is something that market participants bargain over. My impression is that the current situation is legally murky absent a clear statement re "we're going to monitor you on the phone and search your briefcase when you enter and leave" and that a clear resolution re the legal baseline of surveillance would be useful to bargainers. And if we were to set a baseline for further bargaining, I'd rather see it set to favor employees.) -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From wb8foz at nrk.com Fri Dec 29 03:17:14 1995 From: wb8foz at nrk.com (David Lesher) Date: Fri, 29 Dec 1995 19:17:14 +0800 Subject: FH radios In-Reply-To: <199512262025.OAA09759@cdale1.midwest.net> Message-ID: <199512270252.VAA00427@nrk.com> > I agree; but, if the information you are passing is truly that important > just use a landline phone. Eliminate the possable "leak". > I'm not claiming that a landline phone is secure, but your cordless is > connected to it, so no matter how good your security is on the phone its no > longer secure once it leaves the base station and enters the landline. Argh.... Phones are ANYTHING but secure. Hence the STUIII & PGPphone. An encrypted rf link is far better than any POTS.... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From gbroiles at netbox.com Fri Dec 29 04:35:21 1995 From: gbroiles at netbox.com (Greg Broiles) Date: Fri, 29 Dec 1995 20:35:21 +0800 Subject: ideath remailer permanently down / PGP key changes for Greg Broiles Message-ID: <199512291202.EAA02102@darkwing.uoregon.edu> -----BEGIN PGP SIGNED MESSAGE----- I don't think that the local freenet folks are ever going to get my domain name again, so I'm officially announcing the closing of the remailer formerly located "remailer at ideath.goldenbear.com". Mail to the goldenbear.com domain has been bou for almost three weeks now, and I expect that to continue. Sorry for any inconve I predict about a year of erratic net access and moving around while I finish la school, take the bar exam(s), and find a job or get a business started. When eve settles down I plan to find a reliable net connection and run a remailer again. Due to the loss of my domain name and UUCP connectivity, other changes are happe I'm now using a Windows box, not a Unix box, for my net access; have switched to for DOS and Private Idaho (nice job, Joel!). Am also using a new PGP key, since my old one (0x58ddf30d) was almost 3 years ol updated the MIT PGP keyserver with an "obsolete" marker for the old key, as well new key (signed by my old key). The new key is appended to this message. Am using a new long-term E-mail address, "gbroiles at netbox.com". Re my discussion weeks ago of alternatives for mail storage/forwarding, I have settled on netbox. can receive mail as "gbroiles at darkwing.uoregon.edu" but I expect that address to working sometime this coming May. The netbox.com address will ideally keep worki years to come. - -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMOPafv37pMWUJFlhAQGnhAf/XrHe38eww+sMf0/mmqKFzT9xX9USCCBO 5yMteRAmAsEiiTo8TPcRPlB6eKqCrCiJJqDMfxm3UaWhhqBilRhQoB8BqdCvjTLY 87/HsHKV3Iv4IPvud+ojk9GEXwUf204U9m/CgVF17HKO+XTCK5GVN7gmsqWWxsLr a5gNccpentcFiy0KJVUWfLguOXA20I+nGnkZjMBK/RAPotBg4gezE2jqjbYyQ1rC y0SLX843ufEfRaePC1X8IyWH32gqiyrW5rZuTo8B2usbR96Y2VXXX6Oprrd5CD38 AuUhjkOXVEsCFVP5bt6uQbM81Uhvxc1mFYHYKKJyuWPWo5E6tBwXZA== =Heo3 -----END PGP SIGNATURE----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAy8+sdEAAAEH/2YvMvdRxoxAIpNp1W88EGq4EMOVhpucjGjZByoJATpDoU+x sqZl6lwzWh7yhHbLfuUZhWZVhLlLGxOAcHkZ3o6Tao+T/qCLKUnyFtw3Q/Wpzfiw YIGbXkbKvSaI7U3PTMHraimiZNAW/QAhIuLanVEkl/rko/aIdvyIfOJSFHW9Bjml ArZmyrsT8PiA+Eiqa+JyRv/JnWiJJ00FYHhG1GkcAvBovQJxxLzqq9PcB8nVlVfS t4aV2z1OfmjXHq4pgUye6CwdjzXnMz3e70FT1erkoP+/iC56iSkb/4J67y8NnKgq RNQ8lt+X2+vnq3Fa8r8EhhqZFZcV/fukxZQkWWEABRG0IkdyZWcgQnJvaWxlcyA8 Z2Jyb2lsZXNAbmV0Ym94LmNvbT60KUdyZWcgQnJvaWxlcyA8Z3JlZ0BpZGVhdGgu Z29sZGVuYmVhci5jb20+iQCVAwUQLz8tYn3YhjZY3fMNAQGOkwP/cYeYdbTj9H0C BVI9nw70avUIGYUWT1HdQaK6YqdOvV4Eg56rpKdFEFlwUdOBg8MbuFaLMbbAnKxH EvGsQBtu0N1kyIebMAuEniT/22yVlVGHHS+uGxyBKq1i7Nv5uRXl2WSdQDUCHN0W 9YAzReRI1F6ExnVXJHuHo4EY7lQ3P94= =yJO8 -----END PGP PUBLIC KEY BLOCK----- From ses at tipper.oit.unc.edu Fri Dec 29 06:07:49 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 29 Dec 1995 22:07:49 +0800 Subject: practical annoyances from multi-level security? Message-ID: Does anybody have any pet peeves and gripes about using systems with a compartmentalised security model- things that took ages to do even though they didn't really impact security, features that just got in the way or were too complicated to really use, etc? I'm currently working on a problem that seems to have some analogies to the compartmentalised problem, running code with various levels of trust were deliberate read-up and accidental write-down could be a breach. I've personally never used a system of this sort, but I've heard from friends in the RAF doing COM/SEC (more COM than SEC) that MLS can be a real pain at times. [for the truly paranoid, the RAF operates a network of communication satellites called Skynet :-)] Simon p.s. still no luck on the Hackers soundtrack - I did recognise a few prodigy tracks though (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From jya at pipeline.com Fri Dec 29 07:06:37 1995 From: jya at pipeline.com (John Young) Date: Fri, 29 Dec 1995 23:06:37 +0800 Subject: CAV_ein Message-ID: <199512291234.HAA01062@pipe4.nyc.pipeline.com> 12-29-95. NYPaper: John Markoff page-ones Compuserve's cave-in to Reich sex law and the alt free-screeching for sex home censorship cave-in to rutting parents ashamed. CAV_ein From gbroiles at darkwing.uoregon.edu Fri Dec 29 07:08:37 1995 From: gbroiles at darkwing.uoregon.edu (Greg Broiles) Date: Fri, 29 Dec 1995 23:08:37 +0800 Subject: ideath remailer permanently down / PGP key changes for Greg Broiles Message-ID: <199512291247.EAA05290@darkwing.uoregon.edu> Doh, the wordwrap on that message was ugly. Sorry. Gotta spend some more time making friends with Private Idaho. Short version: remailer at ideath.goldenbear.com is gone forever, sorry. All mail to anything @goldenbear.com is bouncing. Mail for me should be sent to "gbroiles at netbox.com", effective immediately. I have distributed a new PGP key to the keyservers and marked my old key obsolete. I will be signing list messages again once I get that wordwrap thing fixed. -- "The anchored mind screwed into me by the psycho- | Greg Broiles lubricious thrust of heaven is the one that thinks | gbroiles at netbox.com every temptation, every desire, every inhibition." | -- Antonin Artaud | From nobody at REPLAY.COM Fri Dec 29 07:14:16 1995 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 29 Dec 1995 23:14:16 +0800 Subject: Chinese Cypherpunk quote [NOISE] Message-ID: <199512291320.OAA23382@utopia.hacktic.nl> I see that some rants here are rubbing off on the folks who write chinese fortune cookies, In tonites dinner, The cookie said: The will of the people is the best law. I wonder if we can get a couple thousand cookies sent to Congress with that message? A.E.N. or to T.C.M..... Xmas_Troll From weld at l0pht.com Fri Dec 29 07:46:58 1995 From: weld at l0pht.com (Weld Pond) Date: Fri, 29 Dec 1995 23:46:58 +0800 Subject: Netscape 40-bit cracking. The new computing benchmark? Message-ID: >From Infoworld Dec 25, 1995 page 3. Netscape Commerce Server Security Broken Integrated Computing Engines Inc. (ICE), in Cambridge, Mass. announced it has cracked the 40-bit DES [huh? not RC4] encryption in the Netscape Commerce Server. Unlike a similar security break-in [talk about bad terminology] by a French university student last August, which required eight days, 120 workstations, and two supercomputers, ICE said it used a computer that cost $83,000 and compromised the Wold Wide Web server's security in 7.7 days. [Hey, what about the Cypherpunks crack that only took 31.8 hours?] Netscape Communications Corp. officials were not surprised by the security crack. "We've known that 40-bit encryption is breakable since we shipped the server. That's the reason it's allowed to be exported," said company spokeswoman Rosanne Siino. "We need to keep lobbying to get rid of the U.S. governments 40-bit restriction on what can be exported." Within the United States, Netscape sells products with 128-bit encryption. Weld Pond - weld at l0pht.com - http://www.l0pht.com/ L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From tallpaul at pipeline.com Fri Dec 29 13:30:43 1995 From: tallpaul at pipeline.com (tallpaul) Date: Sat, 30 Dec 1995 05:30:43 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause Message-ID: <199512291548.KAA19627@pipe6.nyc.pipeline.com> On Dec 28, 1995 23:30:19, 'tcmay at got.net (Timothy C. May)' wrote: > >I see a positive longterm trend toward people connecting through smaller, >more local services. > Quite correct. Not only does the internet radically change (at least perceptions) of space and time, it also is producing serious disequilibriums of scale in economics. Economy of scale states that until a farily high limit is reached, bigger enterprises tend to produce goods that are less expensive than those produced by smaller enterprises. Specialized handicraft production aside, the goods produced in larger enterprises also tend to be of higher quality. The disequilibrium here began with the development of the microprocessor as we see from the shift to the old centralized IBM iron to the microcomputers we're using today. Ditto certain aspects of network switching. Ditto DES moved from centralized hardware to decentralized software. We're seeing a growing dystopian world where national entities and non-governmental organizations all seek to enforce their particular cultural/political/economic/etc. biases on the global internet. I believe this process will continue for some period of time. At the same time we may (and I think likely will) see aspects of the net broken down into widely geographically separated locations that simultaneously have no more effect on end users than the floor at the central library on which the book we want resides. E.G. we'll use Denmark to get "alt.sex.granny.gum-jobs," ftp to Singapore for "/warez/microsoft/win99/hack/" and to the Turcos Islands for "data.finance.internal.morgan." We'll have all three open and on our monitor at the same time, passed through an second-level ISP in some small country that decides there's money in switching and will no more regulate data throughput than they would try to hold hotel keepers responsible for the content of the phone calls made by their tenants. --tallpaul From Bill.Humphries at msn.fullfeed.com Fri Dec 29 14:17:54 1995 From: Bill.Humphries at msn.fullfeed.com (Bill Humphries) Date: Sat, 30 Dec 1995 06:17:54 +0800 Subject: Compuserve is Not "Censoring" Message-ID: This is a resend of a reply to Tim May's message on the CI$/Bundsweiser Republic/alt.nekkid.hitler.youth controversy. The Cypherpunks mailer didn't enjoy my attempts at humor in the headers... ------------ Tim May wrote: >At 4:52 PM 12/28/95, Cees de Groot wrote, speaking of Compuserve's recent >dropping of many newsgroups in response to demands by German prosecutors: > >>I won't start to comment on the style of this message. The term "Suitspeak" >>comes to mind. > >Perhaps it is "Suitspeak," but it is not "censorship." > >Or, more precisely, it is fear that government laws will be used to >sanction the service. Thus, it is the government of Germany in this case >which is "censoring." ("Censor" and "censorship" are notoriously overloaded >terms, of course.) It's a political problem. This demonstates the basic problem with tollerating monopolies in this industry. When governments interfere, everyone subscribing loses, which means most of the people in the audience for the service loses. Unfortunately, there are no technological fixes (in the short term) for monopolies. The shumpeterian cycle is too long for the time horizons engendered by the German government's actions or the Exon/Gorton/Hyde language. You have to fight monopolies on the political arena as well as the technical (remember how the WWW was going to liberate all of us on it's own? Until the elites recognized people wouldn't be watching Microsoft ads *conspiratorial wink*.) If I were a compuserve user, complain to your nearest German consulate and call your congresscritter. Those GOP types will have a field day condeming "euro-data-imperialism" during special order speeches on C-SPAN. Support your local ISP. Bill Humphries PS: If only the Germans worried about Nazis during the Nurmemberg trials the way they worry now, maybe they wouldn't be facing their current plauge of nativist/skinhead problems. From rah at shipwright.com Fri Dec 29 14:17:55 1995 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 30 Dec 1995 06:17:55 +0800 Subject: (fwd) DigiCash licencing? Message-ID: --- begin forwarded text Organization: Digiturg Date: Fri, 29 Dec 1995 17:32:10 +0200 (EET) From: Jyri Kaljundi To: ecash at digicash.com Subject: DigiCash licencing Mime-Version: 1.0 Sender: owner-ecash at digicash.com Precedence: bulk Reply-To: ecash at digicash.com Does anyone know about the terms and costs of licencing ecash software? I have tried contacting DigiCash directly with these questions, but have got no answers :( And who and where are already implemeting ecash? Mark Twain Bank and Swedish post are two I know of, what about the others? Our company is very interested in using ecash here in Estonia, but somehow DigiCash does not seem to allow that. With all the best, Juri Kaljundi, managing director, DigiMarket jk at digit.ee --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From sjb at universe.digex.net Fri Dec 29 14:51:13 1995 From: sjb at universe.digex.net (Scott Brickner) Date: Sat, 30 Dec 1995 06:51:13 +0800 Subject: Proxy/Representation? In-Reply-To: <199512290017.SAA00619@cdale1.midwest.net> Message-ID: <199512291752.MAA11504@universe.digex.net> "David E. Smith" writes: >That's more of what I was looking for. I suppose that (I'm still using >PGP as my example) there could be a shared PGP key, signed by Helen and >myself, where only the two of us know the passphrase, with a keyid of >"David Smith on behalf of Helen Jones " >or something similar. The obvious problem is that in sharing the pass >phrase the security is weakened. (Paranoid threat model: at some point >we have to decide on the pass phrase, and we are videotaped/bugged/spied >upon while this takes place.) Why bother with the shared key? You need a message from Helen describing the powers with which you are invested, signed by her key. The wonderful thing about data is that copying it is virtually free. When you issue an order on her behalf, include a copy of the signed PoA, and sign the whole thing with your key. From shamrock at netcom.com Fri Dec 29 15:02:46 1995 From: shamrock at netcom.com (Lucky Green) Date: Sat, 30 Dec 1995 07:02:46 +0800 Subject: Ecash graphic images? Message-ID: At 20:58 12/28/95, anonymous-remailer at shell.portal.com wrote: >Could anyone provide some pointers to a gif or jpeg file containing >good-looking ecash coins? I would like something larger and more >detailed than the "we accept ecash" you see everywhere. Thanks very >much. Try http://www.delorie.com/gif/signs/ -- Lucky Green PGP encrypted mail preferred. From cp at proust.suba.com Fri Dec 29 15:12:24 1995 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 30 Dec 1995 07:12:24 +0800 Subject: blind validation In-Reply-To: <199512290144.RAA28654@jobe.shell.portal.com> Message-ID: <199512291816.MAA09405@proust.suba.com> > Chaum's way around it was basically to have some mechanism to give > each person a unique number of some special form. There doesn't have > to be any agency who knows what number each person has (in fact, there > isn't, in his scheme), but there is a mechanism to assure that one > person does not get two numbers. This is sometimes loosely referred to > as an "is-a-person" credential (although in this specific context it is > not actually a credential, just an identifier). If I understand you correctly, this protcol allows Alice to create one and only one nym that can't be connected to her real identity. All of Alice's transactions can be linked together and to that nym, but there's no way to tag Alice with them. The main difficulty I see with this protocol is that if things go wrong, they go very wrong. If Alice slips up once, or if she's compelled to give herself up, then she loses everything and gets tagged with all of her transactions. Does anyone have a pointer to Chaum's paper? [...] > So the result in effect is to make it difficult to give away just a > validation, without also giving away the ability to act as you. Here > is an idea about another way to achieve the same thing, closer to > Alex's example: Alice gets a blind validation as Alex describes based > on a simple blind signature. (Alice hands a blinded number to Bob, he > signs it, Alice unblinds it, and uses the resulting signed number as > the validation to, say, access Bob's files.) We add that Alice puts, > say, $100 into "escrow", encrypting it with the secret number and > putting it on some public server. She proves to Bob that she has done > this using cut and choose. > > Now if Alice gives away her secret number, anyone using it will be able > to access Bob's files, but they can also get the $100. So now it costs > something for Alice to give away her secret. > > (There are some major problems with this idea, the worst being that Alice > can extract and spend the $100 right after proving to Bob that she is > doing what she said, and before publishing her number. Maybe someone > could think of some fixes.) This is a good idea because it addresses one of the big problems with my protocol, the impossibility of introducing latency. But apart from the problem you mentioned above, isn't there a problem with setting the escrow amount? Ordinarily, we'd want to set the amount just high enough so that Alice doesn't have any interest in cheating. Whatever benefit Alice gains will be offset by the penalty. How do we put a numeric value on the benefits Alice gets from cheating? Don't we create a situation in which a rich guy might be perfectly comfortable with the risk of losing the money, while someone else might not? From attila at primenet.com Fri Dec 29 15:23:03 1995 From: attila at primenet.com (attila) Date: Sat, 30 Dec 1995 07:23:03 +0800 Subject: easy avoidance of PGP signature forgeries and reuse In-Reply-To: Message-ID: START I never paid much attention to the problem other than to avoid it by forcing it --i.e. list the destination and the send inside the signature block, thus: ----------------- BEGIN PGP SIGNED TEXT To: john doe Newsgroups: sci.crypt From: jane roe Subject: that's all folks! John, don't darken my door during the Christmas holidays. Nevermore. jane ---------------- BEGIN PGP SIGNATURE ERTYUIKJBNM,./34567JM,./ ---------------- END PGP SIGNATURE with e-mail, e-letters, direct faxes, etc. it is to easy to ignore the courtesy header. From a standpoint of security, you have blown away each of the attacks outline in your article in so much as the signature will not compute if the courtesy block is omitted. personally, I do not think PGP 3 should attempt to solve the problem. Most of the headers involved are applied _after_ the message leaves the mail program; and, PGP interfaces are virtually the same as invoking an alternate editor, which gets you nothing. END -- -------------------------------------------------------------------- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 James A. Donald wrote: > At 09:45 AM 12/26/95 +0100, Anonymous wrote: > >Check out http://www.hrb.com/encryption/ssp.html, your > >exclusive source of the Ultron Crypto-Engine (tm) > > The web page proudly announces: > "is the only NSA-approved Type I data encryptor available today." > > There are probably some people ignorant enough to regard that as > a recommendation. >James A. Donald What's the problem? If you're a contractor or agency looking to store classified data, the NSA approval is essential. There's no pretence in the ad that the NSA can't read it. It says: "NSA provides necessary keying material for SSP3110 operation." and "It is available to U.S. Government agencies, military organizations, and defense contractors." This is not a snake oil product ala "Power One Time Pad" (sic). It's a real system, approved for use with classified data. I strongly doubt that there are any known holes (with the NSA supplying the key material, why should there be?) Speaking for myself, Peter Trei trei at process.com From EALLENSMITH at ocelot.Rutgers.EDU Fri Dec 29 15:36:16 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 30 Dec 1995 07:36:16 +0800 Subject: another anonymous poster helping to destroy our rights Message-ID: <01HZDR1AL5S48Y55Y6@mbcl.rutgers.edu> From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 28-DEC-1995 01:36:46.58 >= the list charter can ask for people to submit to various practices on the honor system, such as not using pseudonyms. cryptoanarchists who hate the idea of trust are of course going to object to the honor system, because "that which cannot be enforced should not be prohibited". ---------------- Does this last idea leave much doubt in anyone's mind that "Vladimir Z. Nuri" is a Detweiler tentacle? -Allen From EALLENSMITH at ocelot.Rutgers.EDU Fri Dec 29 15:47:23 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 30 Dec 1995 07:47:23 +0800 Subject: "Cybercrime" Article from Reuters Message-ID: <01HZDS4NA1PC8Y55Y6@mbcl.rutgers.edu> Most of what they claim to be looking for is stuff that most people won't object to their countering. Still, if anyone spots a government agency offering an "informant" email address, posting it so that we can send them lots of stuff (i.e., all the "Make Money Fast" pyramid schemes) would seem to be a good thing to do... it should occupy them so that they're doing things that are useful. Cypherpunks relevance? Well, there is the mention of anonymnity. -Allen Reuters New Media _ Thursday December 28 6:31 AM EST _ Authorities Patrolling Cyberspace for Crime WASHINGTON (Reuter) - Crime on the Internet is now more than just dirty pictures. With millions of people and a fast-growing commercial presence in cyberspace, federal law enforcement authorities are struggling to crack down on wrongdoing in the new territory. They are hunting for bogus get-rich-quick schemes, weight-loss miracles, AIDS cures, credit-repair programs, investment scams and gambling. That's in addition to crimes such as trafficking in child pornography. ``The scams are the same. The way you investigate them is different,'' said Lucy Morris, assistant director for credit practices at the Federal Trade Commission, which has staff attorneys monitoring the Internet. Just as they would on the street, these ``cybercops'' act on tips or they just patrol. The potential crime scenes are the Internet worldwide computer network, computer online services such as America Online and smaller computer bulletin boards. Cruising cyberspace as part of their work are employees with the FTC, the Securities and Exchange Commission, the Department of Transportation, the Secret Service, state attorneys general and state securities regulators. They can work at the office or from home. ``In some respects it's easier to find the violations because you don't have to leave the office,'' said Minnesota Deputy Attorney General Tom Pursell. But there are obstacles. Cyberspace offers criminals wonderful anonymity and law officers face ambiguous jurisdiction issues due to the global nature of the Internet, raising questions about whether new laws are needed to cope with the new medium. ``Now all you need is a computer, a telephone, a little bit of software, and you're in business,'' said Hubert Humphrey III, the attorney general of Minnesota who himself prowls cyberspace in search of wrongdoing. Authorities agree they have their work cut out. ``It's going to be very difficult,'' predicted Humphrey, whose state has been out front in tracking down wrongdoing. From EALLENSMITH at ocelot.Rutgers.EDU Fri Dec 29 15:51:53 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 30 Dec 1995 07:51:53 +0800 Subject: Telecom Bill Rewrite Message-ID: <01HZDSQB7MJ48Y55Y6@mbcl.rutgers.edu> It looks like some political pressure will still be possible. Definitely good news, especially since most of the methods for receiving "banned groups" listed in the FAQ are through US sites. -Allen Reuters New Media _ Friday December 29 5:51 AM EST _ Dole, Gingrich Unhappy with Telecom Bill WASHINGTON (Reuter) - Top House and Senate Republican leaders expressed unhappiness Thursday with a proposed rewrite of the nation's communications laws amid signs the Republicans may seek changes in legislation circulating on Capitol Hill. ``There are a number of problems in the bill that could have been resolved in a different way,'' Senate Majority Leader Robert Dole told a news conference. The Kansas Republican, appearing with House Speaker Newt Gingrich, said there are ``three, or four, or five provisions'' GOP leaders ought to focus on, including what he described as a ``giveway'' of a key part of the airwaves to broadcasters. The plan worked out by congressional negotiators proposes that in the future, when the government doles out licenses for high-definition digital TV, the Federal Communications Commission ``should'' limit eligibility to existing broadcasters. Critics have charged this would amount to a multibillion dollar giveaway of the airwaves to the broadcast industry and that the government could instead raise as much as $70 billion through a competitive auction of the digital spectrum. Last week it appeared the White House and congressional leaders had reached agreement on legislation to overhaul the 61-year-old communications laws, following weeks of work by House and Senate negotiators. The plan would tear down decades-old laws and permit telephone, cable and broadcast companies to invade each other's turf. But after Vice President Al Gore and some congressional leaders said they had achieved an accord, other Republicans began to balk at the proposal, saying no deal had been struck. The protests scuttled any chance the telecommunications bill would be completed this year. Among other things, Republicans expressed dissatisfaction with provisions to ease restrictions on the number of TV stations broadcasters could own, saying the plan did not go far enough. They also cited issues such as regulation of the Internet and a decision to drop language permitting greater foreign investment in telecommunications. From roy at sendai.cybrspc.mn.org Fri Dec 29 16:21:40 1995 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Sat, 30 Dec 1995 08:21:40 +0800 Subject: CAV_ein In-Reply-To: <199512291605.LAA15428@pipe4.nyc.pipeline.com> Message-ID: <0T6DkDvcwapi@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- [ kudos once again to John Young for making the NYT material available] > The New York Times, December 29, 1995, pp. A1, D4. > > On-Line Service Blocks Access To Topics Called Pornographic > > Complaint by Germany Has Worldwide Impact > > By John Markoff [big snip] > "In the future, every Internet operator will be subject to > local laws," said Eric Schmidt, chief technology officer > for Sun Microsystems Inc., a Mountain View, Calif., > computer maker. "And software will be developed to provide > the appropriate local censorship." Ick. There's some truth in the first quoted sentence, but I fail to see any censorship as "appropriate". Does Mr. Schmidt swing much weight in Sun's policy department? - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMORMg2Cl9Uka85MxAQErqgf/Wx/Ai7EUSv1QpipAAtsEDLbos/aH+INT mA8+hF6PIyONHjwxsz24L5+c7ZcmiwshmH4pJpI/l1b9H9Wz/O/aKG+QqOr7hTtY By/yU2M5s9y7ZJ1rn4coasx/J4ar/SNLgxFNPV+buL5v3UFLzmmUwWzryCH6pIkB 5PShfQ1BqD7MI4juwKjWGw+fgZraJfScb2zKYk01E6brFPObNGdMAZ0P8lFqtkub VdYyAneCtc+F6xeU5lRSGhysJWE+PwkwgKKhQX6h1zwMlhLQXX5t1kSnsezzqPzZ /C+Bgt2BGQYPoDH9Gpc8GXQENpDRx3Lh8dhlNDlNAEDxKva03Ij30A== =RLCm -----END PGP SIGNATURE----- From tcmay at got.net Fri Dec 29 16:25:58 1995 From: tcmay at got.net (Timothy C. May) Date: Sat, 30 Dec 1995 08:25:58 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: Wow! I am watching the CEO of Compuserve being interviewed on CNBC, explaining how his company is "taking the high road by complying with the laws of Germany" in removing access to 200 Usenet groups. So, what happens with Saudi Arabia announces that Christian and Jewish newsgroups violate their laws (I don't know this for sure, but I know that Jewish and Christian temples and churches are strictly verboten in Saudi Arabia). And, think of the many countries which ban homosexuality, and so on. An amazing cave. Massey seems to think that all of the other large ISPs will fall in line and remove "illegal" newsgroups (illegal in any country in which they have account holders). I wrote a longer post on the issues last night, so I won't repeat those points. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From hajo at quijote.in-berlin.de Fri Dec 29 16:35:44 1995 From: hajo at quijote.in-berlin.de (Hans-Joachim Zierke) Date: Sat, 30 Dec 1995 08:35:44 +0800 Subject: A weakness in PGP signatures, and a suggested solution (long) In-Reply-To: Message-ID: <5-oG4BKKYgB@quijote.in-berlin.de> -----BEGIN PGP SIGNED MESSAGE----- Dr. Dimitri Vulis writes: > I suggest to the kind folks working on PGP 3 that there should be a > standard protocol to include within the signed portion the information on > when and for whom this text is written: i.e. the list of e-mail recipients > and/or Usenet newsgroups, which could be easily compared with the RFC > 822/1036 headers of an e-mail/Usenet article. This assumes that every Usenet site uses RFC 822/1036 headers locally. This is no real-world assumption. And the clearsign problem can be solved with MIME only, since currently, the MIME 8-bit character set conversion will kill the validity of signatures, regardless whether being forged or not. Since I know this, I seldom use clearsigning. Quite simply, it does not work, and that's a more severe problem. If an error on signature validation is the normality, not the exception, the whole stuff does not make any sense. hajo -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Sig validation of clearsigned 8 bit text is uncertain. iQCVAwUBMORRda1Qa39mIA0ZAQELEAQAryOaVDZIhnYQETxhmHyJktRei3080gXV 77Oy5Qo3/WdO7cvFdR+CKytbZQlV7GHS4lQ+N0MCPHH79+vLnw8xvQ+3htkzerjF u6tgjiEnbR/YNCvjEq01aU2RVHgycg680WVOH4DqUNTi7yAY2G5Sc6K2LAD4AQrp toniWTWanyY= =+LZR -----END PGP SIGNATURE----- From lstewart at prisminc.com Fri Dec 29 16:45:21 1995 From: lstewart at prisminc.com (lstewart) Date: Sat, 30 Dec 1995 08:45:21 +0800 Subject: Housewarming/birthday party Message-ID: <9502157953.AA795307204@prisminc.prisminc.com> You're invited to celebrate Laura and Bill's New Home Bill's Birthday and anything else you'd like to celebrate! Date: Saturday, January 13 Time: 5:00pm (or whenever) Putative location: 2040 Rock Ave. #22, Mountain View, CA RSVP (acceptances): lstewart at prisminc.com, or Laura Stewart at work: 408-744-3359. What to bring: If you RSVP by Jan 12, don't bring anything! We'll provide something resembling dinner. If you don't RSVP, bring food or drink. You are welcome to bring your family or other guests, but please do not forward this invitation to other mail lists. Smoking is prohibited, laptop computers tolerated, board games warmly encouraged. How to get there (all directions are written as if 101 really went north and south): HOW TO FIND THE APARTMENT The address is 2040 W. Middlefield #22, but ignore that fact. It is much easier to find if you firmly believe that the address is 2040 Rock Ave. #22. From the corner of Rock & Rengstorff, follow the big lighted "2040" numbers along Rock. Just after the second driveway on Rock you will find a walkway into the complex...follow the walkway to #19, then climb the stairs to #22. HOW TO FIND THE CORNER OF ROCK & RENGSTORFF Cypherpunks: From La Castena (the burrito place), just go one block "west" on Rengstorff. From Highway 101 southbound: Take Rengstorff exit, which makes a 180-degree loop. Turn left onto Rengstorff westbound (away from the bay, toward the ocean). One block after Old Middlefield (and one block before Middlefield), turn left on Rock Ave and park on Rock. See above to find the apartment. From Highway 101 northbound: Ignore the Middlefield exit. Take Rengstorff exit, which makes a 270-degree loop and merges onto Rengstorff westbound (away from the bay, toward the ocean). One block after Old Middlefield (and one block before Middlefield), turn left on Rock Ave. and park on Rock. See above to find the apartment. From 680 at Dunbarton exit: Taking the Dunbarton bridge to 101 is a few minutes faster, but it's easy to get lost between the bridge and 101. Unless you're familiar with the area, we recommend taking 680 to 237, west on 237 to 101, and north on 101 to the Rengstorff exit, which makes a 270-degree loop and merges onto Rengstorff westbound (away from the bay, toward the ocean). One block after Old Middlefield (and one block before Middlefield), turn left on Rock Ave. and park on Rock. See above to find the apartment. Further complications..er, clarifications: Rock Ave. and Rock St. are the same thing. Middlefield Road and Old Middlefield Road are two different things. Middlefield Rock Old Middlefield 101 ^ | | | | | | | | | "North" | | | | the | | | | bay Rengstorff----------------------------------------------------- | _______ | | | | [ 2 ]| |La | | [ 0 ]| |Castena | | [ 4 ]| | | | [ 0 ]| | | | [_______]| | | | #22 | | | | | | | | | | | Lost on the day of the party? Call us at home: 415-938-1697. The price of condo living: There is no guest parking in the complex, and the party must end by 10pm. Please help us get along with our new neighbors by respecting the condo rules. Thanks! From jya at pipeline.com Fri Dec 29 17:01:36 1995 From: jya at pipeline.com (John Young) Date: Sat, 30 Dec 1995 09:01:36 +0800 Subject: CHU_chu Search Engines, Branded Communities Message-ID: <199512292107.QAA02245@pipe2.nyc.pipeline.com> 12-29-95. FinTimes: "Engine of the superhighway" muses on search engines and branded communities, and how their convergence will barb-wire lecher Tio Web from wild-legger Tia Juana. CHU_chu From corey at netscape.com Fri Dec 29 17:23:23 1995 From: corey at netscape.com (Corey Bridges) Date: Sat, 30 Dec 1995 09:23:23 +0800 Subject: Chinese Cypherpunk quote [NOISE] Message-ID: <199512300011.QAA16526@urchin.netscape.com> At 02:20 PM 12/29/95 +0100, Anonymous wrote: >The will of the people is the best law. Rrrr. Rrrrr... OKAY, I'm sure that's bait, but it's a (relatively) slow week here at Netscapegoat. (Besides, I've apparently already set a precedent for responding to tentacularly dangled carrots earlier this week with my response to the C'punk Seal question.) So I'm throwing better judgment to the wind and leaping straight for the soft pink throat of this taunt. To reply simply: Wrong -- the will of the people is as fickle as the wind. Follow the will of the people, and you run your country by following fads. Mob rule and all that. We're in deep trouble if we ever get a true democracy. Sorry. Just had to respond. -- MY opinions, thank you very much. Corey Bridges Netscape Communications Corporation home.netscape.com/people/corey Action figure #35: "Jeff Weinstein, with real asbestos suit and glow-in-the-dark magnetized target!" From jsw at netscape.com Fri Dec 29 17:55:01 1995 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 30 Dec 1995 09:55:01 +0800 Subject: Netscape 40-bit cracking. The new computing benchmark? In-Reply-To: Message-ID: <30E488F1.1F51@netscape.com> Weld Pond wrote: They (ICE) say that they actually ran Hal's SSL challenge. I think the mention of DES must have been an error on the part of Infoworld. --Jeff > > From Infoworld Dec 25, 1995 page 3. > > Netscape Commerce Server Security Broken > > Integrated Computing Engines Inc. (ICE), in Cambridge, Mass. announced it > has cracked the 40-bit DES [huh? not RC4] encryption in the Netscape > Commerce Server. Unlike a similar security break-in [talk about bad > terminology] by a French university student last August, which required > eight days, 120 workstations, and two supercomputers, ICE said it used a > computer that cost $83,000 and compromised the Wold Wide Web server's > security in 7.7 days. [Hey, what about the Cypherpunks crack that > only took 31.8 hours?] Netscape Communications Corp. officials were not > surprised by the security crack. "We've known that 40-bit encryption is > breakable since we shipped the server. That's the reason it's allowed to > be exported," said company spokeswoman Rosanne Siino. "We need to keep > lobbying to get rid of the U.S. governments 40-bit restriction on what > can be exported." Within the United States, Netscape sells products with > 128-bit encryption. -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From proff at suburbia.net Fri Dec 29 17:59:17 1995 From: proff at suburbia.net (Julian Assange) Date: Sat, 30 Dec 1995 09:59:17 +0800 Subject: Housewarming/birthday party In-Reply-To: <9502157953.AA795307204@prisminc.prisminc.com> Message-ID: <199512300046.LAA16884@suburbia.net> > The price of condo living: There is no guest parking in the complex, > and the party must end by 10pm. Please help us get along with our new ^^^^^ ^^^^ > neighbors by respecting the condo rules. Thanks! > Thats not a party. Thats an after-school tupperware get-together. Cheers, -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | has stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From byteback at ldd.net Fri Dec 29 18:18:48 1995 From: byteback at ldd.net (HousePasley) Date: Sat, 30 Dec 1995 10:18:48 +0800 Subject: (no subject) Message-ID: <30E49366.18EB@ldd.net> Talk to me..my son has shoes...cypher this... mays out of maggots, go arial. From sameer at c2.org Fri Dec 29 18:45:37 1995 From: sameer at c2.org (sameer) Date: Sat, 30 Dec 1995 10:45:37 +0800 Subject: Netscape 40-bit cracking. The new computing benchmark? In-Reply-To: <30E488F1.1F51@netscape.com> Message-ID: <199512300151.RAA00995@infinity.c2.org> ObPlug: Community ConneXion does not ship a 40-bit-crippled server. (Apache-SSL) > > surprised by the security crack. "We've known that 40-bit encryption is > > breakable since we shipped the server. That's the reason it's allowed to > > be exported," said company spokeswoman Rosanne Siino. "We need to keep -- sameer Voice: 510-601-9777x3 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From grendel at netaxs.com Fri Dec 29 19:36:23 1995 From: grendel at netaxs.com (Michael Handler) Date: Sat, 30 Dec 1995 11:36:23 +0800 Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: Message-ID: On Fri, 29 Dec 1995, Timothy C. May wrote: > Wow! I am watching the CEO of Compuserve being interviewed on CNBC, > explaining how his company is "taking the high road by complying with the > laws of Germany" in removing access to 200 Usenet groups. A blatant lie. Newsgroups: alt.online-service.compuserve,comp.org.eff.talk From: tomklem at netcom.com (Tom Klemesrud) Subject: Re: Compuserve lies about the Germans Message-ID: [ ... ] Compuserve CEO Massey appeared on CNBC and said that Compuserve was only obeying the (German) law. However, the AP article makes it clear that there is no such German law--that there is only an investigation going on in Germany as th exactly what is on the internet. Compuserve was not asked to censor anything, according to the AP article. Compuserve has apparently used this episode as a excuse to do what it was already predisposed to do, in my opinion. [ end ] From: tc <72417.1514 at compuserve.com> Newsgroups: alt.online-service.compuserve,comp.org.eff.talk Subject: Re: Compuserve lies about the Germans Message-ID: <4c222o$jc3 at dub-news-svc-4.compuserve.com> CompuServe is starting to look worse and worse in this thing. I'm still waiting for the real story. Here is an excerpt from a story on the AP: Munich prosecutor Manfred Wick confirmed Friday that Bavarian state police investigators searched CompuServe's networks and computers last month for child pornography, but he would not say what they found. "We didn't threaten them with charges," Wick said. Arno Edelmann, a CompuServe product manager in Unterhaching, Germany, said Friday that the company blocked access to 200 sex-oriented newsgroups in a portion of the Internet called Usenet. "It is perhaps an overreaction but we want to cooperate with the Bavarian prosecutor's office," Edelmann said. [ end ] And herein lie the pitfalls of trying to establish a global ISP presence. I'm with Tom Klemesrud on this one. CI$ is trying to lick some boots to get a position as a _capo_ when Der Revolution begins. Michael, rec.arts.erotica and soc.support.youth.gay-lesbian-bi moderator (both banned by CI$). As far as I'm concerned, CI$ is no longer welcome to any articles from my group; I'll mangle the Path: header as necessary to insure they never get there. -- Michael Handler From jimbell at pacifier.com Fri Dec 29 20:02:58 1995 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Dec 1995 12:02:58 +0800 Subject: "Deterrence" Message-ID: In the 1960's movie, "Dr. Strangelove," the title character defined "deterrence" as being "the art of making your enemies FEAR to attack you." As has been well-publicized recently, pressure from a German prosecutor had induced Compuserve to cease access to a number of sex-related Internet groups. Clearly, neither Compuserve nor its users nor the Internet community in general has demonstrated adequate DETERRENCE to him or people in his position. In my essay, "Assassination Politics," I pointed out that it would be relatively easy to deter such official-type actions if enough of us simply said, "NO!" and denominated it in terms of dollars and cents. After all, with four million Compuserve users, if they each were willing to donate a penny to see this latter-day Fuhrer dead, that would be $40,000. (Pardon me if I don't translate this into marks and other currencies.) In practice, of course, if such a system were in place, it is highly unlikely that he would have even dared try to put pressure on Compuserve, and Compuserve wouldn't have dared respond cooperatively to such outrageous influence. It is worth noting that if six million Jews had been willing to donate a dime each in 1932 to see Hitler and his cronies dead, much of the late thirties and forties would have ended up quite differently. Some may argue that today's situation isn't nearly as serious now as it was then, but then again, the situation probably didn't really look very serious in 1932, did it?!? WHEN, exactly, would it be appropriate to act? From dlv at bwalk.dm.com Sat Dec 30 12:30:22 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 30 Dec 95 12:30:22 PST Subject: last straw In-Reply-To: Message-ID: Dave Del Torto writes: > I've decided to cancel my CrampuNerve account and send the weasels a msg to > telling them why. I encourage everyone here to do the same with your CI$ > account (if you still have one). These [insert colorful expletive here]s > only understand one thing: cold ca$h. Thus, the only effective way to send > them an indication of one's displeasure at their poor precedent-setting is > to vote with one's wallet. One could go one step further -- use free trial accounts to go to their local boards and chat rooms and tell the truth, uring others to leave. By the way, Cantor & Siegal were long-time CompuServe users before spamming Usenet with their green card ad. > Any who are still unfortunate enough to rely on CI$ for Internet/Usenet > access are getting reamed price-wise anyway, not to mention suffering poor > reliability and now access, so maybe a few of them could also take this > opportunity to migrate to an ISP with some real "backbone." A friend of mine tried to use CS to read Usenet and reported the following: * There's a very small limit on the size of an article to post to Usenet; * There's a tremendous delay before Usenet articles pass through their gateway; * He saw many articles at other sites that never made it to CS; he estimated that about 30-50% of Usenet articles just never get thru; * The expiration in many high-volume newsgroups is 3 days or less. (I don't know how true this is; his impressions may be wrong.) When he complained to CS about it, he was told that CS doesn't position itself as an Internet service provider. They have a lot of proprietary content that's not available via the internet. They don't expect people to use their services to use Usenet or Internet e-mail. And now comes the *point*: There's much information on CompuServe that cannot be accessed from the outside. One example is the very informative National Computer Security Association's forum. I think it would be a fitting response if NCSA removed their forum from CS. (There are other such for-pay forums, like SovSet', which can be accessed from the internet without paying anything to CompuServe). As it stands, there are people who will maintain their CS accounts to access the NCSA forum (even though they find CS's actions repugnant). If you don't like it, encourage the NCSA to move their forum elsewhere. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From joelm at eskimo.com Fri Dec 29 20:33:12 1995 From: joelm at eskimo.com (Joel McNamara) Date: Sat, 30 Dec 1995 12:33:12 +0800 Subject: Internet wiretap? Message-ID: <199512300409.UAA28915@mail.eskimo.com> This tidbit was posted a few hours ago on c|net (12/29 4:00 PST). Thanks to a wiretap on the Internet, three people have been arrested for illegally selling and manufacturing cellular phone equipment and electronic devices over the Internet, according to Secret Service agent Brian Gimlett. This is the first time the Secret Service and the Drug Enforcement Administration were allowed to wiretap via the Internet, says Gimlett. The rest of the story talks about an exchange of e-mail discussing the sale of various nasty cellular accessories. There is no information on exactly what "wiretap" means or any other technical details. Interesting to note the DEA was in on it. Crypto-relevance only if the perps were using a remailer (which I kind of doubt). Full story (quite short), at: http://www.cnet.com/Content/News/Files/0,16,326,00.html Joel From rsalz at osf.org Fri Dec 29 20:59:44 1995 From: rsalz at osf.org (Rich Salz) Date: Sat, 30 Dec 1995 12:59:44 +0800 Subject: http://www.gsa.gov/irms/ki/sipmo.htm Message-ID: <9512300421.AA23481@sulphur.osf.org> As many of you probably already know, the US Postal Service is creating a national public-key infrastructure for individuals (I've never heard any mention of Corporate identities, not to say that there won't be any). A few weeks ago the General Services Agency of the US Gov't had an open working session of their Security Infrastructure Program Management Office (SIPMO). At that session they announced a pilot program for electronic filing of federal tax returns, using the USPS infrastructure. The URL in the subject line has not yet been updated to discuss the pilot; right now it is basically an overview of SIPMO. Anyone know more? /r$ From ravage at ssz.com Fri Dec 29 21:05:55 1995 From: ravage at ssz.com (Jim Choate) Date: Sat, 30 Dec 1995 13:05:55 +0800 Subject: January meeting (fwd) Message-ID: <199512300442.WAA01350@einstein> Hi all, Please make the date Saturday January 6, not Sunday January 7. Forwarded message: > From ravage at ssz.com Fri Dec 29 22:41:13 1995 > From: Jim Choate > Message-Id: <199512300441.WAA01326 at einstein> > Subject: January meeting > To: austin-cpunks at ssz.com (Austin Cypherpunks) > Date: Fri, 29 Dec 1995 22:41:11 -0600 (CST) > Cc: cypherpunks at toad.com > X-Mailer: ELM [version 2.4 PL23] > Content-Type: text > Content-Length: 373 > > > Hi all, > > Just a reminder that the next general meeting will be held on January 7, > 1996 from 6-8pm at the Central Market HEB on N. Lamar at 42nd. > > We will be discussing further issues related to the video and setting a > schedule of meetings and deadlines for various production points. > > Hope to see you folks there! > > Jim Choate > > From danielguerard at accent.net Fri Dec 29 21:21:51 1995 From: danielguerard at accent.net (daniel guerard) Date: Sat, 30 Dec 1995 13:21:51 +0800 Subject: (no subject) Message-ID: <199512300455.XAA29856@server0.accent.net> please, mail list of server. Tank you From erc at dal1820.computek.net Fri Dec 29 22:28:32 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sat, 30 Dec 1995 14:28:32 +0800 Subject: Zensoren ueber Alles In-Reply-To: <199512300548.AAA02407@pipe8.nyc.pipeline.com> Message-ID: <199512300604.AAA05518@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- This "Tall Paul" fellow said: > Based on other news reports, I conclude that CompuServe lied in both areas. So? Companies lie all the time - the bigger the company, the bigger the lie, in my experience. Companies are like governments - they will get away with what they can until caught. Even then, they rarely stop - it just goes undercover. > It did none of these things. It cut off all customers to an enormous number > of groups. It inferrentially violated property rights (i.e. contracts) to > customers promised internet access and now provided only a crippled version > thereof. And it lied about the whole thing. Again, so? All that it will do is to drive people away from Compu$erve into the arms of other service providers. Maybe some of them will even figure out what a *real* ISP is... - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOTWTyS9AwzY9LDxAQH+OwQApSgooUc/ZgQgQm5xn1v4YxmI5jcVoJfR b5pBCnJvcvTBld5C/6tTuOyqpnEvJD/oBlT+buhQDinvLYD97Z3oh65weEAZNrJ0 x2iTz1NzilPB5EDawIPs4lTELFaJLLdPVKZvgPaqhoUum3Sm3uHvgL1HcvnR+vt0 5hZW/NGlF4M= =p6vI -----END PGP SIGNATURE----- From sandfort at crl.com Fri Dec 29 22:58:38 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 30 Dec 1995 14:58:38 +0800 Subject: DIBS Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, Eric Hughes and I are calling dibs for the FEBRUARY Cypherpunks meeting. On February 10, we will host the meeting at our offices in downtown San Francisco (easily accessible by BART and Muni). More details later. After the meeting, I will be hosting a gala costume party in the large, elegant Oakland house owned by two of my co-hosts. I will soon be setting up an invitation on a web page provided another co-host, C'punk hero-of-the-revolution, Sameer. Stay tuned. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From exabyte!mikej2 at uunet.uu.net Fri Dec 29 23:53:34 1995 From: exabyte!mikej2 at uunet.uu.net (Mike Johnson second login) Date: Sat, 30 Dec 1995 15:53:34 +0800 Subject: DOS - MD5 - Thanks In-Reply-To: <199512282039.PAA21627@universe.digex.net> Message-ID: A freestanding implementation of MD5SUM (compiled from that in the PGP distribution) for DOS is at ftp://ftp.csn.net/mpj/public/md5sum.zip and on the Colorado Catacombs BBS at 303-772-1062. I suggested to Phil Zimmermann that he should put this in the next PGP release along with the compiled DOS version of PGP, but there hasn't been a new release of PGP since then. Happy New Year! Mike Johnson mpj at exabyte.com #include From futplex at pseudonym.com Sat Dec 30 01:23:09 1995 From: futplex at pseudonym.com (Futplex) Date: Sat, 30 Dec 1995 17:23:09 +0800 Subject: blind validation In-Reply-To: <199512281849.MAA08259@proust.suba.com> Message-ID: <199512300908.EAA07360@opine.cs.umass.edu> Alex Strasheim writes: [discussion and assumptions liberally elided] > 1. Alice initiates a transaction with Bob. (Perhaps by asking > him for a file.) > > 2. Bob generates a random number and sends it back to Alice. > > 3. Alice blinds Bob's number and sends it to Trent, along with > proof of her validatability. > > 4. Trent checks Alice's proof, signs the blinded number, and > then returns it to Alice. > > 5. Alice unblinds Bob's number, then sends it to Bob. > > 6. Bob checks Trent's signature and makes sure that the number > he recieved matches the one he sent out. Then Bob processes > Alice's transaction. > > If Bob always follows this protocol, he can prove to Sam that > he's followed the law. Alice remains anonymous. Alice can still > transfer the file, but she has to give it away herself: she > can't give away the ability to get it directly from Bob without > giving away the ability to prove Aliceness to Trent. I'm not convinced that your last point is true. It appears that the signed Bobnet-access-number is still just a transferrable ticket. Charlie can place an order with Bob, forward the Bobnet-access-number to Alice, wait for Alice & Trent to do the blinding & signing tango, forward the signed Bobnet- access-number to Bob, and get the goods from Bob. Charlie can't use the signed Bobnet-access-number to prove to Trent that he's Alice. In fact, since it's unblinded, Charlie can't even prove that he's linked to a particular validation performed by Trent. (If Alice foolishly gave him the blinded version too, he could show that he shares Alice's knowledge about this validation.) [...] > The main problems that I can see with this protocol are: > > 1. It's vulernable to traffic analysis. > 2. Sam has to trust Trent, which he may be unwilling to do. > 3. You can infer stuff about Alice from the kinds of requests > she makes of Trent. Someone who always asks Trent for proof > that he's not a felon might tag himself as a person who buys > a lot of guns or ammunition, for example. 3. is OK as long as Alice trusts Trent. The trick is selecting a Trent trusted by both Alice and Sam ;) -Futplex From Ulf_Moeller at public.uni-hamburg.de Sat Dec 30 03:50:09 1995 From: Ulf_Moeller at public.uni-hamburg.de (Ulf Moeller) Date: Sat, 30 Dec 1995 19:50:09 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause Message-ID: >Thus, it is the government of Germany in this case which is "censoring." This is today's page 1 article in the newspaper "die tageszeitung". The article "Zensur im Cyberspace" (censorship in cyberspace) and the comment "Die Moral der Biederm�nner" are available http://www.prz.tu-berlin.de/~taz until tomorrow. From the article (my translation): "The Bavarian department of public prosecution 'has left it to their discretion' to take the 'necessary steps' on their own, to avoid 'possible punishability of the management in Germany'. An advice that CompuServe has followed although there is no kind of legal obligation for it. Legally, it is still perfectly unclear if enterprises that provide access to the Internet can be held responsible in any way for the contents distributed there." From the comment by Niklaus Haubl�tzel: "Reality cannot be outlawed, only improved, and many still hope that complete freedom of information and opinion in computer networks can contribute to that. But the company of CompuServe does not seem to be interested in that. They only want their customers' money, but not their freedom. [...] Like any censorhip, this one comes with hipocrisy. Towards their paying customers, CompuServe claims to have been forced by German prosecutors. Thus one lie creates another. That they were forced it out of the question. It is only in dictatorships that the prosecutors judge the defendants - that is why dictatorships need censors." From junger at pdj2-ra.F-REMOTE.CWRU.Edu Sat Dec 30 05:28:20 1995 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Sat, 30 Dec 1995 21:28:20 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: Michael Handler writes: : On Fri, 29 Dec 1995, Timothy C. May wrote: : : > Wow! I am watching the CEO of Compuserve being interviewed on CNBC, : > explaining how his company is "taking the high road by complying with the : > laws of Germany" in removing access to 200 Usenet groups. : : A blatant lie. [Material deleted] : CompuServe is starting to look worse and worse in this thing. I'm : still waiting for the real story. Here is an excerpt from a story on the : AP: : : : Munich prosecutor Manfred Wick confirmed Friday that Bavarian state : police investigators searched CompuServe's networks and computers last : month for child pornography, but he would not say what they found. : "We didn't threaten them with charges," Wick said. : Arno Edelmann, a CompuServe product manager in Unterhaching, : Germany, said Friday that the company blocked access to 200 : sex-oriented newsgroups in a portion of the Internet called Usenet. : "It is perhaps an overreaction but we want to cooperate with the : Bavarian prosecutor's office," Edelmann said. : : [ end ] : : And herein lie the pitfalls of trying to establish a global ISP : presence. : One should also notice that Bavaria is only one state in the German Federal Republic; this case is more like Texas investigating Compuserve than the United States federal government investigating Compuserve. Bavaria is the stronghold of what can properly be called the (Catholic) Religious Right in Germany. It should also be noticed that in general German publications and television seem to be less constrained in publishing materials that in the United States would be called ``indecent'' by some than are United States publications and broadcasters. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From ddt at lsd.com Sat Dec 30 07:51:51 1995 From: ddt at lsd.com (Dave Del Torto) Date: Sat, 30 Dec 1995 23:51:51 +0800 Subject: last straw Message-ID: I've decided to cancel my CrampuNerve account and send the weasels a msg to telling them why. I encourage everyone here to do the same with your CI$ account (if you still have one). These [insert colorful expletive here]s only understand one thing: cold ca$h. Thus, the only effective way to send them an indication of one's displeasure at their poor precedent-setting is to vote with one's wallet. Any who are still unfortunate enough to rely on CI$ for Internet/Usenet access are getting reamed price-wise anyway, not to mention suffering poor reliability and now access, so maybe a few of them could also take this opportunity to migrate to an ISP with some real "backbone." CI$ is becoming redundant and now they're making themselves unappealing. Convenient, economical dialups are now available to Europeans and any of us Yanks who have to travel to Europe regularly through various non-anus-kissing ISPs (xs4all, iSYS, etc.). Back in '90-'92 CI$ used to be somewhat handy when travelling to Europe, but even then it was horribly expensive when you tallied up their "surcharges" for dialing in through Frankfurt, etc. Good riddance, say I. dave ____________________________________________________________ "I prefer a real whorehouse to The Theatre." -Dorothy Parker From dlv at bwalk.dm.com Sat Dec 30 08:46:03 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 00:46:03 +0800 Subject: another anonymous poster helping to destroy our rights In-Reply-To: <01HZDR1AL5S48Y55Y6@mbcl.rutgers.edu> Message-ID: <94HXgD17w165w@bwalk.dm.com> "E. ALLEN SMITH" writes: > From: IN%"vznuri at netcom.com" "Vladimir Z. Nuri" 28-DEC-1995 01:36:46.58 > > >= the list charter can ask for people to submit to various practices on > the honor system, such as not using pseudonyms. cryptoanarchists who > hate the idea of trust are of course going to object to the honor system, > because "that which cannot be enforced should not be prohibited". > ---------------- > Does this last idea leave much doubt in anyone's mind that "Vladimir Z. > Nuri" is a Detweiler tentacle? Yes. I've exchanged several e-mails with LD. LD is much smarter. (Unless he's playing dumb... :) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From dlv at bwalk.dm.com Sat Dec 30 08:49:17 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 00:49:17 +0800 Subject: easy avoidance of PGP signature forgeries and reuse In-Reply-To: Message-ID: attila writes: > I never paid much attention to the problem other than to avoid > it by forcing it --i.e. list the destination and the send inside the > signature block, thus: > > ----------------- BEGIN PGP SIGNED TEXT > > To: john doe > Newsgroups: sci.crypt > From: jane roe > Subject: that's all folks! ... Good - that's just what I've proposed :). However right now the overwhelming majority of people who PGP-sign their writings, don't include a copy of the headers within the signed portion. Those few who do, all seem to use different formats, so the signed headers cannot be easily compared to the headers in the actual envelope by a program. I propose a format below. > with e-mail, e-letters, direct faxes, etc. it is to easy to > ignore the courtesy header. From a standpoint of security, you have > blown away each of the attacks outline in your article in so much as > the signature will not compute if the courtesy block is omitted. I totally agree; that's why I propose copying that info in the signed portion "by default". > personally, I do not think PGP 3 should attempt to solve the > problem. Most of the headers involved are applied _after_ the message > leaves the mail program; and, PGP interfaces are virtually the same > as invoking an alternate editor, which gets you nothing. I don't think that a protocol for signing headers that requires mime/multipart is going to be widely used, especially for Usenet postings. I've thought about it and came up with the following idea for the syntax: ----BEGIN PGP SIGNED MESSAGE---- some text ----BEGIN PGP SIGNED HEADERS---- From: address [all these are optional] To: address[,address]... Newsgroups: group[,group]... Date: rfc 822 date Subject: subject ----BEGIN PGP SIGNATURE---- Version 2.6.2 12341234... ----END PGP SIGNATURE---- The "signed headers" portion may contain the following optional fields: From: address -- the address associated with the key used to sign this message To: address[,address]... -- addresses (user at host, no names) of the recipients in RFC 822 To: and Cc: headers (not the Bcc: recipients). Addresses mangled by various gateways shouldn't verify. Newsgroups: group[,group]... -- the newsgroups from the RFC 1036 header Date: and Subject: -- should match the header The sequence of events would be: * pick the addressees and the newsgroups + compose the text * sign the signed portion * post/e-mail the result to the specified addressees/newsgroups. (Of course, the poster could lie and claim in the signed portion that the article is being posted to alt.sex.pedo when he himself posts it to misc.kids:) If a standard like this catches on, and is integrated into PGP-aware news/e-mail programs, then it's a simple exercise to write a little script to look for BEGIN PGP SIGNED HEADERS and compare the information inside it with the RFC 822/1036 headers outside the signed portion of the message. It could be done within PGP too. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From tallpaul at pipeline.com Sat Dec 30 09:00:20 1995 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 31 Dec 1995 01:00:20 +0800 Subject: Zensoren ueber Alles Message-ID: <199512301554.KAA25650@pipe4.nyc.pipeline.com> On Dec 30, 1995 00:04:01, '"Ed Carp [khijol SysAdmin]" ' wrote: > >This "Tall Paul" fellow said: "Based on other news reports, I conclude that CompuServe lied in both areas." > >So? Companies lie all the time - the bigger the company, the bigger the >lie, in my experience. Companies are like governments - they will get >away with what they can until caught. Even then, they rarely stop - it >just goes undercover. > I was not presenting a political analysis behind CompuServe's actions, nor writing a simple personal opinion. I was presenting what I considered an factually correct objective observation of their actions. >> It did none of these things. It cut off all customers to an enormous number >> of groups. It inferrentially violated property rights (i.e. contracts) to >> customers promised internet access and now provided only a crippled version >> thereof. And it lied about the whole thing. > >Again, so? All that it will do is to drive people away from Compu$erve >into the arms of other service providers. Maybe some of them will even >figure out what a *real* ISP is... > How accurate is Carp's conclusion. Not very, in my opinion. The inaccuracy develops from the excessively narrow economic focus of Carp's thinking. It is an analysis that ignores the *social* implications of the CompuServe decision, treating the entire matter almost as something that would only interest CompuServe, Microsoft, AOL, and Prodigy stockholders. Among the other effects *already* visible, the decision has: 1) Led to an enormous amount of anti-net publicity by incompetent editors on the national news; 2) Furthered the development of hysteria and hysterical organizing; ("I don't care if it is censorship," said one mommy interviewed on the national news. "It is good for my children.") 3) Furthered the developmet of the right-wing "family rights" crowd; ("We need to follow Germany's lead," said one official from one of the "family rights" crowd interviewed on the national news.) 4) Promoted more dishonesty as a perfectly reasonable and perfectly acceptable means of engaging in social discourse; I predict it will also be used for additional attacks on issues of encryption, privacy, and anonymity. That is, I think we will see statements like "We need to be especially vigilant to make sure that the perverts are not smuggling banned material into the country via the internet. This means we have to block encryption, monitor user accounts even more carefully for potential perverts, etc. etc. Finally, I am not sure that Carp's economic analysis of the CompuServe decision is correct. The large internet service providers (LISP) form an oligopoly and, I think, the LISP all abandon hopes that they can become a monopoly. One form of oligopolistic co-operation is the creation of market niches within acceptable bounds of market share for each of the oligopolistic corporations. That is, CompuServe just launched a huge organizing effort to grab the "family" niche within the LISP market. I do not have the facts needed for a detailed quantfiable analysis of the LISP oligopoly (and frankly would not want to devote the time to such an analysis even if I did.) So I'll conclude here by stating that CompuServe's market share may increase because of their decision as parents move from the "family hostile" MSN/AOL/etc. to the "family friendly" CompuServe. If sexual hysteria is much stronger than views against censorship, for freedom of speech and inquiry, then we may see the other LISP groups emulate CompuServe to protect their oligopolistic market share. That is, if *significant* portions of AOL/MSN/etc. customers are motivated by sexual hysteria and start moving their accounts to CompuServe we will see AOL.MSN/etc. become equally "family friendly" to stop the customer shifts. --tallpaul From cg at bofh.toad.com Sat Dec 30 09:10:28 1995 From: cg at bofh.toad.com (Cees de Groot (none)) Date: Sun, 31 Dec 1995 01:10:28 +0800 Subject: Australian "calculatorcard" Message-ID: <199512301556.QAA31294@bofh.cdg.openlink.co.uk> Hi everybody, Yesterday, on UK Discovery, there was an item in the programme Beyond 2000 about an Australian card which implements a challenge-response protocol and can be used for banking, etcetera. Basically, you give your card number (over the phone), get a challenge number, enter your pin and the challenge, and then give the response. All in CC format... They plugged it as the ultimate identity-prover, so I'm kind of interested in what's behind. Now, I know that Discovery constantly repeats old stuff, so I'm not sure whether this is actually hot/new/... Can anybody provide me with pointers to more in-depth information about this device and the algorithm(s) behind it ? Thanks -- Cees de Groot, OpenLink Software 262ui/2048: ID=4F018825 FP=5653C0DDECE4359D FFDDB8F7A7970789 [Key on servers] -- Any opinions expressed above might be mine. From nobody at alpha.c2.org Sat Dec 30 09:17:07 1995 From: nobody at alpha.c2.org (Anonymous) Date: Sun, 31 Dec 1995 01:17:07 +0800 Subject: NoneMurder, Inc. (was "Deterrence") Message-ID: <199512301603.IAA25153@infinity.c2.org> > In my essay, "Assassination Politics," I pointed out that it would be > relatively easy to deter such official-type actions if enough of us simply > said, "NO!" and denominated it in terms of dollars and cents. After all, > with four million Compuserve users, if they each were willing to donate a > penny to see this latter-day Fuhrer dead, that would be $40,000. (Pardon > me if I don't translate this into marks and other currencies.) > > In practice, of course, if such a system were in place, it is highly > unlikely that he would have even dared try to put pressure on Compuserve, > and Compuserve wouldn't have dared respond cooperatively to such > outrageous influence. In reality, four million compuserve users would not donate a penny each. It is likely that a few hundred people who felt strongly about the cause (and didn't mind a little bloodshed) might be willing to put up funds in amounts of around $20. Of course nobody would want to advertise under their real name that they have a contract out on some gummint agent. This would require the existance of a "Murder, Inc." as an escrow agent for the money. (There would likely be several such agents as it it unlikely people would trust just one.) Each person would give the escrow agent their contribution toward the elimination of the gummint troublemaker. Anyone who was willing to do the hit could post an encrypted claim, in advance, stating the time and date or method he plans to use, and where to send payment. Once the act was done, the hitman posts the decryption key so that everyone can see that he did it, and he collects the money. If after some reasonable amount of time, nobody takes out the gubmint asswipe, then the escrow agent returns all the money. It's quite feasable, and not especially difficult. The hardest thing is convincing people that the escrow agent is trustworthy, and to convince people that they really want to pay to have someone murdered. There is something a little chilling about that thought... On the other hand, the US government seems to feel that it's okay to kill people if they can get away with it (Ruby Ridge, Waco, that guy in California (forgot his name) who got shot on his ranch over bogus drug charges, etc.) So although murder is a Bad Thing(tm), the gubmint has set a very bad precedent in making it look "okay". Hence it becomes "okay" for people to do the same to them (for example the recent Oklahoma incident). It's okay for the government to randomly pick on innocent people to make a statement, hence it becomes okay to derail random trains to make a statement. (For the record, I am absolutely not defending what those people did to that Amtrak train in Arizona, just pointing out the psycology of it. If you're mad at the government then fucking kill some government people - What the hell did the amtrak passengers do to you?) Unfortunately it seems to be becoming okay to pick on random people to make an unrelated point (or just boost your ego) The government is using this tactic too, for example pick on a few porno collectors to demonstrate your "authority" in cyberspace. Same thing with picking on random gun owners to make a statement against RKBA. So maybe it will become popular to kill a random politician (or anyone) just to make a statement against the government. This is turning into a rant. I'll shut up now. From dlv at bwalk.dm.com Sat Dec 30 09:23:13 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 01:23:13 +0800 Subject: Chinese Cypherpunk quote [NOISE] In-Reply-To: <199512300011.QAA16526@urchin.netscape.com> Message-ID: Corey Bridges writes: > To reply simply: Wrong -- the will of the people is as fickle as the wind. > Follow the will of the people, and you run your country by following fads. > Mob rule and all that. We're in deep trouble if we ever get a true democracy. One of the things Adolph Hitler and Bill Clinton have in common is that both were democratically elected leaders. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From adam at lighthouse.homeport.org Sat Dec 30 09:32:47 1995 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 31 Dec 1995 01:32:47 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause In-Reply-To: Message-ID: <199512301700.MAA08304@homeport.org> This trend towords governments saying 'This might be illegal, we won't tell you' is very disturbing. Doug Barnes reported on it being the tactic of choice in forcing banks to fall in line & spy on their customers. Compuserve should be encouraged to get a ruling from the Barvarian/German government on the legality of the groups. (Does the EU provide freedom of speech protections, or simply freedom of inoffensive speech?) Also, how does this interact with the harmonization of publications laws with places such as the Netherlands? The EU can't be expected to thrive if each country has totally different publishing laws. Alternately, if there are cypherpunks who spend time in alt.config, we might create groups such as alt.intimate.stories, alt.intimate.bondage.duct-tape, etc. Ulf Moeller wrote: | This is today's page 1 article in the newspaper "die tageszeitung". | | The article "Zensur im Cyberspace" (censorship in cyberspace) | and the comment "Die Moral der Biederm=E4nner" are available | http://www.prz.tu-berlin.de/~taz until tomorrow. | | From the article (my translation): | | "The Bavarian department of public prosecution 'has left it to their | discretion' to take the 'necessary steps' on their own, to avoid | 'possible punishability of the management in Germany'. An advice that | CompuServe has followed although there is no kind of legal obligation | for it. Legally, it is still perfectly unclear if enterprises that | provide access to the Internet can be held responsible in any way for | the contents distributed there." -- "It is seldom that liberty of any kind is lost all at once." -Hume From nobody at c2.org Sat Dec 30 10:22:47 1995 From: nobody at c2.org (Anonymous User) Date: Sun, 31 Dec 1995 02:22:47 +0800 Subject: Is Dr Fred Cohen a Loon??? Message-ID: <199512301723.JAA00902@infinity.c2.org> Trolling for Flames(just another anonymous poster destroying the 'net) :) The Subject says it all... I believe Fred suffers from a severely inflated ego and suffers from the "false expert" syndrome detailed by various self-help orgs... what say you fred?? Another anon poster destroying the integrity of the net From tcmay at got.net Sat Dec 30 10:24:17 1995 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Dec 1995 02:24:17 +0800 Subject: Positive Implications of the Compuserve Moves Message-ID: At 3:54 PM 12/30/95, tallpaul wrote: >Among the other effects *already* visible, the decision has: > >1) Led to an enormous amount of anti-net publicity by incompetent editors >on the national news; On the positive side, I've heard some commentators (mainly on CNBC, and all-business news channel) ask pointed questions, and note that if every country imposes its own standards on the Internet/Usenet, then the implications are dire. The strong reaction developing against Compuserve could rebound to the benefit of killing off the Exon/Hyde language, in the best of all situations. (The Telecom Bill is still being thrashed out, and the CS controversy may remind folks of the implications of their actions.) >4) Promoted more dishonesty as a perfectly reasonable and perfectly >acceptable means of engaging in social discourse; I predict Compuserve will lose so much of what little respect they have eked out amongst Internet users that they will be eventually forced to provide the 200 dropped newsgroups, issue an apology, and probably retire or reassign a few executives as a show of public remorse. You heard it hear first. And many users are seeing the problems with monolithic, primitive ISPs like Compuserve, AOL, Prodigy, etc., and are moving to get "real" Net connections. This is a Good Thing. >Finally, I am not sure that Carp's economic analysis of the CompuServe >decision is correct. The large internet service providers (LISP) form an >oligopoly and, I think, the LISP all abandon hopes that they can become a LISP? (define CompuserveSucks (lambda () (display ".") (CompuserveSucks))) (CompuserveSucks) Recurses, foiled again! --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ravage at ssz.com Sat Dec 30 10:36:07 1995 From: ravage at ssz.com (Jim Choate) Date: Sun, 31 Dec 1995 02:36:07 +0800 Subject: January meeting Message-ID: <199512300441.WAA01326@einstein> Hi all, Just a reminder that the next general meeting will be held on January 7, 1996 from 6-8pm at the Central Market HEB on N. Lamar at 42nd. We will be discussing further issues related to the video and setting a schedule of meetings and deadlines for various production points. Hope to see you folks there! Jim Choate From trei at process.com Sat Dec 30 10:44:02 1995 From: trei at process.com (Peter Trei) Date: Sun, 31 Dec 1995 02:44:02 +0800 Subject: CHU_chu Search Engines, Branded Communities Message-ID: <9512300206.AA12772@toad.com> riverrun John Young writes: > 12-29-95. FinTimes: > "Engine of the superhighway" muses on search engines and > branded communities, and how their convergence will > barb-wire lecher Tio Web from wild-legger Tia Juana. > CHU_chu I can't get much out of the second clause above. Much as I truely value John's notices of articles from the paper world, I sometimes wish he would not obfuscate his text. speaking for myself Peter Trei trei at process.com riverrun From tallpaul at pipeline.com Sat Dec 30 10:46:31 1995 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 31 Dec 1995 02:46:31 +0800 Subject: Zensoren ueber Alles Message-ID: <199512300548.AAA02407@pipe8.nyc.pipeline.com> >From initial reports, the challenge to CompuServe did not come from the German government. It did not come form the German Parliament. It did not come form the German judiciary. It came from one (repeat one) prosecutor in one (repeat one) city. I also suspect the U.S. journalists who reported the news may not know the difference between a "prosecutor" and a "procurator." It is a significant differnce in many legal systems. (Not to slag U.S. journalists too hard because I myself don't know which of the two Germany has.) The news reports on New York City television focused exclusively on the "sexual" character of the banning, without directly mentioning that other groups were also banned. "But," wrote Jonathan Oatis of Reuter in an article available on the Clarinet news feed, "many more span a host of topics, including Barney the dinosaur of children's television, Estonian politics and the New York Yankees baseball team." Also included in the reports of news groups banned is the clari.news.sex feed containing articles routinely filed by the Associated Press and Reuter. It has also been reported that self-help recovery groups were banned because the groups also had the word "sex" in the name. (In order to save the victims it was necessary to destroy them!) How did the 11 o'clock news here in New York handle the story? Two of the three channels stated that CompuServe banned "chat rooms," not news groups. The third got it right and reported on internet groups. The two channels who spoke of the "chat room" ban also stated that the rooms were banned because they contained "explicit" sexual images or graphics "depicting" sexual topics. What can we infer? No single thing directly save for the inaccuracy of the reports. But certainly even national-level tv editors are not yet sufficiently informed about the internet to know the difference between chat rooms and news groups. I'd say that this level of ignorance rather impacts on their ability to do their job in a professional fashion. (It also points to our collective failure to adequately inform them.) Second, the editors -- whether under pressure of deadline, personal psychological bias, or more sinister things -- can't pick up the idea that the verbal ("chat") and the visual ("explicit" sexual images) are two different things. Third, the sexual hysteria of the editors themselves significantly erodes their ability to perform their jobs in an objective fashion. CompuServe also got off easy under initial press inquiry. One spokesman for the company announced they were required to do it. He also stated that there was no way to cut the German customers off from the groups will making the groups available to other CompuServe customers. Based on other news reports, I conclude that CompuServe lied in both areas. (BTW, this is the first time I recall using the word "lie" on any post to the cypherpunks list.) I also infer that CompuServe did not "roll over" on this issue. The evidence shows, I think, that CompuServe is merely using one German prosecutor (or procurator) as an excuse to implement their own desired and previously prepared policy. CompuServe had, I think, several actions open. First, if the news reports that it was not "forced" to do anything by the single German, it could simply not have done anything. Second, it could have appealed the decision by the prosecutor to the courts (or submitted accurate information to the procurator and demanded that he consider it.) Third, it could have narrowly targeted the banned groups to alt.binary groups dealing with sexual issues. Fourth, it could have easily used software to cut off the feed to Germany. It did none of these things. It cut off all customers to an enormous number of groups. It inferrentially violated property rights (i.e. contracts) to customers promised internet access and now provided only a crippled version thereof. And it lied about the whole thing. Interestingly, none of the classic cypher-nasties were behind CompuServe's decision. The "big statists" in Washington didn't tell CompuServe to do it. The "hell with private property rights" bureaucrats didn't force CompuServe to do it. Nor did the taxman. The taxmen historically rarely do; they do not seek to ban "sin;" they tax it. The Treasury Department's Bureau of Booze, Butts & Bazookas (aka Bureau of Alcohol, Tobacco, and Firearms) is not behind this country's anti-booze, anti-butt, or anti-bazooka movement. They just tax all three. (They may kill you if you buy, transfer, or manufacture your bazooka without paying the US$ 200 (?) excise tax, but they're not out there in the forefront of those pushing gun control.) Additional facts that will be forthcoming in the future will point, I believe, to two things behind CompuServe's decision. The two leading causes will, I predict, be: First, the growing abstract systemic fear in this society produced by a society in crisis. This is a fear unnaturally re-directed at things like PGP and anonymity by various political poo-bahs to both deflect the citizens' fears from real causes and to rechannel that fear into areas where the same poo-bahs can claim credit for doing the "something" in "something has to be done." Second, the growing sexual hysteria within large sections of the population that does not exist in an abstract form and is not being artifically rechanneled but rather appealled to. CompuServe, in a rather brilliant move, managed to handle both groups, and blame a foreign force to boot. But while brilliant tactically, I do not believe they will succeed in continuing their policy. --tallpaul From shamrock at netcom.com Sat Dec 30 10:53:39 1995 From: shamrock at netcom.com (Lucky Green) Date: Sun, 31 Dec 1995 02:53:39 +0800 Subject: Zensoren ueber Alles Message-ID: At 10:54 12/30/95, tallpaul wrote: [On the CI$ issue] >I predict it will also be used for additional attacks on issues of >encryption, privacy, and anonymity. That is, I think we will see >statements like "We need to be especially vigilant to make sure that the >perverts are not smuggling banned material into the country via the >internet. This means we have to block encryption, monitor user accounts >even more carefully for potential perverts, etc. etc. Nothing new here. Pornography and the other Three Horsemen will be use to ban the spread of 'dangerous' thoughts on the Internet. This was clear years ago. Let me emphasize a few facts: o Non-GAK Encryption will be outlawed. o 'Immoral' texts and pictures will be banned. o The dissemination of 'dangerous ideas' will become a felony. At best, Cypherpunks can hope to provide the infrastructure that will allow an underground to communicate semi-securely. We are unable to stop the global tidal wave of fascism. Let's not waste our time on bemoaning the freedoms crushed in its path. We have more important work to do. -- Lucky Green PGP encrypted mail preferred. From jamesd at echeque.com Sat Dec 30 10:56:08 1995 From: jamesd at echeque.com (James A. Donald) Date: Sun, 31 Dec 1995 02:56:08 +0800 Subject: (fwd) DigiCash licencing? Message-ID: <199512301815.KAA14002@blob.best.net> Jyri Kaljundi wrote: > Does anyone know about the terms and costs of licencing ecash software? I > have tried contacting DigiCash directly with these questions, but have > got no answers This experience (total lack of coherent response from Digicash) seems to be widespread, on many issues. The answer to your question has to be decided by DigiCash on a case by case basis, and they are not noted for thinking on their feet. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jya at pipeline.com Sat Dec 30 11:09:25 1995 From: jya at pipeline.com (John Young) Date: Sun, 31 Dec 1995 03:09:25 +0800 Subject: PLA_gue Germ Terrorism Message-ID: <199512301830.NAA05708@pipe4.nyc.pipeline.com> 12-30-95. To update the list of terrorist threats, the Wash Post reports on the purchase in May of bubonic plague germs by "white supremacist" Larry Wayne Harris, his bust by the FBI and germ teams, prosecutors amazement that possession of such deadly micro-organisms is not illegal, and the consequent plea bargain of wire fraud with probation. The article explains that possession of "terrorist" mites is not prohibited due to a legal loophole which allows scientific trade in wee supremacists. There are calls for outlawing the meat-eaters by closing the gap in the anti-terrorism bill before Congress. But scientists say how dare you spit in our nanodeath soup. It notes that offshore spread is Commerce regulated. BTW, why this story now about summer events? For the anti-terrorist bill, TLA-plague growth, any germ any? PLA_gue From gary at kampai.euronet.nl Sat Dec 30 11:18:16 1995 From: gary at kampai.euronet.nl (Gary Howland) Date: Sun, 31 Dec 1995 03:18:16 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: <199512301850.NAA17165@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Peter D. Junger wrote: > > One should also notice that Bavaria is only one state in the German > Federal Republic; this case is more like Texas investigating > Compuserve than the United States federal government investigating > Compuserve. Bavaria is the stronghold of what can properly be called > the (Catholic) Religious Right in Germany. It should also be noticed > that in general German publications and television seem to be less > constrained in publishing materials that in the United States would be > called ``indecent'' by some than are United States publications and > broadcasters. > In some areas they may be a tad more liberal, but in general they are not. They do indeed have laws preventing freedom of speech (especially with regard to right wing politics, the holocaust etc.) Somebody correct me if I'm wrong, but I believe that all German ISPs do not carry various political/controversial newsgroups such as alt.revisionism due to legal reasons. A more serious problem for those of us in EU countries is that the German government have influence on other EU states - only a week or two ago they tried to push through European wide legislation restricting freedom of speech. Gary - -- "If there be time to expose through discussion the falsehood and fallacies, to avert the evil by the processes of education, the remedy to be applied is more speech, not enforced silence." -- US Supreme Court Justive Louis Brandeis - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMOWKESoZzwIn1bdtAQEBQwGA1jg9rwAJgB/PlkzItUp4JOjScswcqxR5 hqSJK/rj2o6cNN7Z9OGVD8+9VMJi7BEp =XTJn -----END PGP SIGNATURE----- From goedel at cerebus.redweb.com Sat Dec 30 11:37:57 1995 From: goedel at cerebus.redweb.com (Dietrich J. Kappe) Date: Sun, 31 Dec 1995 03:37:57 +0800 Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: Message-ID: <199512301926.NAA29572@cerebus.redweb.com> > Munich prosecutor Manfred Wick confirmed Friday that Bavarian state ^^^^^^ ^^^^^^^^ >police investigators searched CompuServe's networks and computers last >month for child pornography, but he would not say what they found. > "We didn't threaten them with charges," Wick said. Its worth mentioning that the state of Bavaria (Bayern) is the most conservative and one of the most Catholic provinces in Germany. There was an article in Zeit a few months ago about a division of the police investigating on-line crime, although at the time it was more BBS and Video Text related. As a former resident of Bavaria, I am not one bit surprised at these scare tactics. -- Dietrich Kappe | Red Planet http://www.redweb.com Red Planet, LLC| "Chess Space" | "MS Access Products" | PGP Public Key 1-800-RED 0 WEB| /chess | /cobre | /goedel/key.txt Web Publishing | Key fingerprint: 8C2983E66AB723F9 A014A0417D268B84 From tfs at vampire.science.gmu.edu Sun Dec 31 03:58:09 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Sun, 31 Dec 95 03:58:09 PST Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: Message-ID: <9512311156.AA00347@vampire.science.gmu.edu> you said: |On Fri, 29 Dec 1995, Timothy C. May wrote: | |> Wow! I am watching the CEO of Compuserve being interviewed on CNBC, |>explaining how his company is "taking the high road by complying with the |>laws of Germany" in removing access to 200 Usenet groups. | |A blatant lie. | How this could ever be construed as "the high road" is beyond me. Censorship and fascism tend to go hand in hand, I suppose it should be no surprise to see this coming from de-dom. Can we just start calling them CompuCensor instead of Compuserve? Tim ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon tfs at epic.org (PGP key aval.) crypto is good Digital Encryption Systems Inc. I own my own words From jimbell at pacifier.com Sat Dec 30 12:27:34 1995 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Dec 1995 04:27:34 +0800 Subject: last straw Message-ID: At 07:34 AM 12/30/95 -0800, you wrote: >I've decided to cancel my CrampuNerve account and send the weasels a msg to >telling them why. I encourage everyone here to do the same with your CI$ >account (if you still have one). These [insert colorful expletive here]s >only understand one thing: cold ca$h. Thus, the only effective way to send >them an indication of one's displeasure at their poor precedent-setting is >to vote with one's wallet. > >Any who are still unfortunate enough to rely on CI$ for Internet/Usenet >access are getting reamed price-wise anyway, not to mention suffering poor >reliability and now access, so maybe a few of them could also take this >opportunity to migrate to an ISP with some real "backbone." I don't have a CSERVE account, and never have. But yesterday, I called a friend (who has such an account) I talk to every two weeks or so. The conversation went something like this: "Hi Greg." "Hi Jim." "I suggest that you get rid of your Comp..." (he cuts me off in mid-sentence, anticipating the entire subject of the call) "I'm doing that as we speak, Jim" "...because they just..." (I continued the thought, but he cut me off again) "That's EXACTLY why I'm doing it, Jim." (mutual laughter as we realize the irony of the situation.) Somehow, I think Compuserve is going to get the message. From cp at proust.suba.com Sat Dec 30 12:33:56 1995 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 31 Dec 1995 04:33:56 +0800 Subject: blind validation In-Reply-To: <199512300908.EAA07360@opine.cs.umass.edu> Message-ID: <199512302007.OAA00861@proust.suba.com> > I'm not convinced that your last point is true. It appears that the signed > Bobnet-access-number is still just a transferrable ticket. Charlie can > place an order with Bob, forward the Bobnet-access-number to Alice, wait for > Alice & Trent to do the blinding & signing tango, forward the signed Bobnet- > access-number to Bob, and get the goods from Bob. > > Charlie can't use the signed Bobnet-access-number to prove to Trent > that he's Alice. In fact, since it's unblinded, Charlie can't even prove > that he's linked to a particular validation performed by Trent. (If Alice > foolishly gave him the blinded version too, he could show that he shares > Alice's knowledge about this validation.) > I'm not convinced that your last point is true. It appears that the signed > Bobnet-access-number is still just a transferrable ticket. Charlie can > place an order with Bob, forward the Bobnet-access-number to Alice, wait for > Alice & Trent to do the blinding & signing tango, forward the signed Bobnet- > access-number to Bob, and get the goods from Bob. Yes and no. It is just a ticket, except that there are time constraints. If Alice doesn't respond in some reasonable time while the protocol is going on, Bob quits. (I didn't say that explicitly, my mistake.) Part of what I was trying to say, but didn't say well, is that Alice can *always* act as a proxy, ie., she can always get a file and give it to someone else. But Sam can't bust Bob if Alice gives the file away. He'll have to go after Alice. The whole point of the exercise is to convince Sam that Bob hasn't given away any files to minors or Europeans or whoever else Sam feels shouldn't have them. This puts a whole new spin on the situation, a different sort of attitude than we usually have when we're talking about crypto protocols. The entire ecash system has to have integrity. If someone figures out how to forge or double spend ecash, it doesn't do the bank any good to say, "We didn't do it, this person with an account did it." But we can't keep erotica out of the hands of minors, or home grown crypto out of the hands of Europeans. That means that from a certain point of the view, the system as a whole won't have integrity. But no system can have integrity, because Alice can always act as a proxy. The point is to set things up so that: 1. Alice can remain anonymous 2. Bob can keep Sam off his back 3. Sam has to admit that the system, imperfect as it is, is as good as other systems. (Alice can act as a proxy, but she could do that at a liquor store or a pornography shop also. If Alice had to give her ID, she could still give away the file.) The through the looking glass aspect of this is that from a practical standpoint, there's no real difference between Alice giving away her credentials and Alice acting as a proxy. But Sam foists the upon us the necessity of arguing what are almost semantic points. If Bob always gives the files to people Sam says are ok, then Bob won't go to jail. It is true that Alice could act as a beard for someone in the transaction, but in my opinion it's not unreasonable to claim that if she does she's acting as a proxy. The attacker still has to go to Alice and say, "give me this file", and Alice still has to agree and interact with Trent in the moment to make it work. Going back to the liquor store analogy, Alice can go into the liquor store with a kid, have the kid point to a bottle on the shelf, go to the register, and then buy it. But she can't give her ID away to the kid and let the kid go to the liquor store on his own. Either way the kid gets drunk, but if Alice can't give away her ID, Bob won't have to worry about losing his license. Alice, of course, has to watch out for Sam. > 3. is OK as long as Alice trusts Trent. The trick is selecting a Trent > trusted by both Alice and Sam ;) Very true. > > -Futplex > From dlv at bwalk.dm.com Sun Dec 31 05:40:15 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 95 05:40:15 PST Subject: anon.penet addresses in .sigs In-Reply-To: <199512311100.GAA18408@thor.cs.umass.edu> Message-ID: futplex at pseudonym.com (Futplex) writes: > The direct address is easier to use, especially for people whose mailers > don't allow them to add arbitrary email headers. Note that the ratio of I recall that anon.penet.fi can be used by those whose mailers don't allow them to add new headers -- the extra headers can be placed in at the top of the body and it'll recognize them. Likewise cypherpunk remailers let you add headers with ##. I've taught at least one extremely "non-technical" user to use the cypherpunks remailers successfully. > users of the various cypherpunk remailers to users of anon.penet is even > lower than the S/N ratio on this list in December. Like, negative????? :) > In certain parts of Usenet, many people routinely advertise addresses at > anon.penet (and similar services) in their .sigs (as Ed does) to make > pseudonymized replies as convenient as possible. This is not a new phenomenon My question was "why". I think I see the answer now. Thank you. Happy New Year! --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From Steve14571 at aol.com Sun Dec 31 06:15:34 1995 From: Steve14571 at aol.com (Steve14571 at aol.com) Date: Sun, 31 Dec 95 06:15:34 PST Subject: Massey, CEO of Compuserve, on Internet Message-ID: <951231091526_102864093@mail06.mail.aol.com> In a message dated 95-12-30 21:34:12 EST, accessnt at ozemail.com.au (Mark Neely) wrote: I assume that C$ is only filtering the newsfeed as it hits German shores? Please tell me they aren't denying access to these "banned" newsgroups for all users worldwide! This is exactly what they are doing, Mr. Neely. I am not familiar with CompuServe, as I have never used it. However, based on my understanding of how Usenet operates, it would be possible to write software and incorporate it into CompuServe software that would block German readers from the "obscene" newsgroups. CompuServe would rather score points with the mostly ignorant general public by saying that they are becoming more "family-oriented." I get my access through America Online, and I am afraid that these monolith online services (AOL, Delphi, Prodigy) will follow C$'s lead so they may also say they are "family-oriented." I will no longer send mail to addresses that end with "compuserve.com." If AOL decides to become family oriented, I will look for other ways to connect to the net. From fc at all.net Sat Dec 30 14:47:42 1995 From: fc at all.net (Fred Cohen) Date: Sun, 31 Dec 1995 06:47:42 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <199512301723.JAA00902@infinity.c2.org> Message-ID: <9512302200.AA14470@all.net> > The Subject says it all... I believe Fred suffers from a severely inflated > ego and suffers from the "false expert" syndrome detailed by various > self-help orgs... what say you fred?? People who call me a "false expert" are so afraid of damaging their own reputation by doing so that they have to do it anonymously. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From frissell at panix.com Sun Dec 31 06:49:51 1995 From: frissell at panix.com (Duncan Frissell) Date: Sun, 31 Dec 95 06:49:51 PST Subject: Compuserve *hasn't* banned newsgroups Message-ID: <2.2.32.19951231145010.008c9658@panix.com> So I'd heard that CompuServe had banned access to all those naughty newsgroups including my favorite alt.binaries.erotic.senior-citizens. Could this be true? I fired up my CompuServe Internet Dialer (the PPP software packaged with WinCim and logged on to the nets. Sure enough. The popular binaries groups were missing from news.compuserve.com. But not to be deterred... I grabbed a copy of the Free Agent newsreader: http://www2.interpath.net/forte/agent/freagent.htm ftp.forteinc.com/pub/free_agent/fagent10.zip I grabbed the latest list of open NNTP Servers from: http://dana.ucc.nau.edu/~jwa/open-sites.html I pointed my copy of Free Agent at CPCNET's open news server (198.70.185.5) and grabbed a list of groups sure enough, there were the seasoned citizens in all their glory. And I was checking out those binaries via CompuServe. Don't tell the Bavarians. DCF From jya at pipeline.com Sat Dec 30 14:49:55 1995 From: jya at pipeline.com (John Young) Date: Sun, 31 Dec 1995 06:49:55 +0800 Subject: 1OV_ert Net Tap 1 Message-ID: <199512301147.GAA20962@pipe4.nyc.pipeline.com> 12-30-95. NYP: Aided by the first court-approved Net wiretap, via Compuservile, three people have been jailed for an international plot to sell cel-tel cheaters. 1OV_ert From erc at dal1820.computek.net Sat Dec 30 14:58:29 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sun, 31 Dec 1995 06:58:29 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <9512302200.AA14470@all.net> Message-ID: <199512302211.QAA14605@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > > > The Subject says it all... I believe Fred suffers from a severely inflated > > ego and suffers from the "false expert" syndrome detailed by various > > self-help orgs... what say you fred?? > > People who call me a "false expert" are so afraid of damaging their own > reputation by doing so that they have to do it anonymously. OK, I'll do it. Fred, sometimes your pontifications make as little sense as you arrogantly signing "Dr. Fred Cohen" in your name field. - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOW5DCS9AwzY9LDxAQEF3QP/SjHSSva0F/aolc++yrQbL9Mk0V/Nnl60 mxUmDKJ2C8dH9D5EKwwPhgQ1kknp/90JGHztzjKJwG9jkPDixMa1vL3U4iRToy3v kQ9Ziwr5A/WwMS+6d0++54qMwMEgwVWdmbVJVzrB6VxSPqvVvlmw3t7keBnZGiRA 1dT7Rlq1HsY= =tm8l -----END PGP SIGNATURE----- From wb8foz at nrk.com Sun Dec 31 07:14:17 1995 From: wb8foz at nrk.com (David Lesher) Date: Sun, 31 Dec 95 07:14:17 PST Subject: Australian "calculatorcard" In-Reply-To: <01HZFQH4O0R695OXTW@MAIL-CLUSTER.PCY.MCI.NET> Message-ID: <199512311459.JAA00430@nrk.com> > sounds like the card i use for remote dialup to certain non-public > systems i use at work. it has a six digit number on the front that > changes every 60 seconds. Do these card systems use a window to handle clock-slip? I'd think you could have the server safely accept # N, N-60 sec, and N+60 seconds; and adjust the server's idea of your card's clock speed from that. What new risk would that create? -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From jya at pipeline.com Sun Dec 31 07:18:17 1995 From: jya at pipeline.com (John Young) Date: Sun, 31 Dec 95 07:18:17 PST Subject: SEY_use Message-ID: <199512311518.KAA19667@pipe4.nyc.pipeline.com> 12-31-95. WashP: Emulating US founding outlaws, the Seychelles government has enacted an investment law described by transatlantic neo-imperialists as a "Welcome, Criminals" act. The law offers anyone who invests $10 million or more in Seychelles -- no questions asked as to the source -- protection from extradition, from seizure of assets and to other "concessions and incentives commensurate with the investment." Neo-imps say this is "an open invitation to money launderers and other international criminals to set up shop with impunity." Under the statute the Seychelles government could grant diplomatic passports and other protections as a shield from thermonuclear pornography. SEY_use From cjs at netcom.com Sat Dec 30 15:37:48 1995 From: cjs at netcom.com (Christopher J. Shaulis) Date: Sun, 31 Dec 1995 07:37:48 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <9512302200.AA14470@all.net> Message-ID: <199512302133.QAA00352@localhost.cjs.net> > > The Subject says it all... I believe Fred suffers from a severely inflated > > ego and suffers from the "false expert" syndrome detailed by various > > self-help orgs... what say you fred?? > > People who call me a "false expert" are so afraid of damaging their own > reputation by doing so that they have to do it anonymously. Reguardless if it is said anonymously or not, the fact remains that you are a loon, and you couldn't get a clue if they gave them away in rice krispies boxes. As always, I encourage everyone reading this thread to not reply to it 'cuz it does nothing but encourage Freddy to post more jibberish. > > -> See: Info-Sec Heaven at URL http://all.net/ > Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From ryan at pobox.com Sat Dec 30 16:13:42 1995 From: ryan at pobox.com (Ryan Lackey) Date: Sun, 31 Dec 1995 08:13:42 +0800 Subject: Starting an e-cash bank Message-ID: <199512302305.SAA20998@netaxs.com> _Money_ is at the root of control of cyberspace. If states control the banks issuing the currency, states will control cyberspace. If the banks/issuers of coins are beyond the reach of statist governments, cyberspace will remain free. Crytpo of course will allow the banks to issue coins, but if they have to follow statist laws, crypto won't really help them all that much -- I don't know many bank execs willing to face down the US Government with nothing to back them up but ~unbreakable codes. What would it take to start an anonymous, private, secure, etc. etc. bank issuing e-cash, located in a country without taxes/etc.? I assume a tax haven like the Cayman Islands or a small third world country somewhere would have plenty of nice tax-shelter banks interested in such a venture. Of course, it would be quite illegal to transfer money to such a bank, but once it's there, wouldn't coins be perfectly legitimate currency? The bank could even make money by issuing coins for $US held in vaults, $US invested in different mutual-fund type things or other currencies, and perhaps even coins backed only by the bank's profits (sounds like stock). A cypherpunk? me?, Ryan From tcmay at got.net Sat Dec 30 16:32:13 1995 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Dec 1995 08:32:13 +0800 Subject: Compuserve is Not "Censoring": Look to Governments for the Cause Message-ID: At 11:17 AM 12/30/95, Ulf Moeller wrote: > From the comment by Niklaus Haubl�tzel: > >"Reality cannot be outlawed, only improved, and many still hope that >complete freedom of information and opinion in computer networks can >contribute to that. But the company of CompuServe does not seem to >be interested in that. They only want their customers' money, but >not their freedom. [...] Like any censorhip, this one comes with >hipocrisy. Towards their paying customers, CompuServe claims to have >been forced by German prosecutors. Thus one lie creates another. >That they were forced it out of the question. It is only in >dictatorships that the prosecutors judge the defendants - that is why >dictatorships need censors." Well said by this person! (Except for the point about Compuserve's "greed"...greed is good.) I am hopeful that Germany can move away from this censorious position (whether they prosecuted CS or not, there was clearly the threat of prosecution, and CS caved into it). As with the Cornell case, where students "volunteered" to perform "community service" and thus Cornell did not otherwise discipline them for their speech (the "75 Reasons" joke they sent to their friends), the mere possibility of punishment/sanction is usually sufficient. This is called "the chilling effect" in free speech discussions. Longterm, the solution still lies with moving toward smaller units directly accessing the Net, thus making threats harder to effectively mount. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed From steve at miranova.com Sat Dec 30 16:40:24 1995 From: steve at miranova.com (Steven L. Baur) Date: Sun, 31 Dec 1995 08:40:24 +0800 Subject: easy avoidance of PGP signature forgeries and reuse In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- [sample implementation for Gnus is included] >>>>> "Dimitri" == Dimitri Vulis writes: Dimitri> I propose a format below. See the PGP header block attached to this message as an example of this proposed format. atilla> with e-mail, e-letters, direct faxes, etc. it is to easy atilla> to ignore the courtesy header. From a standpoint of atilla> security, you have blown away each of the attacks outline atilla> in your article in so much as the signature will not atilla> compute if the courtesy block is omitted. Dimitri> I totally agree; that's why I propose copying that info Dimitri> in the signed portion "by default". atilla> personally, I do not think PGP 3 should attempt to solve atilla> the problem. Most of the headers involved are applied atilla> _after_ the message leaves the mail program; and, PGP atilla> interfaces are virtually the same as invoking an alternate atilla> editor, which gets you nothing. I agree. Besides, this whole thing can be done with the existing PGP. Date: and Message-ID: are two, and they need to be signed. Date: is a further problem with Gnus, since the format of the displayed date is user customizable, but that's a separate issue. ... Dimitri> The "signed headers" portion may contain the following Dimitri> optional fields: Dimitri> From: address -- the address associated with the key used Dimitri> to sign this message It's easier to deal with whatever is being used as the From: in the message. ... Dimitri> (Of course, the poster could lie and claim in the signed Dimitri> portion that the article is being posted to alt.sex.pedo Dimitri> when he himself posts it to misc.kids:) So you would also include the Message-ID:. Dimitri> If a standard like this catches on, and is integrated Dimitri> into PGP-aware news/e-mail programs, then it's a simple Dimitri> exercise to write a little script to look for BEGIN PGP Dimitri> SIGNED HEADERS and compare the information inside it with Dimitri> the RFC 822/1036 headers outside the signed portion of Dimitri> the message. It could be done within PGP too. This is basically a Good Idea, and can be implemented using existing tools. Here is some to code to implement it for Gnus. Verification of the headers is left (at present) as an exercise for the reader. ;;; Add this to your .gnus and call ;;; gnus-article-sign-message instead of mc-sign directly. ;;; Pgp signed messages are vulnerable to various kinds of badness due to ;;; the separation of header information. Fix it. (defconst gnus-pgp-included-headers '("From" "To" "Newsgroups" "Message-ID" "Date" "Subject" "Cc" "Gcc") "Headers to include in signed portion of PGP signed message.") (defconst gnus-pgp-signed-headers "----BEGIN PGP SIGNED HEADERS----\n" "String to use for separation in message.") (defun gnus-article-sign-message (arg) "Sign a message with PGP, including outgoing headers in an included block, as per the suggestion of \"Dr. Dimitri Vulis\" ." (interactive "p") (save-excursion (save-restriction (gnus-inews-narrow-to-headers) (goto-char (point-max)) (or (mail-fetch-field "date") (insert (concat "Date: " (gnus-inews-date) "\n"))) (or (mail-fetch-field "message-id") (insert (concat "Message-ID: " (gnus-inews-message-id) "\n"))))) (save-excursion (goto-char (point-max)) (insert "\n") ;; If there is already a header block (eg. after undoing a signature) ;; remove it entirely, and rebuild from scratch. (if (re-search-backward gnus-pgp-signed-headers nil t) (kill-region (point) (point-max))) (insert gnus-pgp-signed-headers) (let ((headers gnus-pgp-included-headers) header header-value) (while (setq header (car headers)) (setq headers (cdr headers)) (save-excursion (save-restriction (gnus-narrow-to-headers) (setq header-value (mail-fetch-field header)))) (if header-value (insert (concat header ": " header-value "\n")))) (insert "\n"))) (mc-sign arg)) - -- steve at miranova.com baur - ----BEGIN PGP SIGNED HEADERS---- To: cypherpunks at toad.com Message-ID: Date: 30 Dec 1995 15:34:22 -0800 Subject: Re: easy avoidance of PGP signature forgeries and reuse -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBMOXMhKLJZEUiepcNAQGjtgP/ZnC+TL4cbFL3RF+o8fwe2YFciqGkOWX9 VuPK4btnvfKF/wcdMTfJoUKbSutKcwRkbLe5fAqEV3qrXwM7PgfNMlXfcgNg44It UhfLAaFg6ke5ArWr9EZfyFcD93OrS9qVGU7emSenmsqpdJUE6jU0HmKAQkZzP1Ak AYQD7ow/tzI= =PTV7 -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Sat Dec 30 16:41:41 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 31 Dec 1995 08:41:41 +0800 Subject: new years resolutions for cypherpunks In-Reply-To: <199512302133.QAA00352@localhost.cjs.net> Message-ID: Another year, another flamewar :-) Anyone else prepared to sign something similar? Simon -----BEGIN PGP SIGNED MESSAGE----- In 1996 I resolve to 1) Avoid ad-hominem attacks even on complete idiots 2) Not post non-crypto libertarian or consipracy items to cypherpunks. 3) Contribute to, Implement and use open cryptographic standards rather than proprietary ones. 4) Have most of my regular internet hosts running IPSEC before 1997. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQB1AwUBMOXNiQkKftKguxLhAQEDsAL/ZoWeONP+R2pJrA9O9RuIu+Juljt04OIB pFYxH+DfktzDoX0dhfDkrP0TdjMiXnPI7Z5zkidF4O2oUJ0Myzv1F9VSgFXiyU7X BHUxnazXmhj7crbt86YIwchxqgLGVVNw =Bwyh -----END PGP SIGNATURE----- (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From frankw at in.net Sat Dec 30 16:43:09 1995 From: frankw at in.net (Frank Willoughby) Date: Sun, 31 Dec 1995 08:43:09 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: <9512302338.AA07501@su1.in.net> Peter D. Junger writes: 8< [snip] >One should also notice that Bavaria is only one state in the German >Federal Republic; this case is more like Texas investigating >Compuserve than the United States federal government investigating >Compuserve. Bavaria is the stronghold of what can properly be called >the (Catholic) Religious Right in Germany. It should also be noticed >that in general German publications and television seem to be less >constrained in publishing materials that in the United States would be >called ``indecent'' by some than are United States publications and >broadcasters. > Peter has made some rather astute and accurate observations. (I particularly liked his analogy of Bavaria & Texas. From my experience, I would say that Bavaria is the Texas of Germany.) While the Computserve incident in Germany may provoke outrage here & across the Internet, given the culture and other factors, the incident itself was rather inevitable (really). After having lived in Munich & Stuttgart, I'm just surprised it took so long to happen. (Then again, the wheels of bureaucracy do spin slowly). 8^) I'm not saying I agree with their actions, but I think I do understand the mentality behind the actions. I would venture to guess that the Bavarian State Police were trying to enforce the JugendSchutzGesetz (Protection of Minors Law). These laws are posted in every restaurant, bar, etc. As indicated by its title, the law basically serves to protect minors from the evils of the adult world. It spells out what ages a person has to be to drink beer, hard liquor, etc, and covers curfews and other similar topics which serve to protect the youth. The Compuserve censorship may be the result of an interpretation or enhancement of the JSG - in that because Compuserve really has no way of knowing the age of individuals who have access to pornographic materials, it is not capable of fully implementing the JSG. (Although how this differs from cable TV (which shows porno movies and can't controll who sees them is beyond me). Without commenting on the actions of the Bavarian State Police or Compuserve, I think that perhaps we are applying our standards to an incident in another culture - without viewing it in the context of that culture or country. (In other words, comparing apples and oranges.) FWIW, there are a few differences between the USA and Germany which are related to the Compuserve incident and which may help to understand why the police performed their actions. I am not saying I agree with their actions, only that I think I understand the mentality behind the actions. Anyway, here are a few differences: 1) Germans (and foreigners who live/work there) enjoy fewer freedoms than we do - including freedom of speech, press, assembly, movement, etc. 2) The legal system is different than in the USA. I'm not a lawyer, but my impressions were that the police had far more liberties with what they (legally) can do than do our counterparts here or in other countries. The OJ fiasco probably couldn't have happened in Germany (and he probably also wouldn't have gotten off). 3) There is no real separation of Church & State like we have here in the USA. As a result, the impact of the Catholic & Lutheran churches on the German legal system & government is significant. It has also led the the government subsidizing (ie - providing public funds to) the churches. FWIW, the German government (like every other government on the planet) is ill-equiped to handle something like the Internet and its impact on the social & legal systems of that country. FWIW, the above is my opinion based on having lived there for over 9 years. Best Regards, Frank >-- >Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH >Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu PS - The rest of this mail contains an elaboration of the points mentioned earlier. They were separated from the summarized info mentioned above for those who are short on time or have no interest in the long version. PPS - Four really neat things about Germany are the BDSG (Privacy Act), the mandatory (by law) 6-weeks paid vacation for all full-time employees, their sausages, and skiing. (Their sausages are really great. You might even say they're the best of the wurst. The skiing can be flakey on occasion, though.) 8^) 8^) 8^) PPPS - Have a Happy & Prosperous New Year! 8^) ----------------------------------------------------------------------------- The following is an elaboration of the above differences, based on my observations while I was there. I'm not taking a stand one way or another on these differences in this mail, just indicating what they are. 1) Germans (and foreigners who live/work there) enjoy fewer freedoms than we do. A few examples: - it is mandatory (ie - a law) that citizens & foreigners register their domicile address with the police. (When you move, you have to unregister with the police in your old city, & register with them in the new city). - it is not trivial to obtain a permit for a weapon (or obtain a hunting license). - it is against the law to monitor police & government frequencies - until 1984/85), the radio & TV media were a monopoly of the State (or government). Commercial (ie - non-government owned) radio & TV stations didn't exist until then. - the freedom of speech is more restricted than here. Use of the swastika symbol is prohibited by law. Groups attempting to deny the abuses of WW II or promoting the rhetoric of the Hitler regime are outlawed. - all demonstrations must be registered (and approved) by the police before they can ocur. - mandatory store closings (general). Most stores are open 'til 6pm on Monday, Tuesday, Wednesday, and Friday. They stay open late ('til 8:30pm) on Thursdays. Saturdays, the stores are open 'til 2pm unless it is the first Saturday of the month (& then 'til 5pm). - all TVs, radios have to be registered with the BundesPost (and you will be charged a fee). The BundesPost uses vans with have the ability to detect which apartments have TVs (as well as which channel the individual is watching). (I have seen the vans & have had a brief conversation with some of the BP employees who have used this equipment). 2) The legal system is different than in the USA. I'm not a lawyer, but my impressions were that the police had far more liberties with what they (legally) can do than do our counterparts here or in other countries. On the plus side, the police are very efficient (but having access to a nationwide databank about every person in the country helps to increase the efficiency in catching crooks). - One law in particular is the JugendSchutzGesetz (Protection of Minors Law). The JSG spells out exactly what ages a person has to be to drink beer, hard liquor, etc. (I believe it also covers curfews, movie ratings, etc.). The Compuserve censorship may be the result of an interpretation or enhancement of the JSG - in that because Compuserve really has no way of knowing the age of individuals who have access to pornographic materials, it is not capable of fully implementing the JSG. (Although how this differs from cable TV (which offers porno movies is beyond me). - One thing to be admired, though, is the German Information/Data Privacy Act (BundesDatenSchutzGesetz = BDSG). The BDSG is one of the most stringent privacy laws in the world. Actually, it is a shame that we don't have a law like the BDSG (with a few minor changes). (Our Privacy Act here in the USA is a joke). The abuses of privacy which result in the collection and distribution of personal data here in the USA is simply unbelievable. - I also had the impression that in the German court system, the burden of proof is on the accused, not the prosecution. This is somewhat analagous to the military courts here in the USA. 3) There is no separation of Church & State like we have here in the USA. - All persons who are subject to taxes are required to pay a Church Tax (Kirchensteuer) of 1% of their pay to support a few of the major churches in Germany (primarily, the Catholic, the Lutheran, and the Jewish religious institutions). The only exemption to this is for those who fill out an affadavit that they have formally left their church or those whose voluntary contributions to their church exceed 1%. BTW, the German tax laws also differentiate between members of the 3 churches mentioned above & others. - Major religious institutions are subsidized & receive financial support by the government (from the Kirchensteuer), as well as additional funding for the preservation & upkeep of historic religious buildings, etc. I remember seeing an investigative report on German TV which provided a list of which religious institutions received how much money and the reason why those funds were given to the churches by the government. I don't remember the acutual sums involved, but they were rather large (hundreds of millions of dollars or above, if my memory serves). - The Catholic & Lutheran churches in particular have enormous political clout (far more than they ever could here in the USA) and are a force to be reckoned with. Although from my observations, the Catholic church has more clout than the Lutheran. Their clout has a major impact on the political & legal sytems in Germany. An illustration of this is that one of the top two political parties in Germany is the CDU (Christian Democratic Union). - The ability of a church's missionaries to proselytize is heavily regulated/restricted - particularly if they are not one of the top three churches mentioned earlier. - In general, the top 3 churches mentioned above are given preferential treatment. Other denominations are generally ignored by the German government. In conclusion: None of the above statements are intended to be critical of Germans or of the German government, or anything/anyone else. These are merely my personal observations. ----------------------------------------------------------------------------- Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. From tcmay at got.net Sat Dec 30 16:48:25 1995 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Dec 1995 08:48:25 +0800 Subject: Guerilla Internet Service Providers Message-ID: At 6:18 PM 12/30/95, Lucky Green wrote: >At best, Cypherpunks can hope to provide the infrastructure that will allow >an underground to communicate semi-securely. We are unable to stop the >global tidal wave of fascism. Let's not waste our time on bemoaning the >freedoms crushed in its path. We have more important work to do. And support your local ISPs! (Or, even better, direct connection to the Net, though this is harder for most of us to arrange.) This CompuServe situation should be a great recruiting opportunity. Cypherpunks in various parts of the country (and outside the U.S.) can get active in local AOL, Prodigy, and Compuserve groups (and maybe even Netcom chat groups, as Netcom is large enough to be a ripe target for harassment by some zealous prosecutor or tort-crazed lawyer, as the Church of Scientology case showed). They can tell the folks about local alternatives. Having lots of small, decentralized providers makes censoring the Net all the harder. Guerilla Internet Service Providers. (I'm not disparaging Netcom. Tom Klemesrud not only fought the CoS, he has also spoken out against CompuServe's action. I just understand that the "deep pockets" effect means that any ISP large enough to register on the radar screens of the statists will be targetted for regulation and sanctioning. Better to have a thousand services, melting into the jungle when the heavy artillery arrives.) --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From an5877 at anon.penet.fi Sun Dec 31 09:10:48 1995 From: an5877 at anon.penet.fi (deadbeat) Date: Sun, 31 Dec 95 09:10:48 PST Subject: Fred Cohen, PhD Message-ID: <9512311704.AA03856@anon.penet.fi> -----BEGIN PGP SIGNED MESSAGE----- Regarding Fred Cohen, PhD: Cohen's haughty and bombastic style do nothing good for his reputation. I assume he advertises his PhD to highlight his early accomplishments; he has done little since. Let's also consider the granting institution, a second-rank school. Cohen's thesis broke new ground, but how many people have read it, or any of his writings, or know anything about his ideas beyond a single word? How far did he carry this work? Where are the conference and journal papers? Cohen's reputation faded into obscurity long ago. Now he is building a new reputation as a pig-headed loudmouth, threatening his "defamers." Shades of Sternlight. DEADBEAT -----BEGIN PGP SIGNATURE----- Version: 2.4 iQBFAgUBMOa9TPFZTpBW/B35AQFLQQGAmzB8o+g5k3mYmzMmk3JiDTBf+P8dSFZY 25IwVISjSV7o95vgbmNWAy/3zVY50AKn =SfU6 -----END PGP SIGNATURE----- --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From doc at intellinet.com Sat Dec 30 17:43:26 1995 From: doc at intellinet.com (Doc) Date: Sun, 31 Dec 1995 09:43:26 +0800 Subject: EMail Blockade for Compuserve? Message-ID: <199512310121.TAA02917@intellinet.com> I dont know if this is a good idea. I think CI$ shut off the newsgroups due to economic presure- from some German officials. Drop them or we ban CI$. Now, if CI$ were to shed excess customers in the rest of the world... they might just turn those newsgroups back on. So if folks turned on twit filters and deleted-before-reading mail from anyone at compuserve - and if folks, newsletters etc refused to SEND mail to accounts at ci$ ... well if enough ci$ customers were to LEAVE. This is not a proposal..some of my best friends are at compuserve. From dlv at bwalk.dm.com Sat Dec 30 17:59:12 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 09:59:12 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <199512302211.QAA14605@dal1820.computek.net> Message-ID: The following comment has zero crypto relevance and should not be construed as an attack on and/or a defense of any particular net.personality: "Ed Carp [khijol SysAdmin]" writes: > OK, I'll do it. Fred, sometimes your pontifications make as little sense > as you arrogantly signing "Dr. Fred Cohen" in your name field. Without commenting on the quality of anyone's contributions to this mailing list, let me remind you that Dr. Fred Cohen received his Ph.D. after writing a very innovative thesis on computer viruses, a classic in his field. He has every right to call himself "Dr." if he wants to. In my experience, people who get so hysterical when a Ph.D. calls himself or herself Dr. are invariably Ph.D. dropouts who wasted many years of their lives trying and failing to attain a Ph.D. and are bitterly envious of those who have succeeded. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From erc at dal1820.computek.net Sat Dec 30 18:17:48 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sun, 31 Dec 1995 10:17:48 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: Message-ID: <199512310155.TAA12831@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > > The following comment has zero crypto relevance and should not be construed > as an attack on and/or a defense of any particular net.personality: > > "Ed Carp [khijol SysAdmin]" writes: > > OK, I'll do it. Fred, sometimes your pontifications make as little sense > > as you arrogantly signing "Dr. Fred Cohen" in your name field. > > Without commenting on the quality of anyone's contributions to this mailing > list, let me remind you that Dr. Fred Cohen received his Ph.D. after writing a > very innovative thesis on computer viruses, a classic in his field. He has > every right to call himself "Dr." if he wants to. > > In my experience, people who get so hysterical when a Ph.D. calls himself or > herself Dr. are invariably Ph.D. dropouts who wasted many years of their lives > trying and failing to attain a Ph.D. and are bitterly envious of those who have > succeeded. Not at all -- but it's been *my* experience that people who rely on titles and degrees and such have very little else to recommend them. I am as unenvious of Mr. Cohen as I am of Bruce Schneier - and Bruce has a lot more of my respect. Just because someone writes a "very innovative thesis" on viruses doesn't mean they know diddly about anything else, especially cryptography. Where is Fred's paper? I've got Bruce's book on my shelf that I can read for myself and *that's* a classic in the field. When "I can read Fred's paper for myself, then I can judge the merits of his degree. Until then, I consider him no different than any other PhD whose gotten themselves a degree and become convinced that the doctorate entitles them to pontificate upon any and every subject under the sun as though they knew absolutely everything about any subject that happens to catch their fancy. Just remember - PhD means 'piled higher and deeper'. - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOXtjyS9AwzY9LDxAQFoZQQAiBsi6i3tGeY1oJ4bL4UJthdmsW77ZybC BPpdGBvGc8IyJo9V2uMCW5nU/4LJeX08IAKWS1pt4xTPrz4HlLEJXgAWVnPErTqj V9MXmI1QY79cmtd2MvJUoUNtq7O4fbD4Hg/ZRRdY3YNZvrlXlRRdbU6m01xSAxOR 4ApMv7cboz4= =DjDf -----END PGP SIGNATURE----- From accessnt at ozemail.com.au Sat Dec 30 18:44:51 1995 From: accessnt at ozemail.com.au (Mark Neely) Date: Sun, 31 Dec 1995 10:44:51 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: <199512310220.NAA16258@oznet02.ozemail.com.au> >Wow! I am watching the CEO of Compuserve being interviewed on CNBC, >explaining how his company is "taking the high road by complying with the >laws of Germany" in removing access to 200 Usenet groups. >Timothy C. May I assume that C$ is only filtering the newsfeed as it hits German shores? Please tell me they aren't denying access to these "banned" newsgroups for all users worldwide! Mark ___ Mark Neely - accessnt at ozemail.com.au Lawyer, Professional Cynic Author: Australian Beginner's Guide to the Internet Work-in-Progress: Australian Business Guide to the Internet WWW: http://www.ozemail.com.au/~accessnt From shamrock at netcom.com Sat Dec 30 19:07:32 1995 From: shamrock at netcom.com (Lucky Green) Date: Sun, 31 Dec 1995 11:07:32 +0800 Subject: Massey, CEO of Compuserve, on Internet Message-ID: At 13:20 12/31/95, Mark Neely wrote: >I assume that C$ is only filtering the newsfeed as it hits German shores? >Please tell me >they aren't denying access to these "banned" newsgroups for all users >worldwide! I am afraid they are. -- Lucky Green PGP encrypted mail preferred. From herbs at connobj.com Sat Dec 30 19:24:24 1995 From: herbs at connobj.com (Herb Sutter) Date: Sun, 31 Dec 1995 11:24:24 +0800 Subject: Is Dr Fred Cohen a Loon??? Message-ID: <2.2.32.19951231025816.0074caa0@mail.interlog.com> At 19:55 12.30.1995 -0600, Ed Carp [khijol SysAdmin] wrote: >I am as unenvious of Mr. Cohen as I am of Bruce Schneier - and Bruce has a >lot more of my respect. Just because someone writes a "very innovative >thesis" on viruses doesn't mean they know diddly about anything else, >especially cryptography. Where is Fred's paper? I've got Bruce's book on >my shelf that I can read for myself and *that's* a classic in the field. In that case, look at the last two pages in "Applied Crypto - 2nd ed", where Wiley puts ads for related books. You'll find: - "E-Mail Security", also by Bruce Schneier - "Protection and Security on the Information Superhighway", by Frederick B. Cohen - "Digital Money", by Daniel Lynch and Leslie Lundquist I am neither attacking nor defending Fred Cohen; I don't know him from Adam, and haven't read his messages or his book. But since you asked for where you can find Cohen's published work, there's one answer (assuming it's the same Fred Cohen). Herb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Herb Sutter (herbs at connobj.com) Connected Object Solutions 2228 Urwin - Suite 102 voice 416-618-0184 http://www.connobj.com/ Oakville ON Canada L6L 2T2 fax 905-847-6019 From nobody at flame.alias.net Sat Dec 30 19:30:33 1995 From: nobody at flame.alias.net (Anonymous) Date: Sun, 31 Dec 1995 11:30:33 +0800 Subject: Trolling for L00ns was Re: is Freddy Boy a Loon Message-ID: <199512310305.EAA03110@utopia.hacktic.nl> Ah... the targets bit perfectly... You see fred my boy being zapped by a nym wouldnt hurt SO bad unless on some level you believed the anon posters assertions about your behaviours were TRUE... you reacted exactly as predicted, as have David Sternlight, L Detweiler and a host of others... I normally lurk except when I get a chance to send anon barbs to puncture an EGO as inflated as yours.. anon p.s. You are next vlad... From jonnyx at edge.edge.net Sat Dec 30 20:23:34 1995 From: jonnyx at edge.edge.net (jonnyx) Date: Sun, 31 Dec 1995 12:23:34 +0800 Subject: (NOISE) Re: PLA_gue Germ Terrorism In-Reply-To: <199512301830.NAA05708@pipe4.nyc.pipeline.com> Message-ID: <199512310354.VAA02877@edge.edge.net> In a recent message, John Young babbled: > 12-30-95. To update the list of terrorist threats, the Wash > Post reports on the purchase in May of bubonic plague germs > by "white supremacist" Larry Wayne Harris, his bust by the > FBI and germ teams, prosecutors amazement that possession > of such deadly micro-organisms is not illegal, and the > consequent plea bargain of wire fraud with probation. < snip > Think that's fun? How 'bout this: given that the initial "mapping" phase of the human genome project is nearly complete, and the huge amount of genetic information available on the net, PLUS ever- more-powerful-yet-less-costly computers anyone can purchase, just how long do y'all think it'll be before some nut whips up a bug that targets, say, people with negroid genetic characteristics? Or epicanthic folds? Or blonde hair? Seem kinda far-fetched? The November NUTS & VOLTS has a nifty six page article on garage genetic experimentation (how to convert that old aquarium into an incubator, culturing techniques, etc.). They even list souces for equipment AND GERMS. Yes folks, you can order your very own "E-Z Gene Splicer DNA Recombination and Transformation Kit" from the good folks at Images Company, POBox 140742, Staten Island NY 10314, (718) 698-8305, $49.95 each, not recommended for children under 6 (too many parents complaining about mutated family cats). Quote from the article: "A word of caution is in order before we start. Although the materials in the kit are safe, it is important for you to follow simple procedures to keep the experiment controlled and nonthreatening." No shit. E-coli bacteria (what the kit uses) aren't pathogens, but still... I guess every budding young white supremist/right-wing religious nut/genocidal maniac has to start somewhere. Pleasant dreams. -- || ______ || comments, criticisms, and/or death-threats may be sent to: || || \__ /\ || jonny anonymous, c/o jonnyx at edge.net || || __/ / \ || or snail-mail pobox 23001, nashvegas tn 37202-3001, usa || || \__/_/\_\ ||______"DRIVING DRUNK ON THE INFORMATION SUPERHIGHWAY!"______|| ps - Hey! I violated the new copyright laws with my quote AND I wrote a dirty word that 10 year olds might read! Cool! Wonder how else this message can get me in trouble? From harveyrj at vt.edu Sat Dec 30 20:33:34 1995 From: harveyrj at vt.edu (R. J. Harvey) Date: Sun, 31 Dec 1995 12:33:34 +0800 Subject: Is Dr Fred Cohen a Loon??? Message-ID: <199512310359.WAA23216@quackerjack.cc.vt.edu> At 08:15 PM 12/30/95 EST, you wrote: > >In my experience, people who get so hysterical when a Ph.D. calls himself or >herself Dr. are invariably Ph.D. dropouts who wasted many years of their lives >trying and failing to attain a Ph.D. and are bitterly envious of those who have >succeeded. > Well, my experience is exactly the opposite: the ones who have to brandish the "Ph.D." label are the ones who were the least secure in their abilities, and the ones who seem least deserving of having ever graduated. Often the same folks who feel compelled to put "Dr." in their 'from' lines. This is from one of the numerous people on this list who have Ph.D.s and who don't wear them on their sleeves (and who only "wasted" 3 years of his life in getting one)... rj From cjs at netcom.com Sat Dec 30 20:35:29 1995 From: cjs at netcom.com (Christopher J. Shaulis) Date: Sun, 31 Dec 1995 12:35:29 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <2.2.32.19951231025816.0074caa0@mail.interlog.com> Message-ID: <199512310246.VAA00949@localhost.cjs.net> > I am neither attacking nor defending Fred Cohen; I don't know him from Adam, > and haven't read his messages or his book. But since you asked for where ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You should. They're hysterical. The man hasn't a clue to his name. > you can find Cohen's published work, there's one answer (assuming it's the > same Fred Cohen). Christopher From Alan.Pugh at internetMCI.COM Sat Dec 30 21:40:40 1995 From: Alan.Pugh at internetMCI.COM (amp) Date: Sun, 31 Dec 1995 13:40:40 +0800 Subject: Australian "calculatorcard" Message-ID: <01HZFQH4O0R695OXTW@MAIL-CLUSTER.PCY.MCI.NET> -- [ From: amp * EMC.Ver #2.3 ] -- -----BEGIN PGP SIGNED MESSAGE----- From: Cees de Groot \ Internet: (cg at bofh.toad.com) To: cypherpunks \ Internet: (cypherpunks at toad.com) Subject: Australian "calculatorcard" Hi everybody, CG> Yesterday, on UK Discovery, there was an item in the programme CG> Beyond 2000 about an Australian card which implements a CG> challenge-response protocol and can be used for banking, etcetera. CG> Basically, you give your card number (over the phone), get a CG> challenge number, enter your pin and the challenge, and then give the CG> response. All in CC format... sounds like the card i use for remote dialup to certain non-public systems i use at work. it has a six digit number on the front that changes every 60 seconds. the card is registered to me. when i enter my username/password i'm prompted for the number. it's Pretty Good (tm) security, but like anything not biometric, it is vulnerable to black-bag attacks. physical possession being all that is required. if you know the algorithm and the serial number of the card and the time, even that isn't necessary. CG> Can anybody provide me with pointers to more in-depth information CG> about this device and the algorithm(s) behind it ? i don't know if there are any net sources for them, but i'd be suprised if not. my card references "security dynamics" of cambridge massachusetts. amp <0003701548 at mcimail.com> (since 10/31/88) PGP Key = 57957C9D PGP FP = FA 02 84 7D 82 57 78 E4 E2 1C 7B 88 62 A6 F9 F7 December 30, 1995 23:29 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMOYRtIdTfgZXlXydAQGengf9EH07ubUAH43THj3l+6kWUjnXDYfe2DFj CvpEKlFoDkxwllDcIX0KfWK+ENr3YzyQp/yuWU+ZAw/ogci3y5r4IF+oJ4ItrVD6 pZ4AzF5NvXb2KWcnSaQoVsfo3yIt0bfRknuQjGyirntNhLpTkObVygbUmSSNeT8S hrpGB85IkEoy/km3pntCMfrfA0BrED3GCnNLxVYupY7jM7AxbD+mjHvS8to63bPv 68xjB93b+78ld/O0FPsOP7GQMbUZyTJMiLoNwiMhbgEi8Y4dFTlZ6mF6NMHsDxDy p/ocbp2dOj0Vy/BFbfbBqCgdjY3FoExRRHpgav8b0Xd4qNydkFDelg== =MSp2 -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Sat Dec 30 21:54:18 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 13:54:18 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <199512310155.TAA12831@dal1820.computek.net> Message-ID: <8iiygD48w165w@bwalk.dm.com> "Ed Carp [khijol SysAdmin]" writes: [yet another very long flame directed at Dr. Fred Cohen] > Just remember - PhD means 'piled higher and deeper'. > - -- > Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com > 214/993-3935 voicemail/digital pager > 800/558-3408 SkyPager > Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi ^^^^^^^^^^^^^^^^^^^^^ I wonder why you put your anon.penet.fi address in your signature. There may be a perfectly reasonable explanation that I didn't think of :) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From zinc at zifi.genetics.utah.edu Sat Dec 30 22:38:48 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Sun, 31 Dec 1995 14:38:48 +0800 Subject: (NOISE) Re: PLA_gue Germ Terrorism In-Reply-To: <199512310354.VAA02877@edge.edge.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 30 Dec 1995, jonnyx wrote: > Date: Sat, 30 Dec 1995 21:54:15 -0600 (CST) > From: jonnyx > To: cypherpunks at toad.com > Subject: (NOISE) Re: PLA_gue Germ Terrorism > > In a recent message, John Young babbled: > < GIANT snip > am i troll-bait or what? > Think that's fun? How 'bout this: given that the initial "mapping" > phase of the human genome project is nearly complete, and the huge > amount of genetic information available on the net, PLUS ever- > more-powerful-yet-less-costly computers anyone can purchase, just > how long do y'all think it'll be before some nut whips up a bug > that targets, say, people with negroid genetic characteristics? > Or epicanthic folds? Or blonde hair? this is so much shit. targetting anything is very difficult. just ask all those people about the wonders of gene therapy. hell, even the economist had an article about it's failures recently (Dec 16-22 1995, p77). in any event the so-called 'differences' you are imagining are phenotypes. these are a long cry from DNA. i'm not aware of any genetic markers available to distinguish a black man from a white man. and, even if there were, recombination requires long stretches of homology between DNAs, not small differences. i'd bet it's nearly impossible to target black vs white vs yellow vs a gorilla. > Seem kinda far-fetched? The November NUTS & VOLTS has a nifty yes. - -pjf patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp at zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOYZtk3Qo/lG0AH5AQFFlAQAq/F+kLRXqyQZm9pIWMaXw8UWu3f4KERb CKTBDCQqFiskwu1KOusB9vz3TwTAB2n7qzOBoTA69iPWXoAFW9yzHlEDTnKFmZbz DTr9VNoNYkG8jlTA1Z5sBkjzPUAEFg7Gc2X2qrahE8hOWVEKdS220bhF1TEXdevD f2Zj5hD88bI= =BMiz -----END PGP SIGNATURE----- From daw at boston.CS.Berkeley.EDU Sat Dec 30 22:45:36 1995 From: daw at boston.CS.Berkeley.EDU (David A Wagner) Date: Sun, 31 Dec 1995 14:45:36 +0800 Subject: [ecash] Re: Multi-issuer questions Message-ID: <199512310504.AAA18856@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- I have to admit I don't know the ecash concepts well enough to respond very intelligently to everything you talked about, though I'd like to address one of your comments on inter-bank clearing. I wanted to bring up one misconception: you mention that the main worth of ecash is measured by whether merchants will accept it as payment, and that whether a bank will accept it as a deposit is just a secondary issue. From this you conclude that so long as a merchant can validate ecash (via online clearing, to detect double-spending), it doesn't really matter whether that merchant's bank will accept the ecash -- just that other merchants will accept the ecash. This is brought up in the context of "what if Bank B didn't accept [deposits of] ecash from Bank A?". I claim that this is at best misleading, because with Digicash's ecash, when a merchant receives ecash as payment, the ecash is "made out" to that particular merchant, and is non-transferable-- i.e. can't be used as payment to another merchant. When you've been payed Digicash ecash, about the only interesting thing you can do is deposit it with your bank. [ For simplicity, I'm ignoring wildcards in the "pay to" field; but wildcards are insecure on their own. Digicash hasn't really attempted to support wildcards or transferable ecash in general, as far as I can tell. Correct me if I'm wrong. ] - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMOYZwCoZzwIn1bdtAQFvaQGA1f4oy6Z2TF9810fIUEqkktpQN01FPUCb ER/q3WI/kuyjQCBJh/laA0QsU2q8jnP4 =8Mib -----END PGP SIGNATURE----- From erc at dal1820.computek.net Sat Dec 30 22:52:33 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sun, 31 Dec 1995 14:52:33 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <8iiygD48w165w@bwalk.dm.com> Message-ID: <199512310509.XAA24032@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > "Ed Carp [khijol SysAdmin]" writes: > [yet another very long flame directed at Dr. Fred Cohen] Well, it wasn't directed specifically at Fred... > > Just remember - PhD means 'piled higher and deeper'. > > Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi > I wonder why you put your anon.penet.fi address in your signature. > There may be a perfectly reasonable explanation that I didn't think of :) Well, yes, there is. :) It's so that folks may correspond with me anonymously if they wish to do so. Some people don't want me knowing who they are.... - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOYbDyS9AwzY9LDxAQFMLAP/Z1Y6XkSBpX+EA/ooiOU5hfn4Sx0+pWH+ pe4SHGhS7B9iSqX55/3YNq16ZXeA/mBzqF0d9XiWUZa/Qs8u5MaFqID1BbHM65Bk DrhGcP5YDSDLykY1z7mzLw9ItHM35UUDvygk0M3CNcerEZZd5C29kfg3SkwgOh55 aFNE8vMbsbU= =LTOA -----END PGP SIGNATURE----- From jburrell at crl.com Sat Dec 30 23:02:31 1995 From: jburrell at crl.com (Jason Burrell) Date: Sun, 31 Dec 1995 15:02:31 +0800 Subject: Massey, CEO of Compuserve, on Internet In-Reply-To: <199512310220.NAA16258@oznet02.ozemail.com.au> Message-ID: On Sun, 31 Dec 1995, Mark Neely wrote: > I assume that C$ is only filtering the newsfeed as it hits German shores? > Please tell me > they aren't denying access to these "banned" newsgroups for all users worldwide! > > Mark Unfortunately, that's exactly what they're doing. Check out comp.org.eff.talk for more a discussion of it. From blancw at accessone.com Sat Dec 30 23:13:31 1995 From: blancw at accessone.com (blanc) Date: Sun, 31 Dec 1995 15:13:31 +0800 Subject: last straw (or Possible Developments re Censorship) Message-ID: <01BAD6FD.B8FBF560@blancw.accessone.com> From: Dr. Dimitri Vulis And now comes the *point*: There's much information on CompuServe that cannot be accessed from the outside. One example is the very informative National Computer Security Association's forum. ...[etc.] ................................................................................................... Aside from the obvious implications to liberty, of the backing down from standing up (!) to the demand for self-censorship, I was thinking about other possible developments: Since, as 'Dr. Dimitri' mentions, CompuServe offers some info which is not available from other sources - and this info is often quite useful/valuable to business enterprises, such that they and other individuals would not be too keen on abandoning these immediately just for the principle of the thing - it could develop that those who are willing and can afford it, will end up "supporting", or getting services from, different providers based on the particular services which they offer. This could represent a partial solution (in my mind, at least, not being inclined toward blanket censorship of all things discomfitting to my sensibilities) to the matter of there being free-radical electrons "out there" existing in the form & shape of various degrees of sexual permutations: . Those concerned that their children may innocently surf over to alt.binaries.naughty.nude.x-rated.pictures and see alarming truths about adult behavior, and don't want to purchase the available filtering software, could subscribe to CompuServe and rest assured that their children would only have access to safe, industrial-strength info on that account. . Those wishing want to discuss their sexually-related personal problems, or who are pleased to just look at/talk about sex et al, could continue do so through their subscription to the adult bbs-es or local ISPs providing uncensored access to all newsgroups. It could develop that large companies providing internet access will seek to distinguish/identify themselves (as they are tending to do already) between the pablum-feeding family-types like AOL, or corporate/business-types like CompuServe, or free-for alls like local ISPs. Such developments of course would depend on a tolerance for the existence of those un-specialized carriers which aren't adverse to transmitting controversial, "sensitive" content. These divisions among services might still not be acceptable to States and Nations & other 'busybodies', but the resistance to such developments would only serve to more explicitly define the problem; it could make prominent the real issue of people's attitudes, fears, and expectations concerning sex & human nature, and of the obstacles in the way of achieving personal responsibility regarding these (among other things). .. Blanc From dlv at bwalk.dm.com Sat Dec 30 23:23:21 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Dec 1995 15:23:21 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: <199512310509.XAA24032@dal1820.computek.net> Message-ID: "Ed Carp [khijol SysAdmin]" writes: > > I wonder why you put your anon.penet.fi address in your signature. > > There may be a perfectly reasonable explanation that I didn't think of :) > > Well, yes, there is. :) It's so that folks may correspond with me > anonymously if they wish to do so. Some people don't want me knowing who > they are.... This is fascinating! Could you please explain (for the benefit of clueless Ph.D.'s like myself) how putting your anon id in your signature enables folks to send you anonymous e-mail, who couldn't do that before by e-mailing anon at anon.penet.fi and adding: X-Anon-To: erc at dal1820.computek.net (E-mailing erc%dal1820.computek.net at anon.penet.fi might work too.) I do see how it stops you from being anonymous when you post via that particular anon.penet.fi address, but that's a different issue. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From erc at dal1820.computek.net Sat Dec 30 23:33:17 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Sun, 31 Dec 1995 15:33:17 +0800 Subject: Compuserve and copyrights Message-ID: <199512310542.XAA25896@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- I have sent Compuserve a notice that all posts originating from this site are copyrighted and barred from being stored on a site that does not allow reciprocal access. I would urge that other sites consider sending a similar notice to Compuserve. - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOYi1SS9AwzY9LDxAQFdagP/VMdunjZ1LLY7nUVgxUgFEoHDdcyPwWLl oPTQ/jDdcsIfolBQlNp+IzKJyubutW7oUv0qmsInAlXBUDPGvTmgyhPVczud7U79 JQh/ssxCiWZbTHwwwpJyg8Iw+jjAvrNTe4sWh/NOCM/Y3+knIckEm8k5DXA3BTCV 0+fkcV6sf+o= =dQU8 -----END PGP SIGNATURE----- From jcorgan at aeinet.com Sun Dec 31 00:09:35 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Sun, 31 Dec 1995 16:09:35 +0800 Subject: Australian "calculatorcard" Message-ID: <199512310627.WAA11299@scruz.net> >sounds like the card i use for remote dialup to certain non-public >systems i use at work. it has a six digit number on the front that >changes every 60 seconds. the card is registered to me. when i enter >my username/password i'm prompted for the number. it's Pretty Good >(tm) security, but like anything not biometric, it is vulnerable to >black-bag attacks. physical possession being all that is required. if >you know the algorithm and the serial number of the card and the >time, even that isn't necessary. > > >CG> Can anybody provide me with pointers to more in-depth information >CG> about this device and the algorithm(s) behind it ? > >i don't know if there are any net sources for them, but i'd be >suprised if not. my card references "security dynamics" of cambridge >massachusetts. You are referring to the ACE/SecurID token card from Security Dynamics. In addition to the displayed number, you should be prepending it with a memorized PIN; this prevents operation in case of theft. The server end will disable the card after x failed attemps, etc. Otherwise it is basically a one-time password system. I've had a business relationship with these folks for a year or so now-- sharp guys. From cjs at netcom.com Sun Dec 31 00:15:55 1995 From: cjs at netcom.com (Christopher J. Shaulis) Date: Sun, 31 Dec 1995 16:15:55 +0800 Subject: Is Dr Fred Cohen a Loon??? In-Reply-To: Message-ID: <199512310524.AAA01241@localhost.cjs.net> > "Ed Carp [khijol SysAdmin]" writes: > > > I wonder why you put your anon.penet.fi address in your signature. > > > There may be a perfectly reasonable explanation that I didn't think of :) > > > > Well, yes, there is. :) It's so that folks may correspond with me > > anonymously if they wish to do so. Some people don't want me knowing who > > they are.... > > This is fascinating! Could you please explain (for the benefit of > clueless Ph.D.'s like myself) how putting your anon id in your > signature enables folks to send you anonymous e-mail, who couldn't > do that before by e-mailing anon at anon.penet.fi and adding: > X-Anon-To: erc at dal1820.computek.net > I do see how it stops you from > being anonymous when you post via that particular anon.penet.fi > address, but that's a different issue. Gee.. you would think a high and mighty Ph.D like yourself could do a little better then petty-bickering. Christopher From ravage at ssz.com Sun Dec 31 00:20:49 1995 From: ravage at ssz.com (Jim Choate) Date: Sun, 31 Dec 1995 16:20:49 +0800 Subject: (NOISE) Re: PLA_gue Germ Terrorism In-Reply-To: <199512310354.VAA02877@edge.edge.net> Message-ID: <199512310701.BAA01450@einstein.ssz.com> > Think that's fun? How 'bout this: given that the initial "mapping" > phase of the human genome project is nearly complete, and the huge > amount of genetic information available on the net, PLUS ever- > more-powerful-yet-less-costly computers anyone can purchase, just > how long do y'all think it'll be before some nut whips up a bug > that targets, say, people with negroid genetic characteristics? > Or epicanthic folds? Or blonde hair? > Malarky. > Seem kinda far-fetched? The November NUTS & VOLTS has a nifty > six page article on garage genetic experimentation (how to convert > that old aquarium into an incubator, culturing techniques, etc.). > They even list souces for equipment AND GERMS. Yes folks, you can > order your very own "E-Z Gene Splicer DNA Recombination and > Transformation Kit" from the good folks at Images Company, POBox > 140742, Staten Island NY 10314, (718) 698-8305, $49.95 each, > not recommended for children under 6 (too many parents complaining > about mutated family cats). > While it is quite possible to obtain equipment and supplies from any reputable science supply center (I like Brodehead-Garrett & Cenco myself) it is not cheap. The type of equipment that can be made out of aquaria and such is very low-level and poses little threat *provided* isolation proceedures are taken. The types of 'genetic' experiments that can be done at this level are quite simple and generaly explore characteristics that are based on the crossing models of Mendelson. Most of the threat of this type of experiments are from simple infections since viruses are not easily raised with this form of equipment. One of my favorite 'technology rulers' is when the first strain of commen yeast is released which produces THC or LSD. Both of these chemicals are relatively simple to produce at a cellular level and Marijuana was completely mapped just a couple of years ago. Yeast has been mapped for several years and there is a whole technology of protocols based around using it (or E. Coli) for laboratory experiments into secondary and tertiary production systems in cells. The reason that I use Marijuana or LSD as a test is that neither are the result of direct protein synthesis. They are rather produced as a result of cellular metabolism of primary componants. Both of these require garage level control and access to only the most basic tools and sequencers. To do this successfuly will require somebody to take the necessary genomes out of the choromosomes and then using a virus and suitable cutting agents insert them in the yeast. I do not believe we will see this in the near term using the micro-manipulater systems which do direct injection of genetic material because of the cost and utility requirements of such equipment. > Quote from the article: "A word of caution is in order before we > start. Although the materials in the kit are safe, it is important > for you to follow simple procedures to keep the experiment controlled > and nonthreatening." No shit. E-coli bacteria (what the kit uses) > aren't pathogens, but still... I guess every budding young white > supremist/right-wing religious nut/genocidal maniac has to start > somewhere. > E. Coli can be quite toxic. The people who died last year because of the bad burger at the Jack In The Box died from E. Coli. There are hundreds of strains of Esherichi Coli and not all of them are benign. There is also a long history of this type of experimentation, it is not new. Scientific American put out a book in the late 50's and early 60's that had a whole slew of 'Amateur Scientist' articles compiled and several of them related to this technology. From proff at suburbia.net Sun Dec 31 00:44:18 1995 From: proff at suburbia.net (Julian Assange) Date: Sun, 31 Dec 1995 16:44:18 +0800 Subject: (fwd) Benchmarks - revs 1.3.50 & 51 Message-ID: <199512310736.SAA06119@suburbia.net> Path: news.apana.org.au!goliath.apana.org.au!sysx.apana.org.au!sleeper.apana.org.au!greathan.apana.org.au!news-mail-gateway From: fluido at marktest.pt (Carlo Emilio Prelz) Newsgroups: apana.lists.os.linux.kernel Subject: Benchmarks - revs 1.3.50 & 51 Date: Thu, 28 Dec 1995 08:05:17 +0100 (MET) Organization: Mail-to-News Gateway Lines: 158 Sender: daemon at greathan.apana.org.au Approved: usenet at greathan.apana.org.au Distribution: apana Message-ID: NNTP-Posting-Host: greathan.apana.org.au Hi. Here follow the benchmark comparisons w.r.t. revisions 50 & 51. I decided to wait before posting rev 50 before because the file read & write results again bounced up with it, and I spent some (very little) time trying to see if I could have done anything to cause that. With no results, as usual. Now I also have results for the "greased weasel", and I decided to send out my numbers for what they're worth. Not much has changed with the latest release... I repeat my query: if anybody has suggestions about these huge jumps in disk performance, please let me know. I am ALWAYS running the benchmark test after a reboot. I login as root, start the process in background and log out, and then generally go to sleep. The machine is NOT online, and is not doing anything important at night. I have not changed anything in the kernel config in the latest 3 revisions. I have a plain old ISA disk controller, and two generally fullish disks, but again, the situation did not change notably between 1.3.49 and 1.3.50. And, I now have to admit that I find it faster, for example, to load a huge C file into emacs, and have it do the syntax coloring. I noticed it this morning. No problems in patching & compiling. --8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<-- From: * Linux pimpinel.fluido.org 1.3.49 #77 Fri Dec 22 21:05:57 MET 1995 i486 * Fri Dec 22 21:41:03 MET 1995 To: * Linux pimpinel.fluido.org 1.3.50 #78 Mon Dec 25 11:18:00 MET 1995 i486 * Mon Dec 25 12:11:11 MET 1995 ******* Results ******* File Write (30 seconds) || 1000.0 -> 9460.0 +846.00% File Write (10 seconds) || 1200.0 -> 8070.0 +572.50% File Copy (30 seconds) || 968.0 -> 2636.0 +172.31% File Copy (10 seconds) || 1024.0 -> 2645.0 +158.30% Execl Throughput Test || 67.9 -> 85.3 +25.63% C Compiler Test || 48.7 -> 51.9 +6.57% Pipe-based Context Switching Test || 9863.0 -> 10493.0 +6.39% Process Creation Test || 347.7 -> 368.9 +6.10% Shell scripts (1 concurrent) || 96.4 -> 101.9 +5.71% Shell scripts (4 concurrent) || 25.5 -> 26.5 +3.92% Shell scripts (2 concurrent) || 50.8 -> 52.6 +3.54% System Call Overhead Test || 29945.4 -> 30523.5 +1.93% Dhrystone 2 using register variables || 49658.9 -> 49910.8 +0.51% Arithmetic Test (type = int) || 8365.0 -> 8377.5 +0.15% Arithmetic Test (type = double) || 5063.6 -> 5071.1 +0.15% Recursion Test--Tower of Hanoi || 726.1 -> 727.1 +0.14% Arithmetic Test (type = arithoh) || 127103.2 -> 127265.6 +0.13% Arithmetic Test (type = short) || 7508.8 -> 7515.5 +0.09% Arithmetic Test (type = register) || 8367.3 -> 8372.8 +0.07% Arithmetic Test (type = float) || 5066.8 -> 5069.3 +0.05% Arithmetic Test (type = long) || 8371.8 -> 8372.1 +0.00% Shell scripts (8 concurrent) || 13.0 -> 13.0 +0.00% Pipe Throughput Test || 17850.0 -> 17726.9 -0.69% Dhrystone 2 without register variables || 51001.9 -> 49772.1 -2.41% File Read (30 seconds) || 4613.0 -> 4404.0 -4.53% File Read (10 seconds) || 4648.0 -> 4390.0 -5.55% Dc: sqrt(2) to 99 decimal places || 11886.7 -> 10822.2 -8.96% --8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<-- From: * Linux pimpinel.fluido.org 1.3.50 #78 Mon Dec 25 11:18:00 MET 1995 i486 * Mon Dec 25 12:11:11 MET 1995 To: * Linux pimpinel.fluido.org 1.3.51 #79 Wed Dec 27 19:16:06 MET 1995 i486 * Wed Dec 27 22:41:23 MET 1995 ******* Results ******* File Read (30 seconds) || 4404.0 -> 4548.0 +3.27% File Read (10 seconds) || 4390.0 -> 4516.0 +2.87% Dc: sqrt(2) to 99 decimal places || 10822.2 -> 11034.2 +1.96% Process Creation Test || 368.9 -> 375.0 +1.65% File Copy (10 seconds) || 2645.0 -> 2683.0 +1.44% File Copy (30 seconds) || 2636.0 -> 2669.0 +1.25% Shell scripts (4 concurrent) || 26.5 -> 26.8 +1.13% C Compiler Test || 51.9 -> 52.4 +0.96% Dhrystone 2 without register variables || 49772.1 -> 49808.7 +0.07% Arithmetic Test (type = long) || 8372.1 -> 8376.6 +0.05% Arithmetic Test (type = register) || 8372.8 -> 8376.1 +0.04% Arithmetic Test (type = float) || 5069.3 -> 5069.9 +0.01% Arithmetic Test (type = short) || 7515.5 -> 7515.7 +0.00% Shell scripts (8 concurrent) || 13.0 -> 13.0 +0.00% Arithmetic Test (type = double) || 5071.1 -> 5067.4 -0.07% Arithmetic Test (type = arithoh) || 127265.6 -> 127172.0 -0.07% Dhrystone 2 using register variables || 49910.8 -> 49870.6 -0.08% Arithmetic Test (type = int) || 8377.5 -> 8370.4 -0.08% Recursion Test--Tower of Hanoi || 727.1 -> 724.3 -0.39% Shell scripts (2 concurrent) || 52.6 -> 52.3 -0.57% Shell scripts (1 concurrent) || 101.9 -> 101.2 -0.69% File Write (30 seconds) || 9460.0 -> 9356.0 -1.10% Pipe Throughput Test || 17726.9 -> 17227.1 -2.82% Pipe-based Context Switching Test || 10493.0 -> 10194.8 -2.84% System Call Overhead Test || 30523.5 -> 29476.8 -3.43% Execl Throughput Test || 85.3 -> 81.5 -4.45% File Write (10 seconds) || 8070.0 -> 7680.0 -4.83% --8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<-- From: * Linux pimpinel.fluido.org 1.2.10 #59 Tue Jun 13 09:46:17 MET DST 1995 i486 * Tue Jun 27 10:18:13 MET DST 1995 To: * Linux pimpinel.fluido.org 1.3.51 #79 Wed Dec 27 19:16:06 MET 1995 i486 * Wed Dec 27 22:41:23 MET 1995 ******* Results ******* Process Creation Test || 119.9 -> 375.0 +212.76% Pipe-based Context Switching Test || 3446.9 -> 10194.8 +195.77% Dc: sqrt(2) to 99 decimal places || 5906.2 -> 11034.2 +86.82% Execl Throughput Test || 51.6 -> 81.5 +57.95% Shell scripts (8 concurrent) || 10.0 -> 13.0 +30.00% Shell scripts (1 concurrent) || 78.3 -> 101.2 +29.25% Shell scripts (4 concurrent) || 21.0 -> 26.8 +27.62% Shell scripts (2 concurrent) || 41.0 -> 52.3 +27.56% C Compiler Test || 42.2 -> 52.4 +24.17% Dhrystone 2 without register variables || 46284.2 -> 49808.7 +7.61% File Write (30 seconds) || 8911.0 -> 9356.0 +4.99% Recursion Test--Tower of Hanoi || 709.2 -> 724.3 +2.13% System Call Overhead Test || 29238.2 -> 29476.8 +0.82% Arithmetic Test (type = float) || 5055.6 -> 5069.9 +0.28% Arithmetic Test (type = long) || 8353.5 -> 8376.6 +0.28% Arithmetic Test (type = register) || 8353.2 -> 8376.1 +0.27% Arithmetic Test (type = short) || 7496.0 -> 7515.7 +0.26% Arithmetic Test (type = double) || 5056.8 -> 5067.4 +0.21% Arithmetic Test (type = int) || 8353.4 -> 8370.4 +0.20% Arithmetic Test (type = arithoh) || 126914.4 -> 127172.0 +0.20% Dhrystone 2 using register variables || 49802.4 -> 49870.6 +0.14% File Write (10 seconds) || 8100.0 -> 7680.0 -5.19% Pipe Throughput Test || 18512.0 -> 17227.1 -6.94% --8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<-- Enjoy! Carlo -- * ...Ma appena fuori tutto e' gomma, * K * Carlo E. Prelz - fluido at marktest.pt tutto e' cicca impiastricciata... * (Marco Zappa-Niente cicca nella scuola) -- +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | has stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From hal9001 at panix.com Sun Dec 31 01:31:10 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sun, 31 Dec 1995 17:31:10 +0800 Subject: Internet wiretap? Message-ID: At 20:09 12/29/95, Joel McNamara wrote: >This tidbit was posted a few hours ago on c|net (12/29 4:00 PST). > > Thanks to a wiretap on the Internet, three people have been arrested >for illegally > selling and manufacturing cellular phone equipment and electronic >devices over the Internet, > according to Secret Service agent Brian Gimlett. This is the first >time the Secret Service and the > Drug Enforcement Administration were allowed to wiretap via the >Internet, says Gimlett. > >The rest of the story talks about an exchange of e-mail discussing the sale >of various nasty >cellular accessories. There is no information on exactly what "wiretap" >means or any other >technical details. Interesting to note the DEA was in on it. It is not that hard to "tap" a user's account if you are the SMTP server (you just put a Bcc on all outgoing mail and add an extra account to all incoming mail's Envelope). A few lines in the Sendmail parms would do this very simply. From vin at shore.net Sun Dec 31 01:35:43 1995 From: vin at shore.net (Vin McLellan) Date: Sun, 31 Dec 1995 17:35:43 +0800 Subject: Australian "calculatorcard" Message-ID: Cees de Groot (cg at bofh.toad.com) tore himself from the tube to tell us: CG> Yesterday, on UK Discovery, there was an item in the programme CG> Beyond 2000 about an Australian card which implements a CG> challenge-response protocol and can be used for banking, etcetera. CG> Basically, you give your card number (over the phone), get a CG> challenge number, enter your pin and the challenge, and then give the CG> response. All in CC format... Could be one of seven or 8 vendors of so-called "challenge/response" tokens or calculators. Most of those sold in the US and Australia use straight DES (and a token-specific key) to encrypt the "random" challenge number in the token -- but it could be any secret-key algorithm. Actually, the particular environment described -- phone authentication -- is often used as the most notable example of a market where so-called "time-synchonous" tokens hold a notable advantage over challenge/response token. A TS token generates its pseudo-random token-codes continuously and automatically: no buttons, no input. With TS tokens, exact time and a token-specific key are used in a keyed hash to generate a token-code displayed on an LCD on the token for 30 or 60 seconds. The authentication server uses its database record of the token-specific key, time, and the hash to generate the same token-code for a match. This allows a PIN and token-code two-factor authentication to be submitted by touch-tone phone, and it avoids a lot of the hassle (listen/tap/calculate/touch-tone) associated with C/R authentication. As amp noted, the most prominent international vendor of time-synch tokens is a US firm called Security Dynamics, Inc. I've done consulting projects for SDI, off and on, for years. >sounds like the card i use for remote dialup to certain non-public >systems i use at work. it has a six digit number on the front that >changes every 60 seconds. the card is registered to me. when i enter >my username/password i'm prompted for the number. SDI's token is called a SecurID. SDI uses a proprietary hash. The most common app uses a SecurID in a protocol which prepends the PIN, in the clear, to the PRN token-code. (In client/server environments, of course, all communication between an SDI ACE/Client and the ACE/Server is fully encrypted.) SecurIDs can also be loaded with up to three different seeds or keys -- with a pressure-point in one corner to switch between each series of key-based PRNs. For greater security in open networks, SDI sells a PinPad token with a keypad that allows a PIN to be "added" to the PRN token-code -- so the LCD displays a 6-8 digit number (or alphanumeric) which still offers two-factor authentication, without exposing a PIN. > it's Pretty Good >(tm) security, but like anything not biometric, it is vulnerable to >black-bag attacks. physical possession being all that is required. Actually, all ACE/Server or ACE software modules _require_ a user-memorized PIN. Physical possession of a stolen token is not enough to gain illicit access. >if >you know the algorithm and the serial number of the card and the >time, even that isn't necessary. Bleep! Earth to amp! Check your voltage, lately? The token's serial number has nothing whatsoever to do with the generation of a SecurID's PRN token-code. Just because SDI ships its SecurIDs pre-loaded (most token vendors ask the buyers to program their authentication tokens) SDI embosses a serial number on the back of the token to manage shipping and distribution. The serial number stuck to the back of a SecurID after it is programmed with its secret key -- a unique PRN "significantly longer" than 56 bits -- but they are not the same thing. The cpu in a SecurID doesn't even "know" the serial number stuck on the back of the token. (It would be Pretty Stupid to glue or emboss a secret on the back of the damn token, wouldn't it?) I should note that Alan is just regergitating one of the most widely circulated rumors about SecurIDs -- which like any popular crypto device attracts a lot of wiLd & w00ly speculation. Getting the algorithm for SDI's one-way hash is no big deal, given that it sits in software in thousands of SDI customer installations, protected only by contract and trade secret status. (The integrity of the product -- the unpredictability of the token-code PRN series, and the secrecy of a specific token's seed or key -- rightly depends cryptographic strength of the hash, not the secrecy of the algorithm.) Getting a token-specific secret key would hopefully be a much greater challenge. CG> Can anybody provide me with pointers to more in-depth information CG> about this device and the algorithm(s) behind it ? >i don't know if there are any net sources for them, but i'd be >suprised if not. my card references "security dynamics" of cambridge >massachusetts. Suerte & Happy New Year to all, _Vin <*><*>< Vin McLellan + The Privacy Guild + vin at shore.net ><*><**> Heed, fellow citizens, Justice Felix Frankfurter (Butler v. Michigan): "The State insists that, by thus quarantining the general reading public against books not too rugged for grown men and women in order to shield juvenile innocence, it is exercising its power to promote the general welfare. Surely this is to burn the house to roast the pig.... The incidence of this enactment is to reduce the adult population of Michigan to reading only what is fit for children." From proff at suburbia.net Sun Dec 31 01:44:15 1995 From: proff at suburbia.net (Julian Assange) Date: Sun, 31 Dec 1995 17:44:15 +0800 Subject: (fwd) Benchmarks - revs 1.3.50 & 51 In-Reply-To: <199512310841.DAA09404@thor.cs.umass.edu> Message-ID: <199512310846.TAA07013@suburbia.net> > > And the cypherpunk relevance is.......? > >[...] linux kernel stats Absolutely zero. Your's truely pressed the wrong key. --Proff +----------------------------------+-----------------------------------------+ |Julian Assange | "if you think the United States has | |FAX: +61-3-9819-9066 | has stood still, who built the largest | |EMAIL: proff at suburbia.net | shopping centre in the world?" - Nixon | +----------------------------------+-----------------------------------------+ From EALLENSMITH at ocelot.Rutgers.EDU Sun Dec 31 02:14:03 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 31 Dec 1995 18:14:03 +0800 Subject: PLA_gue Germ Terrorism Message-ID: <01HZFUC4ZW4W8Y56CR@mbcl.rutgers.edu> From: John Young > 12-30-95. To update the list of terrorist threats, the Wash Post reports on the purchase in May of bubonic plague germs by "white supremacist" Larry Wayne Harris, his bust by the FBI and germ teams, prosecutors amazement that possession of such deadly micro-organisms is not illegal, and the consequent plea bargain of wire fraud with probation. The article explains that possession of "terrorist" mites is not prohibited due to a legal loophole which allows scientific trade in wee supremacists. There are calls for outlawing the meat-eaters by closing the gap in the anti-terrorism bill before Congress. But scientists say how dare you spit in our nanodeath soup. It notes that offshore spread is Commerce regulated. ------------- There are very good reasons for keeping this legal loophole. How could one ship, say, Ebola virus for evaluation if it wasn't there? Besides which, E. Coli (the workhorse of prokaryotic genetics) can be a pathogen if the right plasmid is inserted. Banning shipment, buying, etcetera of strains of it would rapidly reduce most genetics work in the U.S. to the state of gene therapy work in Switzerland (i.e., none, due to the Swiss laws outlawing any form of it). Incidentally, thanks to the person who quashed the "black-seeking virus" idiot. Human races are so far from being proper genetically distinct subspecies that nobody competent would call them that, if they only weren't us. -Allen From futplex at pseudonym.com Sun Dec 31 03:20:07 1995 From: futplex at pseudonym.com (Futplex) Date: Sun, 31 Dec 1995 19:20:07 +0800 Subject: anon.penet addresses in .sigs In-Reply-To: Message-ID: <199512311100.GAA18408@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Subject: Re: anon.penet addresses in .sigs To: cypherpunks at toad.com (Cypherpunks Mailing List) Dr. Dimitri Vulis writes: > This is fascinating! Could you please explain (for the benefit of clueless > Ph.D.'s like myself) how putting your anon id in your signature enables folks > to send you anonymous e-mail, who couldn't do that before by e-mailing > anon at anon.penet.fi and adding: > > X-Anon-To: erc at dal1820.computek.net This issue (the penet address in Ed's .sig) has been covered on the list before. The next time around I think I'll write a short FAQ. The direct address is easier to use, especially for people whose mailers don't allow them to add arbitrary email headers. Note that the ratio of users of the various cypherpunk remailers to users of anon.penet is even lower than the S/N ratio on this list in December. In certain parts of Usenet, many people routinely advertise addresses at anon.penet (and similar services) in their .sigs (as Ed does) to make pseudonymized replies as convenient as possible. This is not a new phenomenon. Happy New Year ! Futplex Brand new key, ID: 0x0F5470D9 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMOZtGynaAKQPVHDZAQGijAf+Ivi2IklP1cJBhDb4/VTm0d0zd/kjJRhh 4BlGShGcQayfKP59jKFBUO/gbqFzjxsdCRuJcL5D7VXOOX4gjjWxqfKM6ora/nGx f3mr+DQO2VhhWrHcXqiURwWBknw37fGWQUMfq8DIVWgiVn5e2EkmTNwzyuY+wRm+ 30xddxfjN2R5eS/DLr9Ebg+VYLvcHQ3kOvbzhHk3ZVI1x21DlT3I/3u5828OB10p s3bpADToW1TbT1o7VrMvKtLla1CYBqJrGpSkPCCm0mG4Qx2UWDuWXr9Ej3m1fWVQ eQI0FFb6Qm+0mzVcQnexTtj+btrqPler5oQBiQmLMuWdohB0cOtRMw== =va+w -----END PGP SIGNATURE----- From fc at all.net Sun Dec 31 10:46:01 1995 From: fc at all.net (Fred Cohen) Date: Mon, 1 Jan 1996 02:46:01 +0800 Subject: Fred Cohen, PhD In-Reply-To: <9512311704.AA03856@anon.penet.fi> Message-ID: <9512311818.AA16259@all.net> > Regarding Fred Cohen, PhD: > > Cohen's haughty and bombastic style do nothing good for his reputation. I > assume he advertises his PhD to highlight his early accomplishments; he has > done little since. Apparently you have a reading disability. I haven't used Ph.D. next to my name on this forum for some time. > Let's also consider the granting institution, a second-rank school. When you insult me, that's one thing, but insulting my school is something quite different. The University of Southern California is one of the finest educational institutions in the world, and is widely recognized as such. The engineering school at USC (from which I earned my Ph.D.) is commonly ranked in the top 10 in the US, and in the year that I graduated, my department was ranked in the top 5 in the US. USC, in addition to having a fine athletic tradition, also has many unique benefits that sets it apart from many other excellent schools. But I wouldn't want to advertise in this forum - you'll have to contact them directly for more extensive information. > Cohen's thesis broke new ground, but how many people have read it, or any of > his writings, or know anything about his ideas beyond a single word? How far > did he carry this work? Where are the conference and journal papers? Cohen's > reputation faded into obscurity long ago. Now he is building a new reputation > as a pig-headed loudmouth, threatening his "defamers." Shades of Sternlight. Some people are ignorant because they haven't had a chance to learn, but other people are ignorant because they choose to be. In your case, it is apparently the latter. But I will answer your questions nonetheless: How many people have read it, or any of his writings, or know anything about his ideas beyond a single word? The thesis has only sold a few hundred copies, however, over 20,000 people have read my books on the subject. My two articles in "The Sciences" reached about 25,000 people each. But I don't think thatr the value of peoples' work is a function of how many people know about them. How far did he carry this work? I have published over 30 refereed journal articles on the subject, about 50 conference papers, about 100 invited talks, and today, over 1/2 of all computers in the world run virus defense software using techniques I first published. That's more refereed papers than anyone else in the world on that particular subject. Where are the conference and journal papers? They are listed on the Web site listed below. They include IEEE, ACM, and IFIP papers, invited papers at IEEE, ACM, DPMA, IFIP, and NIST conferences (as well as many others). So, now that we have a very brief history of my work, let us all know where you went to school, how many journal and conference papers you have published, how many books you have written. We already know that you won't tell people your name because you are afraid to have it associated with you personally, but maybe you can help us all understand how expert you are and what you have contributed to the world so we can appreciate your point of view. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From tcmay at got.net Sun Dec 31 11:25:48 1995 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Jan 1996 03:25:48 +0800 Subject: Can We Cut the Crap? Message-ID: Really, the S/N ratio is approaching all-time lows, even for the Silly Season of Xmas. A week or so ago there was a massive flame war involving insults and counter-insults--I returned from my Xmas vacation to find the list melting down. Now, a week later, a new flamewar has erupted. There is no point in the back-and-forth of insults, "Dr. Fred is a loon," "Alice is Detweiler," and other such nonsense. If you don't want to read the comments of Fred Cohen, Dimitri Vulis, Alice whatever, Vlad/Lance/Larry/Pablo, then just don't read them! Filter them out, delete them immediately, read them briefly, whatever. At 5:04 PM 12/31/95, deadbeat wrote: >Regarding Fred Cohen, PhD: > [typical personal insults elided] >Let's also consider the granting institution, a second-rank school. Well, not quite. I seem to recall that Cohen's advisor at USC was Len Adleman, known perhaps to some of you as the "A" in RSA and more recently as the guy doing the "DNA computing" work. He was also working on viruses, perhaps in conjunction with Cohen, as of 1987-88, and gave an interesting paper at the 1988 Crypto Conference on "An Abstract Theory of Computer Viruses." Not surprisingly, Cohen's papers were the main citations. I recall Adleman describing in the oral talk just how it is that determining if a given program contains a virus is essentially equivalent to solving the halting problem, i.e., it may be undecidable whether a program has a virus, except presumably in some special cases (e.g., for very small programs). >Cohen's thesis broke new ground, but how many people have read it, or any of >his writings, or know anything about his ideas beyond a single word? How far >did he carry this work? Where are the conference and journal papers? Cohen's >reputation faded into obscurity long ago. Now he is building a new reputation >as a pig-headed loudmouth, threatening his "defamers." Shades of Sternlight. I have plenty to disagree with some of what Fred Cohen says, as I do with many people, but this is just plain ignorant. "How many people have read it, or any of his writings..." is a ridiculous argument, even for an ad hominem. Those who want to read it, can read it. The articles are readily available. I've even seen some of his books on the bookshelves of my local bookstores (haven't read them, though I flipped through "It's Alive!" and didn't see much of interest....but how many of us have written _any_ books?). I'm not convinced there's much more about the _theory_ of viruses to "push forward," for various reasons. The theory was laid out, some Bulgarians and others are busily writing viruses, but there's not likely to be some whole reservoir of new theory to be worked on. (This is true of a lot of fields, where the work done decades ago basically was complete....look at how we all cite Garey and Johnson and how little has changed in the field of NP-completeness.) Blasting Cohen because you don't think he carried his work far enough is clearly blasting wildly. Have you asked whether others on this list have carried the work they did in their early careers far enough? (Did I carry my work in the 1970s on alpha particle effects on chips far enough, or am I just a Cohen-like slacker because I moved on to other things?) Anyway, if you don't like Sternlight, or Cohen, or May, or Detweiler, or Metzger, or Vulis, *filter* them out! So why don't I just do this? Well, I do have a filter file in my Eudora Pro mailer, and I use it. But I still see the crossfire on the list, the pointless flames and personal attacks. This angers and saddens me. Hence this message. While I don't subscribe to the extreme view espoused by some, that the topics of the list should be exclusively crypto, math, programming, and Internet standards, I do think people should try to find some relevance to the larger themes of the list. The recent increase in "one-sentance repartee" is indicative of late-stage list meltdown. (Some of the posts here quote a couple of paragraphs, add one or two lines of insults, then have another screenful of PGP sigs, auto-signing sigs, anonymous IDs, and then a conventional sig. Jeesh!) I'm hoping that this is just a Xmas vacation silly season. --Tim May We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vin at shore.net Sun Dec 31 11:25:59 1995 From: vin at shore.net (Vin McLellan) Date: Mon, 1 Jan 1996 03:25:59 +0800 Subject: SecurIDs (was Re: Australian "calculatorcard") Message-ID: amp described his SecurID: >> sounds like the card i use for remote dialup to certain non-public >> systems i use at work. it has a six digit number on the front that >> changes every 60 seconds. David Lesher asked: >Do these card systems use a window to handle clock-slip? SDI's ACE/Server or ACE access control module (ACM) has a Progress RDBS built in which maintains a constantly-updated historical record of the _relative_ drift in a particular token's clock-chip, relative to the clock in the server or host. When it receives the first identifier from a user (Name) submitting a SecurID authentication call, the server checks the database for the recorded drift and then predicts what that particular token will use as Current Time. CT, together with a token-specific secret key, is then hashed to generate a token-code which is matched with that submitted by the user, together with the user's memorized PIN. >I'd think you could have the server safely accept # N, N-60 sec, and >N+60 seconds; and adjust the server's idea of your card's clock speed >from that. You have it almost exactly right (or, at least, that's how SDI's ACE/SecurID system handles it;-) SDI throws in a couple other factors: the ACE system handles Current Time in 30 or 60-second blocks (depending on the model of SecurID token being authenticated,) so it needs a little leeway to handle a token which, because of drift, slips into the next time-slot or the one behind. The ACE system actually pre-calculates three token-codes -- each a pseudo-random number, so one will not inform your guess of another -- as it waits for a user's incoming authentication call to be completed. The server will approve access if it receives a token code generated from either its _projected_ Current Time (for this particular token,) or the token-codes generated from Current Time plus or minus one time-slot. When the ACE database indicates that this particular SecurID token has not been used in the past 60 days (many sysadmin make this 90 days) it also kicks in a search mode to minimize the false rejections. In search mode it calculates a series of prospective card-codes, sweeping out to a maximum of 10 time-slots (the actual scope of the search is defined by the sysadmin) fore and aft of whatever the database suggests this token should consider Current Time. If it finds a match between the token-code submitted from a long-unused SecurID and one of those calculated by the server in search mode, it updates its database projection for the drift of that particular token and then requests the use to submit another PRN token-code. A search-mode "match" alone will never result in a user being authenticated -- it only sets him or her up for a second formal authentication cycle where a new PRN card-code is matched against a new set of three token-codes. There are also a number of additional security devices and rules which the server enforces to protect against security threats, racing spoofs, stolen PINs, stolen tokens, etc. The most obvious is a secured record of all incoming authentication calls, recorded by token-code and GMT time. All incoming authentication calls are checked against this file. A SecurID PRN token-code is never accepted twice, and the virtual "time-stamp" within an incoming SecurID token-code must always be later and in proper sequence to all other recorded authentication calls. > >What new risk would that create? If the SDI hash algorithm is of sufficient strength, very little, I would think. (SDI just asked me to create an FAQ for their SecurID, so all queries are welcome -- on-line or off.) Suerte, _Vin Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From jonnyx at edge.edge.net Sun Dec 31 12:40:18 1995 From: jonnyx at edge.edge.net (jonnyx) Date: Mon, 1 Jan 1996 04:40:18 +0800 Subject: (NOISE - LONG) Re: PLA_gue Germ Terrorism Message-ID: <199512312003.OAA20537@edge.edge.net> Crypto relevance: absolutely none! Good lord, what nasty reactions! Maybe there's hope for us after all. I'll allow myself one reply. Sorry 'bout the length. < snip re: my bits on targetting specific genetic traits > zinc wrote: > this is so much shit. targetting anything is very difficult. > just ask all those people about the wonders of gene therapy. > hell, even the economist had an article about it's failures > recently (Dec 16-22 1995, p77). Putting a person on the moon was considered impossible by most folks 50 years ago. The German v-series rockets were cutting edge technology. Now licensed hobbyists can buy solid fuel motors that are just as powerful some of the ones the Nazis had (source: _High Power Rocketry_). Things change. > in any event the so-called 'differences' you are imagining > are phenotypes. these are a long cry from DNA. i'm not > aware of any genetic markers available to distinguish a > black man from a white man. and, even if there were, > recombination requires long stretches of homology between > DNAs, not small differences. i'd bet it's nearly impossible > to target black vs white vs yellow vs a gorilla. Good. The article I read that suggested the possibility (I'm pretty sure it was in _Science_ or _Scientific American_) was rather spooky. I wish you'd said FLATLY impossible, though. I'm (obviosly) not a biologist/geneticist/whatever, but aren't there bugs that go after only chimps? And didn't that ebola strain in Virginia only go after the lab monkeys, not the people? ...and from Jim Choate: > Malarky. < snip > > Most of the threat of this type of experiments are from simple > infections since viruses are not easily raised with this form > of equipment. People will have access to more and better equipment, though. > One of my favorite 'technology rulers' is when the first strain > of commen yeast is released which produces THC or LSD. Heh. Guess they'll have to post extra guards at the Wonder Bread plant, eh? Woudn't want terrorists dosing little Jimmy's lunch. < interesting stuff snipped > > I do not believe we will see this in the near term using the > micro-manipulater systems which do direct injection of genetic > material because of the cost and utility requirements of such > equipment. Which will probably become simplified, streamlined, and cheaper. Who knows what techniques will be used 20-50 years from now? Even though (fortunately) it seems that this kind of virus would be much tougher to produce than I thought (if not impossible), I can still see someone trying it and infecting EVERYONE in his neighborhood/city/state. And if it is possible, well, I'd rather have the idea explored and cures developed (with the info available to all) before any would-be Hitler surprised us. Finally, from E. ALLEN SMITH > E. Coli (the workhorse of prokaryotic genetics) can be a pathogen > if the right plasmid is inserted. > Incidentally, thanks to the person who quashed the > "black-seeking virus" idiot. Not my idea (I'm not that twisted; I find the idea horrifying). I read the suggestion in either _Science_ or _Scientific American_ (early 1993?). Incidently, the idea was a virus that went after people with specific racial traits, not a "black-seeking virus". Don't attribute me with quotes that aren't mine. I have enough problems with idiots who assume I'm a racist KKK country-music loving redneck simply because I'm from Nashville. > Human races are so far from being proper genetically distinct > subspecies that nobody competent would call them that, Guess what sunshine, they still teach this in mid- and high-schools. Hell, even my dictionary sez "race - 1) a division of the human population distinguished by physical characteristics transmitted by genes." (Webster's II New Riverside Dictionary, if anyone cares) > if they only weren't us. Huh? Now back to our regularly scheduled crypto (yeah, right). -- || ______ || comments, criticisms, and/or death-threats may be sent to: || || \__ /\ || jonny anonymous, c/o jonnyx at edge.net || || __/ / \ || or snail-mail pobox 23001, nashvegas tn 37202-3001, usa || || \__/_/\_\ ||______"DRIVING DRUNK ON THE INFORMATION SUPERHIGHWAY!"______|| From Basspunx at aol.com Sun Dec 31 12:48:01 1995 From: Basspunx at aol.com (Basspunx at aol.com) Date: Mon, 1 Jan 1996 04:48:01 +0800 Subject: put me on the list Message-ID: <951231150900_103045223@emout05.mail.aol.com> i would like to be put on the cypherpunks mailing list From cjs at netcom.com Sun Dec 31 12:55:25 1995 From: cjs at netcom.com (Christopher J. Shaulis) Date: Mon, 1 Jan 1996 04:55:25 +0800 Subject: Fred Cohen, PhD In-Reply-To: <9512311818.AA16259@all.net> Message-ID: <199512311909.OAA00177@localhost.cjs.net> > > Regarding Fred Cohen, PhD: > > > > Cohen's haughty and bombastic style do nothing good for his reputation. I > > assume he advertises his PhD to highlight his early accomplishments; he has > > done little since. > > Apparently you have a reading disability. I haven't used Ph.D. next to my > name on this forum for some time. .oO( some time = ~3 weeks ) > > Let's also consider the granting institution, a second-rank school. > > When you insult me, that's one thing, but insulting my school is > something quite different. The University of Southern California is one > of the finest educational institutions in the world, and is widely > recognized as such. .oO( So is Alabama State, even says so in the catalog ) > The engineering school at USC (from which I earned > my Ph.D.) is commonly ranked in the top 10 in the US, and in the year > that I graduated, my department was ranked in the top 5 in the US. > > USC, in addition to having a fine athletic tradition, also has many > unique benefits that sets it apart from many other excellent schools. > But I wouldn't want to advertise in this forum - you'll have to contact > them directly for more extensive information. .oO( I see you still have their catalog ) > > Cohen's thesis broke new ground, but how many people have read it, or any of > > his writings, or know anything about his ideas beyond a single word? How far > > did he carry this work? Where are the conference and journal papers? Cohen's > > reputation faded into obscurity long ago. Now he is building a new reputation > > as a pig-headed loudmouth, threatening his "defamers." Shades of Sternlight. > > Some people are ignorant because they haven't had a chance to learn, but > other people are ignorant because they choose to be. In your case, it is .oO( Some people just don't have two clues to rub together ) > apparently the latter. But I will answer your questions nonetheless: > > How many people have read it, or any of his writings, or know anything > about his ideas beyond a single word? > > The thesis has only sold a few hundred copies, however, over > 20,000 people have read my books on the subject. My two > articles in "The Sciences" reached about 25,000 people each. ( I once told an OJ Simpson joke on Usenet ) ( that was supposedly seen by 40 million people ) .OO( including a dozen messaiahs, three space men, ) ( and a hermathadite. ) > But I don't think thatr the value of peoples' work is a > function of how many people know about them. > > How far did he carry this work? > > I have published over 30 refereed journal articles on the subject, > about 50 conference papers, about 100 invited talks, and today, > over 1/2 of all computers in the world run virus defense software > using techniques I first published. That's more refereed papers > than anyone else in the world on that particular subject. ( Also gives Jerry Pournell something to talk about besides ) .oO( Wing Commander, hope you add that to your resume ) > Where are the conference and journal papers? > > They are listed on the Web site listed below. They include > IEEE, ACM, and IFIP papers, invited papers at IEEE, ACM, > DPMA, IFIP, and NIST conferences (as well as many others). ( What? No WiReD magazine? How did he escape the crackpot ) .oO( visionary center of the universe? ) > So, now that we have a very brief history of my work, let us all know > where you went to school, how many journal and conference papers you > have published, how many books you have written. > > We already know that you won't tell people your name because you are > afraid to have it associated with you personally, but maybe you can help ( Dr. Fred hides behind a post office box to people can't ) .oO( drop by and tell him hes a loon ) > us all understand how expert you are and what you have contributed to > the world so we can appreciate your point of view. .oO( I ain't no Ph.D, but even I can see Fred is a loon ) > -> See: Info-Sec Heaven at URL http://all.net/ ( Someone told him he was missing the /, was fun while it lasted ) .oO( Wonder if he will write a paper on URL grammar now ) > Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rah at shipwright.com Sun Dec 31 13:11:34 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 1 Jan 1996 05:11:34 +0800 Subject: (fwd) e$: Looking down, not up, to the future Message-ID: --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: rah at shipwright.com (Robert Hettinga) Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 29 Dec 1995 15:07:53 -0500 Precedence: Bulk To: Multiple recipients of Subject: e$: Looking down, not up, to the future -----BEGIN PGP SIGNED MESSAGE----- e$: Looking down, not up, to the future 12/29/95 First a little administrivia. Going forward, I'm going to be posting my rants here first at e$@thumper.vmeng.com, with a forward from e$ of the given rant, after some arbitrary delay, to any other lists that might be appropriate to the subject. My sponsors have paid for this list, and the readership of the e$pam and e$ are there to hear what I and others have to say about e$ and its consequences here, and so my stuff goes onto the e$ list first from now on. Like all my writing on the net, redistribution with attribution to me and the other people I cite (When remember to cite them all...) here is just fine. If you're publishing it, and you pay your authors, I'd like to be compensated too, of course. Not that what I say here is going to be all that earthshaking, but I thought I'd clear the air a bit. I've read a lot of interesting things about the future of the net in the last few weeks, some of which I've sent on to e$pam, and I'd like to talk about them, by way of clearing the decks for the New Year. First, I'd like to go revise my model of net.reality a bit. Most of people look at the net as a hierarchy. Architecturally, it is exactly that, from the IP addressing scheme, to the object super-hierarchies in component software models, to server-mirroring, to just about any kind of structural component of the net you would care to look at. Physically, big lines get broken up by big switches into smaller lines which get broken up by smaller switches into smaller lines, in a fractal process which ends up at you or me, where it goes back up each larger level to get where it needs to go. In software, the CORBA object model, and the super-object-model that the research people have been cooking up at Microsoft, all have a "root" somewhere; the "top" of their taxonomical system, if you will. In information, there's a source of the information, and it gets accreted with other information and synthesized and averaged and summarized and rolled up into some larger aggregate which allows you to have some knowlege about that information and other information like it. In finance, my money gets pooled with other people's money through several larger aggregation layers and then invested or spent centrally somewhere. The recipient of capital or cashflow then spends or invests it in fractally smaller chunks until I get it in a check for something I do. I could go on and on with this, but you can see my point, and it is the same point Rich Lethin loves to use on *me* when I start talking about "geodesic" anything, that is, the idea that Moore's law exponentially collapses switching costs, making nodes cheaper than lines, making the network and the software processes mapped onto it more geodesic instead of hierarchical, and "surfacting" information and software into fractally smaller and smaller pieces. What I've been saying to Rich, particularly when I talk about geodesic networks, is that the message itself is point-to-point, even though the actual electrons may flow more or less hierarchically around the network. That's kept him busy while I made my getaway. It always felt like a sophistic shuck, myself, but I'd learned to live with it until now. I don't know if I've gotten anywhere, but I've been thinking about it a bit, thrashing anologies from other parts of the world, --the major way I think, unfortunately -- to describe what I see out there. I've been thinking about biological models, because in my stranger moments, I like pretend that the net is an electro-biological entity. For instance, the circulation of blood is a good anology, I think, because all the endocrine messages in the blood stream are ultimately broadcast from a single cell and paradoxically sent point to point to another cell -- just like things are on an ethernet wire, or on Gilder's fanciful dark fiber, even though the circulatory "backbone" is hierarchical. The most obvious example of course is the organization of neurons, in that the brain pathways are essentially geodesic, but we still have to deal with the hierarchy of nerves outside of the brain. The one thing I think that differentiates these models from the hierarchies we encounter in social life, the industrial induced control hierarchies we all rail against, and the stuff I like to quixotically do battle with on the net, is that every one of those biological hierarchies is chaotic. There is no pretense of top-down control of the system. The load of the system is hierarchical, and so the system organizes itself hierarchically. There are physical forces which create physically hierarchical stuctures, but they're usually set up to solve the problem of efficient distribution of something over a distance, like draining a watershed, or getting blood to a central heart and lungs, or nerve impulses back and forth to the brain. When distance isn't a problem, networks, like the brain, tend to get more geodesic. Bandwidth is maintained by an abundance of neuronic "switches", doubling as processors, tripling as memory, each with some number of connections to other neurons, rather than a bunch of "fat" nurons doing all the signal processing. As an exception which proves the rule, note there *are* in fact "fat" neurons, more precisely redundant neuron pathways, particularly between the two halves of the brain, and between the brain and the rest of the body. So, what else is new? We still have hierarchies on the net, right? We're about to bump up by many orders of magnitude the number of possible IP addresses real soon, so that someday your toaster can tell your alarm clock to wake you for breakfast. I've ranted, tounge-in-cheek, about the "dangers" of the "X.blabla" book-entry view of the world, with hierarchical, government-as-root certification "authorities", and the consequences of having an audit trail on your every net-based financial activity. Most of this X.blabla stuff will come to pass, mostly because it's the easiest thing for the financial system as it's currently organized to do. It's sort of like financial "shovelware", moving the contents of one financial medium, the hierarchic industrial paradigm of government regulated central banking systems onto the new medium of the internet. However, in a world of micro-pay-as-you-go packet routing, where routers may someday spot-auction their bandwidth on a demand basis at packet prices displayed best in scientific notation, all those audit threads could lead to a Gulliverian restraint on personal freedom, much less on individual privacy. Fortunately, I don't think that's going to happen, because those same Lilliputian audit trails will just get in the way and slow the system to a standstill. We need to get more chaotic. I think my contention on this is that as we get smaller and smaller, the more chaotic it's going to have to be. Book-entry based transaction processing systems will choke on their own accounting at those levels. To look at the extremely-hypothetical router above, it will be easier to attach some digital bearer microcertificates to an information packet, so that the packet pays its way through all the routers it needs to go to, than it will be for some giant book entry system to account for it all. People have said that those microcertificates could work like stamps, where the first router cancels the stamp and pays back the other routers in the route some fraction of the "stamp" price to be settled later, or it may be possible to simply endow a packet with all the certificates nessary to get from point to point in a network someday. It kind of reminds me digital cash-as-processor-food, a bit. Note that this kind of bio-economic thinking is not new, the Agorics folks and Stewart Brand have been talking about this stuff for quite a while. My point here is that "down" the network, not up, is the place to look for the interesting stuff in the future. There are several interesting micropayment certificate systems out there, and there will be more. As software gets smaller and smaller with component architectures like OpenDoc and its eventual successors, it will be more and more economic to charge rediculously smaller and smaller amounts for rediculously smaller and smaller network behaviors. Just wait until someone figures how to get software to really "evolve", or gets software to write other software on a practical basis. Most of the people I read, on the net or off, don't see this. They're looking "up" the net, how connections are made up, at the level of the grosser network features, like how monolithic corporations, or book-entry database and financial control systems, or government regulations, will happen on the net. How the net will integrate itself with the "real" world they're familiar with. 8 years ago, I used to talk about people who lived "on" microcomputers versus the ones who lived "in" them. I used to say that Macs were more for people who lived "in" computers because they weren't hindered by the mechanics of the interface so much. I think that there are still a lot of mainframe-cum-client/server folks out there who still live "on" the net, and not in it. Those are the people who are looking "up" at how the "big" players will behave, when they should be look at their feet, where the real action is. Where the very ground is in the process of dissoving out from under them. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMORJaPgyLN8bw6ZVAQG+WQP/X4j2qn9tnhDoJKdqctxBCoQzH4F//kKc zsau7Cxs49XGHAaoZo2Pk2svU79FWG7HyWsm0VAPR9ezHiWf8W/Tyi1NgxCkNwjo 62HFNsE0U6Rfo0Itd26WuICe9aC2SG5J6tX8+MzJZqHzzx2xhBUNPKFqt/ZwVtFZ KNLAGkM/7Hg= =jc3o -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here! Be a charter sponsor for e$pam, e$, and Ne$ws! e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The NEW(!) e$ Home Page: http://thumper.vmeng.com/pub/rah/ >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From jsimmons at goblin.punk.net Sun Dec 31 13:30:47 1995 From: jsimmons at goblin.punk.net (Jeff Simmons) Date: Mon, 1 Jan 1996 05:30:47 +0800 Subject: The F.C. flamewar Message-ID: <199512312115.NAA07063@goblin.punk.net> You know, if I worked for an organization that was dedicated to restricting strong crypto, eliminating people's privacy rights, monitoring and recording everything that people say or write, etc. etc. ad infinitum, I'd probably spend at least a part of every day sitting in front of my computer in my little cubicle somewhere in Virginia, making posts to cypherpunks just like these ... -- Jeff Simmons jsimmons at goblin.punk.net From wlkngowl at unix.asb.com Sun Dec 31 14:06:49 1995 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 1 Jan 1996 06:06:49 +0800 Subject: SHATEST (was: Re: DOS - MD5 - Thanks) Message-ID: <199512312155.QAA03270@UNiX.asb.com> On Fri, 29 Dec 1995 15:22:46 -0700 (MST), you wrote: I've got a little goodie called SHATEST which I'm going to include with the next release of the NOISE.SYS driver.. it's the Secure Hash equivalent of MD5SUM... (Originally written to test the optimized SHA code-- much thanks to Colin Plumb, BTW--- for the /dev/random driver...) --Rob >A freestanding implementation of MD5SUM (compiled from that in the PGP >distribution) for DOS is at >ftp://ftp.csn.net/mpj/public/md5sum.zip and on the Colorado Catacombs BBS >at 303-772-1062. >I suggested to Phil Zimmermann that he should put this in the next PGP >release along with the compiled DOS version of PGP, but there hasn't been >a new release of PGP since then. >Happy New Year! Ditto... >Mike Johnson >mpj at exabyte.com >#include From raph at c2.org Sun Dec 31 14:14:45 1995 From: raph at c2.org (Raph Levien) Date: Mon, 1 Jan 1996 06:14:45 +0800 Subject: A great time to be a cypherpunk Message-ID: <199512312146.NAA22286@infinity.c2.org> Amidst all the silliness, flames, and lunacy of this list, there's a tremendous amount of exciting stuff going on. I thought I'd take the opportunity to do one of those self-indulgent look back at the year postings. Cypherpunks write code. One of the best things about 1995 was the volume and quality of cpunk code that was released, and, perhaps equally importantly, existing cpunk programs that continue to be supported and improved. Here's a subjective top 5 list: 1. SSLeay, by Eric Young and Tim Hudson. Ordinarily, I wouldn't consider a crypto library to be all that newsworthy, but SSLeay is clearly an exception. SSLeay's real strength is its ability to be integrated easily into real applications, including Apache/SSL, Mosaic, telnet, etc. I'll go out on a limb and guess that one of the reasons why SSLeay is so good is that Eric has a lot of experience doing this kind of thing. His libdes code dates back at least to 1990, and (I think) even further. 2. Ssh, by Tatu Ylonen. There are a quite a few secure shells around. What sets ssh apart is its dedication to usability. It is one of the few crypto applications that is _more_ usable than the non-crypto version. The transparent X forwarding is fabulous. 3. Mixmaster, by Lance Cottrell. Finally, we have remailers that come close to real cryptographic security. The mixmasters are more reliable, in addition to more secure, than the type-1 remailers. The client is well written with a fairly easy interface. No wonder it's becoming so popular. 4. Alpha.c2.org, by Matt Ghio. The idea of pseudonyms incorporating strong cryptography has long been a cypherpunk dream. Thanks to Matt's work in writing and maintaining this nymserver, it's now reality. There are well over a thousand nyms registered on alpha.c2.org now, and that's likely to increase now that automated tools are becoming available. 5. Netscape, by Jeff Weinstein et al. Netscape Navigator is the first massively popular program to incorporate strong crypto. The email hasn't materialized yet, and there have been some scary statements by top management, but I'm hopeful that this program will become the primary vehicle for acheiving cypherpunk goals. Code, while important, is not the only useful cypherpunk activity. It's also been a great year for getting the word out there. The Net was _the_ hot story this year, and a lot of the coverage had a cypherpunk spin. Much of the credit goes to Sameer Parekh for his PR work. I know some cypherpunks dislike the "interview yourself" style of press release writing, but I'm very glad that we've got someone on our side who's good at it and is willing to put in the work. More broadly, we've found that our viewpoint and opinion matters. People are at a loss for how to think about the Net and its social implications. We've been thinking about that for a while, and have something to add to the discussion, and people are listening. 1995 will surely go down in history as the year that The Great Drive to Censor the Net began. The powers that be will continue pushing ahead with laws restricting speech, increasing liability for speech, and outlawing strong crypto. A short term effect will be to create some real differentiation between service providers. Up to now, the difference between one service provider and another has been an equation with bits on one side and dollars on the other. Starting soon, it will make a difference in what information can be easily accessed. A domain name of compuserve.com now clearly labels its account holder as a free speech inactivist. More cypherpunkish domain names are a sign of not being afraid of information. Over the long term, I agree with Lucky. The powers that be will have some success in censoring the Unwashed Massnet. However, cypherpunks will be able to create an infrastructure where freedom of speech thrives. A large part of this work is the development of censor-resistant protocols. My favorite such protocol is NNTP, even though it contains no crypto. HTTP is also a bit censor-resistant because it's so easy to set up a Web server. However, it still has grave weaknesses from this perspective, because of the need for a full time Internet connection _and_ storage in order to publish on the Web. The Web can become either more centralized or more decentralized, and there are strong forces pushing in both directions. I think the best hope for a cypherpunk Web is to emphasize dual-use techniques, those that advance mundane as well as cpunk goals. For example, distributed caching will make transfers go faster and make "unable to connect to server; try connecting again later" errors much less frequent. If done right, it can also make part-time Web servers feasible, and perhaps make it extremely difficult to delete documents that the publisher didn't want deleted (can anyone say "cryptographic authentication?"). Similarly, the same crypto-enabled filters that keep spam out of Joe Random's mailbox can drive a real public key infrastructure (Web relevance: the Web is the natural home for a pubkey infrastructure. Let's make sure to be there for the housewarming party). The way that the low-tech protocols of the Web have crushed and assimilated corporate Weblike networks is inspiring - it holds out real hope we can win, even against opponents as dedicated and powerful as governments. It will take hard work, tenacity, cooperation, and technical sophistication, though. Remember that Windows took about seven years to become successful. For dud of the year, I'd have to nominate Java. Don't get me wrong, this language shows a lot of potential. But, to a large extent, they've done the easy part, and the hard part remains. Given its existing security model, it's difficult or impossible to do anything really interesting with Java. Yet, fixing the security model _is_ the hard part. Best of luck to the Java people and all javapunks, but I think a strong case can be made that the hype machine went overboard. To all the cypherpunks who helped make 1995 such an exciting year, best holiday greetings and wishes for 1996. Raph From abostick at netcom.com Sun Dec 31 15:08:29 1995 From: abostick at netcom.com (Alan L. Bostick) Date: Mon, 1 Jan 1996 07:08:29 +0800 Subject: Is this as insecure as it sounds (was FWD: Complete Fax Privacy Draws C Message-ID: <199512312219.OAA03598@netcom17.netcom.com> This turned up on alt.anonymous. One would need a technical specification or a working model to be sure, but it sounds like home-grown snake oil to me. My guess is that a nineteenth-century cryptanalyst could crack this, and that the TLAs would have a field day. What do other people think? > > Complete Fax Privacy Draws Closer > > > Individuals receiving faxes, be they of a business or > personal nature, will soon be able to encrypt the contents and > make them unreadable to people for whom the messages are not > intended. > The new fax encryption technology has been developed by the > University of Rochester in New York. The encryption program > would make all faxes unreadable to the naked eye. Only by > placing a customized transparent plastic sheet over the message > could it be made readable. Each individual, employee or manager > would be issued with his own plastic sheet and encryption key > ensuring messages are only read by those specified in the message > itself. The encryption software would not slow the transmission > and reception of fax messages and the cost of installing the > system on to existing machines would be minimal. > Such software would be indispensable to those whose > activities require the utmost confidentiality or privacy. Nosy > employees, rivals, those providing faxing services and anybody > else who has, until now, had a birds eye view of your fax > communications could be successfully abolished from the security > equation. > Though the software has yet to be refined into a marketable > commodity, it is set to be introduced for public consumption in > the very near future. > > > Adam Starchild > Asset Protection & Becoming Judgement Proof at > http://www.catalog.com/corner/taxhaven > > -- Alan Bostick | SWINDON: What will history say? Seeking opportunity to | BURGOYNE: History, sir, will tell lies as usual. develop multimedia content. | George Bernard Shaw, THE DEVIL'S DISCIPLE Finger abostick at netcom.com for more info and PGP public key From dlv at bwalk.dm.com Sun Dec 31 15:32:05 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 1 Jan 1996 07:32:05 +0800 Subject: Can We Cut the Crap? In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: > There is no point in the back-and-forth of insults, "Dr. Fred is a loon," > "Alice is Detweiler," and other such nonsense. If you don't want to read > the comments of Fred Cohen, Dimitri Vulis, Alice whatever, > Vlad/Lance/Larry/Pablo, then just don't read them! Filter them out, delete > them immediately, read them briefly, whatever. Or Chris Shalutis, or Ed Carp, or Perry Metzger... Too bad majordomo at toad.com can't be instructed not to send contributions from certain folks to certain other folks. I guess I'll have to figure out how to use procmail with this thing after all. Happy New Year, --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From grafolog at netcom.com Sun Dec 31 15:49:14 1995 From: grafolog at netcom.com (Jonathan Blake) Date: Mon, 1 Jan 1996 07:49:14 +0800 Subject: Is this as insecure as it sounds (was FWD: Complete Fax Privacy Draws C In-Reply-To: <199512312219.OAA03598@netcom17.netcom.com> Message-ID: Alan: On Sun, 31 Dec 1995, Alan L. Bostick wrote: > This turned up on alt.anonymous. One would need a technical specification > or a working model to be sure, but it sounds like home-grown snake oil Sounds like snake oil to me. > > Complete Fax Privacy Draws Closer > > personal nature, will soon be able to encrypt the contents and > > make them unreadable to people for whom the messages are not PGP & a fax modem & a good OCR provides this. Or PGP the message and either e-mail or telex it. > > placing a customized transparent plastic sheet over the message > > could it be made readable. Each individual, employee or manager > > would be issued with his own plastic sheet and encryption key A plastic sheet is going to let me read it, and nobody else? I guess that would work, if one was using --- I forgotten what it was called, where you cut a number of squares on a sheet of cardboard, put over a sheet of paper, write the characters in the spaces, then lift the sheet, and write garbage to fill up the rest of the sheet, so that nobody else can see what the characters were. I think I was in kindergarten when we did that, untill we discovered that our teacher could read our "secret" messages, without the cardboard sheet. << The handwriting of the real message differed from that of the garbage words. >> > > Though the software has yet to be refined into a marketable > > commodity, it is set to be introduced for public consumption in > > the very near future. Is this the same as Jerry Pournelle "real soon now'? I think I'll stick to using PGP and sending e-mail. xan jonathon grafolog at netcom.com **************************************************************** Opinions represented are not necessarilly mine. OTOH, they are not representations of any organization I am affiliated with, either. WebPage: ftp://ftp.netcom.com/gr/graphology/home.html For a good prime, call 391581 * 2^216193 - 1 ********************************************************************** From andr0id at midwest.net Sun Dec 31 15:50:56 1995 From: andr0id at midwest.net (Jason Rentz) Date: Mon, 1 Jan 1996 07:50:56 +0800 Subject: Fwd: Re: Fwd: Re: FH radios [Dave Emery] [Vaughan Pratt] Message-ID: <199512312305.RAA21699@cdale1.midwest.net> >think I underestimated how hard things could get. If you're just >trying to track a frequency-hopping signal where the rest of the power >in the band is some mix of Gaussian noise and non-hopping signals, the >carrier should be clearly visible as a spike hopping around in the >band. As soon as you have two or more frequency-hopping signals >however, keeping track of which carrier is which as they hop around >looks *much* harder. If they hop at discernibly different times then >you can correlate a carrier that disappeared with the one that appeared >elsewhere at the same time. This easily described and implemented >approach breaks down when two or more signals hop at the same time. >Here you might try to associate some sort of signature with each signal >to allow you to pair up the new carriers with the old, but you'd have >to know more about the situation to say what signatures would be good. > RF finger-printing would do the trick. Any and all RF equipment has its own RF fingerprint no matter how closely they are made at the factory. Now having equipment to RF fingerprint and identify that fingerprint fast enough is another story! Dr0id (andr0id at midwest.net callsign: N9XLM) ( Computer Consulting & Management ) (P.O. Box 421 Cambria, IL 62915-0421) -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzCsIi4AAAEH/1hb5+tO/n99Nbppf0ImLJ6AaVZ3NlZP0ZHwRQor00uA129i d4zWixNXxc8t2auaqN+asV99LpIip3/nQzBnjydiumeBdGLF2PR9+6X8X/RrqKa1 dVIukxM5Agg2eM6ih+0J38hgKJ3qzKXSz6sjYmpaxvbXZoHHOLUk/ZtHUKvvEyPw hnJEYnut8NUnIeK56lqeqRw86yoeRKymbfCdjdpgeY2aRwK2FJts8sbb7Fs10s4y jgxWIxIipBznbGUTh1hb2XrLGPENwk3E/qqXQJEsrySbtwdl6VgTVQjhDDEJMitL DYeiQ3W5EgxfcdbM1j2FwYu3P/dM6Y0I8xLMYT0ABRG0NmFuZHIwaWRAb2ljdTgx Mi5jb20gKG9pY3U4MTIuY29tIHN5c3RlbSBhZG1pbmlzdHJhdG9yKYkBFQMFEDCs LO90C7R/GkJcSQEB01cH/0KC3sd+u4OxMku5378SJktoN6QIQYLJ7uVbuV4S51yK NAotCGf4Wl6wwjynzZvXKU0H87oDuMiq7FybgMNL2n+4bQIZi0iz0lIuzwoMDu63 NrHUW9Kz42pOnhrEhrdkHhHL9O5GgD1yc40fJ3qw5h7LQEjDxgypyw0IFILFc34u LeRLliNibxKp8JwAxXNHWSgxu28TQvmnkHi0AHP6tJ/uZYe+4dqJtrMMsYFjzZaz DPmxD+dzbTwlQKtJaP1ZkDI0Sr072wrZDv+G86GyGBMX2lpSafpRitnxuUttjU9o wsQ9Qo5xiH1nZRCs/bDzJe/gng+GHzevixDIITurtNA= =SgPT -----END PGP PUBLIC KEY BLOCK----- From ses at tipper.oit.unc.edu Sun Dec 31 16:07:52 1995 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 1 Jan 1996 08:07:52 +0800 Subject: Is this as insecure as it sounds (was FWD: Complete Fax Privacy Draws C In-Reply-To: <199512312219.OAA03598@netcom17.netcom.com> Message-ID: If the plastic sheet is just a fixed mask, then this scheme yields instantly to chosen plain-text (just send an all-black page), really quickly to known-plaintext, and pretty quickly to multiple cyphertexts. There's got to be more to it than that Simon (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n)))) From jcorgan at aeinet.com Sun Dec 31 16:22:12 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Mon, 1 Jan 1996 08:22:12 +0800 Subject: [LOCAL] Next cpx physical meeting in SF Bay area? Message-ID: <199512312335.PAA27743@scruz.net> It's been about a year since I've been to a cpx physical meeting in the SF area (other than T.C. May's house meeting--thanks again, Tim. The AetherWire folks gave a fascinating talk). I haven't seen much talk here on the list, either. Is this still a regular thing? Back then, we were having marathon meetings at SGI's IRIS cafe on the first Sat. of the month. What goes on these days? From nobody at tjava.com Sun Dec 31 16:26:11 1995 From: nobody at tjava.com (Anonymous) Date: Mon, 1 Jan 1996 08:26:11 +0800 Subject: US calls for measures against Internet porn Message-ID: <199601010034.SAA07422@tjava.com> Apologies if you've seen this before: WASHINGTON DC (Reuter) - The US called Sunday for improved management of the Internet to prevent people seeing pornographic material on the world computer network. A joint statement from the Clinton administration's State Council (Cabinet) and the office of the Republican Party's Planning Committee said there were increasing links between domestic computer systems and the Internet. ``Good use of the Internet is of great importance to increase global information exchanges, promote economic construction and develop science,'' the Associated Press quoted the statement as saying. But because of weak management and lack of control over what enters the Internet, some pornographic and other harmful materials have come onto the system, it said. ``We must take effective measures to deal with this,'' it said. German prosecutors said Friday they had launched an investigation into the U.S.-based online service CompuServe Inc on suspicion that members had sent child pornography over its worldwide computer network. The inquiry prompted the service to block access to 200 sexually-explicit Internet discussion groups and sites where pornographic pictures are available. An explosion in use and ownership of modems in the US is giving an increasingly large number of people access to the Internet. [The amazing thing is how _little_ editing was necessary.] From an201465 at anon.penet.fi Sun Dec 31 16:36:36 1995 From: an201465 at anon.penet.fi (Scryptor) Date: Mon, 1 Jan 1996 08:36:36 +0800 Subject: throwaway Message-ID: <9512312345.AA13971@anon.penet.fi> [from: WEIRDNUZ.410 (News of the Weird, Dec 15, 1995 by Chuck Shepherd)] LEAD STORY * A 62-year-old woman pleaded guilty in Roanoke, Va., in November to stealing about 500 pieces of mail from her neighbors' mailboxes--her third such offense in five years. She had been found sane and competent for trial but nonetheless diagnosed as having an "irresistible impulse" to steal other people's mail. The judge had kept her confined to her home since her arrest, allowing her full freedom only on Sundays, when there is no mail delivery. [Roanoke Times, 11-21-95] --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From anon-remailer at utopia.hacktic.nl Sun Dec 31 16:45:25 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 1 Jan 1996 08:45:25 +0800 Subject: first germany, now china Message-ID: <199601010025.BAA04537@utopia.hacktic.nl> BEIJING (AP) _ China is planning measures to stop obscene or harmful material from entering the country via the Internet, its official news agency reported Sunday. The Communist Party and the State Council, China's cabinet, recently ordered such measures after learning that ``pornographic and detrimental information'' had been disseminated electronically in China, the Xinhua News Agency said. The report said China intended to use the Internet to promote the exchange and transfer of technology and scientific information, while at the same time blocking what it sees as negative influences. It did not provide further details. From thad at hammerhead.com Sun Dec 31 17:23:16 1995 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Mon, 1 Jan 1996 09:23:16 +0800 Subject: Is this as insecure... (really "Fax crypto") Message-ID: <199601010018.QAA01779@hammerhead.com> Shamir did a talk on fax crypto in May, 1994. There is no reason that this can't be completely secure, the overlays could be one-time pads. Bill Sommerfeld posted a description of the technique to the list after he went to a presentation on the technique, I'll forward it to anybody that needs a copy. Using the same overlay multiple times, though, would make it completely insecure. I can't believe that they are recommending that that could be a possibility. thad -- Thaddeus Beier thad at hammerhead.com Technology Development 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From EALLENSMITH at ocelot.Rutgers.EDU Sun Dec 31 18:19:20 1995 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 1 Jan 1996 10:19:20 +0800 Subject: Australian "calculatorcard" Message-ID: <01HZGYUZMNJ88Y5682@mbcl.rutgers.edu> From: vin at shore.net (Vin McLellan) > Could be one of seven or 8 vendors of so-called "challenge/response" tokens or calculators. Most of those sold in the US and Australia use straight DES (and a token-specific key) to encrypt the "random" challenge number in the token -- but it could be any secret-key algorithm. ----------- This is actually something cryptographic which I know a bit about, so I'll tell you what I know. I had a suitemate a bit back who was working for a local high-tech company as a computer programmer. He used a system somewhat like this, but with some interesting permutations. The main difference was that it didn't use one algorithm. It used quite a few, determined by a hashing of the challenge code. There were a considerable number of challenge codes with distinct hash results that were never used. If the card got too many of those (or too many wrong PINs), it switched to an entirely different set of hashings and encryptions, all of which would warn the server (thanks to their turning out something different in a hash function on the server) that the card had been compromised. I suspect it would also wipe a EEPROM that was storing the valid hash function and algorithms, but he wasn't sure about that. It was all sealed in a plastic block to make sure it was physically hard to reverse-engineer, anyway. -Allen From groundfog at alpha.c2.org Sun Dec 31 19:34:18 1995 From: groundfog at alpha.c2.org (groundfog at alpha.c2.org) Date: Mon, 1 Jan 1996 11:34:18 +0800 Subject: For the New Year: A Symbol for Information Freedom Message-ID: <199601010311.WAA12624@mail.FOUR.net> In talk.politics.crypto, ptupper at direct.ca (Peter Tupper) wrote: > A Symbol for Information Freedom > by Peter Tupper > 1996 is off to a discouraging start when it comes to the >future of information freedom. The American Congress seems >determined to impose censorship on the Internet. The legal >status of strong dual-key cryptography is still in debate. >Telephone companies, cable TV services and publishing services >are all eagerly trying to seize control of the Internet and >eliminate the many-to-many nature of the medium. The accidental >wonder that is the Internet seems to be threatened on all sides, >in danger of being destroyed or denatured before reaching its >potential. > My proposal is only a small contribution to the solutions to >this problem. I believe a symbol is needed; a simple yet >recognizable item that will communicate to others that you are: > -for freedom of speech and expression in all realms, >particularly via computer mediated communications. > -against the imposition of arbitrary community standards by >centralized authority on communications. > -for making access to communications available to everyone. > -against the violation of individual privacy by wiretapping, >intercepting computer communications, compiling dossiers by >government or commercial organizations or other forms of >surveillance. > -for making strong, dual-key encryption programs without >back-doors available to the public. > -against building surveillance measures into communications >and financial infrastructures. > -for a future of communications that is by, for and of the >people, not the state or the market. > The symbol I have chosen is the paper clip. Why a paper >clip? > There are many reasons: > Pragmatic: Paper clips are readily available for >practically nothing, all over the world. They can be applied to >collars, lapels, scarves, pocket edges, suspenders and neck ties >without damaging them and without risk of the pin breaking the >skin. > Aesthetic: The paper clip is a simple, elegant design that >is easily recognized the world over. It can be rendered in many >colors or plated with precious metals. > Symbolic: The paper clip is a simple but effective piece of >technology. An individual uses it to bundle together documents >from disparate sources to create a unified document upon a given >subject, which may be dismantled and remade for another topic. >Furthermore, a paper clip may be bent out of its regular shape >and used as an improvised tool for any number of purposes. > Historic: During the German occupation of Norway in World >War II, Norwegians wore paper clips on their collars as a sign of >solidarity against the invaders. > Commercial: While anybody can obtain a plain paper clip >with little trouble, funds for Information Freedom can be raised >by marketing electroplated or designer paper clips. > The cause of awareness of and activism about AIDS had a >simple, readily recognized symbol, the folded red ribbon. Just >as every celebrity who wears a red ribbon, no matter how trite >and self-promoting it is, is a reminder to those watching that >AIDS is happening and that many people are concerned, >celebrities appearing at the Academy Awards or Grammies with a >designer, gold-plated paper clip on their outfit reminds the >world that information freedom is under fire and that people are >concerned. It will make the Internet community a visible reality >in the public sphere. It will bring these issues into the public >eyes, and give those involved a rallying symbol. It will make a >small difference, but it will contribute to the greater good. > Advertising couldn't hurt. From abostick at netcom.com Sun Dec 31 19:42:33 1995 From: abostick at netcom.com (Alan Bostick) Date: Mon, 1 Jan 1996 11:42:33 +0800 Subject: US calls for measures against Internet porn In-Reply-To: <199601010034.SAA07422@tjava.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199601010034.SAA07422 at tjava.com>, nobody at tjava.com (Anonymous) wrote: > Apologies if you've seen this before: > > WASHINGTON DC (Reuter) - The US called Sunday for improved > management of the Internet to prevent people seeing pornographic > material on the world computer network. > A joint statement from the Clinton administration's State > Council (Cabinet) and the office of the Republican Party's Planning > Committee said there were increasing links between domestic computer > systems and the Internet. > ``Good use of the Internet is of great importance to increase > global information exchanges, promote economic construction and > develop science,'' the Associated Press quoted the statement as > saying. > But because of weak management and lack of control over what > enters the Internet, some pornographic and other harmful materials > have come onto the system, it said. ``We must take effective measures > to deal with this,'' it said. > German prosecutors said Friday they had launched an > investigation into the U.S.-based online service CompuServe Inc on > suspicion that members had sent child pornography over its worldwide > computer network. > The inquiry prompted the service to block access to 200 > sexually-explicit Internet discussion groups and sites where > pornographic pictures are available. > An explosion in use and ownership of modems in the US is > giving an increasingly large number of people access to the Internet. > > [The amazing thing is how _little_ editing was necessary.] > Ummm. Wasn't it *China* in today's original? - -- Alan Bostick | SWINDON: What will history say? Seeking opportunity to | BURGOYNE: History, sir, will tell lies as usual. develop multimedia content. | George Bernard Shaw, THE DEVIL'S DISCIPLE Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMOc9A+VevBgtmhnpAQFjOAL/d4U3rPqsYG6Bkzv1JWX8uoePdYCxZTGf /AnOLH1vSw2ZEJ3oNDTiLxjM4uuoWHjAOzJRer7aAb1UuoCT1wm3+aEQNSk83Jg6 jMRFZtri5nj2LKTD2u6T19wqydYZ6zBl =aYBC -----END PGP SIGNATURE----- From alanh at infi.net Sun Dec 31 20:55:05 1995 From: alanh at infi.net (Alan Horowitz) Date: Mon, 1 Jan 1996 12:55:05 +0800 Subject: For the New Year: A Symbol for Information Freedom In-Reply-To: <199601010311.WAA12624@mail.FOUR.net> Message-ID: I don't agree that the market is different than the people. And I hope that Information Freedom doesn't become as trivialized, trendy, and the property of dilletantes as the red-ribbon AIDS shtick. There is a danger to holding up the AIDS hullabaloo as a role model. To wit, the AIDS activists have committed themselves to a lie - that AIDS is an epidemic, a generalized threat to society. They are riding a tiger by the tail, for when the actual facts seep into the consciousness of the unwashed masses - which might never really happen, given the reality of our "whoever puts out their press release first, gets awarded the Conventional Wisdom seal-of-approval" journalism - then the AIDS-industrial complex is going to be in trouble. So, on with the paperclips - only, let's make sure that no Hollywood celebrities are allowed to participate. It's the kiss of death.... Alan Horowitz alanh at infi.net From jcobb at ahcbsd1.ovnet.com Sun Dec 31 22:17:25 1995 From: jcobb at ahcbsd1.ovnet.com (James M. Cobb) Date: Mon, 1 Jan 1996 14:17:25 +0800 Subject: Ah, the future... Message-ID: Friend, 12 31 95 Associated Press reports: Ah, the future ... At least part of what will happen in the coming year seems clear. Cyberspace will be regulated -- kicking and screaming -- and the court battles over free speech will begin. "It's going to throw the Internet into a state of uncertainty for several years," said [Bob] Smith [of Interactive Services Association]. You may recall the question I asked in an earlier message: And when the State DECIDES...? But that's all right... Despite that, business growth on the net will begin to catch up with the phenomenal increase in accounts. Cordially, Jim NOTE. The newsstory's headline? YEAR OF THE INTERNET: What a tangled web we weave. Its dateline? (Dec 31, 1995 - 00:23 EST). Accessed at? Nando News (www.nando.net). Online filename? info306_3.html That message? Date: Wed, 22 Nov 1995 04:16:50 -0500 (EST) From: "James M. Cobb" To: cypherpunks at toad.com Subject: Secrets of the Internet This critical essay, "Ah, the future..." was composed 12 31 95. From Alan.Pugh at internetMCI.COM Sun Dec 31 22:57:23 1995 From: Alan.Pugh at internetMCI.COM (amp) Date: Mon, 1 Jan 1996 14:57:23 +0800 Subject: Australian "calculatorcard" Message-ID: <01HZH81Y0DKI95P3WV@MAIL-CLUSTER.PCY.MCI.NET> -- [ From: amp * EMC.Ver #2.3 ] -- From: David Lesher \ Internet: (wb8foz at nrk.com) To: amp \ Internet: (alan.pugh at internetmci.com) cc: Cees de Groot \ Internet: (c.degroot at inter.nl.net) cc: cypherpunks \ Internet: (cypherpunks at toad.com) Subject: Re: Australian "calculatorcard" > sounds like the card i use for remote dialup to certain non-public > systems i use at work. it has a six digit number on the front that > changes every 60 seconds. DS> Do these card systems use a window to handle clock-slip? i'm not sure. i would image so. DS> I'd think you could have the server safely accept # N, N-60 sec, and DS> N+60 seconds; and adjust the server's idea of your card's clock speed DS> from that. DS> What new risk would that create? i would figure the server would give a minute or so for slippage. basically the risk is that it would give someone 3 minutes to do a brute force attack rather than one. if you have decent security on the server side, i.e., disallow the card for 5 minutes or more after 3 or so failed attempts, brute attacks would be minimized. however, if the actual window for a single code is 3 minutes, that increases your chance of hitting it as 3 separate numbers would be valid for a given card at any given time. amp <0003701548 at mcimail.com> (since 10/31/88) PGP Key = 57957C9D PGP FP = FA 02 84 7D 82 57 78 E4 E2 1C 7B 88 62 A6 F9 F7 December 31, 1995 21:59 From Alan.Pugh at internetMCI.COM Sun Dec 31 22:57:35 1995 From: Alan.Pugh at internetMCI.COM (amp) Date: Mon, 1 Jan 1996 14:57:35 +0800 Subject: Australian "calculatorcard" Message-ID: <01HZH81RU4DE95P4B0@MAIL-CLUSTER.PCY.MCI.NET> -- [ From: amp * EMC.Ver #2.3 ] -- From: Vin McLellan \ Internet: (vin at shore.net) > it's Pretty Good >(tm) security, but like anything not biometric, it is vulnerable to >black-bag attacks. physical possession being all that is required. VM> Actually, all ACE/Server or ACE software modules _require_ a VM> user-memorized PIN. Physical possession of a stolen token is not VM> enough to gain illicit access. >if >you know the algorithm and the serial number of the card and the >time, even that isn't necessary. VM> Bleep! Earth to amp! Check your voltage, lately? The token's VM> serial number has nothing whatsoever to do with the generation of a VM> SecurID's PRN token-code. hmmmm, let me see... yup. you are right. voltage low. give me a second to plug back in... VM> and distribution. The serial number stuck to the back of a SecurID VM> after it is programmed with its secret key -- a unique PRN VM> "significantly longer" than 56 bits -- but they are not the same VM> thing. The cpu in a SecurID doesn't even "know" the serial number VM> stuck on the back of the token. VM> (It would be Pretty Stupid to glue or emboss a secret on VM> the back of the damn token, wouldn't it?) I should note that Alan is VM> just regergitating one of the most widely circulated rumors about VM> SecurIDs -- which like any popular crypto device attracts a lot of VM> wiLd & w00ly speculation. actually, i was speaking pretty much off the top of my head. it's been a while since i registered it, but all i basically had to tell the server the first time i used it was the s/n. and yes, i think it would be Pretty Damn Stupid to have the s/n have anything to do with the actual seed or pin. VM> Getting the algorithm for SDI's one-way hash is no big deal, VM> given that it sits in software in thousands of SDI customer VM> installations, protected only by contract and trade secret status. VM> (The integrity of the product -- the unpredictability of the VM> token-code PRN series, and the secrecy of a specific token's seed or VM> key -- rightly depends cryptographic strength of the hash, not the VM> secrecy of the algorithm.) Getting a token-specific secret key would VM> hopefully be a much greater challenge. one would certainly hope so. personally, i like the card. it offers pretty good security and thus gives me remote access to systems my employer would otherwise laugh in my face for access to (and did, more than once before we got these things). its main weakness would be a black bag job where someone gains physical posession. at that point, all bets on its securty are off for obvious reasons. luckily, because of the nature of the device, i can simply report it as stolen and it quickly becomes a rather worthless piece of silicon. amp <0003701548 at mcimail.com> (since 10/31/88) PGP Key = 57957C9D PGP FP = FA 02 84 7D 82 57 78 E4 E2 1C 7B 88 62 A6 F9 F7 December 31, 1995 22:15 From erc at dal1820.computek.net Sun Dec 31 23:15:26 1995 From: erc at dal1820.computek.net (Ed Carp [khijol SysAdmin]) Date: Mon, 1 Jan 1996 15:15:26 +0800 Subject: Can We Cut the Crap? In-Reply-To: Message-ID: <199601010637.AAA22761@dal1820.computek.net> -----BEGIN PGP SIGNED MESSAGE----- > tcmay at got.net (Timothy C. May) writes: > > There is no point in the back-and-forth of insults, "Dr. Fred is a loon," > > "Alice is Detweiler," and other such nonsense. If you don't want to read > > the comments of Fred Cohen, Dimitri Vulis, Alice whatever, > > Vlad/Lance/Larry/Pablo, then just don't read them! Filter them out, delete > > them immediately, read them briefly, whatever. > > Or Chris Shalutis, or Ed Carp, or Perry Metzger... > > Too bad majordomo at toad.com can't be instructed not to send contributions from > certain folks to certain other folks. I guess I'll have to figure out how > to use procmail with this thing after all. Hey, Dimitri? That's what it's *for*! This is not about censorship, or is it? Is that what you're suggesting? No one is forcing you to read anything I, or anyone else, says. If you don't like it, the 'd' key is somewhere on your keyboard. Or is that too much manual labor for you? Grrr... - -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMOeBFCS9AwzY9LDxAQHDxwQApbzrRLJQTcLshlPGx5qCUNYNfFBeloYY 7o0ULL3+dGs+bjE+VsGy+taEBnWp1L1i5BK4NGo44dEV9SwkndnE5bCalS3vCIsd YidfhM8nfDa9+e93Uh7VM63ZLVxi6F2SBvN6vcfnmxC7V9LN/b+jrvUPbJG2tVMx D64Dg2Zd5Jk= =lIHF -----END PGP SIGNATURE-----